[Beta] Asuswrt-Merlin 384.7 Beta is now available

Status
Not open for further replies.
Best way IMHO to test dnssec is to look at the flags you get from a dig response. You can use asuswrt.lostrealm.ca for testing - my domain is DNSSEC-signed. This is a working dnssec:

Code:
merlin@ubuntu-dev:~$ dig asuswrt.lostrealm.ca @8.8.8.8

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> asuswrt.lostrealm.ca @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 204
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;asuswrt.lostrealm.ca.        IN    A

;; ANSWER SECTION:
asuswrt.lostrealm.ca.    299    IN    A    72.55.186.51

;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 05 14:09:56 EDT 2018
;; MSG SIZE  rcvd: 65

This is a NON-working one:

Code:
merlin@ubuntu-dev:~$ dig asuswrt.lostrealm.ca @208.67.222.222

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> asuswrt.lostrealm.ca @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20738
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;asuswrt.lostrealm.ca.        IN    A

;; ANSWER SECTION:
asuswrt.lostrealm.ca.    300    IN    A    72.55.186.51

;; Query time: 15 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 05 14:08:37 EDT 2018
;; MSG SIZE  rcvd: 65

The difference is on the flags line. The "ad" flag indicates the reply was authenticated by dnssec.
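
As an added example (not part of the original post and not code from the Asuswrt-Merlin project), the flag check described above can be scripted: the hypothetical `dnssec_status` helper reads dig output on stdin and reports whether the "ad" flag is present. It goes slightly beyond the post by also classifying a SERVFAIL status, and the SERVFAIL sample header is constructed.

```sh
#!/bin/sh
# Classify dig output read on stdin (dnssec_status is a hypothetical helper):
#   validated      status NOERROR and the "ad" flag is set
#   not-validated  status NOERROR without "ad"
#   rejected       status SERVFAIL, the answer a validating resolver gives
#                  when the data fails DNSSEC validation
#   unknown        anything else, or no header found
dnssec_status() {
    awk '
        /->>HEADER<<-/ {
            # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 204"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # ";; flags: qr rd ra ad; QUERY: 1, ..." -> keep only "qr rd ra ad"
            flags = $0
            sub(/^;; flags: */, "", flags)
            sub(/;.*/, "", flags)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            seen = 1
        }
        END {
            if (!seen)                          print "unknown"
            else if (status == "SERVFAIL")      print "rejected"
            else if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR")       print "not-validated"
            else                                print "unknown"
        }'
}

# Header lines copied from the two dig runs in the post above.
SAMPLE_8888=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 204
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_208=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20738
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed sample: a SERVFAIL reply header.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live use: dig asuswrt.lostrealm.ca @8.8.8.8 | dnssec_status
printf '%s\n' "$SAMPLE_8888" | dnssec_status   # header from the @8.8.8.8 run
printf '%s\n' "$SAMPLE_208"  | dnssec_status   # header from the @208.67.222.222 run
```

The "ad" bit is set by the resolver that answered, so this shows what that resolver did with the reply, not any validation performed on the client itself.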
 
The difference is on the flags line. The "ad" flag indicates the reply was authenticated by dnssec.
Thank you sir, that answers my question!
 
All works good here on 384.7_beta3-gc44f112e3 :)
 
I just built new test releases with the latest dnsmasq changes. I don't want to go through a full beta cycle just for these, but I'd appreciate it if people could give them a test run. They should appear in https://asuswrt.lostrealm.ca/test-builds in the next couple of minutes.

Seems that dnsmasq is fine here.
I don't recall seeing these entries in the log. Not to say they weren't ever there, just that I don't recall them.

Code:
May  5 01:05:11 lldpd[914]: cannot get ethtool link information with GLINKSETTINGS (requires 4.9+): Operation not permitted
May  5 01:05:12 WAN_Connection: ISP's DHCP did not function properly.
May  5 01:05:13 rc_service: udhcpc 992:notify_rc start_firewall
May  5 01:05:13 wan: finish adding multi routes
May  5 01:05:14 rc_service: udhcpc 992:notify_rc stop_upnp
May  5 01:05:14 rc_service: waitting "start_firewall" via udhcpc ...
May  5 01:05:14 odhcp6c[994]: Failed to send DHCPV6 message to ff02::1:2 (Cannot assign requested address)
 
Is it possible to replace norton safeconnect's services with those of Cleanbrowsing?

Never heard about them. I will need to review to determine if they're worth it. For now I did add Quad9 to compensate for the loss of one option.
 
Does anyone know if the dig function is available on our routers through ssh? I get an error when I try the command. Apologies in advance if this is a noob question...still getting familiar with linux here..
 
Never heard about them. I will need to review to determine if they're worth it. For now I did add Quad9 to compensate for the loss of one option.
Symantec have retired their Norton DNS service and are actually recommending Neustar UltraDNS as an alternative (which is very good in my testing).
I am giving CleanBrowsing a go at the moment and am also very happy with their performance.
My recommendation would be twofold:
1) Add Cloudflare 1.1.1.1, Quad 9, Neustar Ultra DNS, CleanBrowsing to DNS presets.
2) Increase custom presets from 3 to say 5, and have the option to have the DNS IP to have a descriptive value such as the DNS service name.
You may find the following recent thread on Malwaretips interesting:
https://malwaretips.com/threads/phishing-protection — comparing-dns-security-filters.86412/
 

Everyone has their own favorite services, I don't want to make it a separate project on its own just having to manage and maintain a bunch of different services, because for instance it's a headache for me to deal with services being retired, like the Norton one. Therefore I try to limit it to only a few popular ones. Same reason why I do not provide an endless list of services for DDNS.

I see little point in adding even more custom settings. I fail to see why anyone would want to use more than three different services on their LAN in addition to the built-in ones already available. If you feel the need to use 4-5 different DNS providers, then you need to rethink your network.

Cloudflare isn't going to be added because it doesn't add anything to your security (same reason why I don't include Google or Level3's DNS servers). I only want to add services that provide enhanced security.
 
This is normal. ddns.cache is only used by the firmware itself, not by inadyn. Inadyn has its own cache in /tmp/inadyn.cache for determining if an IP needs to be updated or not.

Just updated to the new beta3-gc44f112e3 and now I see /tmp/inady.cache/xxxxxxx.xxxxx.se.cache
Now I realize it was a folder, inady.cache, I missed that. Now it contains my vpn1 IP number, which I use for the update configured with /jffs/configs/inadyn.conf.add
Where can I find my cached WAN IP number?
 
RMerlin, tell me, please, how far off is the new release 384.7?

Yesterday another beta 3 was released, which needs testing:
I just built new test releases with the latest dnsmasq changes. I don't want to go through a full beta cycle just for these, but I'd appreciate it if people could give them a test run. They should appear in https://asuswrt.lostrealm.ca/test-builds in the next couple of minutes.

It'll be a couple of days at most, if not sooner. When it's ready, this thread will be closed and a new Release thread for 384.7 will be created, so keep an eye on the main index.
 