[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[john9527]

Wow....I think I may have figured this out......

- The ordered retry bug I described earlier is real and my recommendations there stands

- Now, why does roundrobin work on some sites that have an invalid dnssec configuration and fail with dnsmasq dnssec strict?

nrsforu.com is marked as invalid dnssec by both
https://dnssec-analyzer.verisignlabs.com/nrsforu.com
http://dnsviz.net/d/www.nrsforu.com/dnssec/

It turns out getdns/stubby has an equivalent (undocumented) setting to dnsmasq strict mode which is not being set (dnssec_return_only_secure which is currently set to FALSE)! Once this is set, nrsforu.com also fails with the recommended roundrobin configuration with either Cloudflare or Quad9. Like the dnsmasq setting, this basically invalidates the use of dnssec.
@phx28777
So, my conclusion for the nrsforu.com site is that it should NOT resolve with a fully functional dnssec.

- I'll be making an update to the code to expose the 'strict' mode setting for the stubby dnssec support, similar to dnsmasq dnssec, to be used for diagnostic purposes only (default will be strict mode).

@Xentrk FYI

 

[Deleted member 27741]

Nice work!

 

[RMerlin]

The growing pains of dealing with new technology...

 

[treboR2Robert]

So for the time being,

Using "ordered" is more secure and the better option ?

Unless we want to visit nrsforu.com

 

[john9527]

The growing pains of dealing with new technology...

And think of all the fun with DoH (I enjoyed reading your posts/references in the other thread).

 

[john9527]

So for the time being,

Using "ordered" is more secure and the better option ?

Unless we want to visit nrsforu.com

Between a rock and a hard place....with ordered I believe any failure may not be retried, not only dnssec fails. This may be related to those that have intermittent problems when resolving known good sites.

But in the end, it's basically going to come down to a choice of what's more important to you. If you have a site that you absolutely have to visit with a misconfigured dnssec, you're not going to be able to use dnssec until they fix it.

 

[jeff288]

Is anyone else having issue with "bandwidth limiting" with the past few releases on N66U? I don't see anything unusual in my logs. It doesn't seem to work anymore but does when I create a new entry with the same device and seemed to stop again. One weird issue I recall lately when a guest was over was that something was eating all my bandwidth but no device showed up in the traffic page. I'll test some more to try to narrow this down. I've tried every new release for the past two years and didn't notice any issues with it until the past month and a half. I was kind of waiting for someone else to make a post so I can confirm but since it's just me maybe it's my router being quirky. Other than that, I just use the basic features and everything's worked just wonderfully.

 

[blueshark]

Update-37B4 with Cloudflare roundrobin

 

[fatspirit]

What servers from DNS Filtering tab have DNSSec support?

And I have minor priority cosmetic request. Is it possible to add a space after "Please wait,"?

 

[Bob.Dig]

Support for Double-NAT for DDNS (some additional tweaks from 37B1)

Thank you, works like a charm, really had missed this feature.

 

[john9527]

Thank you, works like a charm, really had missed this feature.

Which DDNS service?

 

[bbunge]

What servers from DNS Filtering tab have DNSSec support?

And I have minor priority cosmetic request. Is it possible to add a space after "Please wait,"?

If you want to use DNS filtering with DoT use Clean Browsing Adult or Family in the DoT (Stubby) settings in WAN settings. Would not recommend using the DNS Filter area with DNSSEC.

 

[bbunge]

Using https://www.nrsforu.com/ I got a Site Maintenance message. DoT ordered with DNSSEC Quad9, Quad9 Alt, Cloudflare Primary. Using 36EA and 384.7_2 with Stubby.

 

[john9527]

Using https://www.nrsforu.com/ I got a Site Maintenance message. DoT ordered with DNSSEC Quad9, Quad9 Alt, Cloudflare Primary. Using 36EA and 384.7_2 with Stubby.

Yes, they had the announcement up earlier today (I'm still running some tests and saw it)

 

[bbunge]

Yes, they had the announcement up earlier today (I'm still running some tests and saw it)

Do you have dnssec-proxy in the dnsmasq.conf?

Sent from my SM-T380 using Tapatalk

 

[john9527]

Do you have dnssec-proxy in the dnsmasq.conf?

Sent from my SM-T380 using Tapatalk

No.....but I do have proxy-dnssec
(when stubby is active)

 

[Bob.Dig]

Which DDNS service?

Only tested since yesterday, but so far so good with dyndns (dyn.com).

It would be nice if the whole WAN-IP check of the router (not only DDNS) could be made externally but I guess that is much to complicated.

 

[fatspirit]

Would not recommend using the DNS Filter area with DNSSEC.

Why?

 

[M1ch43lk]

Hi everyone,

Anyone else having wifi problems with 374.43_36EAj9527?

I came from RT-AC68U_374.43_36E4j9527 and even did full factory default reset but have problems with wifi clients freezing or having poor wifi performance?

Any hints?

Thanks in advance,

Michael

 

[fatspirit]

poor wifi performance?

What do you mean by that?