[Fork] Asuswrt-Merlin 374.43 LTS - DNS over TLS Beta - CLOSED

[underdose]

I've just switched over from Asuswrt-Merlin 380.70 to TLS-B6 fork of yours and this is the result:

Thanks a lot!

 

[john9527]

I've just switched over from Asuswrt-Merlin 380.70 to TLS-B6 fork of yours and this is the result:

Thanks a lot!

Are you running a browser where you turned on DoH? Nothing I did supports that

 

[john9527]

Any brave volunteer tried the N16? Would like to get verification there prior to making this a general release. Thanks!

 

[underdose]

Are you running a browser where you turned on DoH? Nothing I did supports that

I know your fork doesn't support DoH (yet) I've set Firefox to use DoH for extra privacy/security.

 

[john9527]

I know your fork doesn't suppoer DoH (yet) I've set Firefox to use DoH for extra privacy/security.

Thanks for confirming that.....just wanted to double check

 

[blueshark]

finally installed on mine [emoji4] thanks John.

edit: how to check if DoT is working

 

[joe a]

Hmm. I'm noticing one more thing in the log I'm curious about:

"stubby-proxy: configured no-TLS mode"

 

[john9527]

Hmm. I'm noticing one more thing in the log I'm curious about:

"stubby-proxy: configured no-TLS mode"

Sharp eye When you are booting the router and the clock hasn't been set yet, you can't use TLS. So stubby first starts in normal TCP/UDP mode to allow you to resolve your NTP server, then is restarted in TLS "strict' mode when the clock is set.

 

[bbunge]

RT-AC66U_B1 When i set just WAN DNS servers without selecting DNSSEC it still asks to set a DoT server.

Sent from my P01M using Tapatalk

 

[john9527]

RT-AC66U_B1 When i set just WAN DNS servers without selecting DNSSEC it still asks to set a DoT server.

Sent from my P01M using Tapatalk

Thanks for the report! Fix written

b7c5000dc webui: do not force stubby server selection if stubby not enabled

Workaroumd....
Enable DoT
Make sure at least one DoT server is selected
Disable DoT

Change any other settings, then click Apply

 

[JWoo]

I invested some time in this. I started from scratch as if baking biscuits and cleared NVRAM. As I was setting up the router on 374.43_34B6j9527 from scratch I checked the log after each change, and with a clean NVRAM I do not get the log message about "syslog: password for 'admin' changed". So seems like no problemo. Thanks John for making kick butt software!

 

[john9527]

finally installed on mine

thanks John.

edit: how to check if DoT is working

Easiest way.....the cloudfare test site works with any server
Turn off dnssec (the cloudflare test site doesn't like dnssec)
go to https://cloudflare-dns.com/help/
Turn on dnssec...to test
got to https://dnssec.vs.uni-due.de/

 

[john9527]

I invested some time in this. I started from scratch as if baking biscuits and cleared NVRAM. As I was setting up the router on 374.43_34B6j9527 from scratch I checked the log after each change, and with a clean NVRAM I do not get the log message about "syslog: password for 'admin' changed". So seems like no problemo. Thanks John for making kick butt software!

Thanks for the feedback and effort you put in....would still like to figure it out
Any chance at some point that you may have used a password that was longer than 16 characters? Do you use a password manager in your browser?

 

[soeren]

I kept an eye on https://github.com/getdnsapi/stubby/issues/124 as you were working on it. I am so impressed with the time and effort you put into adding features and making this firmware work for all of us. Thanks a lot! I just updated to B6, and it works as expected.

 

[john9527]

I kept an eye on https://github.com/getdnsapi/stubby/issues/124 as you were working on it. I am so impressed with the time and effort you put into adding features and making this firmware work for all of us. Thanks a lot! I just updated to B6, and it works as expected.

Thanks for the kind words. Things like this become like a 'quest' for me I have a hard time admitting defeat when I think I should be able to find an answer.

 

[bbunge]

Thanks for the report! Fix written

b7c5000dc webui: do not force stubby server selection if stubby not enabled

Workaroumd....
Enable DoT
Make sure at least one DoT server is selected
Disable DoT

Change any other settings, then click Apply

Do not need the workaround as I am using the DoT with Quad9 and DNSSEC. Am questioning my use of only one server. Chose Quad9 for the supposed malware blocking but would entertain comments on this approach and recommendations from the crew...
With this I am back to Asus from a WRT1900AC with Openwrt. Was not entirely pleased with Openwrt.

Sent from my P01M using Tapatalk

 

[jrmwvu04]

Do not need the workaround as I am using the DoT with Quad9 and DNSSEC. Am questioning my use of only one server. Chose Quad9 for the supposed malware blocking but would entertain comments on this approach and recommendations from the crew...

I’ve also been using that exact setup for the duration of the DoT betas. I tend to try to keep things simple and that setup has worked without issue so far.

 

[john9527]

Do not need the workaround as I am using the DoT with Quad9 and DNSSEC. Am questioning my use of only one server. Chose Quad9 for the supposed malware blocking but would entertain comments on this approach and recommendations from the crew...
With this I am back to Asus from a WRT1900AC with Openwrt. Was not entirely pleased with Openwrt.

Sent from my P01M using Tapatalk

If you are using a server from one of the 'big' guys, in general you should be OK since they have redundant servers automatically.
If you are concerned, you can switch to ordered mode and select the servers in the order you want them accessed. Then you will always try your first selected server first, and only go to the next server in the event of a failure. (This is how I'm set up with two servers selected).

 

[bbunge]

John, is it possible to configure a second Quad9 server in stubby?
149.112.112.112:853
2620:fe::9:853

Edit: There are Quad9 secure and insecure servers listed in the latest stubby config:
https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example
I feel including all the Quad9 servers would give more options to the DoT as Quad9 does use DNSSEC.

Oh, this Beta is working well for me and it is fun to have something new that works to learn!

 

[JWoo]

Hi John. Spoke too soon. I am still getting the "syslog: password for 'admin' changed" message when I have DoT configured. I have played around with killing processes and starting them up manually to replicate this (it is not my browser as the log messages are happening during the boot cycle for the router). I killed haveged (random number generator) manually and started it manually and no dice; cannot replicate. I have to be surprised if I am the only one seeing this as it is happening during the boot cycle and I don't have any crazy configuration whatsoever. Please check your log files colleagues and let's see why this message is happening!

Dec 31 18:00:30 stop_nat_rules: apply the redirect_rules!
Dec 31 18:00:30 stop_nat_rules: (/tmp/redirect_rules) success!
Dec 31 18:00:30 WAN_Connection: ISP's DHCP did not function properly.
Dec 31 18:00:30 haveged: haveged starting up
Dec 31 18:00:30 syslog: password for 'admin' changed
Dec 31 18:00:30 stubby-proxy: configured no-TLS mode
Dec 31 18:00:30 stubby-proxy: configured server 'Cloudflare' at address 1.1.1.1:853
Dec 31 18:00:30 stubby-proxy: configured server 'Cloudflare_alt' at address 1.0.0.1:853
Dec 31 18:00:30 stubby-proxy: configured server 'Quad 9' at address 9.9.9.9:853
Dec 31 18:00:32 stubby-proxy: start stubby (0)

Processes in and around haveged

PID USER VSZ STAT COMMAND
1 admin 2312 S /sbin/preinit
2 admin 0 SW [kthreadd]
3 admin 0 SW [ksoftirqd/0]
4 admin 0 SW [kworker/0:0]
5 admin 0 SW [kworker/u:0]
6 admin 0 SW [migration/0]
7 admin 0 SW [migration/1]
8 admin 0 SW [kworker/1:0]
9 admin 0 SW [ksoftirqd/1]
10 admin 0 SW< [khelper]
11 admin 0 SW [kworker/u:1]
57 admin 0 SW [sync_supers]
59 admin 0 SW [bdi-default]
60 admin 0 SW< [kblockd]
114 admin 0 SW [kswapd0]
161 admin 0 SW [fsnotify_mark]
169 admin 0 SW< [crypto]
241 admin 0 SW [mtdblock0]
246 admin 0 SW [mtdblock1]
251 admin 0 SW [mtdblock2]
256 admin 0 SW [mtdblock3]
282 admin 0 SW [kworker/0:1]
283 admin 0 SW [kworker/1:1]
286 admin 0 SW [mtdblock4]
291 admin 0 SW [mtdblock5]
295 admin 664 S hotplug2 --persistent --no-coldplug
342 admin 2300 S console
345 admin 1420 S /bin/sh
351 admin 0 SWN [jffs2_gcd_mtd4]
360 admin 1412 S syslogd -m 0 -O /tmp/syslog.log -S -s 256 -l 8
363 admin 1412 S /sbin/klogd
365 admin 0 SW [khubd]
479 admin 0 SW< [usbhid_resumer]
575 admin 2308 S /sbin/wanduck
579 admin 6536 S /usr/sbin/haveged -r0 -d32 -i32 -w2048
580 admin 1312 S protect_srv