SMS786
Senior Member
How does one access this debug info?
This debug doesn't work for me.
Resolved: I turned off dnssec and rebind protection. The test works!
This debug doesn't work for me.
DNSleaktest shows no leaks
Config I'm sure is like described
Cannot figure this out
Thank you for the great tutorial!!
Do not use Cloudflare DNS for now, use another DNS server, read my post:
https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-53#post-420342
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
DNS Leak and Spoofability Test:
DNSSEC Test:
DNSSEC validation: (v384.6 or Newer)
- Check in the System Log -> General Log that this message does not appear:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
DNSCrypt encrypted Test:
Only the ISP knows the answer
01. DNSSEC validation by dnsmasq Test: (needs firmware v384.6 or newer for the test)
LAN -> DHCP Server:
- Enable DNSSEC support: Yes
- Enable DNS Rebind protection: Yes
- After enabling both, you have to click Apply.
This message must not appear in the System Log, after doing the test or when surfing the Web:
- Now you have to do this Test: https://rootcanary.org/test.html
(If this message appears, or Network Map -> Internet status shows Disconnected, or the internet does not work, it means that your DNS server does not have full support for DNSSEC.)
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
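As an added example (not code from the thread or from the DNSCrypt installer), the script below puts the check described in steps above into shell form: it counts the dnsmasq "Insecure DS reply received" warnings in the log, and with `--live` it asks the router's dnsmasq for a signed domain (expecting the AD flag) and for a domain with a deliberately broken signature (expecting SERVFAIL). The syslog path, the `dig` dependency and the two test domain names are my assumptions, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: script form of the DNSSEC check the tutorial describes.
# Assumed (mine): the syslog path, `dig` being installed (e.g. via Entware), and the two test
# domains, one validly signed and one with a deliberately broken signature.
SYSLOG="${SYSLOG:-/tmp/syslog.log}"
RESOLVER="${RESOLVER:-127.0.0.1}"                 # dnsmasq on the router itself
GOOD_DOMAIN="${GOOD_DOMAIN:-rootcanary.org}"      # assumed: validly signed zone
BAD_DOMAIN="${BAD_DOMAIN:-dnssec-failed.org}"     # assumed: zone with a broken signature
# Constructed sample log: two warnings and one ordinary query line.
SAMPLE_LOG='Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:21:50 dnsmasq[13607]: query[A] rootcanary.org from 192.168.1.10
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?'

# stdin: log text; stdout: number of "Insecure DS reply" warnings (0 when none).
count_insecure_ds() {
  grep -c 'Insecure DS reply received' || true
}

# stdin: dig output; succeeds if the flags line carries AD (Authenticated Data).
dig_has_ad() {
  grep -q '^;; flags:.* ad[ ;]'
}
# stdin: dig output; succeeds on SERVFAIL, which is what a validating resolver
# must return for a zone whose signatures do not verify.
dig_is_servfail() {
  grep -q '^;; ->>HEADER<<-.*status: SERVFAIL'
}

# Live check against the router; returns non-zero if any warning was logged.
live_check() {
  n=$(cat "$SYSLOG" 2>/dev/null | count_insecure_ds)
  echo "Insecure DS warnings in $SYSLOG: $n"
  if dig +dnssec @"$RESOLVER" "$GOOD_DOMAIN" A | dig_has_ad; then
    echo "OK   $GOOD_DOMAIN validated (AD flag set)"
  else
    echo "FAIL $GOOD_DOMAIN answered without AD: upstream may not serve DNSSEC records"
  fi
  if dig +dnssec @"$RESOLVER" "$BAD_DOMAIN" A | dig_is_servfail; then
    echo "OK   $BAD_DOMAIN rejected with SERVFAIL: validation is enforced"
  else
    echo "FAIL $BAD_DOMAIN was answered: validation is NOT enforced"
  fi
  [ "$n" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then
  live_check
else
  echo "Warnings in constructed sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_insecure_ds)"
fi
```

Run it as `sh dnssec-check.sh --live` on the router over SSH; without the flag it only exercises the log parser on the constructed sample.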
This is totally awesome!
For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or newer, this message will appear in the log:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
If you restart the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, the internet does not work. That happens because:
I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe they will fix it in the future); this DNS server does not have full support for DNSSEC.
I also recommend this:
01. LAN -> DHCP Server:
- Enable DNSSEC support: Yes
- Enable DNS Rebind protection: Yes
02. WAN:
- Connect to DNS Server automatically: No
- DNS Server1: 8.8.8.8 (because this DNS server has full support for DNSSEC)
- DNS Server2: 8.8.4.4 (because this DNS server has full support for DNSSEC)
03. Administration -> System:
- Use an IP address for the NTP server instead of the domain name, as @snakebite3 recommends and teaches. Example:
04. In DNSCrypt v2 these are the only DNS servers that support DoH, and two of them (aaflalo-me and cloudflare) do not have full support for DNSSEC for now; I recommend using a DNS server other than these two. (I tested them one by one with DNSSEC enabled; the DNS servers that had less than 200 ping worked without problems.)
05. When you install DNSCrypt and select a DNS server manually, afterwards it will ask you for a DNS server for initializing dnscrypt-proxy and router services; use 8.8.8.8 (full support for DNSSEC). [Do not use 1.1.1.1]
06. Set the timezone in DNSCrypt after you have finished selecting the DNS server:
Thanks to @RMerlin @snakebite3 @pattiri and @XIII
There is NO problem with cloudflare !!!
Is anyone in contact with Cloudflare to help fix this? They claim to support DNSSEC so I would think they would have interest in ironing this out.
Has anyone tried without DNScrypt in the middle to isolate the issue?
I’d investigate, but can only reach CF via IPv6 which introduces a whole host of caveats to troubleshooting.
There is NO problem with cloudflare !!!
Any recommended NON LOGGING DNS servers other than Google?
There is not a reproducible problem with cloudflare that *everyone* can replicate AFAIK.
With DNSSEC & DNS rebind protection both turned on, I had random problems with only some sites being unreachable. Not many, just some.
Both with, & without dnscrypt.
Removed dnscrypt, replaced Cloudflare with Quad9 & all is fixed. (DNSSEC & dns rebind protection still turned on).
There is not a reproducible problem with cloudflare that *everyone* can replicate AFAIK.
I am simply countering the 'cloudflare is broken ..... do not touch' message, of late, which is unfair as not everyone is having a problem.
I would suggest 1st try it (cloudflare) and see if there is a problem for you !!!
I am sure I am not the only one who is not having any issues using cloudflare.
I just feel it is a bit quick to tell everyone to avoid cloudflare when it might be a local problem or something else altogether.
(Note: You are in Australia and I am in the UK, so different points of access to cloudflare and most other DNS providers, so not dealing with like for like.)