[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[djrm]

From Changelog:
- UPDATED: RT-AX88U to 384_5951 GPL.

Oh! thanks @Zastoff I didn't see it (obviously)

good

 

[Xentrk]

You can also use the package "drill" to test DNSSEC using the -D parameter. You need to look at the line with the ;;flags: qr rd ra ad ...

If the command returns the "ad" flag, then DNSSEC is working:

# drill -D x3mtek.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12543
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; x3mtek.com.  IN      A

;; ANSWER SECTION:
x3mtek.com.     300     IN      A       104.27.172.243
x3mtek.com.     300     IN      A       104.27.173.243
x3mtek.com.     300     IN      RRSIG   A 13 2 300 20190418130227 20190416110227 34505 x3mtek.com. qvhw2g1b9YrdhvNzmJ98rCBkmFCxYpneX4wtMwXqgFNnHqfYFnCeb73uWDc3tSjsCJAsY4DF52mJhaRfiCec/w==

<snip>

 

[Xentrk]

Also, here is an example of the DNSSEC plugin available in Firefox:

Green color means that DNSSEC is enabled on the website. Red color means the website does not support DNSSEC. You may be surprised at how many websites don't support DNSSEC.

 

[Swistheater]

Great job Rmerlin and theMiron on the new alpha fixes. Reporting everything running as should or as expected. Do you plan on including the option to be able to choose to use the GetDNS features kind of like john did on his fork?

 

[dave14305]

Loaded alpha 3 and everything is looking good, including the Firefox dropdown groupings. And perhaps @themiron gave into my whining about resolv.conf for alpha3.

I'm bucking the SNB mainstream by configuring DoT with Quad9 (and manually adding it's secondary 149.112.112.112), to see how it performs. I used to use OpenDNS to keep kids honest on the Net, but I'll settle for malware filtering by Quad9 for testing purposes.

I considered CleanBrowsing, but didn't really find a sweet spot with their 3 options and wasn't confident in their infrastructure scale. But it does remind me that since CleanBrowsing is an option in DNSFilter and supports DoT, it would be consistent to include it in the DoT dropdown as well.

 

[Swistheater]

Loaded alpha 3 and everything is looking good, including the Firefox dropdown groupings. And perhaps @themiron gave into my whining about resolv.conf for alpha3.

I'm bucking the SNB mainstream by configuring DoT with Quad9 (and manually adding it's secondary 149.112.112.112), to see how it performs. I used to use OpenDNS to keep kids honest on the Net, but I'll settle for malware filtering by Quad9 for testing purposes.

I considered CleanBrowsing, but didn't really find a sweet spot with their 3 options and wasn't confident in their infrastructure scale. But it does remind me that since CleanBrowsing is an option in DNSFilter and supports DoT, it would be consistent to include it in the DoT dropdown as well.

Good thought process on the clean browsing part they have alot of issues and kinks.

 

[Clark Griswald]

Alpha 3 updated smoothly and no issues with connectivity.
Following the test from @Xentrk (post #189) DNSSEC appears to be working, although Cloudflare still returns:

Connected to 1.1.1.1 No
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center SMF
1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 Yes
2606:4700:4700::1001 Yes

 

[RMerlin]

Alright, I went to https://nil.uniza.sk/how-install-dig-dns-tool-windows-7 and installed dig on my system to test if DNSSEC was actually working since those test sites seem to just test the DNS resolver you are using and what it supports.

With DNS-over-TLS and DNSSEC enabled, then it breaks https://1.1.1.1/help/ where it says No everywhere. So, is it actually using both at that time and the test just can't tell, since DNSSEC by itself does not encrypt anything?

Well, looking at Netstat on the router, it has:

tcp        0      0 (ip):41519     1.1.1.1:853             ESTABLISHED 4417/stubby

So, it looks like it is still doing DNS over TLS.

Best way to tell if DNS over TLS is used is to install tcpdump on the router, then look for traffic going through either port 53 or 853. There shouldn't be any traffic through 53 (unless a client is hardcoded to use its own DNS, in which case DNSFilter could take care of that).

@RMerlin GPL 384.5951 for Ax88u has been released and have few interesting fixes like for the network map related and IPTV VLAN issues... any chance to merge it in the coming .11?

Please keep this thread on topic.

 

[Elmer]

Great news! Thanks for putting effort into this!

(AC88) Tried DNScrypt and had some instability. Stubby was slightly better, but still needed to auto-reboot the modem twice a week. Hoping this code is both secure and a bit more stable. Just loaded it and set it for quad9 primary and secondary (9.9.9.9 & 149.112.112.112). Ran https://dnssec.vs.uni-due.de/dig-sigok (a dnssec validater) and got:

; <<>> DiG 9.7.3 <<>> sigok.verteiltesysteme.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6176
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net. 3600 IN NS ns2.verteiltesysteme.net.
verteiltesysteme.net. 3600 IN NS ns1.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 3600 IN A 134.91.78.139
ns2.verteiltesysteme.net. 3600 IN A 134.91.78.141

;; Query time: 125 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 7 00:32:48 2012
;; MSG SIZE rcvd: 128

and, https://dnssec.vs.uni-due.de/dig-sigfail :

; <<>> DiG 9.7.3 <<>> sigfail.verteiltesysteme.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23131
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sigfail.verteiltesysteme.net. IN A

;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 7 00:32:55 2012
;; MSG SIZE rcvd: 46

Would like to see a test buttom with popup in the UI. It's easy to forget to shift a button or two. Thanks again, hope it goes mainstream with Asus.

 

[rk8531]

Can anybody please suggest me what settings should I enable to use Stubby and bypass my ISP transparent DNS proxy server . Earlier I was using the Stubby script without changing the default DNS server and the script was able to bypass the ISP Proxy server. However, this alpha build isn't able to do that. My router is RT-86U.
If I enable DNS over TLS settings on this alpha build then internet stops. I am a bit confused with so many DNS settings under LAN, WAN and DNS filtering .

Edit- Isn't just enabling the TLS protocol sufficient to bypass the ISP Proxy server? Do I also have to change the DNSSEC settings? And what does this DNS rebound protection do? If I enable it then what would change?

 

[Gar]

Easy update to A3 and DoT/DNSSEC are working. Added Cleanbrowsing data and tests are all ok. Thanks again.

 

[L&LD]

Can anybody please suggest me what settings should I enable to use Stubby and bypass my ISP transparent DNS proxy server . Earlier I was using the Stubby script without changing the default DNS server and the script was able to bypass the ISP Proxy server. However, this alpha build isn't able to do that. My router is RT-86U.
If I enable DNS over TLS settings on this alpha build then internet stops. I am a bit confused with so many DNS settings under LAN, WAN and DNS filtering .

Either disable the router settings or disable Stubby. They won't/can't work together.

 

[rk8531]

Either disable the router settings or disable Stubby. They won't/can't work together.

I beg your pardon but which settings should I disable?

 

[dave14305]

Can anybody please suggest me what settings should I enable to use Stubby and bypass my ISP transparent DNS proxy server . Earlier I was using the Stubby script without changing the default DNS server and the script was able to bypass the ISP Proxy server. However, this alpha build isn't able to do that. My router is RT-86U.
If I enable DNS over TLS settings on this alpha build then internet stops. I am a bit confused with so many DNS settings under LAN, WAN and DNS filtering .

Edit- Isn't just enabling the TLS protocol sufficient to bypass the ISP Proxy server? Do I also have to change the DNSSEC settings? And what does this DNS rebound protection do? If I enable it then what would change?

Did you uninstall the Stubby script before configuring? You may have old workarounds from the script still in place that are interfering. But as long as you are using the same DoT servers as before, there should be no reason to think it wouldn’t continue to work through/around the ISP proxy.

 

[L&LD]

I beg your pardon but which settings should I disable?

I am not testing these features at this time, but I do have the Alpha 3 installed on three of my routers. I know that Stubby is not compatible with this firmware anymore. I have disabled on all three systems and don't have any issues.

Maybe a full reset of the router and leave everything at defaults, followed by a full (clean) install of Stubby will get you back to where you were?

 

[rk8531]

Did you uninstall the Stubby script before configuring? You may have old workarounds from the script still in place that are interfering. But as long as you are using the same DoT servers as before, there should be no reason to think it wouldn’t continue to work through/around the ISP proxy.

I have formatted the usb and started from the scratch. Unmounted USB then formatted it to FAT32. Hard reset the router and then installed the Alpha build 3. Then again hard rest the router after installing the Alpha build. Everything works fine till I enable DNS over TLS.

 

[rk8531]

I am not testing these features at this time, but I do have the Alpha 3 installed on three of my routers. I know that Stubby is not compatible with this firmware anymore. I have disabled on all three systems and don't have any issues.

Maybe a full reset of the router and leave everything at defaults, followed by a full (clean) install of Stubby will get you back to where you were?

Unmounted USB and formatted it to FAT32, then hard reset the router before installing the Alpha build. Again hard reset the router after the Alpha build was installed. Internet works only till I enable DOT.

 

[dave14305]

I have formatted the usb and started from the scratch. Unmounted USB then formatted it to FAT32. Hard reset the router and then installed the Alpha build 3. Then again hard rest the router after installing the Alpha build. Everything works fine till I enable DNS over TLS.

Did the jffs get erased? Most of the old customizations will be in /jffs/configs/dnsmasq.conf.add.

 

[owine]

Beta 3 dirty flash successful on AC3100.

IPv6 servers are now populating in stubby.yml.

I have DNSFilter Global mode set to Router and no ntp pool entries in dnsmasq.conf.add and had no issues with connectivity on startup. Clearly the router starts up with the default hardware time but then is able to sync ntp per the logs.

 

[rk8531]

Did the jffs get erased? Most of the old customizations will be in /jffs/configs/dnsmasq.conf.add.

Hard reset doesn't erase the jffs?