[Beta] Asuswrt-Merlin 384.11 Beta is now available


1) With DoT enabled, does this filter to the connected clients? Or is DNSFilter needed with "Router" setting on? If it's not, is it only for users who want clients to use a different DNS service/server vs another?

Chain of event:

Normal:
Client => dnsmasq => WAN DNS

DNSFilter:
Client => DNSFilter DNS (enforced)

With DOT:
Client => dnsmasq => Stubby => DoT servers

With DOT + DNSFilter:
Client => DNSFilter DNS (DOT is bypassed)

With DOT + DNSFilter set to "Router":
Client => dnsmasq => Stubby => DOT servers (enforced)

Basically, think of DOT as a replacement for the WAN DNS once Stubby is in a running stage (after the clock is set). Everything else works just as before, except DOT is used instead of the DNS configured on the WAN interface (be it automatically obtained from the ISP, or manually entered on that page).
 
2) "Connect to DNS server automatically" -- DoT overrides this, correct? Does it matter if it's left on yes or custom input? Would it be possible to hide this field in later builds if DoT is enabled?

Before DOT can become active, the clock needs to be set. And for the clock to be set, your router needs to connect to a remote NTP server. So, the WAN DNS are still needed for that first stage. That's why the field is not hidden; it's still relevant.
 
On LAN/DHCP Server, all clients are always shown offline. Beta1b.
 
Chain of event:

Normal:
Client => dnsmasq => WAN DNS

DNSFilter:
Client => DNSFilter DNS (enforced)

With DOT:
Client => dnsmasq => Stubby => DoT servers

With DOT + DNSFilter:
Client => DNSFilter DNS (DOT is bypassed)

With DOT + DNSFilter set to "Router":
Client => dnsmasq => Stubby => DOT servers (enforced)

Basically, think of DOT as a replacement for the WAN DNS. Everything else works just as before, except DOT is used instead of the DNS configured on the WAN interface (be it automatically obtained from the ISP, or manually entered on that page).

Thank you Eric! :)
 
When a VPN client is set to Exclusive with a policy rule like 192.168.1.0/24, the client must restart after a reboot, and DoT is set: is DoT an extra layer of security when the VPN (before the handshake) asks for a connection through the WAN?

Yes, DoT will be used to establish the VPN connection, as the router resolves the VPN server's address.

Question regarding DNSSEC. As long as Cloudflare's servers aren't hijacked, will I effectively be protected using DNSSEC which their test page implies? Enabling it on the router protects against Cloudflare being compromised, correct?

I don't know how strict Cloudflare enforces DNSSEC validation on its own, so I'd recommend enabling it on your router.
 
Question regarding DNSSEC. As long as Cloudflare's servers aren't hijacked, will I effectively be protected using DNSSEC which their test page implies?
While DNSSEC alone is helpful, it is the combination of:
  • DNSSEC certificate validation
    • directly (by dnsmasq or by stubby)
    • or by proxy (dnsmasq proxy-dnssec) *future Asuswrt-Merlin default
  • through a DNS over TLS encrypted tunnel
that is effective.
Enabling it on the router protects against Cloudflare being compromised, correct?
To be precise, it does not protect against Cloudflare being compromised, it protects against Cloudflare DNS replies being compromised.
 
Yes
Code:
# cat /jffs/scripts/wan-start
#!/bin/sh
CONFIG=$1                      # argument passed in by the firmware
source /usr/sbin/helper.sh     # Asuswrt-Merlin helper functions
#
#echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
#echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
# accept Router Advertisements on the WAN interface (eth0)
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
# a forwarding interface ignores RAs unless accept_ra=2, so keep forwarding off on eth0
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding
#
What is the need of this? Been using ipv6 for months and never had to do anything like this to make it work.
 
I've been using beta1 today on my RT-AC88U and it seems fine. The addition of DoT is great and seems to be working properly (alongside Stubby).

The only thing I've noticed is that the Firmware Upgrade tab doesn't seem to have an Apply button (I'm using Firefox) so there is no way to change from the default of Yes for the scheduled check. Am I missing something obvious?
 
I've been using beta1 today on my RT-AC88U and it seems fine. The addition of DoT is great and seems to be working properly (alongside Stubby).
Do you have both Stubby as a script running and DoT set in the webui at the same time? I wouldn't. I would choose one or the other.
 
I've been using beta1 today on my RT-AC88U and it seems fine. The addition of DoT is great and seems to be working properly (alongside Stubby).

The only thing I've noticed is that the Firmware Upgrade tab doesn't seem to have an Apply button (I'm using Firefox) so there is no way to change from the default of Yes for the scheduled check. Am I missing something obvious?
What do you mean alongside Stubby?
 
Either choose the Stubby script and do not set DoT in the webui, or do not run the Stubby script and use the webui for DoT. One or the other.
 
Hi, I'm sure this is already answered, but it is not clear to me since I am a newbie in all this. When I activate DNSSEC, the CloudFlare page tells me that I'm not using DNS over TLS (DoT). So my question is: do you have to activate DNSSEC, or keep it disabled? Thanks in advance.
 
Either choose the Stubby script and do not set DoT in the webui, or do not run the Stubby script and use the webui for DoT. One or the other.
Ah! Thanks. Yes, alongside was a bit vague. "As well as" would have been a better description. :(

Thanks to you all for clarifying.
 
Beta 1b has been working well in spite of my desire to run DNSSEC from Stubby/Getdns. I have successfully modified one stubby.yml setting and have added another via /jffs/scripts/stubby.postconf. Even DNSSEC running through dnsmasq works well.

However, I feel the Preset Servers for DoT should also include those resolvers included in DNSFilter, provided they support DoT, (and the second Quad9 secure server).
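The post above changes one stubby.yml setting and adds another through /jffs/scripts/stubby.postconf but does not show how. The script below is an added example, not the poster's script and not Asuswrt-Merlin code: it performs that kind of replace-or-append edit with grep/sed instead of helper.sh so it runs stand-alone on a constructed sample of stubby.yml. `dnssec_return_status` is a real getdns/Stubby option (enables DNSSEC validation inside Stubby); the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): postconf-style edits to a Stubby config.
# Assumption: the YAML below is a constructed stand-in for the firmware-generated
# /etc/stubby/stubby.yml; only top-level "key: value" lines are edited.

SAMPLE_YML="${TMPDIR:-/tmp}/stubby-sample-$$.yml"
cat > "$SAMPLE_YML" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: 1
listen_addresses:
  - 127.0.1.1@5453
EOF

# get_yaml_key FILE KEY: print the value of a top-level scalar key (empty if absent)
get_yaml_key() {
    sed -n "s|^$2:[ ]*||p" "$1"
}

# set_yaml_key FILE KEY VALUE: replace the key's value in place, or append the
# key when the file does not have it. A second run changes nothing, which matters
# because postconf scripts are re-run every time the firmware regenerates the file.
set_yaml_key() {
    if grep -q "^$2:" "$1"; then
        sed "s|^$2:.*|$2: $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s: %s\n' "$2" "$3" >> "$1"
    fi
}

# count_key FILE KEY: number of top-level lines defining KEY (expect 0 or 1)
count_key() {
    grep -c "^$2:" "$1" || true
}

# What a stubby.postconf would do: add DNSSEC validation, change an existing setting,
# and stay idempotent when run again.
set_yaml_key "$SAMPLE_YML" dnssec_return_status GETDNS_EXTENSION_TRUE
set_yaml_key "$SAMPLE_YML" round_robin_upstreams 0
set_yaml_key "$SAMPLE_YML" dnssec_return_status GETDNS_EXTENSION_TRUE
```

On the router the same logic would be written with the pc_replace/pc_append helpers from /usr/sbin/helper.sh against the path the firmware passes to the postconf script.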
 
Hi, I'm sure this is already answered, but it is not clear to me since I am a newbie in all this. When I activate DNSSEC, the CloudFlare page tells me that I'm not using DNS over TLS (DoT). So my question is: do you have to activate DNSSEC, or keep it disabled? Thanks in advance.
Okay, to pass the test you have to have DNSSEC turned off, but this only shows you that DoT is enabled. DoT also works in combination with DNSSEC; it just turns out that the Cloudflare test page does not know how to detect that you are using DoT when you have DNSSEC turned on, because the test Cloudflare runs does not properly account for DNSSEC validation by the client.
 
Hi, I'm sure this is already answered, but it is not clear to me since I am a newbie in all this. When I activate DNSSEC, the CloudFlare page tells me that I'm not using DNS over TLS (DoT). So my question is: do you have to activate DNSSEC, or keep it disabled? Thanks in advance.
Search all the threads for DNSSEC and you will find the CF Help page test is broken when you enable DNSSEC. Nothing new...
 
Beta 1b has been working well in spite of my desire to run DNSSEC from Stubby/Getdns. I have successfully modified one stubby.yml setting and have added another via /jffs/scripts/stubby.postconf. Even DNSSEC running through dnsmasq works well.

However, I feel the Preset Servers for DoT should also include those resolvers included in DNSFilter, provided they support DoT, (and the second Quad9 secure server).

The problem with DNSFilter is that it is in itself a different type of implementation; there would have to be separate instances of Stubby running for each one of the servers listed inside the filter just to support DoT via a filter tab. It is best just to run one instance of DoT and use the Router option to force it on the clients you want to run under DoT.

However, I do concur with you about there being more servers on the list, simply so that end users who may otherwise not be educated can find them, say for example the Quad9 IPv6 servers.
 
Okay, to pass the test you have to have DNSSEC turned off, but this only shows you that DoT is enabled. DoT also works in combination with DNSSEC; it just turns out that the Cloudflare test page does not know how to detect that you are using DoT when you have DNSSEC turned on, because the test Cloudflare runs does not properly account for DNSSEC validation by the client.

Thank you very much for clarifying the doubt.

Regards!!!
 
The problem with DNSFilter is that it is in itself a different type of implementation; there would have to be separate instances of Stubby running for each one of the servers listed inside the filter just to support DoT via a filter tab. It is best just to run one instance of DoT and use the Router option to force it on the clients you want to run under DoT.
That is not what I mean. For Example, CleanBrowsing supports DoT. It is in the DNSFilter list and should be in the Preset Servers as well to protect the entire LAN via DoT.
 