[Beta] Asuswrt-Merlin 384.11 Beta is now available


Merlin - a lot of the servers inside that list that you have put on the list of supported are not mainstream servers - most of them are test servers.

The mainstream ones are there (CF, Quad9, etc...).

The only "test" servers that should be there are because I wanted at least one entry that uses port 443. The other test servers that were there during alpha should have been removed by now.

If you feel that some are still mis-labeled as production, then I suggest contacting the Getdns devs about it, as I based my choice on their own config file.
 
I wouldn't use Firefox's implementation since it's running through a proprietary DoH on Firefox's own servers, circumventing your DNS implementation. I would wait with eSNI until it's an accepted standard.
Ahhh...Now I see a little better. I'll just be patient...
 
Oh, no one is disputing that they are legit servers, just that they are only in the locations they are based out of, whereas other DNS servers like the mainstream ones have DNS servers all over the world.
 

I had added AdGuard because I wanted at least one service that focused on filtering. If I add CleanBrowsing, then I can remove the AdGuard ones (as I suspect they are not very well known).

The Getdns entry that was there during alpha was removed (I needed it to test a particular scenario at the time).

Will check for missing Quad 9 - I thought I only found the secure and non-secure 9.9.9.x entries, didn't notice any secondary server.

Anything else specific?
 
What OS are you using?

All I can say is this has nothing to do with the router. This is purely a client-side thing.
Win 10, 64B. I think that I'll have to wait for my main browser to catch up...that's Chrome.
 
- address_data: 1.1.1.1
  tls_port: 853
  tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.1
  tls_port: 853
  tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1111
  tls_port: 853
  tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1001
  tls_port: 853
  tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::64
  tls_port: 853
  tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::6400
  tls_port: 853
  tls_auth_name: "cloudflare-dns.com"
- address_data: 8.8.8.8
  tls_port: 853
  tls_auth_name: "dns.google"
- address_data: 8.8.4.4
  tls_port: 853
  tls_auth_name: "dns.google"
- address_data: 2001:4860:4860::8888
  tls_port: 853
  tls_auth_name: "dns.google"
- address_data: 2001:4860:4860::8844
  tls_port: 853
  tls_auth_name: "dns.google"
- address_data: 2001:4860:4860::64
  tls_port: 853
  tls_auth_name: "dns.google"
- address_data: 2001:4860:4860::6464
  tls_port: 853
  tls_auth_name: "dns.google"
- address_data: 9.9.9.9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 149.112.112.112
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::fe
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::fe:9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 149.112.112.9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 185.228.168.9
  tls_port: 853
  tls_auth_name: "security-filter-dns.cleanbrowsing.org"
- address_data: 185.228.169.9
  tls_port: 853
  tls_auth_name: "security-filter-dns.cleanbrowsing.org"
- address_data: 2a0d:2a00:1::2
  tls_port: 853
  tls_auth_name: "security-filter-dns.cleanbrowsing.org"
- address_data: 2a0d:2a00:2::2
  tls_port: 853
  tls_auth_name: "security-filter-dns.cleanbrowsing.org"

Here are some of the servers that are pretty good. The CleanBrowsing ones listed below are only security filtered and the Quad 9 ones are the secure DNSSEC ones. Also there are the Google ones that support DNSSEC.
One would question why use Google, but their DNS-over-TLS supports multi-pooling of servers, great for extra redundancy, and also the Cloudflare ones.
 
There is no need for an Apply button, the change is applied asynchronously to the router when you change it. Using an Apply button would require a rewrite of a large portion of that page, and isn't worth it.

Asus uses the same async method with the redesigned Virtual Server page now.



Which one specifically?

I based the preset list on what was in the Stubby example config file.
I didn't know this, no Apply needed. Been using it for all changes.
 
Thanks, found it afterward. Definitely worth considering since their service is available for free, and it's already been added to DNSFilter as a replacement for Norton DNS.
I tried them once with DoT on John's fork, as a comparable replacement for regular OpenDNS, and didn't last long with them because of what I perceived to be reliability issues.
https://quad9.net/faq/#Does_Quad9_support_DNS_over_TLS
Secure IP: 9.9.9.9 Provides: Security blocklist, DNSSEC, No EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 149.112.112.112

Not as intuitive as other services' secondary addresses. 112 doesn't roll off the tongue. :confused:
 
The only thing Quad 9 lacks is QNAME minimization support.
Here are all the secure ones for Quad 9.
- address_data: 9.9.9.9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 149.112.112.112
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::fe
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::fe:9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 149.112.112.9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::9
  tls_port: 853
  tls_auth_name: "dns.quad9.net"
 

Quad9, CF and Google are already there. I don't want to overcrowd the list with 4-5 different servers per provider, as it makes little sense (they are often anycasts/load balanced anyway, so you don't really get much redundancy by adding more of the same). Too many options will completely confuse the average user who would have no idea what to add.

The addition of Cleanbrowsing is already planned, as I like the idea of having one filtered server available in the preset list (it will probably replace AdGuard).

The preset list is mostly intended to provide a starting point for the majority of users. More advanced users who for some reason want more exotic servers or have a specific one in mind - it's pretty easy to add them manually in the server list, just have to enter a name, IP, optional port, TLS name, and optional hash.

If for some reason someone wanted to customize the preset list itself, the preset list syntax is pretty straightforward. The file is located in /rom/dot-servers.dat, it can be replaced through a bind mount. The file gets parsed every time you access the WAN page on the webui.
 

Notice the "if your DNS software requires" in their sentence. I bet it points to the same server farm, it's just there in case your software has a hardcoded requirement of two servers.
 
You can also add them via the stubby.add connection if it were necessary, but it is just nice to know what is out there. Maybe someone could make a thread of compiled servers, kind of like a one-stop shop for whoever wants to customize their list.
 
Perhaps things have improved since I was testing a few months back, but neither CleanBrowsing nor Quad9 DNS over TLS was reliable, only Cloudflare.

Also the server side timeouts of CleanBrowsing and Quad9 were 2 seconds as opposed to Cloudflare's 10 seconds, so you need the following in stubby.yml:
Code:
idle_timeout: 1900
If you neglect to do this and have nvram stubby_debug set, you will see incrementing Conn_shuts. Here are normal results:
Code:
=================================================================================================================================================================
[00:55:01.541371] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[00:55:11.518171] STUBBY: 1.1.1.1                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9900
[00:55:11.518224] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=  1236, Timeouts  =     0, Best_auth =Success
[00:55:11.518246] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=   444, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0
=================================================================================================================================================================
[00:56:01.713815] STUBBY: 1.0.0.1                                  : Verify passed : TLS
[00:56:11.695165] STUBBY: 1.0.0.1                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9900
[00:56:11.695213] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Resps=  1236, Timeouts  =     0, Best_auth =Success
[00:56:11.695245] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Conns=   444, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0
=================================================================================================================================================================
[00:56:14.756647] STUBBY: 2606:4700:4700::1111                     : Verify passed : TLS
[00:56:24.728211] STUBBY: 2606:4700:4700::1111                     : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9900
[00:56:24.728260] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Resps=  1235, Timeouts  =     1, Best_auth =Success
[00:56:24.728281] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Conns=   441, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0
=================================================================================================================================================================
[00:56:14.795690] STUBBY: 2606:4700:4700::1001                     : Verify passed : TLS
[00:56:24.757123] STUBBY: 2606:4700:4700::1001                     : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9900
[00:56:24.757168] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Resps=  1236, Timeouts  =     0, Best_auth =Success
[00:56:24.757187] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Conns=   442, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0
=================================================================================================================================================================
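The "incrementing Conn_shuts" check described above can be automated. The following is an added example, not code from this thread or from Stubby: it parses the Upstream Conns/Conn_shuts counters out of debug output in the format shown above and flags upstreams whose Conn_shuts keep growing between snapshots, which is the sign that the server hangs up on the idle connection before Stubby's own idle_timeout fires. The log lines embedded in it are constructed, and 198.51.100.9 is a placeholder upstream standing in for a server with a short server-side idle timeout.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of Stubby's debug output (as in the
# post above). 198.51.100.9 is a placeholder upstream, not a real resolver,
# standing in for a server that closes idle TLS connections after ~2 s.
SAMPLE_LOG = """\
[00:55:11.518224] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=  1236, Timeouts  =     0, Best_auth =Success
[00:55:11.518246] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=   444, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0
[00:56:11.695245] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=   445, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0
[00:57:03.100000] STUBBY: 198.51.100.9                             : Upstream   : TLS - Conns=   120, Conn_fails=     0, Conn_shuts=     40, Backoffs     =     0
[00:58:03.200000] STUBBY: 198.51.100.9                             : Upstream   : TLS - Conns=   131, Conn_fails=     0, Conn_shuts=     51, Backoffs     =     0
"""

# Only the "Conns=" statistics line carries the connection counters; the
# "Resps=" line and the per-connection "Conn closed" lines are ignored.
CONN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] STUBBY: (?P<up>\S+)\s*: Upstream\s*: TLS - "
    r"Conns=\s*(?P<conns>\d+), Conn_fails=\s*(?P<fails>\d+), "
    r"Conn_shuts=\s*(?P<shuts>\d+), Backoffs\s*=\s*(?P<backoffs>\d+)"
)


def parse_conn_stats(log_text):
    """Return {upstream: [(ts, conns, conn_fails, conn_shuts, backoffs), ...]}
    with the snapshots kept in log order."""
    stats = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            stats[m["up"]].append((m["ts"], int(m["conns"]), int(m["fails"]),
                                   int(m["shuts"]), int(m["backoffs"])))
    return dict(stats)


def flag_shutdowns(stats, max_ratio=0.05):
    """Flag upstreams whose Conn_shuts grew between the first and last
    snapshot, or whose shutdowns exceed max_ratio of all connections.
    Either means the server hangs up before Stubby's idle_timeout fires,
    so idle_timeout should be lowered below the server's idle limit."""
    flagged = {}
    for up, rows in stats.items():
        first, last = rows[0], rows[-1]
        new_shuts = last[3] - first[3]
        ratio = last[3] / last[1] if last[1] else 0.0
        if new_shuts > 0 or ratio > max_ratio:
            flagged[up] = {"new_shuts": new_shuts, "shut_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    for up, info in flag_shutdowns(parse_conn_stats(SAMPLE_LOG)).items():
        print(f"{up}: {info['new_shuts']} new Conn_shuts, ratio {info['shut_ratio']}")
```

With the real debug output, feed two snapshots taken a few minutes apart; an upstream whose counter stays flat, like the Cloudflare entries above, is closing on Stubby's schedule rather than the server's.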
 
you can also add them via the stubby.add connection if it was necessary

Why? Just enter them through the webui.

[attachment: upload_2019-4-28_20-55-40.png]
 
CleanBrowsing works okay, you just have to configure them like their site says, with the right addresses. Quad 9 is okay, especially if there are servers near you. The main feature they lack is the QNAME minimization like Cloudflare has, which really helps its performance over the others.
 
The main feature they lack is the QNAME minimization like Cloudflare has, which really helps its performance over the others.

On the other hand, lack of EDNS support means Cloudflare can potentially degrade your overall network performance by pointing you at non-optimal CDN servers.

It's one of the reasons why, personally, after I'm done implementing and testing DoT, I intend to disable it, and go back to my ISP DNS.
 