Menu
What's new
By:
Filters Better Search

DoT w/ DNSSEC

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

V

Volfi

Regular Contributor
When I try to use DoT with DNSSEC, https://1.1.1.1/help reports I am not using DoT.
Switching off DNSSEC makes DoT test as "ON".
Did not dig deeper, but is this test error, my setup error, or firmware error / feature?

dns.png
 
From RMerl's website wiki:
NOTE: There is currently an issue with the popular DoT/DoH test site provided by Cloudflare where it will fail to use properly signed DNSSEC hostnames during the test, causing the test to fail to correctly detect that you are using DoT. This does not indicate that your setup doesn't work, and is something that will hopefully eventually be fixed by Cloudflare. You can avoid this by temporarily disabling validation of unsigned records, however it is recommended to re-enable that option afterward.
Click to expand...
 
Thank you, so my config is correct and I shall continue using it, right?
 
Volfi said:
Thank you, so my config is correct and I shall continue using it, right?
Click to expand...
If you want to make sure your configuration is working use tcpdump on your SSH console to follow your connection:

Code: 
tcpdump -ni eth0 -p port 53 or port 853

All secure connections should be made using port 853. Your log should look like this:
Code: 
13:15:30.647085 IP Your.IP.Address.48415 > 1.1.1.2.853: Flags [P.], seq 1:275, ack 1, win 229, length 274
13:15:30.664337 IP 1.1.1.2.853 > Your.IP.Address.48415: Flags [.], ack 275, win 66, length 0
13:15:30.667557 IP 1.1.1.2.853 > Your.IP.Address.48415: Flags [.], seq 1:1461, ack 275, win 66, length 1460
13:15:30.667610 IP Your.IP.Address.48415 > 1.1.1.2.853: Flags [.], ack 1461, win 251, length 0

You can install tcpdump with the following command:

Code: 
opkg install tcpdump
 
Mutzli said:
If you want to make sure your configuration is working use tcpdump on your SSH console to follow your connection:

Code: 
tcpdump -ni eth0 -p port 53 or port 853

All secure connections should be made using port 853. Your log should look like this:
Code: 
13:15:30.647085 IP Your.IP.Address.48415 > 1.1.1.2.853: Flags [P.], seq 1:275, ack 1, win 229, length 274
13:15:30.664337 IP 1.1.1.2.853 > Your.IP.Address.48415: Flags [.], ack 275, win 66, length 0
13:15:30.667557 IP 1.1.1.2.853 > Your.IP.Address.48415: Flags [.], seq 1:1461, ack 275, win 66, length 1460
13:15:30.667610 IP Your.IP.Address.48415 > 1.1.1.2.853: Flags [.], ack 1461, win 251, length 0

You can install tcpdump with the following command:

Code: 
opkg install tcpdump
Click to expand...
Still does not test DNSSEC. Use Dig to do that.
 
You must log in or register to reply here.

Similar threads

G
DNS Hijack?
Replies
2
Views
799
GoldWing
G
Preskitt.man
DNS Issue?? AX5800 Pro Issue??
Replies
2
Views
283
bbunge
bbunge
RMerlin
  • Locked
Beta Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90)
4 5 6
Replies
102
Views
17K
RMerlin
RMerlin
url004
NXDOMAIN on server but the router can resolve queries
Replies
1
Views
465
url004
url004
Intrepid
DNSSEC DNS on RT-AX86U Pro causing some websites not to load properly
2 3
Replies
59
Views
3K
Tech9
Tech9
Similar threads
Thread starter Title Forum Replies Date
L Suggestion: DNS Director, add optional compatibility with DOT Asuswrt-Merlin 2
T Using DOT DNS breaks ECS Asuswrt-Merlin 9
RMerlin CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled Asuswrt-Merlin 30

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 921 (members: 40, guests: 881)
Top