[Fork] Asuswrt-Merlin 374.43 LTS - DNS over TLS Beta - CLOSED

[jrmwvu04]

Several days with cloudflare DoT, no issues like I had with quad9. Other than the Insecure DS reply errors that I've seen elsewhere and expected, but I'm made to understand that's a cloudflare issue.

 

[Deleted member 27741]

Excellent answers john9527 and bbunge regarding the server list. Thanks. John, you deserve a raise. Nice work. It's amazing what one guy can do with this firmware.

 

[HowIFix]

I still hope that this firmware has support for DNSCrypt DoH, to use it.

 

[bbunge]

I still hope that this firmware has support for DNSCrypt DoH, to use it.

See first post

Support for DNSCrypt v1 has been removed and replaced with DNS over TLS (DoT)

This version uses Stubby proxy which, in time, will have support for DoH. Hope this ports over to this firmware.

I have been back to this version for several days running DoT to Quad9 and the alt Quad9 resolvers. No complaints from the home crew (they know I'm up to something involving net security but don't want to know what it is as long as it works). Have QOS turned on and that has tamed Microsoft updates (I fix PC's for folks and test some open source Linux software). Discovered yesterday the easy way to move the OpenVPN certs from NVRAM to /jffs (really cool)! Have two RT-AC68U's in a commercial application that I'm eagerly awaiting the final firmware release to improve security!

 

[bbunge]

Have had a couple of times today when the browser, Edge or Firefox, would not get a web page on the first try. Have been using Quad9 servers with DoT and DNSSEC. Switching to Cloudflare servers with DoT and DNSSEC seems to work better. I've been using Quad9 servers with "normal" DNS successfully for some time before this Beta.

 

[PeterR]

I've been running 34B6 on an AC66U, from shortly after it was released; from my memory, my router has never performed better.

Thanks John!

 

[bbunge]

Still playing with settings and features. This morning I set up IPV6 via 6RD (Centurylink is dragging native IPV6), DoT via Quad9 with Quad9_alt in a custom /jffs/stubby-resolvers.csv, Strict DNSSEC Enforcement enabled, IPV6 DoT servers enabled and DoT server access ordered. Have turned off DDNS and OpenVPN for now. No issues noted so far and no complaints from the girls.
How soon to the "final" release or is there another Beta to play with?

 

[Deleted member 27741]

I have noticed-
Using the webpage https://cloudflare-dns.com/help/ to check for DNS over TLS works with only cloudflare servers for me. Any other server always results in a "No" for "Using DNS over TLS (DoT)".

I have tried to add another server to the stubby-resolvers.csv file with this line:

"Cleanbrowsing",185.228.168.10,,853,adult-filter-dns.cleanbrowsing.org,,,yes,yes

However, I am not sure it or any of the other servers are working since they all give a "No" when I check DNS over TLS on that webpage. Anyone else observe this or am I the only one?

Is there any (other) simple way to check if DNS over TLS is working? Perhaps I have missed something and that webpage only works to check the cloudflare servers?

 

[john9527]

Any other server always results in a "No" for "Using DNS over TLS (DoT)".

Turn off DNSSEC when using the Cloudflare test site.

 

[ColinTaylor]

Using the webpage https://cloudflare-dns.com/help/ to check for DNS over TLS works with only cloudflare servers for me. Any other server always results in a "No" for "Using DNS over TLS (DoT)".

Yes I noticed this as well.

Turn off DNSSEC when using the Cloudflare test site.

Makes no difference. Appears to be just a test to Cloudfare (kinda makes sense, I'm not sure how they could test your traffic to someone else's server).

 

[Deleted member 27741]

Guys I think you could figure out DNS over TLS status in the firmware- sort of like the VPN-status page for the VPNs? Each selected server could have an indicator for whether DNS over TLS was running. Well, that would be epic if it were possible.

 

[bbunge]

I have noticed-
Using the webpage https://cloudflare-dns.com/help/ to check for DNS over TLS works with only cloudflare servers for me. Any other server always results in a "No" for "Using DNS over TLS (DoT)".

I have tried to add another server to the stubby-resolvers.csv file with this line:

"Cleanbrowsing",185.228.168.10,,853,adult-filter-dns.cleanbrowsing.org,,,yes,yes

However, I am not sure it or any of the other servers are working since they all give a "No" when I check DNS over TLS on that webpage. Anyone else observe this or am I the only one?

Is there any (other) simple way to check if DNS over TLS is working? Perhaps I have missed something and that webpage only works to check the cloudflare servers?

Here are the entries for the stubby-resolvers.csv for CleanBrowsing:

"Cleanbrowsing-Security",185.228.168.9:853,2a0d:2a00:1::2,853,security-filter-dns.cleanbrowsing.org,,,yes,yes
"Cleanbrowsing-Security_alt",185.228.169.9:853,2a0d:2a00:2::2,853,security-filter-dns.cleanbrowsing.org,,,yes,yes
"Cleanbrowsing-Family",185.228.168.168:853,2a0d:2a00:1::,853,family-filter-dns.cleanbrowsing.org,,,yes,yes
"Cleanbrowsing-Family_alt",185.228.168.169:853,2a0d:2a00:2::,853,family-filter-dns.cleanbrowsing.org,,,yes,yes
"Cleanbrowsing-Adult",185.228.168.10:853,2a0d:2a00:1::1,853,adult-filter-dns.cleanbrowsing.org,,,yes,yes
"Cleanbrowsing-Adult_alt",185.228.168.11:853,2a0d:2a00:2::1::,853,adult-filter-dns.cleanbrowsing.org,,,yes,yes

 

[john9527]

Makes no difference. Appears to be just a test to Cloudfare (kinda makes sense, I'm not sure how they could test your traffic to someone else's server).

I know their test site used to work on other sites (I used it during development), but sure enough, it's not working now. Maybe Cloudflare made a change.

Guys I think you could figure out DNS over TLS status in the firmware- sort of like the VPN-status page for the VPNs? Each selected server could have an indicator for whether DNS over TLS was running. Well, that would be epic if it were possible.

Would need to have something implemented in stubby to provide a status.

 

[john9527]

Here are the entries for the stubby-resolvers.csv for CleanBrowsing:

As I mentioned before, after some thought I'm reluctant to include servers that haven't been verified and listed by either the stubby developers or dnsprivacy.org After all, it could be a dns hijack disguised as a DoT server.

Two possibilities
- If you like these servers, send a note to the owners asking them to contact dnsprivacy.org and have them officially recognized
- I could add an 'unverified' servers section with a hidden setting to activate them.

 

[bbunge]

As I mentioned before, after some thought I'm reluctant to include servers that haven't been verified and listed by either the stubby developers or dnsprivacy.org After all, it could be a dns hijack disguised as a DoT server.

Two possibilities
- If you like these servers, send a note to the owners asking them to contact dnsprivacy.org and have them officially recognized
- I could add an 'unverified' servers section with a hidden setting to activate them.

CleanBrowsing is listed by dnsprivacy.org by means of a link to github. But I agree with your approach to verify.

Sent from my P01M using Tapatalk

 

[Deleted member 27741]

It seems like stubby will suffer from the same "am I connected or not?" feeling I sometimes get using vpn. Vpn is pretty easy to check, though. Would some command like this:
netstat -lnptu | grep stubby
Give information as to whether stubby is working?
Edit-
It does work in that it at least tells me whether stubby is listening or not. Not sure if that exactly equates to "working" but it's something.

 

[john9527]

CleanBrowsing is listed by dnsprivacy.org by means of a link to github.

I'll double check....I didn't see it in the server list.

 

[ColinTaylor]

It seems like stubby will suffer from the same "am I connected or not?" feeling I sometimes get using vpn. Vpn is pretty easy to check, though. Would some command like this:
netstat -lnptu | grep stubby
Give information as to whether stubby is working?
Edit-
It does work in that it at least tells me whether stubby is listening or not. Not sure if that exactly equates to "working" but it's something.

What kind of failure scenario are you trying to detect?

@john9527 You probably explained this before but I can't find it ATM . What happens if stubby can't connect (or looses connection) to its servers? Do you just get DNS lookup failures. If so then it's like any other DNS server failure and doesn't require a specific "status" page IMHO.

 

[Deleted member 27741]

Not really worried about any failure scenario- just being a nerd. I like to know what's going on under the hood.

If all selected DNS over TLS servers go down or don't work (probably most often because people like me bork the config file syntax) I think the router would just revert to regular old DNS... that assumption may not be true.

 

[john9527]

@john9527 You probably explained this before but I can't find it ATM . What happens if stubby can't connect (or looses connection) to its servers? Do you just get DNS lookup failures. If so then it's like any other DNS server failure and doesn't require a specific "status" page IMHO.

If you have more than one server configured, it will try the next server. The failing server will not be used again for 2sec (a TLS failure) to 15min (a totally dead server). If all the DoT servers are dead, it's just like any other DNS failure and your connection won't be able to resolve anything (it doesn't fall back to the old defaults).

EDIT: I'd have to go through the stubby code to see what happens when only one server is configured. I'd guess the 'dead server' timeout doesn't apply anymore.