Swistheater
Very Senior Member
I did notice I received a lot of errors running the two together
[Preview] Asuswrt-Merlin 384.11 with DNS over TLS
- Thread starter RMerlin
- Start date
- Status
dave14305
Part of the Furniture
It's added if you enable DNSSEC on the router. Are you asking for it to be included even if DNSSEC is off on the router?
Swistheater
Very Senior Member
It turns out it is even adding the proper dnssec extension to the stubby.yml file too. Just confirmed.
It already is... Just enable DNSSEC on the webui.
stubby.postconf will be the place to do it.
When I use "AdGuard" (any) I get random "page not found" type messages. Everything else like Google or Cloudfare for example is Ok.
Merlin, could we please have SafeDNS added (these do DNS over TLS + Content filtering) - this seems to be closest to OpenDNS (as OpenDNS don't do safe browsing in search engines or DNSSec or DNS over TLS). Also Cleanbrowsing do DNS over TLS but their filtering does adult+malicious+ads+safe search but doesn't allow blocking of dating web sites for example.
Also I was initially confused over how the section in WAN related to the DNS Filter section. In DNS Filter, you can set providers and then exclude for certain computers. With the section in WAN, it was assumed to apply to anything. Also getting DNS automatically - shouldn't this be greyed out if the option for DNS over TLS is then chosen?
Merlin, could we please have SafeDNS added (these do DNS over TLS + Content filtering) - this seems to be closest to OpenDNS (as OpenDNS don't do safe browsing in search engines or DNSSec or DNS over TLS). Also Cleanbrowsing do DNS over TLS but their filtering does adult+malicious+ads+safe search but doesn't allow blocking of dating web sites for example.
Also I was initially confused over how the section in WAN related to the DNS Filter section. In DNS Filter, you can set providers and then exclude for certain computers. With the section in WAN, it was assumed to apply to anything. Also getting DNS automatically - shouldn't this be greyed out if the option for DNS over TLS is then chosen?
All stubby does is point at their servers. If they randomly fail to resolve things, that's outside the scope of the router.
I don't want to fill up the preset dropdown with 40+ presets which will have to be updated every few months as old services disappear and new one appears. I chose to go with a subset of the most popular ones - the webui is open enough for anyone to easily enter their preferred services instead.
DNSFilter is unrelated to DNS Privacy - two completely different features.
No, because until Stubby comes up, you still need the WAN servers, for example to setup the router's clock, or to act as fallback.
Ah rats! DNSSEC was not enabled
When I did enable it Q9 would not resolve. Switched to CF, rebooted, works now!Guess I need to concentrate on one thing at a time. Was also working on Windows Insider build 1903 which failed on my test PC. Back to Ubuntu...
Sent from my SM-T380 using Tapatalk
john9527
Part of the Furniture
By my understanding, proxy-dnssec should only be included if stubby is doing the dnssec validation (dnssec in stubby.yml) or dnssec is not set in either dnsmasq or stubby (the upstream stubby server is doing the validation). If dnsmasq is doing the dnssec validation, proxy-dnssec should not be specified.
unrelated. I've checked cf with more reliable tools like dig.
isn't "dnssec" too strict? unlike "dnssec_return_status" it'll drop all the GETDNS_DNSSEC_INTERMEDIATE replies.
Swistheater
Very Senior Member
So are you on the fence does it need to be turned on or off? I notice CF does do dnssec, but the router is the only thing that can mark the AD flag on the dig and drill test.
Swistheater
Very Senior Member
So i have noticed something inside the Stubby.yml file
stubby -i | grep -i dnssec
Code:
[15:57:31.853532] STUBBY: Read config from file /etc/stubby/stubby.yml
"dnssec": GETDNS_EXTENSION_FALSE,
"dnssec_allowed_skew": 0,
"dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
"dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
"dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
"dnssec_return_status": GETDNS_EXTENSION_TRUE,
"dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
"trust_anchors_verify_email": <bindata of "[email protected]">,would one still want to have validate unsigned DNSSEC replies turned on inside the the GUI as well... Wouldn't that be over kill?
john9527
Part of the Furniture
The sub-options are only active if the first plain "dnssec" option is turned on (TRUE)
Swistheater
Very Senior Member
that is interesting how does dig and drill test come back with the AD flag, if this is not true as far as the main Dnssec option up top.
proxy-dnssec is turned on in dnsmasq.conf and "dnssec_return_status": GETDNS_EXTENSION_TRUE is on inside stubby.yml
EmeraldDeer
Very Senior Member
My guess is:
Choose one and only one:
- DNSSEC proxy by dnsmasq set by proxy-dnssec in /etc/dnsmasq.conf
- or
- DNSSEC direct by dnsmasq set by Merlin GUI LAN > DHCP Server > Enable DNSSEC support
- or
- DNSSEC direct by stubby set by dnssec: GETDNS_EXTENSION_TRUE and dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE in stubby.yml
Swistheater
Very Senior Member
To me this would seem the correct approach that you listed above... but the new firmware alpha is
using DNSSEC Proxy in dnsmasq when you enable the gui on merlin----- and it is also placing dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE in stubby.yml ----- this is not really giving you a choice on which approach to use.
and no where in any of this process does it turn on dnssec: GETDNS_EXTENSION_TRUE
john9527
Part of the Furniture
Is the gui dnssec option turned off?
Swistheater
Very Senior Member
no it is turned on. and once it is turned on
dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE gets populated inside stubby.yml
and DNSSEC Proxy gets placed inside DNSMASQ.conf
dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE gets populated inside stubby.yml
and DNSSEC Proxy gets placed inside DNSMASQ.conf
Swistheater
Very Senior Member
So I took the high road on this one and turned all DNSSEC off in the GUI and just added
proxy-dnssec to the dnsmasq.conf.add file all dig and drill test come back proper and the Cloudflare test comes back good.
proxy-dnssec to the dnsmasq.conf.add file all dig and drill test come back proper and the Cloudflare test comes back good.
Swistheater
Very Senior Member
I see why you place three DNSSEC options inside your GUI instead of just the one.
- Status
Similar threads
Similar threads
Similar threads
-
-
Does minidlna get installed by default (asuswrt-merlin 3006.102.5)
- Started by chrisisbd
- Replies: 2
-
-
-
Throughput/bandwidth of asuswrt-merlin supported routers
- Started by chrisisbd
- Replies: 18
-
Is changing Iptables in Asuswrt-Merlin considered acceptable network management practice?
- Started by CornfieldWin
- Replies: 11
-
-
Looking for advice: Would I benefit from installing Asuswrt-Merlin on my setup?
- Started by Jarenback
- Replies: 4
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!