[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

What is the difference between "GetDNS" , "Dnsmasq" and "Server Only" ?
Maybe another case of too many options :)
From all the testing I have done, it appears that while DNSSEC is a standard, how strict the various options are in validating the responses is different (particularly with Cloudflare).

There are two options in the firmware for validating DNSSEC.....GetDNS is the library used by stubby/DoT, and Dnsmasq. These both will validate the responses from the selected DoT server. Some sites will give different results based on which one you choose. No data, but by 'feel' GetDNS seems a little bit faster.
Server Only says I am trusting the response given by the server and not doing local validation. I think this may not be as secure, but in the case of Cloudflare, this allows some sites which fail with local validation to pass....the Cloudflare test site being one of them.

Your choice.....
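The post above describes three places DNSSEC validation can happen (GetDNS inside stubby, dnsmasq on the router, or only at the upstream server). As an added example that is not part of the original thread and not code from the fork's firmware, the script below probes a resolver from a LAN client with two `dig` queries and reports whether anything on the path is validating: a correctly signed name must come back NOERROR with the `ad` flag, and a name with deliberately broken signatures must come back SERVFAIL. It assumes `dig` (BIND utilities) is installed on the client, uses `dnssec-failed.org` (a public test zone with intentionally broken DNSSEC) and `cloudflare.com` (a signed zone) as probe names, and embeds constructed sample `dig` output so the classifier can be exercised offline. One caveat the probe cannot remove: when the upstream already validates, "Server Only" and local validation look identical from the LAN; the difference only shows with an upstream that does not validate, where only local validation still returns SERVFAIL for the broken name.

```python
import re
import shutil
import subprocess

# Probe names (assumptions, not from the original thread): a zone with
# deliberately broken DNSSEC signatures and a zone that is correctly signed.
BOGUS_NAME = "dnssec-failed.org"
SIGNED_NAME = "cloudflare.com"

_STATUS_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")
_FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)


def parse_dig(text):
    """Return (status, flags) from the header section of dig's text output."""
    m = _STATUS_RE.search(text)
    status = m.group(1) if m else "NONE"
    f = _FLAGS_RE.search(text)
    flags = set(f.group(1).split()) if f else set()
    return status, flags


def assess(signed_output, bogus_output):
    """Classify a resolver from the two probe answers.

    'validating'     - signed name answered with AD, bogus name refused (SERVFAIL)
    'not-validating' - bogus name answered as if it were fine
    'unreachable'    - signed name did not resolve at all (check resolver/port)
    'inconsistent'   - anything else, e.g. SERVFAIL for the bogus name but no AD
                       on the signed one (something validates but the AD bit is
                       not passed on to the client)
    """
    s_status, s_flags = parse_dig(signed_output)
    b_status, _ = parse_dig(bogus_output)
    if s_status != "NOERROR":
        return "unreachable"
    if b_status == "NOERROR":
        return "not-validating"
    if b_status == "SERVFAIL" and "ad" in s_flags:
        return "validating"
    return "inconsistent"


def dig(resolver, name, port=53):
    """Run a real query. +dnssec sets the DO bit (asks for RRSIGs and AD);
    +cd is deliberately NOT set so the resolver is allowed to validate."""
    cmd = ["dig", "@" + resolver, "-p", str(port), name, "A",
           "+dnssec", "+time=3", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def probe(resolver, port=53):
    """Probe a live resolver (e.g. the router's LAN address) and classify it."""
    return assess(dig(resolver, SIGNED_NAME, port), dig(resolver, BOGUS_NAME, port))


# Constructed sample output (not captured from a real router), in the shape
# dig prints, so the classifier can be demonstrated offline. Addresses are
# from the 192.0.2.0/24 documentation range.
SAMPLE_SIGNED_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
cloudflare.com.\t300\tIN\tA\t192.0.2.1
cloudflare.com.\t300\tIN\tRRSIG\tA 13 2 300 (constructed signature fields) ...
"""
SAMPLE_SIGNED_NO_AD = SAMPLE_SIGNED_AD.replace("qr rd ra ad;", "qr rd ra;")
SAMPLE_BOGUS_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_BOGUS_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
dnssec-failed.org.\t7200\tIN\tA\t192.0.2.2
"""

if __name__ == "__main__":
    import sys
    if shutil.which("dig") is None:
        print("dig not found; offline demo:",
              assess(SAMPLE_SIGNED_AD, SAMPLE_BOGUS_SERVFAIL))
    else:
        # Router LAN address is an assumption; pass your own as argv[1].
        print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"))
```

Run it from a LAN client as `python3 dnssec_probe.py 192.168.1.1` (substituting the router's address). To tell local validation apart from "Server Only", repeat the probe against the upstream directly (`dig @1.1.1.1 ...`): if the upstream itself returns SERVFAIL for the broken name, the router's verdict says nothing about where the validation happened.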
 
Just realized that I showed everyone which "DoT Local Port" I'm using in that screenshot.

Should I change this now ?

What is the port range for it ?

Thank you
 
It's the default port in the firmware, but it's only open on your internal network (not internet-facing). It's not considered a secret, so I would leave it alone.
 
Ahh, ok, thank you.

I worried for a minute, as I remember it being quite important to change default ports for Plex, Transmission and OpenVPN etc., which ARE open to the internet.

So the "DoT Local Port" is definitely not open to the internet?

Thanks
 
What "DNSSEC validation method" should we be using ?

This is how it was set after updating to 37E4

What is the difference between "GetDNS" , "Dnsmasq" and "Server Only" ?

Thanks

So are these options new with this Fork's recent build?

 
I guess no go for my 86U as of now...
 
The github repo has been updated to V37E4.

IMPORTANT...IMPORTANT...IMPORTANT

This update rebased the github repository on 29-November-2018 to account for some changes during the stubby/DoT development.
If you have a local repo, you should save any custom changes, clone a new copy, then re-apply your changes.

Any local repositories used for reference only should be deleted and a fresh clone performed.

Thanks for your understanding.
 
Your screenshot is too small to read.
Sorry about the screenshot size. Here is a snipped version. I did some more digging and reading and found an old thread talking about using channel 1 on 2.4 GHz is sometimes helpful. I changed my channel from 11 to 1 and the scale and my watch are both working again. Go figure. Anyway, can you look at the boatload of activity being generated by my OBi 202 and chime in on whether that looks normal or problematic? Thanks!
 

I'm guessing that .103 is the OBi 202? The dest port is cut off in your screenshot, but I'd also guess that it has a common port open to the WAN and is getting scanned by all the script kiddies looking for an exploit.
Only thing you could do is use a different, non-standard port if that's possible.
 
I'll try to find out if I can change the port. Thanks for the input!
 
Hello John, I'm running 36EA on my AC68R. I'm having a weird problem with two 2.4 GHz devices: a Samsung Gear S3 Frontier and an Under Armour scale made by HTC. Both devices refuse to auto-reconnect to the network.
The only one I can think of for this is to try setting 'Enable WMM APSD' to Disabled on the Wireless > Professional tab.
 
I want to use Cloudflare too... primary and secondary - ordered.

Switched to "server only" and it seems to work fine with cloudflare.

Thanks for all your work!
 
Thx for the update!

I selected DoT with Cloudflare and have no complaints from the family. :)

1.1.1.1 testpage works fine with "Server Only" option.
My result.
 

Personal opinion is that your setup is the 'sweet spot' right now (it's also my current setup). I think there is a slight exposure that someone could hijack the Cloudflare addresses, but to me that's minimal.

For me Quad9 is too erratic....sometimes it works great, others it seems as if it's down completely.
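The "hijack the Cloudflare addresses" exposure mentioned above is exactly what DoT's server authentication exists to close: when stubby is told the upstream's TLS authentication name, a host that merely answers on 1.1.1.1 without presenting a certificate valid for that name is rejected instead of silently trusted. As an added example, not the fork's generated configuration and not taken from the thread, here is a minimal stubby.yml in the format documented by the stubby project, showing the strict setting beside the opportunistic one it replaces. The listening port, the second upstream address (1.0.0.1) and the authentication name `cloudflare-dns.com` are assumptions; the firmware may write a different file with different values, so compare against the one actually on the router.

```yaml
# Added example stubby.yml (assumption: option names as in the stubby project's
# documented configuration; NOT the file generated by the fork's firmware).
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Weak setting: opportunistic TLS. Any host answering on the address is accepted,
# so an on-path attacker who hijacks 1.1.1.1 gets a working, "encrypted" session.
# tls_authentication: GETDNS_AUTHENTICATION_NONE

# Strict setting: the upstream must present a certificate valid for its
# tls_auth_name, or the connection is refused and the query fails closed.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Ask GetDNS to validate DNSSEC itself (the "GetDNS" choice in the thread);
# remove this line if dnsmasq or the upstream is meant to do the validation.
dnssec_return_status: GETDNS_EXTENSION_TRUE

tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000

# Listen only on loopback (assumed port); dnsmasq forwards to this address,
# which is why the "DoT Local Port" is never reachable from the WAN.
listen_addresses:
  - 127.0.0.1@5453

upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  # An SPKI pin (tls_pubkey_pinset with digest "sha256" and the upstream's
  # base64 SPKI hash) can be added per server for stronger binding than the
  # name alone; no pin value is shown here because it must be taken from the
  # certificate actually presented by the upstream.
```

With `GETDNS_AUTHENTICATION_REQUIRED` the failure mode is loud: if the address is hijacked, resolution stops rather than degrading, which is the behaviour you want from a resolver that is supposed to be protecting you from exactly that.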
 
