DNS over TLS

jfjm

I apologize if this question is already answered, but I was not able to search for it as it was reported these were too common words.

Will Asuswrt-Merlin officially add the feature DNS over TLS? I saw multiple efforts that successfully add this feature, but they are either forks or install scripts.
 
I apologize if this question is already answered, but I was not able to search for it as it was reported these were too common words.

Will Asuswrt-Merlin officially add the feature DNS over TLS? I saw multiple efforts that successfully add this feature, but they are either forks or install scripts.

Probably not unless Asus implements it into the official releases.
 
I understand the primary goal of Asuswrt-Merlin is not about adding many features, but to enhance and fix some of the known issues and limitations. DNS over TLS feels like it falls under the latter category of known limitations...
 
I understand the primary goal of Asuswrt-Merlin is not about adding many features, but to enhance and fix some of the known issues and limitations. DNS over TLS feels like it falls under the latter category of known limitations...

Not our call to make. :)

We may both be pleasantly surprised by Eric though. But the options available are more than enough right now. ;)
 
I understand the primary goal of Asuswrt-Merlin is not about adding many features, but to enhance and fix some of the known issues and limitations. DNS over TLS feels like it falls under the latter category of known limitations...

Adding DOT is definitely out of scope of the Asuswrt-merlin project, but I agree with you: ASUS should get on to releasing this feature to stock firmware because even GL-iNet routers (running open-wrt) now support DOT out-of-the-box (and wireguard, just for the record). Alas, let's at least be happy stubby is a very good option for us right now; stable and well maintained. Early adopters should use it. AMTM makes it fast and simple to do that. Jump on board with the rest of us! Let's just not hassle Merlin about adding DOT because it really is a job for ASUS.

 
DoT is included in John's fork... Works quite well with no scripts or USB drive needed!

 
pfSense is another firmware that has it dialed in. I just had to add the code:

Code:
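server:
# Forward every query (zone ".") to Cloudflare over TLS on port 853.
forward-zone:
    name: "."
    # forward-ssl-upstream is the alternate spelling of forward-tls-upstream
    forward-ssl-upstream: yes
    # No "#name" suffix on the addresses: Unbound accepts any certificate name.
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853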

In the Custom Options box on the DNS Resolver (aka Unbound) gui.

Yes, Asus needs to add this feature to their GUI.

But one of the forum members wrote an installer script to assist users with the setup until Asus catches up with the rest of the world. :D
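
A check for the forwarding stanza in this post, added here as an example and not part of the original post, pfSense or Unbound. Unbound authenticates a TLS forwarder only when a CA source is configured and the `forward-addr` carries a `#name` suffix, so this Python flags stanzas that lack either; it examines per-zone TLS settings only, not a global `tls-upstream`. The function name, the sample configs and the bundle path are constructed; `cloudflare-dns.com` is Cloudflare's published DoT hostname.

```python
import re

TLS_KEYS = {"forward-tls-upstream", "forward-ssl-upstream"}  # second is the alternate spelling
CA_KEYS = {"tls-cert-bundle", "ssl-cert-bundle", "tls-system-cert", "tls-win-cert"}

def audit_unbound_forwarders(conf_text):
    """Return (zone, forward_addr_or_None, issue) tuples for forward-zones that
    query upstream in cleartext or over TLS without authenticating the server."""
    have_ca, zones, zone = False, [], None
    for raw in conf_text.splitlines():
        # '#' opens a comment only at line start or after whitespace; inside a
        # forward-addr value it introduces the TLS authentication name.
        line = re.sub(r"(^|\s)#.*", "", raw)
        m = re.match(r"\s*([\w-]+):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, rawval = m.groups()
        val = rawval.strip('"')
        if rawval == "":  # clause header such as server: or forward-zone:
            zone = None
            if key == "forward-zone":
                zone = {"name": "?", "tls": False, "addrs": []}
                zones.append(zone)
        elif key in CA_KEYS:
            have_ca = have_ca or val not in ("", "no")
        elif zone is None:
            continue
        elif key == "name":
            zone["name"] = val
        elif key in TLS_KEYS:
            zone["tls"] = val == "yes"
        elif key == "forward-addr":
            zone["addrs"].append(val)
    findings = []
    for z in zones:
        if not z["tls"]:
            findings += [(z["name"], a, "cleartext") for a in z["addrs"]]
            continue
        if not have_ca:  # no trust anchors: the certificate chain is not verified
            findings.append((z["name"], None, "no-ca-bundle"))
        findings += [(z["name"], a, "no-auth-name") for a in z["addrs"] if "#" not in a]
    return findings

# Constructed samples: the stanza as posted, then an authenticated variant.
POSTED = ('server:\nforward-zone:\n  name: "."\n  forward-ssl-upstream: yes\n'
          '  forward-addr: 1.1.1.1@853\n  forward-addr: 1.0.0.1@853\n')
AUTHENTICATED = (POSTED
    .replace("server:", 'server:\n  tls-cert-bundle: "/path/to/ca.crt"  # placeholder', 1)
    .replace("@853", "@853#cloudflare-dns.com"))
```

An empty result for `AUTHENTICATED` means every forwarder has both a CA source and an authentication name; the posted stanza yields one `no-ca-bundle` finding and one `no-auth-name` finding per address.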
 
No decision yet, waiting for the technology to mature a bit more before taking a look at it.
 
No decision yet, waiting for the technology to mature a bit more before taking a look at it.
It would be so nice to have a built in solution. I love Stubby but built in would be nice!! ;):)
 
I applaud OpenWRT for adding the DNS over TLS feature to their firmware. But one still needs to SSH into the router to customize the settings. @john9527 went all out and added other options in the GUI to customize things like DNSSEC and the ability to select other DNS over TLS providers.

 
I applaud OpenWRT for adding the DNS over TLS feature to their firmware. But one still needs to SSH into the router to customize the settings. @john9527 went all out and added other options in the GUI to customize things like DNSSEC and the ability to select other DNS over TLS providers.

Very Nice!! ;):)
 
I have been using my GL.iNet AR300M travel router the past several weeks while on my current road trip. This was a good discussion as it prompted me that I needed to add the "proxy-dnssec" setting in dnsmasq (bottom of code snip). dnsmasq configs use slightly different syntax on OpenWRT when compared to Asuswrt-Merlin.

/etc/config/dhcp:
Code:
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option localservice '1'
    option filterwin2k '1'
    option strictorder '1'
    list addnhosts '/tmp/adblock_hosts'
    option rebind_protection '1'
    option resolvfile '/tmp/resolv.conf.auto'
    option serversfile '/tmp/adb_list.overall'
    option noresolv '1'
    list server '127.0.0.1#53535'
    # UCI name for dnsmasq's --proxy-dnssec flag
    option proxydnssec '1'
<snip>

And after making changes, bounce dnsmasq:
Code:
killall dnsmasq
/etc/init.d/dnsmasq start
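
A check for the forwarding setup in this post, added here as an example and not part of the original post or of OpenWrt. The dnsmasq man page notes that `--proxy-dnssec` depends on the security of the path to the upstream servers, so this Python flags any upstream that is not loopback-only. It assumes the listener on `127.0.0.1#53535` is the local DoT stub and that the UCI option is spelled `proxydnssec`; the function name and sample configs (with a documentation-range address) are constructed.

```python
import ipaddress
import shlex

def audit_dnsmasq_uci(uci_text):
    """Return issue codes for the first 'config dnsmasq' section of an
    OpenWrt /etc/config/dhcp file."""
    opts, servers, inside = {}, [], False
    for raw in uci_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        try:
            tok = shlex.split(raw)  # handles UCI's single/double quoting
        except ValueError:          # unbalanced quote: not a line we can judge
            continue
        if tok[:1] == ["config"]:
            if inside:
                break               # the dnsmasq section has ended
            inside = tok[1:2] == ["dnsmasq"]
        elif inside and len(tok) == 3 and tok[0] == "option":
            opts[tok[1]] = tok[2]
        elif inside and len(tok) == 3 and tok[:2] == ["list", "server"]:
            servers.append(tok[2])
    issues = []
    if opts.get("noresolv") != "1":
        # dnsmasq also forwards to the resolvers listed in resolvfile
        issues.append("resolvfile-upstreams")
    for entry in servers:
        host = entry.rsplit("/", 1)[-1].split("#", 1)[0]  # drop /domain/ and #port
        try:
            local = host == "" or ipaddress.ip_address(host).is_loopback
        except ValueError:
            local = False
        if not local:
            issues.append("remote-upstream:" + entry)
    if issues and opts.get("proxydnssec") == "1":
        # the AD bit would be relayed from a path that is not loopback-only
        issues.append("ad-bit-untrusted")
    return issues

# Constructed samples, trimmed to the options that matter for this check.
LOOPBACK_ONLY = """config dnsmasq
    option noresolv '1'
    list server '127.0.0.1#53535'
    option proxydnssec '1'
"""
LEAKY = LOOPBACK_ONLY.replace("option noresolv '1'", "list server '192.0.2.53'")
```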
 
No decision yet, waiting for the technology to mature a bit more before taking a look at it.
I for one applaud this approach. I'm attracted to your firmware precisely because you are very conservative in adding new features. One or two DNS providers having DoT doesn't really seem worth the hassle to you to add it just yet. Time will tell if it's going to be more than a niche utility. Yes, I use it, but I also have a stratum 1 time server on my home network, so I'm hardly an "average" user.
 
I also really like the approach Merlin took, so this firmware is really close to stock and only addresses issues and limitations. With that said, DNS over TLS is picking up steam. Cloudflare, Google, Quad9 and some smaller public DNS providers are already supporting it. PowerDNS also added that support. Android Pie has this built-in as a client. Granted, this is a niche feature for the "average" user, but I suspect it is in much higher demand for people that flash router firmware.
 
I apologize if this question is already answered, but I was not able to search for it as it was reported these were too common words.

Will Asuswrt-Merlin officially add the feature DNS over TLS? I saw multiple efforts that successfully add this feature, but they are either forks or install scripts.

Actually I was searching for the same thing. Don't know why DOT isn't supported since 1.1.1.1 is actually good and dnscrypt-proxy via entware breaks sometimes.
@RMerlin can you help?

Thanks
 
I'm loving that people are asking and implementing this in increasing numbers of late, but I'm choosing for the time being to implement it on individual devices/machines as necessary.
The Cloudflare 1.1.1.1 app (which lets you choose between DoT or DoH), which seems to be positioning itself to become a paid service with the announcement of Warp - they're implementing a WireGuard VPN as well - works well on my phone, as does stubby on my desktop.
If I had my way, having tried both DoT and WireGuard, I'd love to see them in Merlin without having to resort to scripts. But while we're scripting and letting Merlin and Asus dance, I'd like to suggest to the devs like @Jack Yaz and @thelonelycoder that the next addition to amtm be WireGuard implementation options, both client and server, like we have for OpenVPN. Or, better, the option to join the Hyperboria (or maybe a Merlin?) meshnet via cjdns, now that most current Asus routers can handle it.

https://www.snbforums.com/threads/experimental-wireguard-for-rt-ac86u.46164/

https://docs.meshwith.me/meshlocals/diy.html
 