[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

@dave14305 OK, I did that and it seems now when I do an ipconfig /all it only shows my router as the DNS, which is probably working as it should be. I'm still resolving IPs OK, so it must be getting the DNS from the DoT section now, brill.

So after changing those things I tried the test again and got

We weren’t able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS.

I assumed (rightly or wrongly) that CF would only validate the sDNS if you used their server, so back in the Asuswrt I chose CF as my DNS provider and tried again. Same result, so now I have no DNS in the LAN DHCP and I only have CF selected in the Asuswrt GUI; still the above message.

Anything else I have missed?
Your PC or browser may still be caching DNS entries from earlier. Close your browser and run ipconfig /flushdns. Start by testing here: https://1.1.1.1/help Then try the other site.

Are you using DNSFilter?
 
OK, thanks again dave14305, but now I'm even more confused.
I have no DNS set in the traditional space for DHCP server and I only have CF set in the DoT section of Asuswrt. I had already done a flush DNS but just done a reboot to be sure. I also tried both websites on my phone in case the PC was doing something wacky, same results. The 2nd screenshot below really confuses me, as if I'm not using 1.1.1.1 where on earth am I resolving?

 
@ColinTaylor I think that is the most up-to-date version; it's dated 18th April, it's a dev release a day after the last E3 release. Am I missing something again? I did think maybe the dev build has issues, so I tried V39E3, the one from 17 April in the first post on this thread. Still the same.
Sorry, my mistake. I thought you were running 38D3j9527 from 10-January-2019, which is the one that had the problems. Ignore my post.
 
It's probably working just fine, but the CloudFlare sites have issues when DNSSEC is enabled. If you really want to pass the site checks by disabling DNSSEC, feel free, but it looks like a good setup to me. I would just add the CloudFlare secondary server for round-robin redundancy.

See here for cloudflare's issue with DNSSEC: https://community.cloudflare.com/t/is-cf-cloudflareresolve-com-is-not-a-valid-dnssec-zone/64805

EDIT: The screenshot showing WoodyNet implies to me that you are using Quad9. Is DNSFilter enabled with Quad9?
 
Ah yes, I did disable DNSSEC just to see the result, which works (I'll turn it back on). Still have that fourth check box to tick, though I think that one is not a big worry, right?
PM me your PayPal details Dave, I owe you a beer
 
Ah yes, I did disable DNSSEC just to see the result, which works (I'll turn it back on). Still have that fourth check box to tick, though I think that one is not a big worry, right?
The Strict enforcement is where the real benefit comes from DNSSEC, so leave it enabled. Do you still see WoodyNet when you try https://1.1.1.1/help ? That seemed odd to me.
PM me your PayPal details Dave, I owe you a beer
Thanks, but no thanks. If you feel generous, you can send something Merlin's way @ https://asuswrt.lostrealm.ca/
 
Hi all,

Long-time user of Merlin firmware, and moved to John's when support ended for my router model.

dizzy, your post made me investigate my own setup. I had similar results to you using Cloudflare with the same DNS settings in my router. Using Firefox 66.0.3 with the following settings in about:config:

security.tls.version.min;3 (this one may be default value and not be necessary to set)
network.security.esni.enabled;true
network.trr.mode;2

I achieved all four green ticks in the Cloudflare SSL SNI test you referenced above.

I am a novice in this, but followed the 'Learn more' links below each section.

I have not investigated how to do this for other browsers, and have to question whether this level of security can work for other apps that use the internet if userspace configuration is required as well as our router settings.

Anyhow, that is probably enough for my first post on this forum.
 
I hereby inform you that I am classifying this DoH information as need to know. If this information got out, it could lead to dozens of uninformative posts in the DoT thread ;)

By the way, my name is not Dave, but I will leave these DoH settings on in Firefox as a curiosity because I rarely use it. For my main browser Chrome, I have no desire to circumvent DoT.

 
dave, thanks for explaining that. So what do you recommend in the network.trr option?
It’s a tough call for a laptop. I might want it disabled while on my home LAN with DoT, but enabled when I’m mobile on public networks. Maybe the ideal setting would be 1 (let FF pick the fastest mode). But in general I’d leave it at zero to avoid confusion later in life. :confused:

https://wiki.mozilla.org/Trusted_Recursive_Resolver
By the way, my name is not Dave...
Me neither! :D
 
It is interesting that, when I changed network.trr.mode to 1, "Using DNS over TLS (DoT)" became "No"

I guess in a way this is accurate.

Update: Reloaded the webpage and now "Using DNS over TLS (DoT)" became "Yes".
 
Think I'm having same sort of problem as above on n66u v39e3.

My config:

Dnssec on:

Dnssec off :

https://1.1.1.1/help#eyJpc0NmIjoiTm...iOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

I can't get the last 2 to light up no matter what I do, tried mozilla and chrome.

I tried from the posts above but last 2 turn to orange instead ?:
security.tls.version.min;4
network.security.esni.enabled;true
network.trr.mode;1

This is with mozilla.

https://1.1.1.1/help#eyJpc0NmIjoiWW...tZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9
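
The two https://1.1.1.1/help links in the post above carry the test results in their #fragment as base64-encoded JSON: the visible start decodes to `{"isCf":"` and the visible end to `"ispAsn":"13335"}`. The following is an added example, not part of the original post and not Cloudflare's code, that decodes such a link and reports which DNS transport the test page saw. The `isDot`, `isDoh` and `ispName` field names and the sample values are assumptions, and the sample link is constructed because the posted ones are truncated.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample results (not taken from the posted links, which are truncated).
# isCf and ispAsn are readable in the posted links; the other keys are assumed.
SAMPLE_RESULTS = {"isCf": "Yes", "isDot": "No", "isDoh": "Yes",
                  "ispName": "Cloudflare", "ispAsn": "13335"}

def make_sample_url(results):
    """Build a help-page style link from a results dict (for offline testing)."""
    raw = json.dumps(results, separators=(",", ":")).encode()
    return "https://1.1.1.1/help#" + base64.b64encode(raw).decode()

def decode_help_fragment(url):
    """Return the JSON object stored in the link's #fragment."""
    fragment = urlsplit(url).fragment
    if not fragment:
        raise ValueError("URL has no #fragment")
    if "..." in fragment or "\u2026" in fragment:
        # Forum software shortens long links; the middle is gone for good.
        raise ValueError("fragment was truncated when pasted; cannot decode")
    padded = fragment + "=" * (-len(fragment) % 4)  # restore stripped padding
    try:
        data = json.loads(base64.b64decode(padded, validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("fragment is not base64-encoded JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("fragment JSON is not an object")
    return data

def resolver_path(results):
    """Classify the transport the test page observed for this client."""
    def yes(key):
        return str(results.get(key, "")).strip().lower() == "yes"
    if yes("isDoh"):
        return "doh"               # browser resolves itself (e.g. Firefox TRR)
    if yes("isDot"):
        return "dot"               # queries arrived over TLS, e.g. from the router
    if yes("isCf"):
        return "cloudflare-plain"  # Cloudflare, but no encrypted transport seen
    return "other"                 # a different resolver answered

if __name__ == "__main__":
    decoded = decode_help_fragment(make_sample_url(SAMPLE_RESULTS))
    print(decoded, "->", resolver_path(decoded))
```

A "doh" result with the router set to DoT means the browser, not the router, made the encrypted query, which is the situation the network.trr.mode posts describe.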

 
Another possibility is security software browser extensions intercepting https to scan but only supporting TLS 1.2
 
My Mozilla was a fresh install, no add-ons, and Chrome I tried in incognito with the same results.

Would ESET Smart Security Premium interfere with DNS over TLS?

https://forum.eset.com/topic/19120-status-of-tls-13-support/

I don't know if this has been known before, but I just saw this on the Cloudflare forum.

https://community.cloudflare.com/t/is-cf-cloudflareresolve-com-is-not-a-valid-dnssec-zone/64805

It's the 2nd post with the 2 test links; it basically lets you test without disabling DNSSEC in your router.
 