[Preview] Asuswrt-Merlin 384.11 with DNS over TLS
- Thread starter RMerlin
- Start date
- Status
joe scian
Very Senior Member
That site works fine with cloudfare and stubby as well - with DNSSEC configured in stubby
bbunge
Part of the Furniture
That site does not check your DNSSEC. It checks your configured upstream resolvers aka your DNS servers. You need to use Dig to check your DNSSEC. Plenty of discussion on this in the Stubby thread.
Sent from my SM-T380 using Tapatalk
New test builds have been uploaded. Changes since alpha 2:
The commit log since alpha 2:
Please retest things surrounding DoT.
- Fixed DNSSEC not getting enabled/disabled without manually restarting dnsmasq
- Numerous webui fixes and enhancements (warnings shown when using DNSFilter or custom DHCP DNS, presets rendering on Firefox, and a few other fixes)
- Fixes for DNSSEC interaction with dnsmasq
- Fixes for IPv6 DOT servers
The commit log since alpha 2:
Code:
29af573d44 rc: fix dot with dns_local coexistance
ef28fd4b6a Bump revision to alpha 3
cc7e0d278b httpd: fix potential buffer overrun in alloc_string() (backport from 384_45708)
c00f19e19f webui: restart dnsmasq if user changes any related settings on the WAN page
2c4d4e93ad libvpn: remove unused code in reset_ovpn_setting()
5d5b9d617d webui: do not restart router's time service when issuing a WoL request
41ba8262dc webui: fix layout issue caused by long SANs on DDNS page
a23576df16 webui: enhancements to DNSPrivacy content
7044c273c8 rc: fix ipv6 dot servers validation
43c891cb5e rc: fix dot+dnssec startup & proxying
72f61e1067 webui: do not attempt to apply values if selecting the "Please select" entry in the DoT presets dropdown
33ca4ab60d webui: fix optgroup rendering in FirefoxPlease retest things surrounding DoT.
Yes.
mirage221
New Around Here
Wow! do they at least pay you an honorarium for all your work in making Asus's product great?
Xentrk
Part of the Furniture
Here are the DNSSEC Test Site links for those testing it with DoT
For Firefox users, there is a DNSSEC detector plugin you can install what will tell you if the site supports DNSSEC.
For Firefox users, there is a DNSSEC detector plugin you can install what will tell you if the site supports DNSSEC.
Last edited:
Swistheater
Very Senior Member
Swistheater
Very Senior Member
The new beta 3 ipv6 runs solely by itself --I confirmed testing with only ipv6 and ipv6 resolvers--- note it takes a few moments to take effect.
Has anybody confirmed the DNSSEC features that were modified?
Has anybody confirmed the DNSSEC features that were modified?
Treadler
Very Senior Member
Swistheater
Very Senior Member
i can confirm network reboots with dnssec enabled
MarkRH
Senior Member
Alright, I went to https://nil.uniza.sk/how-install-dig-dns-tool-windows-7 and installed dig on my system to test if DNSSEC was actually working since those test sites seem to just test the DNS resolver you are using and what it supports.
With DNS-over-TLS and DNSSEC enabled, then it breaks https://1.1.1.1/help/ where it says No everywhere. So, is it actually using both at that time and the test just can't tell, since DNSSEC by itself does not encrypt anything?
Well, looking at Netstat on the router, it has:
So, it looks like it is still doing DNS over TLS.
With DNS-over-TLS and DNSSEC enabled, then it breaks https://1.1.1.1/help/ where it says No everywhere. So, is it actually using both at that time and the test just can't tell, since DNSSEC by itself does not encrypt anything?
Well, looking at Netstat on the router, it has:
Code:
tcp 0 0 (ip):41519 1.1.1.1:853 ESTABLISHED 4417/stubbySo, it looks like it is still doing DNS over TLS.
Last edited:
Swistheater
Very Senior Member
it is actually doing double work in fact it is testing what the server has already tested ( just assuming you are using dnssec enabled server) -- this is a good feature though just incase someone highjacks the server you are using and sends you fake signed
Skeptical.me
Very Senior Member
This is very nice and will help many people I think who may test/trial DoT in the future. Would be useful to have a similar warning/note on the LAN>DHCP page if a DNS Server is added and/or not blank.
Zastoff
Very Senior Member
Updated from 384.10_2 to 384.11_alpha3 went really smooth and did a complete uninstall on dnscrypt-proxy, Enabled DNS Privacy Protocol (DoT) and set CF servers to test it out, Did a reboot and all looking good, Did a test without DNSSec and did a check on https://cloudflare-dns.com/help/ all well
But then i noticed Diversion no longer working tried to enable but got stuck on restarting dnsmasq did a another reboot went in thru amtm and Diversion enabled it again but now it said enabled(unmounted) tried to reinstall Diversion and another reboot same thing.
Disabled firmware DoT and Reinstalled DNSCrypt-proxy and now Diversion works again
DNS-Filter set to Global Filter Mode: Router
edit:
Maybe missed something.. Not the best day to try out new things (Been hunting Wild boar all night)
But then i noticed Diversion no longer working tried to enable but got stuck on restarting dnsmasq did a another reboot went in thru amtm and Diversion enabled it again but now it said enabled(unmounted) tried to reinstall Diversion and another reboot same thing.
Disabled firmware DoT and Reinstalled DNSCrypt-proxy and now Diversion works again
DNS-Filter set to Global Filter Mode: Router
edit:
Maybe missed something.. Not the best day to try out new things (Been hunting Wild boar all night)
Last edited:
- Status
Similar threads
Similar threads
Similar threads
-
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices- Started by RMerlin
- Replies: 51
-
Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14
- Started by B0GDAN
- Replies: 1
-
Several Questions Re:Asuswrt-Merlin Feature Implementation
- Started by fenixreign
- Replies: 2
-
-
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 70
-
-
-
-
-