
[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

I always read that test as a "Final" Resolver Test, meaning that if you have, say, Cloudflare selected as your end DNS resolver (in DoT or otherwise) it will come back positive, as Cloudflare supports DNSSEC.
 
That site works fine with Cloudflare and stubby as well - with DNSSEC configured in stubby
That site does not check your DNSSEC. It checks your configured upstream resolvers aka your DNS servers. You need to use Dig to check your DNSSEC. Plenty of discussion on this in the Stubby thread.

 
New test builds have been uploaded. Changes since alpha 2:

  • Fixed DNSSEC not getting enabled/disabled without manually restarting dnsmasq
  • Numerous webui fixes and enhancements (warnings shown when using DNSFilter or custom DHCP DNS, presets rendering on Firefox, and a few other fixes)
  • Fixes for DNSSEC interaction with dnsmasq
  • Fixes for IPv6 DOT servers

The commit log since alpha 2:
Code:
29af573d44 rc: fix dot with dns_local coexistance
ef28fd4b6a Bump revision to alpha 3
cc7e0d278b httpd: fix potential buffer overrun in alloc_string() (backport from 384_45708)
c00f19e19f webui: restart dnsmasq if user changes any related settings on the WAN page
2c4d4e93ad libvpn: remove unused code in reset_ovpn_setting()
5d5b9d617d webui: do not restart router's time service when issuing a WoL request
41ba8262dc webui: fix layout issue caused by long SANs on DDNS page
a23576df16 webui: enhancements to DNSPrivacy content
7044c273c8 rc: fix ipv6 dot servers validation
43c891cb5e rc: fix dot+dnssec startup & proxying
72f61e1067 webui: do not attempt to apply values if selecting the "Please select" entry in the DoT presets dropdown
33ca4ab60d webui: fix optgroup rendering in Firefox

Please retest things surrounding DoT.
 
We point them at the code, make our case for it, and hope they a) like it, b) feel it fits within their plans, and c) decide to go for it.

I did it in the past with the IPv6 firewall implementation. I pitched a case about them integrating it upstream after I implemented it in my firmware, and they decided to go with it. They also sometimes pick up parts of my code on their own - the initial OpenVPN support in Asuswrt came from my firmware. They rewrote most of it with 382_xxxx, but a lot of the server webui code is still from that original design.

Wow! Do they at least pay you an honorarium for all your work in making Asus's product great?
 
The new beta 3 IPv6 runs solely by itself (I confirmed by testing with only IPv6 and IPv6 resolvers). Note it takes a few moments to take effect.
Has anybody confirmed the DNSSEC features that were modified?
 
The new beta 3 IPv6 runs solely by itself (I confirmed by testing with only IPv6 and IPv6 resolvers). Note it takes a few moments to take effect.
Has anybody confirmed the DNSSEC features that were modified?

DNSSEC doesn’t break my WAN connection now! :)
 
I can confirm network reboots with DNSSEC enabled
 
Alright, I went to https://nil.uniza.sk/how-install-dig-dns-tool-windows-7 and installed dig on my system to test if DNSSEC was actually working since those test sites seem to just test the DNS resolver you are using and what it supports.

With DNS-over-TLS and DNSSEC enabled, it breaks https://1.1.1.1/help/, where it says No everywhere. So, is it actually using both at that time and the test just can't tell, since DNSSEC by itself does not encrypt anything?

Well, looking at Netstat on the router, it has:
Code:
tcp        0      0 (ip):41519     1.1.1.1:853             ESTABLISHED 4417/stubby

So, it looks like it is still doing DNS over TLS.
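
Added example, not part of any post in this thread: the dig and netstat checks discussed in the posts above, written as shell functions that read captured output. The sample dig headers and netstat lines, the 192.0.2.x addresses and the ROUTER_IP / SIGNED_NAME / BROKEN_NAME placeholders are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; all sample output below is constructed, not from the thread.

# dig_status OUTPUT: print the response code from dig's header line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_ad OUTPUT: succeed if the AD (Authenticated Data) flag is set.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# dnssec_verdict GOOD BAD
#   GOOD: dig +dnssec output for a correctly signed name
#   BAD:  dig output for a name whose signature is deliberately broken
dnssec_verdict() {
    good_rc=$(dig_status "$1")
    bad_rc=$(dig_status "$2")
    if [ "$good_rc" = NOERROR ] && dig_has_ad "$1" && [ "$bad_rc" = SERVFAIL ]; then
        echo validating          # signed name authenticated, broken name refused
    elif [ "$good_rc" = NOERROR ] && [ "$bad_rc" = NOERROR ]; then
        echo not-validating      # broken signature was served anyway
    else
        echo inconclusive
    fi
}

# dot_sessions NETSTAT: count ESTABLISHED TCP sessions to port 853 owned by stubby.
dot_sessions() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $5 ~ /:853$/ &&
        $6 == "ESTABLISHED" && $7 ~ /\/stubby$/ { n++ } END { print n + 0 }'
}

# Constructed samples (header and flags lines only).
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NETSTAT='tcp   0   0 192.0.2.10:41519   1.1.1.1:853     ESTABLISHED 4417/stubby
tcp   0   0 192.0.2.10:50022   192.0.2.1:443   ESTABLISHED 1201/httpd'

# Live use from a client (placeholders, not real names):
#   dnssec_verdict "$(dig +dnssec @ROUTER_IP SIGNED_NAME)" "$(dig @ROUTER_IP BROKEN_NAME)"
# On the router: dot_sessions "$(netstat -tnp)"
```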
 
Alright, I went to https://nil.uniza.sk/how-install-dig-dns-tool-windows-7 and installed dig on my system to test if DNSSEC was actually working since those test sites seem to just test the DNS resolver you are using and what it supports.

With DNS-over-TLS and DNSSEC enabled, it breaks https://1.1.1.1/help/, where it says No everywhere. So, is it actually using both at that time and the test just can't tell, since DNSSEC by itself does not encrypt anything?
It is actually doing double work; in fact, it is testing what the server has already tested (just assuming you are using a DNSSEC-enabled server) -- this is a good feature though, just in case someone hijacks the server you are using and sends you fake signed
 
Code:
a23576df16 webui: enhancements to DNSPrivacy content
This is very nice and will help many people I think who may test/trial DoT in the future. Would be useful to have a similar warning/note on the LAN>DHCP page if a DNS Server is added and/or not blank.
 
Updating from 384.10_2 to 384.11_alpha3 went really smoothly, and I did a complete uninstall of dnscrypt-proxy. I enabled DNS Privacy Protocol (DoT) and set CF servers to test it out, did a reboot, and all looked good. I did a test without DNSSEC and did a check on https://cloudflare-dns.com/help/, all well.
But then I noticed Diversion was no longer working. I tried to enable it but got stuck on restarting dnsmasq, did another reboot, went in through amtm and Diversion enabled it again, but now it said enabled(unmounted). I tried to reinstall Diversion and did another reboot, same thing.
I disabled firmware DoT and reinstalled DNSCrypt-proxy, and now Diversion works again.
DNS-Filter set to Global Filter Mode: Router

edit:
Maybe missed something.. Not the best day to try out new things (Been hunting Wild boar all night)
 
@RMerlin GPL 384.5951 for Ax88u has been released and has a few interesting fixes, like for the network map related and IPTV VLAN issues... any chance to merge it in the coming .11? :)

Thanks!
 
@RMerlin GPL 384.5951 for Ax88u has been released and has a few interesting fixes, like for the network map related and IPTV VLAN issues... any chance to merge it in the coming .11? :)

Thanks!

From Changelog:
- UPDATED: RT-AX88U to 384_5951 GPL.
 