[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[ColinTaylor]

Thanks, however I am looking to see if possible to do this at the router level as oppose to disabling it on Chrome. the main reason is, I am trying to prevent ANY device (some that I might not know) to use any DNS other than my PiHole.

That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.

 

[Raul_77]

That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.

Thanks, well that sucks lol ! I am just wondering if more and more apps/devices use what Chrome is doing, then I guess PiHole is going to be less relevant.

 

[RMerlin]

That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.

Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.

 

[dave14305]

Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.

Perhaps a feature for the firmware as an enhanced "Prevent client DoH" (without the auto)?

 

[ColinTaylor]

Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.

I did think about suggesting that but he did say he wanted to block all clients. In which case he'd have to block all possible DoH servers that may be used now and in the future - and hope that they don't share the same IP address as a web site they need to access.

EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date. That sounds like a task more suited to Skynet.

 

[john9527]

EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date.

And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.

 

[ColinTaylor]

And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.

If the endgame of the DoH evangelists is to replace DNS with DoH, how long I wonder before IoT devices from the likes of Android, Amazon, Roku, Samsung, LG, etc. come with DOH addresses hard-coded (like they do with 8.8.8.8 today) with no fall back. Meh, I'll probably be beyond caring by then.

 

[joe a]

Meant what firmware level? 44E5?

I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.

 

[jrmwvu04]

@luni - It's easy to get into the weeds with ipv6.....it gives me a headache.

I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.

Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.

 

[joe a]

Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.

Sorry I responded to my post on different page. Sorry for the confusion.

 

[jrmwvu04]

Sorry I responding to my post on different page. Sorry for the confusion.

No, it’s my fault. It’s been a long week.

 

[john9527]

I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.

Thanks for taking the time to report back and happy it's resolved.
Now, just need to figure out what happened to Comcast IPv6

 

[john9527]

Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.

Now I'm confused (I'm beginning to think that's my normal state)
Just to double check.....Comcast IPv6 now working for you?

 

[dave14305]

I did think about suggesting that but he did say he wanted to block all clients. In which case he'd have to block all possible DoH servers that may be used now and in the future - and hope that they don't share the same IP address as a web site they need to access.

EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date. That sounds like a task more suited to Skynet.

I think Cloudflare would be an outlier because at least for me, https://cloudflare-dns.com/ doesn’t resolve to 1.1.1.1 or 1.0.0.1. The other big providers are more predictable for IP-based blocking.

Maybe a combination of hosts-based blocking of the DoH URL hostname during bootstrapping and IP based blocking of IP:443.

 

[jrmwvu04]

Now I'm confused (I'm beginning to think that's my normal state)
Just to double check.....Comcast IPv6 now working for you?

Yeah. Works on Native with all the default settings. I did change the one you mentioned but it works without that change as well, as in years prior. But for one or another reason it did not last night. I noticed the same behavior as @luni though - the LAN address began with 2001 something last night and today that it’s back to working it’s 2601 - I have never taken note of that prior because I don’t use ipv6 but can now corroborate that observation. Whether it means anything, truly I don’t know.

 

[jrmwvu04]

COVID 19 has proven to be an absolute nightmare to try to troubleshoot internet/networking hiccups.

 

[RMerlin]

And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.

If it doesn't, then it's that client user's problems, not yours.

 

[john9527]

Yeah. Works on Native with all the default settings.

Thanks for confirming....sounds like Comcast had a hiccup...
Hopefully it's now working for @luni now as well.

Just as an FYI....on Cox my address starts with 2600

 

[Gar]

Running fine on my AC56, thanks again.

I never noticed before but, in the system log it says (referring to Skynet): "Firewall detected but Custom Scripts Disabled". Is that because of the differences between 384.xx and 374.43? Or do I have a problem? The Skynet data is supposed to be in the Add0ns tab I realize, but it's empty.

 

[dave14305]

Running fine on my AC56, thanks again.

I never noticed before but, in the system log it says (referring to Skynet): "Firewall detected but Custom Scripts Disabled". Is that because of the differences between 384.xx and 374.43? Or do I have a problem? The Skynet data is supposed to be in the Add0ns tab I realize, but it's empty.

Are jffs custom scripts and configs enabled on the Admin / System tab?