[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

Thanks, however I am looking to see if it is possible to do this at the router level as opposed to disabling it in Chrome. The main reason is, I am trying to prevent ANY device (some that I might not know about) from using any DNS other than my PiHole.
That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.
 
That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.
Thanks, well that sucks lol! I am just wondering, if more and more apps/devices use what Chrome is doing, then I guess PiHole is going to be less relevant.
 
That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.

Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.
 
Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.
Perhaps a feature for the firmware as an enhanced "Prevent client DoH" (without the auto)?
 
Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.
I did think about suggesting that but he did say he wanted to block all clients. In which case he'd have to block all possible DoH servers that may be used now and in the future - and hope that they don't share the same IP address as a web site they need to access.

EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date. That sounds like a task more suited to Skynet.
 
EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date.
And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.
 
And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.
If the endgame of the DoH evangelists is to replace DNS with DoH, how long, I wonder, before IoT devices from the likes of Android, Amazon, Roku, Samsung, LG, etc. come with DoH addresses hard-coded (like they do with 8.8.8.8 today) with no fallback. Meh, I'll probably be beyond caring by then.
 
Meant what firmware level? 44E5?
I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.
 
@luni - It's easy to get into the weeds with IPv6... it gives me a headache.
I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.
Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.
 
Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.
Sorry, I responded to my post on a different page. Sorry for the confusion.
 
I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.
Thanks for taking the time to report back and happy it's resolved.
Now, just need to figure out what happened to Comcast IPv6.
 
Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.
Now I'm confused (I'm beginning to think that's my normal state) :)
Just to double check... Comcast IPv6 now working for you?
 
I did think about suggesting that but he did say he wanted to block all clients. In which case he'd have to block all possible DoH servers that may be used now and in the future - and hope that they don't share the same IP address as a web site they need to access.

EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date. That sounds like a task more suited to Skynet.
I think Cloudflare would be an outlier because, at least for me, https://cloudflare-dns.com/ doesn't resolve to 1.1.1.1 or 1.0.0.1. The other big providers are more predictable for IP-based blocking.

Maybe a combination of hosts-based blocking of the DoH URL hostname during bootstrapping and IP-based blocking of IP:443.
 
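The approach the last few posts converge on (block known resolver IPs on port 443 only, refuse to resolve the DoH bootstrap hostnames, and force plain port-53 DNS to the Pi-hole so a client that falls back lands where you want it) as a router-side script. This is an added example written for this discussion; it is not code from the thread or from the Asuswrt-Merlin firmware or its LTS fork. It assumes a Pi-hole at 192.168.1.10 on the br0 LAN bridge, that it is run from a firewall-start style hook, and that the resolver IPs and hostnames are a constructed sample of well-known public DoH endpoints which you maintain by hand (the upkeep the thread warns about). Note that https://1.1.1.1/ does serve Cloudflare's resolver landing page, so the port-443 rule cuts that off too; that is usually an acceptable trade. With DRY_RUN=1, the default, the script prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread or the Asuswrt-Merlin firmware):
# router-side DoH blocking for a LAN whose DNS should all go to a Pi-hole.
#   1. DNAT every LAN client's plain port-53 DNS to the Pi-hole.
#   2. REJECT TCP/UDP 443 to a hand-maintained list of known DoH resolver IPs
#      (UDP 443 is included because DoH can also ride HTTP/3 over QUIC).
#   3. Emit dnsmasq lines that answer the DoH bootstrap hostnames with
#      0.0.0.0 / :: so a client cannot learn the resolver's address at all.
# Intended location: /jffs/scripts/firewall-start (assumption, not a
# documented feature of the fork). DRY_RUN=1 (default) prints the commands.

PIHOLE_IP="${PIHOLE_IP:-192.168.1.10}"   # assumption: Pi-hole address
LAN_IF="${LAN_IF:-br0}"                  # assumption: LAN bridge interface
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample lists of public DoH resolvers; keep them current.
DOH_IPS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"
DOH_HOSTS="cloudflare-dns.com dns.google dns.quad9.net"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Force plain DNS to the Pi-hole. The Pi-hole's own upstream queries are
#    excluded, and the hairpin MASQUERADE makes replies return through the
#    router so clients see answers from the address they actually queried.
dns_redirect_rules() {
    for proto in udp tcp; do
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -s "$PIHOLE_IP" -j DNAT --to-destination "$PIHOLE_IP"
        run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p "$proto" \
            -d "$PIHOLE_IP" --dport 53 -j MASQUERADE
    done
}

# 2. Block port 443 to the resolver addresses only, never the address alone,
#    so a website sharing that IP on other ports keeps working. Rules are
#    inserted at the top of FORWARD so they run before the default ACCEPTs.
doh_block_rules() {
    for ip in $DOH_IPS; do
        for proto in tcp udp; do
            run iptables -I FORWARD -i "$LAN_IF" -p "$proto" -d "$ip" \
                --dport 443 -j REJECT
        done
    done
}

# 3. dnsmasq snippet (for dnsmasq.conf.add on the router, or the Pi-hole's
#    own dnsmasq) so the bootstrap lookup never yields a usable address.
dnsmasq_doh_block() {
    for host in $DOH_HOSTS; do
        echo "address=/$host/0.0.0.0"
        echo "address=/$host/::"
    done
}

# Number of firewall rules the lists expand to (dry-run only); a quick
# sanity check after editing DOH_IPS.
rule_count() {
    { dns_redirect_rules; doh_block_rules; } | wc -l | tr -d ' '
}

if [ "${DOH_NO_MAIN:-0}" = "0" ]; then
    dns_redirect_rules
    doh_block_rules
    dnsmasq_doh_block
fi
```

Because firewall-start can run more than once per boot, on a real router either flush a dedicated chain before adding rules or check with iptables -C first; the example keeps to plain -A/-I so the generated commands stay readable.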
Now I'm confused (I'm beginning to think that's my normal state) :)
Just to double check... Comcast IPv6 now working for you?
Yeah. Works on Native with all the default settings. I did change the one you mentioned, but it works without that change as well, as in years prior. But for one reason or another it did not last night. I noticed the same behavior as @luni though - the LAN address began with 2001-something last night, and today, now that it's back to working, it's 2601. I have never taken note of that prior because I don't use IPv6, but can now corroborate that observation. Whether it means anything, truly I don't know.
 
COVID 19 has proven to be an absolute nightmare to try to troubleshoot internet/networking hiccups.
 
And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.

If it doesn't, then it's that client user's problems, not yours.
 
Running fine on my AC56, thanks again.

I never noticed before but, in the system log it says (referring to Skynet): "Firewall detected but Custom Scripts Disabled". Is that because of the differences between 384.xx and 374.43? Or do I have a problem? The Skynet data is supposed to be in the Addons tab, I realize, but it's empty.
 
Running fine on my AC56, thanks again.

I never noticed before but, in the system log it says (referring to Skynet): "Firewall detected but Custom Scripts Disabled". Is that because of the differences between 384.xx and 374.43? Or do I have a problem? The Skynet data is supposed to be in the Addons tab, I realize, but it's empty.
Are jffs custom scripts and configs enabled on the Admin / System tab?
 