[Beta] Asuswrt-Merlin 384.11 Beta is now available

NTP Man-in-the-middle attacks are possible, and can affect other time-sensitive security-related functions. The TLS benefit is security, not privacy. Here's one article:

https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/
  • I have not heard of an implementation of NTP over TLS
  • While TLS is agnostic regarding TCP or UDP, NTP must be UDP for timing performance. Most TLS implementations have been TCP.
  • The use case is from NTP client to Internet NTP server. For the well-heeled with reasonable access to the sky, having your own GPS-connected NTP server on your LAN addresses most security concerns.
Where there is security, just add more security. It wasn't too long ago that someone changed the time on government agencies' computers just to show they could do it. So if there is more security, bring it on.
 
Those log lines are unrelated to webui changes. They occur at the moment the clock gets its first sync following WAN coming up.

Thanks, what would I need to look at in the logs to diagnose why the ntp does not work when I attempt the redirect? I am on AC86U beta2 with VPN exclusive and policy based (both in and out of the policy cannot get ntp connection), DoT on, global dns filter to Router. The only ntp related log I see when flexing the ntp setting in the UI and applying is the one related to ntp stopped.
To test whether your router is redirecting, what I did was use my computer and force it to do a time sync. I noticed on the system log page's connections tab that I had a connection from that device's IP being directed at the router's default IP via port 123; it was at the very bottom of the connections page.
 
I would show you a screenshot of what it looks like so you can verify for yourself, but I am not at my computer; maybe someone else on here can take five seconds to show you a screenshot of what this would look like.
 
Screenshot_20190503-185553_1.jpg


This is an example of what you will see in the connections table at the bottom.
 
My one question is does redirection start after the time sync is successfully completed on the router after a reboot or does it automatically start before?

I remember that 'after' was stated previously in this thread.
 
Question - I am coming from 384.8_2 and am not interested in diving into any of the DoT stuff; can I upgrade and keep my plain/vanilla setup and not have to go and do anything special to disable all of this new stuff? I use some of Merlins features but still have a basic setup (and I have Comcast Business and their DNS serves me just fine).

Yes. That's exactly what I did. See my last post in this thread.
None of the new settings are forced on you; your settings will remain the same as they are now unless you decide to adjust them.
 
Hi Xentrk.

Here are my results. Tested in Edge with no adblockers or additional tools. If something isn't clear, let me know.


Test Case 1
-----------
Settings:
Redirect Internet Traffic = Policy Rules or Policy Rules (Strict)
Accept DNS Configuration = Disabled
Results:
1.1.1.1/help DoT reports a (Yes or No): Yes
dnsleak.com reports a DNS Leak (Yes or No): Yes
dnsleak.com reports DNS is Cloudflare (Yes or No): Yes
dnsleak.com reports DNS is from VPN provider (Yes or No): No
Diversion blocks ads (Yes or No): Yes

Test Case 2
-----------
Settings:
Redirect Internet Traffic = Policy Rules or Policy Rules (Strict)
Accept DNS Configuration = Strict
Results:
1.1.1.1/help DoT reports a (Yes or No): Yes
dnsleak.com reports a DNS Leak (Yes or No): Yes
dnsleak.com reports DNS is Cloudflare (Yes or No): Yes
dnsleak.com reports DNS is from VPN provider (Yes or No): No
Diversion blocks ads (Yes or No): Yes

Test Case 3
-----------
Settings:
Redirect Internet Traffic = Policy Rules or Policy Rules (Strict)
Accept DNS Configuration = Exclusive
Results:
1.1.1.1/help DoT reports a (Yes or No): No
dnsleak.com reports a DNS Leak (Yes or No): No
dnsleak.com reports DNS is Cloudflare (Yes or No): No
dnsleak.com reports DNS is from VPN provider (Yes or No): Yes
Diversion blocks ads (Yes or No): No

Test Case 4
-----------
Settings:
Redirect Internet Traffic = All
Accept DNS Configuration = Exclusive
Results:
1.1.1.1/help DoT reports a (Yes or No): No
dnsleak.com reports a DNS Leak (Yes or No): Yes
dnsleak.com reports DNS is Cloudflare (Yes or No): Yes
dnsleak.com reports DNS is from VPN provider (Yes or No): Yes
Diversion blocks ads (Yes or No): Yes

Thanks for taking the time to perform the test and report results. Everything appears to work as expected except for Test Case 4. I would have expected dnsleak.com to not report a leak and for the VPN tunnel to use the DNS of the provider and not Cloudflare DoT. I will run the test once I cut over. I should be able to cut over to the beta after I finish the development project this weekend.

A few weeks ago, I noticed that my provider TorGuard started using Cloudflare DNS!
 
I use QoS but thought CTF was on; now it's not. Any chance it should be on? If so, I'm wondering whether maybe the new f/w shut it off...? Could be I'm wrong.

Edit: Disregard
 
DNSSEC + OpenVPN server + OpenVPN client outside


When I connect to the router via Wi-Fi / LAN cable, I test and DNSSEC is enabled.
But when I connect from outside with OpenVPN, I test and DNSSEC is not enabled. How do I get DNSSEC enabled for an external OpenVPN client connecting to the OpenVPN server installed in the router?
Thanks!
 
I use Cloudflare in DoT, and my country server is per the "https://www.cloudflarestatus.com/" re-routed to Vienna, Austria:
And Steam site works just fine...

Google dns?
Quad9 and CF both don't have EDNS.
By the way, by default, stubby disables EDNS. You need to change the setting in the yml:
edns_client_subnet_private : 1 —> 0

No issues or problems with Steam from my side.

As someone pointed out, the stubby implementation is also done to disable sending such info by default, so just switching resolver might not be enough. You would have to either disable it in stubby through a postconf, or stop using DNS Privacy.

Thanks for the replies, everyone.

If Stubby disables EDNS by default and Steam probably requires it (due to their aforementioned regional pricing and geo-blocking practices), that's most likely what's causing issues with the service.

I won't be using Stubby anymore, since @RMerlin's latest firmware already has a DoT implementation. For that, I'd only have to select a resolver that supports both DoT and EDNS and that's it?

I don't know. Check Wikipedia, I remember it has a page with a list of public DNS resolvers and their features, I don't remember however if they also specified EDNS support.

I spent over an hour researching this last night with only two results about public DNS resolvers using DNS over TLS and supporting EDNS. This Wikipedia link has good info, but nothing on EDNS.
https://en.wikipedia.org/wiki/Public_recursive_name_server

I searched each public DNS provider site for EDNS info; no provider offered EDNS info. The only EDNS result I found was this from Google. I found nothing about the duration of the "experiment", start / end dates, nothing more.
https://developers.google.com/speed/public-dns/docs/dns-over-tls

Yeah, that's the same Wikipedia article I listed before. Thanks for the further research, @Butterfly Bones. Guess I'll be limited to Google's DNS, then, as it seems to be the only one that supports both DoT and EDNS and also has datacenters in my country.
 
On a separate note, I disabled the 5G radio on my RT-AC86U yesterday (left 2.4GHz on for emergencies only, if I need to connect to it directly), and almost immediately after that, I've had this issue where I can't login to its GUI in any way.

It happened twice - once yesterday, and now today (with an interval of about 24 hours between them).

I still have internet and can still ping the router using the command prompt, but I can't log in to its GUI using any browser, whether connected via Ethernet or Wi-Fi. I have to reboot it via PuTTY, then I can access it normally.

It's a brand new router, and I haven't had any other issues since a couple weeks ago, when it was delivered. What gives?

P.S.: I'm on 384.10_2, as previously mentioned.
 
Will the .11 firmware update require a fresh install or will we be able to simply update? Also, are there any @L&LD type steps recommended to take before/after the update? (i.e. uninstalling Stubby before updating, etc.) Thanks. I would like to be properly prepared when the time comes :)
I use the guide Asuswrt-Merlin Firmware Upgrade when performing an upgrade so I don't miss a step. ;) You should always be prepared for the worst case scenario just to be safe (Murphy's Law).

Some have "dirty" flashed over 384.10 and have been okay. But be prepared to factory reset. I have four routers to support and have a folder on my hard drive for each one with screen pics of all my settings just in case.
 
Thanks for the replies, everyone.

If Stubby disables EDNS by default and Steam probably requires it (due to their aforementioned regional pricing and geo-blocking practices), that's most likely what's causing issues with the service.

I won't be using Stubby anymore, since @RMerlin's latest firmware already has a DoT implementation. For that, I'd only have to select a resolver that supports both DoT and EDNS and that's it?

Yeah, that's the same Wikipedia article I listed before. Thanks for the further research, @Butterfly Bones. Guess I'll be limited to Google's DNS, then, as it seems to be the only one that supports both DoT and EDNS and also has datacenters in my country.

Wrong, Merlin is still using Stubby; it is just integrated into the firmware. And EDNS is still disabled by default.
You may need to use /jffs/scripts/stubby.postconf to amend the stubby.yml

There is another issue: a few posts back, someone mentioned Google DoT may not be supporting EDNS as it is in an experimental stage. Not sure if it has ended that stage.
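The postconf approach mentioned above, written out as an added example (this is not a script from the thread or from the Asuswrt-Merlin project): it flips edns_client_subnet_private from 1 to 0 in stubby.yml so the client subnet is sent upstream, which is the privacy trade-off the default protects against. It assumes Merlin's helper.sh and its pc_replace function exist at /usr/sbin/helper.sh on the router and uses a plain sed fallback elsewhere; the sample yml is constructed.

```shell
#!/bin/sh
# Added example: a /jffs/scripts/stubby.postconf-style hook that enables EDNS
# client subnet (ECS) in stubby.yml. Assumption: Merlin's /usr/sbin/helper.sh
# provides pc_replace; off-router we fall back to sed so this also runs alone.
set -e

# Flip "edns_client_subnet_private: 1" to "... 0" in the given stubby.yml.
enable_ecs() {
    cfg="$1"
    if [ -r /usr/sbin/helper.sh ]; then
        . /usr/sbin/helper.sh
        pc_replace "edns_client_subnet_private: 1" "edns_client_subnet_private: 0" "$cfg"
    else
        # Tolerate optional whitespace around the colon (the thread writes "private : 1").
        tmp="$cfg.tmp"
        sed 's/^\([[:space:]]*edns_client_subnet_private[[:space:]]*:[[:space:]]*\)1[[:space:]]*$/\10/' \
            "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    fi
}

# Print the current value (0 or 1) so the change can be verified after the hook runs.
ecs_private_value() {
    sed -n 's/^[[:space:]]*edns_client_subnet_private[[:space:]]*:[[:space:]]*\([01]\).*/\1/p' "$1"
}

# Constructed sample with the keys Merlin's generated stubby.yml is assumed to carry.
make_sample_yml() {
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
edns_client_subnet_private : 1
round_robin_upstreams: 1
EOF
}

# As a postconf hook, Merlin passes the config path as $1; only act when given one.
if [ -n "$1" ] && [ -f "$1" ]; then
    enable_ecs "$1"
fi
```

Whether the upstream honours the subnet still depends on the resolver, as the thread notes for Quad9, Cloudflare and Google; the hook only changes what stubby sends.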
 