[Preview] 380.57 alpha test builds for all models

[RMerlin]

Make sure your upstream DNS servers do support DNSSEC. The feature itself definitely works, and there isn't much to it, beside a checkbox that tells dnsmasq to enable it.

Also, don't forget that DNS resolution get cached at multiple levels. If you enable on the webui and you immediately try to re-access the same test site, chances are your browser AND your computer both already have the previous result in their cache, so you will still access the broken site - you won't even have asked your router for the website's IP.

 

[RMerlin]

Hostname doesn't change automatically. It reads continuing the hostname of the past..
PC hostname automatical changed, but Mobile hostname dosen't change automatically.

Can you fix this problem?

That dropdown doesn't show the current hostname, it shows whatever is entered on the networkmap, either manually, or from a previous network scan.

 

[shooter40sw]

Hi, opendns does not support dnssec, if you search they favor dnscrypt, also in the dnscrypt resolvers if you check you can see that they dont do dnssec validation.
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

I too have enabled the DNSSEC and it does not work. What other things need to be done other than turning it on? I've set DNS to OpenDNS servers on the WAN page. Nothing else on the LAN->DHCP page.

 

[shooter40sw]

Hi @XIII how did you enable DNSSEC on the 56_2 ?, Im still on that version of merlins. thanks

I get a green checkmark ("You are protected") using that link, while I'm still running 378.56_2... I'm using DNSSEC enabled DNScrypt.eu DNS servers though.

What would be a better test? And where can I read more about DNSSEC, specifically about the router's role? (client?)

 

[dlandon]

Hi, opendns does not support dnssec, if you search they favor dnscrypt, also in the dnscrypt resolvers if you check you can see that they dont do dnssec validation.
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

Good information. Thank you.

I switched from OpenDNS to the default Time Warner DNS in my area and it seems to be working now.

 

[RMerlin]

Hi, opendns does not support dnssec, if you search they favor dnscrypt, also in the dnscrypt resolvers if you check you can see that they dont do dnssec validation.
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

That's interesting. I re-checked their FAQ, and looks like it was a bit misleading, as they say that DNSSEC and DNSCrypt can work together just fine, and that they were complementary. Looks like they felt that it wasn't complementary enough for them to support both...

 

[bayern1975]

hmm, what now? i am using dnscrypt from soltysiak with dnssec enabled? is this secure and works both together or not?

 

[XIII]

Hi @XIII how did you enable DNSSEC on the 56_2 ?, Im still on that version of merlins. thanks

I did not. That's why I was surprised about the result of the test and asking for documentation and a better test...

 

[RMerlin]

hmm, what now? i am using dnscrypt from soltysiak with dnssec enabled? is this secure and works both together or not?

It's not about whether the two of them can work together or not (they can), it's about whether the DNS servers you use support both of them or not.

 

[bayern1975]

It's not about whether the two of them can work together or not (they can), it's about whether the DNS servers you use support both of them or not.

so, there is curenntly no dns servers to support both....i tested 5 different dnscrypt servers with enabled dnssec and no one has dnssec support....

 

[dead_screem]

i'm curious what the new dnssec support is supposed to do, as im on official firmware and using comcast dns and dnssec has always worked on my ac3200. and yes my router is being used for dns, my clients all use 192.168.1.1 for the dns server.

 

[XIII]

so, there is curenntly no dns servers to support both....i tested 5 different dnscrypt servers with enabled dnssec and no one has dnssec support....

Have you tried DNSCrypt.eu? ("A free DNSSEC enabled, non-logged and uncensored DNSCrypt service by Simon Clausen")

(I'm planning to try that one later tonight)

 

[XIII]

http://www.dnssec-failed.org/

Even with 378.56_2 I get "Firefox can't find the server at www.dnssec-failed.org." (the page opened fine at work) which is not what I would expect...

I was trying to perform a "Test Driven Installation": first let it fail with 378.56_2, then letting it pass with 380.57a3... What do I do/think wrong?

 

[lancethepants]

@XIII Not being able to load www.dnssec-failed.org is a sign that dnssec is working.

All these browser checks are hokey I think anyway. Here's a definitive way to check, either on a device behind the router, or on the router itself. You can get the dig command from entware.

dig verisign.com +dnssec

If you see the 'ad' flag, you're good.

 

[jsmiddleton4]

As I understand it DNSSEC is not that big a deal anyway. I turned it off. Nothing I did worked and got failed at both test sites.

 

[Marc66]

@RMerlin: can you move the DNSsec conversation to a different thread?


Sent using Tapatalk

 

[Authority]

Ad blocking is something that Merlin has said he wil not be implementing, if not for the simple reason that it's the ads on this forum that helps pay for the running of it. And to implement ad blocking under such circumstances would not be right.

Is this his forum?? I guess that would make sense.

I have to say I'd really like this feature if there was a way to do it, even if it was less than perfect. Sure we can all have blockers in our web browsers, but there are ads in so many other connected devices, tablets, game consoles, apps, it'd really be nice.

I'd pay for the feature, just throwing that out there.

 

[XIII]

@XIII Not being able to load www.dnssec-failed.org is a sign that dnssec is working.

I know. I thought DNSSEC support was new in 380.57 and not supported yet in 378.56_2?

 

[martinr]

Is this his forum?? I guess that would make sense.
.

Just look at how many times Merlin has posted on this forum, and compare that with the number of postings by the rest of us. On that alone, it would be his forum. God knows when he sleeps.

As to adblocking - malicious domain blocking is a better description - there are quite a few alternatives. I use a Raspberry Pi. You could also try searching for Pihole: that also uses a Raspberry Pi. And there are other methods also covered in some long, active threads on this forum.

 

[RMerlin]

Is this his forum?? I guess that would make sense.

It's not. But thiggins has no problem hosting us for free here. He pays the bills, and does the site maintenance. The least I could do is not to make it easy for people to take away whatever financial compensation he gets out of our traffic.