[Fork] Asuswrt-Merlin 374.43 LTS - DNS over TLS Beta - CLOSED

Status
Not open for further replies.
The cause seems like the DNS Rebind Protection. When it's set to YES, Web UI can't fetch connection status.
Try making a /jffs/configs/dnsmasq.conf.add with the following line (or add it to your existing add file)

rebind-localhost-ok


I add that option when using DoT, but maybe it's affecting rebind in general.
 
I think the info I gave previously is not 100% accurate, at least after a reboot. Enabling DNS Rebind protection and hitting Apply causes a "Disconnected" status, but a reboot fixes it.

I enabled Strict mode after enabling rebind protection, hit Apply one more time, rebooted and everything seems fine for now except I got locked out of Web UI till I delete cookies for 192.168.1.1
 
On 34B6. I have DNSSEC and DNS rebind protection disabled and I am using Cloudflare and Quad 9 for DNS over TLS. Performance seems very good. CPU load is low on my RT-AC68U. NVRAM usage looks fine (42K), no excessive memory usage. No unexpected log file entries. Internet performance seems very good also. Well done.
 
The same config for me and so far no issues. Cross fingers.
 
Sorry to hear that. For me, moving from DNSCrypt to DoT (Cloudflare) gave me a noticeable improvement in web browsing. QOS can be touchy and needs to be tuned for your environment. If you care to try again, there are a couple of users that really have wrung out the fork QOS that may be able to help.
Trying to find a pause in internet use to go back to this version. Although, am expecting an official release shortly?
 
FYI I've stopped using DoT since yesterday. The reason being I was slightly irritated with Chrome occasionally flashing up its "This site can’t be reached" error page before replacing it with the actual page.

I'm assuming it does this when there haven't been any upstream DoT requests for a long enough period that the session is disconnected. It then needs to reestablish the session before answering the new query, which introduces a longer than normal delay.
I didn’t stop using it, but I did have similar problems. I suspected the DNS was the problem and I switched from Quad9 to Cloudflare, no issues in the 2 days since.
 
The standard Quad 9 'secure' servers are filtering... maybe it was blocking some ads or other web elements that caused a problem. I've added the 'insecure' Quad 9 for the final release which is non-filtering.
 
I had considered it, but the connection issues were getting really frequent so.. who knows. I gather trying the non filtering servers should clear that up one way or the other, though. Will try when that goes out.
 
Uncensored DNS from Denmark is a poor performer. Does not resolve common sites including this one.
 
Not using DNSSEC whatsoever. Uncensored DNS from Denmark is not Quad 9. Quad 9 is a large company consortium. Uncensored DNS is found on https://blog.uncensoreddns.org/ which is a cool idea but did not work well for me (Uncensored DNS is unicast.censurfridns.dk from Denmark = DK).
 
I see, wrong assumption on my part, I thought you were referring to Quad9's uncensored DNS 9.9.9.10.
 
Got back to the Beta last night. I had taken a backup of the Beta settings and /jffs file which made it easier to set up. I did have to do a factory reset as the stock Asus left a lot of stuff in NVRAM. Decided to do a test of the default QOS settings and while it did not improve bufferbloat as much as I think it should, it seems to allow browsing when Windows decides to do updates (which I was looking to do in the first place). Also seems to tame BitTorrent enough to do web browsing.
 
Just checked my router with the web GUI and it said the internet status was disconnected. But, it wasn't as I could browse anywhere.
I had enabled DNS Rebind protection earlier this morning and had no issues uploading or downloading. So, I disabled DNS Rebind protection and the Internet status changed to Connected and all the values were shown on the Internet Status column.
Bug (even though the pop up warning says it will prevent resolving queries to non-routable IP)?
 
John, I think you covered this in a past post but is the production version of this going to have an option to enter a custom DoT server? If not, is there a way (perhaps a file to modify) to add a custom server to the DoT server list? Thanks.
 
I've decided that the servers included in the firmware build and supplied by my updater in the final release will be those documented in either the stubby source or at dnsprivacy.org (the updated list is now about 30 servers, including those that also run on port 443).

If you need/want to add another server, you can run the updater, then edit the source csv file which will now be located in /jffs/etc/stubby-resolvers.csv. There's a header line in the file that documents each of the fields.
 
Copy /rom/stubby-resolvers.csv to /jffs/configs/stubby-resolvers.csv

Edit /jffs/configs/stubby-resolvers.csv and add/delete entries of your choice

In a terminal do:

nvram set stubby_csv=/jffs/configs/stubby-resolvers.csv

nvram commit

In the WAN GUI select your new servers.
 