udpxy works fine when starts manually. Movistar iptv profile is new in AC86U, recently added in the 384_45713... I think they have simply forgotten. Thanks
[Beta] Asuswrt-Merlin 384.11 Beta is now available
- Thread starter RMerlin
- Start date
-
- Tags
- asuswrt-merlin beta firmware
udpxy works fine when starts manually. Movistar iptv profile is new in AC86U, recently added in the 384_45713... I think they have simply forgotten. Thanks
Thanks for the reply RMerlin. The thing is it does it also with the redirection turned off and the app set to use the router as the NTP server.
RMerlin, thank you for the excellent work. The Beta 2 is working fine on my RT-AC68U C1 so far and I will continue testing. Having the DNS-over-TLS natively rather than having to install a DNSCrypt script in JFFS is awesome! Would it possible to have an option to force LAN client DNS queries over DNS-over-TLS? I realize this is basically a port 53 firewall rule, but a GUI option would be great.
With DDNS over TLS added recently as well, I am super happy. I am hoping NTP-over-TLS, which I believe would be the last significant unencrypted router service, will be an option to implement in the future.
https://tools.ietf.org/id/draft-ietf-ntp-using-nts-for-ntp-10.html
Regards, Jake
skeal
Part of the Furniture
Check out DNSFilter page.
maxbraketorque
Very Senior Member
@Jake, to be more specific, enable DNSFilter and set the Global option to Router. This is mentioned in the first post of this thread.
That works, thanks! I was not aware that option in the UI. Would you agree the DNSFilter page could be eliminated on this release, as it could be incorporated into WAN>Internet Connection page with a "Force DNS Queries over DNS-over-TLS" option?
Edit: That would loose the option to configure specific clients for DNS redirection, however. It also seems the the first 3 or 4 options under WAN>Internet Connection>WAN DNS Setting should be disabled if one is using the DNS-over-TLS option (less confusing)?
Last edited:
Swistheater
Very Senior Member
Dns over tls was placed on firmware for privacy options not to supplant or replace existing features.
@RMerlin
Thank you very much for the firmware and DOT.
CleanBrowsing DNS is incorrect in two options.
CleanBrowsing Family 2 and CleanBrowsing Adult 2.
https://cleanbrowsing.org/guides/dnsovertls
Thanks.
Thank you very much for the firmware and DOT.
CleanBrowsing DNS is incorrect in two options.
CleanBrowsing Family 2 and CleanBrowsing Adult 2.
https://cleanbrowsing.org/guides/dnsovertls
Thanks.
Copy/paste error most likely, thanks. Fixed.
Evictoria
Occasional Visitor
Just to say thank you for 384.11b2 installed and running fine on AX & AC88U and along with various scripts as per my signature.
Running flawlessly with both VPN server & clients.
Kept JackYaz ntpd to impose the ntpsync on all clients.
Great firmware that gives a great use and learn experience of these routers.
Running flawlessly with both VPN server & clients.
Kept JackYaz ntpd to impose the ntpsync on all clients.
Great firmware that gives a great use and learn experience of these routers.
L&LD
Part of the Furniture
While I too prefer Jack Yaz's ntpMerlin script, note that the RMerlin 384.11 Beta 2 also (optionally) redirects clients to use its built-in NTP implementation too.
Evictoria
Occasional Visitor
Thanks !While I too prefer Jack Yaz's ntpMerlin script, note that the RMerlin 384.11 Beta 2 also (optionally) redirects clients to use its built-in NTP implementation too.
Must have overlooked it. I'll give it a try.
But I love the graphs too
maxbraketorque
Very Senior Member
What value would this provide? Is there really information about a device or user that can be gained from an NTP query?
I agree that its no longer intuitive for the DNSFilter tab to be located in the LAN section. Since all the other DNS stuff is now in WAN section, perhaps with its own tab there?
The first DNS entries (DNS Server1, DNS Server2) in the WAN DNS section have a different purpose than the DNS-over-TLS stuff. This is also discussed somewhere in this thread.
Last edited:
RamGuy
Senior Member
Is there a easy way to test and verify whether DNS over TLS is working?
I'm using a local Windows Server 2019 as local DNS server as this lets me do manual DNS entries for IPv4 and IPv6 for multiple domains easy in order to get all my local FQDN to resolve correctly locally and over IP-sec VPN where I also use this same server for DNS resolving.
But I want to utilise DNS over TLS for upstream DNS resolution that is not getting resolved on my Windows Server. Currently I have entered 1.0.0.1 and 1.1.1.1 as WAN DNS servers for IPv4, and for IPv6 I have entered the static global IPv6 address of my Windows Server.
Then I enabled DNS over TLS and configured CloudFlare using both IPv4 and IPv6.
Instead of using CloudFlare as upstream DNS on the Windows Server I have instead used the Asus RT-AX88U's local IPv4 address and link-local IPv6 address and DNS resolving is working as intended I would just like to verify that it's actually using DNS over TLS.
I do get some of these in the system logs;
May 3 18:34:38 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 18:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 19:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 20:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 21:51:46 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
I don't have the "Validate unsigned DNSSEC replies" enabled.
The Windows Server is also taking care of DHCPv4 and it's only broadcasting itself as DNS server.
I'm using a local Windows Server 2019 as local DNS server as this lets me do manual DNS entries for IPv4 and IPv6 for multiple domains easy in order to get all my local FQDN to resolve correctly locally and over IP-sec VPN where I also use this same server for DNS resolving.
But I want to utilise DNS over TLS for upstream DNS resolution that is not getting resolved on my Windows Server. Currently I have entered 1.0.0.1 and 1.1.1.1 as WAN DNS servers for IPv4, and for IPv6 I have entered the static global IPv6 address of my Windows Server.
Then I enabled DNS over TLS and configured CloudFlare using both IPv4 and IPv6.
Instead of using CloudFlare as upstream DNS on the Windows Server I have instead used the Asus RT-AX88U's local IPv4 address and link-local IPv6 address and DNS resolving is working as intended I would just like to verify that it's actually using DNS over TLS.
I do get some of these in the system logs;
May 3 18:34:38 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 18:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 19:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 20:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 21:51:46 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
I don't have the "Validate unsigned DNSSEC replies" enabled.
The Windows Server is also taking care of DHCPv4 and it's only broadcasting itself as DNS server.
Not hijacking your Q, but kind of similar Question. The scenario you are mentioning isn’t clear for me either, in case of Clearbrowsing, which DNS comes/serves first and will clearbrowsing work, (besides the leaking) when VPN DNS is set to Relaxed with policy 192.168.1.0/24?
DoT with clearbrowsing / Diversion / Skynet and maybe AIprotect and Adblockers in browsers is a bit much. But then again, it is possible, so why not…Sjeez
Code:
tcpdump -ni eth0 -p port 53 or port 853Connections to port 853 = DoT. Connections to port 53 = not DoT.
Relaxed mode means there is no guarantee as to which server is used by dnsmasq, it could be any of them.
NTP Man-in-the-middle attacks are possible, and can affect other time-sensitive security-related functions. The TLS benefit is security, not privacy. Here's one article:
https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/
Similar threads
- Locked
Similar threads
Similar threads
-
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 70
-
-
-
Beta Asuswrt-Merlin 3006.102.1 Beta is now available for WIfi 7 devices
- Started by RMerlin
- Replies: 97
-
-
Beta Asuswrt-Merlin 386.13 beta is now available for AC models
- Started by RMerlin
- Replies: 32
-
-
-
Anyone else having issues trying to flash the newest merlin (stable or beta) to the GT-0AXE11000?
- Started by superdeleted
- Replies: 4
-