[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[rk8531]

One more question. Can I use both Google and cloudflare as DNS resolvers for DOT or should I stick with only one resolver?

 

[Swistheater]

Can anybody please suggest me what settings should I enable to use Stubby and bypass my ISP transparent DNS proxy server . Earlier I was using the Stubby script without changing the default DNS server and the script was able to bypass the ISP Proxy server. However, this alpha build isn't able to do that. My router is RT-86U.
If I enable DNS over TLS settings on this alpha build then internet stops. I am a bit confused with so many DNS settings under LAN, WAN and DNS filtering .

Edit- Isn't just enabling the TLS protocol sufficient to bypass the ISP Proxy server? Do I also have to change the DNSSEC settings? And what does this DNS rebound protection do? If I enable it then what would change?

You need to add resolvers to the list of resolvers before hitting apply otherwise you will.have no internet

 

[L&LD]

Unmounted USB and formatted it to FAT32, then hard reset the router before installing the Alpha build. Again hard reset the router after the Alpha build was installed. Internet works only till I enable DOT.

Your steps are not complete or clear.

I would suggest the following:

• Unmount and remove the USB drive and format it using a computer to NTFS.
• Do not insert it into the router yet.
• Using the GUI, do a full reset to factory defaults including checking the box that says 'initialize all settings'.
• After it reboots, do not change any settings in the WAN section except to get connected to your ISP, if any are required.
• Enable SSH in the router. Enable jffs scripts. Change the USB mode to USB 2.0. Reboot the router and wait for 10 minutes after it has booted up.
• Install amtm on the jffs partition.
• Insert the USB drive.
• Using the amtm 'fd' command, format the USB drive to Ext4 with journaling and make sure to Label the drive too. The router will reboot.
• Enable the disk checker utility in amtm with the 'dc' command.
• Create a swap file on the drive using amtm with the 'sw' command.
• Install Stubby using amtm.

At this point, you should have a working set up.

 

[dave14305]

Your steps are not complete or clear.

I would suggest the following:

• Unmount and remove the USB drive and format it using a computer to NTFS.
• Do not insert it into the router yet.
• Using the GUI, do a full reset to factory defaults including checking the box that says 'initialize all settings'.
• After it reboots, do not change any settings in the WAN section except to get connected to your ISP, if any are required.
• Enable SSH in the router. Enable jffs scripts. Change the USB mode to USB 2.0. Reboot the router and wait for 10 minutes after it has booted up.
• Install amtm on the jffs partition.
• Insert the USB drive.
• Using the amtm 'fd' command, format the USB drive to Ext4 with journaling and make sure to Label the drive too. The router will reboot.
• Enable the disk checker utility in amtm with the 'dc' command.
• Create a swap file on the drive using amtm with the 'sw' command.
• Install Stubby using amtm.

At this point, you should have a working set up.

Except don’t install Stubby since this is the alpha thread.

 

[Swistheater]

Those generic instructions work for everything dave .

 

[L&LD]

Except don’t install Stubby since this is the alpha thread.

Yes, normally, yes.

But he can't get what he requires from this Alpha yet. Maybe without messing with the new knobs and dials, and using what he's comfortable with, he can.

 

[djrm]

All tests using DOT and DNSSEC working great for me with Alpha 3 on AX88u
Web UI looks great as well and IMO COT config really easy to set for any user.

 

[dave14305]

I have formatted the usb and started from the scratch. Unmounted USB then formatted it to FAT32. Hard reset the router and then installed the Alpha build 3. Then again hard rest the router after installing the Alpha build. Everything works fine till I enable DNS over TLS.

Post a shot of your WAN page. Alpha 3 includes an update that has stubby use the WAN dns as the initial resolver, so if your WAN DNS settings aren’t valid before enabling DoT, that could be an issue. If you’re just using your ISP DNS automatically maybe it’s unpredictable how it will behave, since they’re using a transparent proxy.

 

[RMerlin]

One more question. Can I use both Google and cloudflare as DNS resolvers for DOT or should I stick with only one resolver?

You can, as long you keep in mind that they may all be used. So if you add a specific server for its filtering capabilities (like AdGuard), then only queries using that specific server will benefit from it.

But if you just want redundancy, you can add up to 8 servers without any problem (probably a bit less if on an RT-AC86U or RT-AX88U due to nvram size limitations).

 

[dave14305]

You need to add resolvers to the list of resolvers before hitting apply otherwise you will.have no internet

I was surprised I was able to apply with DNS Privacy enabled, but no resolvers in the table. I would consider that an alpha bug safety feature not yet implemented?

it wrote an incomplete config:

# cat /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
tls_ca_file: "/etc/ssl/certs/ca-certificates.crt"
appdata_dir: "/var/lib/misc"
resolvconf: "/tmp/resolv.conf"
edns_client_subnet_private: 1
dnssec_return_status: GETDNS_EXTENSION_TRUE
round_robin_upstreams: 1
idle_timeout: 9000
tls_connection_retries: 2
tls_backoff_time: 900
timeout: 3000
listen_addresses:
  - 127.0.1.1@53
upstream_recursive_servers:

 

[Swistheater]

I was surprised I was able to apply with DNS Privacy enabled, but no resolvers in the table. I would consider that an alpha bug?

it wrote an incomplete config:

# cat /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
tls_ca_file: "/etc/ssl/certs/ca-certificates.crt"
appdata_dir: "/var/lib/misc"
resolvconf: "/tmp/resolv.conf"
edns_client_subnet_private: 1
dnssec_return_status: GETDNS_EXTENSION_TRUE
round_robin_upstreams: 1
idle_timeout: 9000
tls_connection_retries: 2
tls_backoff_time: 900
timeout: 3000
listen_addresses:
  - 127.0.1.1@53
upstream_recursive_servers:

Yes and I believe it will cause you to lose connection. I thought of this because there is no pre configured servers like the stubby install script here has with cloudflare.

 

[Swistheater]

I imagine some people install the stubby script without ever touching stubby.yml.

 

[rk8531]

You can, as long you keep in mind that they may all be used. So if you add a specific server for its filtering capabilities (like AdGuard), then only queries using that specific server will benefit from it.

But if you just want redundancy, you can add up to 8 servers without any problem (probably a bit less if on an RT-AC86U or RT-AX88U due to nvram size limitations).

As stated earlier in other post, my ISP is using transparent ISP proxy server and in order to bypass that i was using the stubby script via AMTM terminal. Now, with this Alpha build i aspire to achieve the same thing (i.e. bypassing my ISP transparent proxy server) and route all the traffic to either Cloudflare or Google DNS because the DNS which my ISP uses gives poor pings while gaming.

So, once again i installed the Alpha 3 firmware on my RT-86U router and this time i configured it properly by following the L&D's guide.

Now, i am using all the default DNS settings along with the DOT protocol enabled for cloudflare DNS. The good thing with this build is that i am able to bypass the ISP transparent proxy server without using any other script.
However, every time i reboot the router the DOT protocol stops working (though it remains enabled in web ui) but instead of the cloudflare's DNS my ISP's DNS shows on https://www.dnsleaktest.com/

So. in order to bypass the ISP proxy after every reboot of the router, i have to manually disable and then re-enable the DOT setting in the router's Web UI.

 

[Swistheater]

As stated earlier in other post, my ISP is using transparent ISP proxy server and in order to bypass that i was using the stubby script via AMTM terminal. Now, with this Alpha build i aspire to achieve the same thing (i.e. bypassing my ISP transparent proxy server) and route all the traffic to either Cloudflare or Google DNS because the DNS which my ISP uses gives poor pings while gaming.

So, once again i installed the Alpha 3 firmware on my RT-86U router and this time i configured it properly by following the L&D's guide.

Now, i am using all the default DNS settings along with the DOT protocol enabled for cloudflare DNS. The good thing with this build is that i am able to bypass the ISP transparent proxy server without using any other script.
However, every time i reboot the router the DOT protocol stops working (though it remains enabled in web ui) but instead of the cloudflare's DNS my ISP's DNS shows on https://www.dnsleaktest.com/

So. in order to bypass the ISP proxy after every reboot of the router, i have to manually disable and then re-enable the DOT setting in the router's Web UI.

Well it is good you are coming out with this now maybe they can include a fix in the alpha for such a situation.

 

[Swistheater]

As stated earlier in other post, my ISP is using transparent ISP proxy server and in order to bypass that i was using the stubby script via AMTM terminal. Now, with this Alpha build i aspire to achieve the same thing (i.e. bypassing my ISP transparent proxy server) and route all the traffic to either Cloudflare or Google DNS because the DNS which my ISP uses gives poor pings while gaming.

So, once again i installed the Alpha 3 firmware on my RT-86U router and this time i configured it properly by following the L&D's guide.

Now, i am using all the default DNS settings along with the DOT protocol enabled for cloudflare DNS. The good thing with this build is that i am able to bypass the ISP transparent proxy server without using any other script.
However, every time i reboot the router the DOT protocol stops working (though it remains enabled in web ui) but instead of the cloudflare's DNS my ISP's DNS shows on https://www.dnsleaktest.com/

So. in order to bypass the ISP proxy after every reboot of the router, i have to manually disable and then re-enable the DOT setting in the router's Web UI.

Maybe try turning on DNS FILTER mode and Choose global option to be router. Then reboot your router. see if your back to your ISP DNS or if you are using Cloudflare.

 

[rk8531]

Maybe try turning on DNS FILTER mode and Choose global option to be router. Then reboot your router. see if your back to your ISP DNS or if you are using Cloudflare.

i just tried the same thing and it works
thanks bro! for your help.

 

[Swistheater]

i just tried the same thing and it works
thanks bro! for your help.

I Figured it would break the transparent proxy. The cool thing about the DNS filter is let's say you have a device that is required to use the transparent proxy you can always add that device by its mac address and turn on No -filter for it individually.

 

[MarkRH]

Also, here is an example of the DNSSEC plugin available in Firefox:

View attachment 17085

Green color means that DNSSEC is enabled on the website. Red color means the website does not support DNSSEC. You may be surprised at how many websites don't support DNSSEC.

Yeah, according to https://scoreboard.verisignlabs.com/ only like 1% of domains support DNSSEC. They also have a domain tester at https://dnssec-debugger.verisignlabs.com/ . So, for 99% of the sites out there, DNSSEC is more or less useless it would seem. It's not even enabled at google.com. I did find out I could enable it on my sites at my webhost.

 

[Swistheater]

it is an extra security blanket, that can be weaponized if you have it, but are not verifying it.

 

[Jack Yaz]

NTP server working as intended.
View attachment 17088

But do you have graphs of the accuracy? ;-)


https://www.snbforums.com/threads/ntpmerlin-installer-for-kvic-ntp-daemon.55756