DNS over TLS

Darren Rockach

Regular Contributor
Hi,
I've just installed firmware 384.11 on my AX88 and have configured DNS over TLS using both the google servers, 8.8.8.8 and 8.8.4.4.
Is there any way to test this to make sure it's working correctly?
I've tried running tcpdump filtering for tcp port 853 and udp 53 against interface br0 and also eth0.
When run against interface br0 I only see standard udp DNS and nothing at all on eth0.

Any guidance would be much appreciated.

Oh and yes the upgrade from 384.10 went very smoothly on both my AC87 and AX88 so many thanks to RMerlin for more great work.

Thanks in advance.
 

How I do it (I’m no expert, so might be incorrect):

Go to Network Tools, then Netstat. Select TCP sockets & Don't Resolve Names.
Under the Foreign Address column, you should see your DNS server/s suffixed with “:853”.
Eg. 1.1.1.1:853
 
Excellent, many thanks for that. Works a treat.
DNS over TLS confirmed to be working for me using the google DNS servers.
 
tcpdump must be checked on eth0, as the clients on br0 will still be using 53. The router is the one that generates the port 853 requests.
 
My interface is listed as br1. If I do a tcpdump on br1 for port 53 and port 853 in separate windows, I see all the traffic going to 853. If I do a tcpdump on br0 on port 53, am I seeing local traffic here? Is this the traffic that gets caught by DNSFilter and sent out through br1 port 853 in my instance here?
 
Code:
tcpdump -ni eth0 -p port 53 or port 853
Is the command you want to use
Port 853 is DoT traffic
Port 53 is regular traffic
 

br1 should not be a WAN interface, unless you have a rather weird configuration (br = bridge).

Code:
nvram get wan0_ifname

br0 is local traffic, yes. Br0 is the network bridge that contains the Ethernet ports + wifi interfaces. It's basically your router's LAN interface.
 
Yeah, I am with Merlin on this one: br0 would show the communication going from the router to devices on the LAN side, whereas eth0 would show the communication going from the router to the internet (it would show what devices are making the request as well).
 
When I run this command I get this:
Code:
 nvram get wan0_ifname
br1
I use the IPTV VLAN configuration to get a DHCP address from my ISP (fibre connection with no modem). The VLAN I use is "vlan1000" and prio is "0". When I watch Skynet launch it shows br1 as my interface. Is this a problem I should be worried about, or? Thanks for the help.
 
The above info is the only way I can get a public-facing address by DHCP from my ISP; if I use a modem bridged it fails to receive an address, and if I use the modem as a modem/router I get the double NAT problem. Hope this helps explain my predicament.
 
This might be customary for you because of how you get internet
 
This configuration seems pretty stable so far. I only have the one issue. That being IPTV settings get loaded very late in the router's startup, so no IP for a long long time in the startup.
 
Kudos to you for being a patient one. Me, I hardly have enough patience to wait to log in after a reboot.
 
Yeah it's either this or a private IP on the router. I'm kind of regretting giving up my static IP now. I got rid of it to simplify things and now I am right back into complexity. LOL! :D
 
I just checked with this command:
tcpdump -ni eth0 -p port 53 or port 853

and get the following: (my IP removed)

14:38:17.119292 IP > 1.1.1.1.853: Flags [P.], seq 37240:37392, ack 72980, win 1592, length 152
14:38:17.132226 IP 1.1.1.1.853 > : Flags [P.], seq 72980:73132, ack 37392, win 198, length 152
14:38:17.132310 IP > 1.1.1.1.853: Flags [.], ack 73132, win 1592, length 0
14:38:19.770204 IP > 162.253.220.20.53: 23778+ A? rsyslog.ooma.com. (34)
14:38:19.770326 IP > 208.83.246.21.53: 23778+ A? rsyslog.ooma.com. (34)
14:38:19.781075 IP > 208.83.246.20.53: 23778+ A? rsyslog.ooma.com. (34)
14:38:19.781914 IP > 162.253.220.20.53: 49818+ AAAA? rsyslog.ooma.com. (34)
14:38:19.782052 IP > 208.83.246.21.53: 49818+ AAAA? rsyslog.ooma.com. (34)
14:38:19.782655 IP > 208.83.246.20.53: 49818+ AAAA? rsyslog.ooma.com. (34)

Does this mean it's not working correctly for ooma.com since it shows Ooma.com on port 53?
 

Out of curiosity, mind posting the output of
Code:
brctl show
:p
 
Does this mean it's not working correctly for ooma.com since it shows Ooma.com on port 53?
It means you do not have DNSFilter enabled in Global Filter Mode Router
 
Do I choose 'Router' in Global Filter Mode? I assume this will use DoT as configured under WAN. No need to enter custom DNS servers?
 
Do I choose 'Router' in Global Filter Mode?
Yes
I assume this will use DoT as configured under WAN. No need to enter custom DNS servers?
It redirects DNS requests to the router's dnsmasq. No need for custom DNS servers because I want all LAN client DNS traffic cached by the router and filtered by Diversion.
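A way to summarise a WAN-side capture like the one posted above, as an added example that is not from the thread or the firmware: it splits outbound queries into DoT (tcp/853 to the forwarder's resolver) and plaintext (udp/53, which is what DNSFilter in Router mode is meant to redirect back to dnsmasq). The sample lines and IPs are constructed; `classify_dns` and `plaintext_count` are hypothetical helper names.

```shell
#!/bin/sh
# Classify WAN-side DNS traffic captured with "tcpdump -n" into DoT (dst port 853)
# versus plaintext (dst port 53). Added example, not from the thread; assumes the
# default tcpdump -n line format shown in the posts above.

# Constructed sample in tcpdump -n format (router IP 192.0.2.10 is made up).
SAMPLE='14:38:17.119292 IP 192.0.2.10.51234 > 1.1.1.1.853: Flags [P.], seq 37240:37392, ack 72980, win 1592, length 152
14:38:17.132226 IP 1.1.1.1.853 > 192.0.2.10.51234: Flags [P.], seq 72980:73132, ack 37392, win 198, length 152
14:38:19.770204 IP 192.0.2.10.44512 > 162.253.220.20.53: 23778+ A? rsyslog.ooma.com. (34)
14:38:19.781914 IP 192.0.2.10.44513 > 208.83.246.21.53: 49818+ AAAA? rsyslog.ooma.com. (34)'

# classify_dns: read tcpdump lines on stdin, print one line per destination
# resolver as "<KIND> <resolver-ip> <count>" with KIND = DOT or PLAIN.
# Only outbound packets to port 853 or 53 are counted; replies are skipped.
classify_dns() {
  awk '
    $2 == "IP" && $3 ~ /^[0-9.]+$/ && $4 == ">" {
      dst = $5; sub(/:$/, "", dst)              # "1.1.1.1.853:" -> "1.1.1.1.853"
      n = split(dst, p, ".")
      if (n != 5) next                          # IPv4 address + port only
      port = p[5]; ip = p[1] "." p[2] "." p[3] "." p[4]
      if (port == "853") dot[ip]++
      else if (port == "53") plain[ip]++
    }
    END {
      for (ip in dot)   printf "DOT %s %d\n", ip, dot[ip]
      for (ip in plain) printf "PLAIN %s %d\n", ip, plain[ip]
    }' | sort
}

# plaintext_count: total outbound plaintext queries in SAMPLE. Anything above
# zero means a client (or the router itself) bypassed the DoT forwarder.
plaintext_count() {
  printf '%s\n' "$SAMPLE" | classify_dns | awk '$1 == "PLAIN" { s += $3 } END { print s + 0 }'
}

# Live use on the router, WAN interface taken from nvram as in the thread
# (-c stops the capture so awk reaches its END block):
#   tcpdump -nli "$(nvram get wan0_ifname)" -p -c 200 port 53 or port 853 | classify_dns
```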
 