[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[jasonho]

I set dns over tls (dot) on and dnssec on my AC86U, I test and found dnssec is enabled with direct Wi-Fi connected to router ac86u, but when connect outside with lte and openvpn, dnssec is not enabled. why and to set mobile device outside home to have dnssec enable with openvpn.
Thanks!!

 

[Billy Chaney]

When I set DoT with IPv4 and IPv6 CF servers I get the following.

This is the config I have. Why can't I get the IPv6 servers to show up?

 

[Swistheater]

When I set DoT with IPv4 and IPv6 CF servers I get the following.

View attachment 17111

This is the config I have. Why can't I get the IPv6 servers to show up?

View attachment 17112

check the system logs page -------the IPV6 tab..... what is your wan ipv6 gateway address?

 

[Billy Chaney]

Thank you for the reply.

 

[Swistheater]

Thank you for the reply.

View attachment 17113

make a wan start script or add to the bottom of existing wan start script without the #!/bin/sh part

#!/bin/sh
echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding

make sure the script is executable and reboot.
see if that fixes the issue.
https://www.snbforums.com/threads/384-11_alpha-builds-testing-all-variants.55958/page-8#post-482491
we discussed similar issue here

 

[thelonelycoder]

@john9527 and @RMerlin can you confirm that this test would return true for Stubby/DoT to be available on latest (john's) or alpha (merlin's) fw and future releases?
First is merlin's equivalent variable:

[ "$(nvram get dnspriv_enable)" ] || [ "$(nvram get stubby_proxy)" ]

 

[Billy Chaney]

make a wan start script or add to the bottom of existing wan start script without the #!/bin/sh part

#!/bin/sh
echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding

make sure the script is executable and reboot.
see if that fixes the issue.
https://www.snbforums.com/threads/384-11_alpha-builds-testing-all-variants.55958/page-8#post-482491
we discussed similar issue here

I'm not an advanced user, what is the command to make wan-start script executable? Thanks for your help. I'll let you know if it works.

 

[Swistheater]

did you make the script or add to the script in /jffs/scripts/wan-start?
if so all you need to do is chmod a+rx /jffs/scripts/wan-start
if you need to make the script and don't already have one you can use

cat << EOF > /jffs/scripts/wan-start
#
#!/bin/sh
echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding
EOF

if you use ls /jffs/scripts/wan-start and notice a wan-start script already there you can use
nano /jffs/scripts/wan-start
and copy and paste

echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding

to the bottom of the script
and use ctrl x and press y enter to save

 

[Billy Chaney]

did you make the script or add to the script in /jffs/scripts/wan-start?
if so all you need to do is chmod a+rx /jffs/scripts/wan-start
if you need to make the script and don't already have one you can use

cat << EOF > /jffs/scripts/wan-start
#
#!/bin/sh
echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding
EOF

if you use ls /jffs/scripts/wan-start and notice a wan-start script already there you can use
nano /jffs/scripts/wan-start
and copy and paste

echo "1" > /proc/sys/net/ipv6/conf/all/accept_ra
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo "0" > /proc/sys/net/ipv6/conf/eth0/forwarding

to the bottom of the script
and use ctrl x and press y enter to save

Yeah, I made the script and that didn't work. I'm still getting nothing in the gateway field.

 

[Swistheater]

Yeah, I made the script and that didn't work. I'm still getting nothing in the gateway field.

Did you reboot router ? If so just try disabling ipv6 and re-enabling. Then reboot

 

[Billy Chaney]

Did you reboot router ? If so just try disabling ipv6 and re-enabling. Then reboot

Yes, and I disabled ipv6 and re-enabled it and rebooted and still no luck.

 

[Swistheater]

Do you have jffs script support enabled on the administration page?
Make sure it is enabled if it isnt then the wanstart script isnt executing. If it is then maybe you have to flash back to older 384.10_2 until they fix the ipv6 issue of the rtax88.

 

[Billy Chaney]

Do you have jffs script support enabled on the administration page?

Yes I do. My ISP doesn't have ipv6 but my VPN service does. Does this make a difference?

 

[Swistheater]

Yes that is why you are having issues then. Idk how you would go about using it then. You would have to consult someone with more vpn knowledge than I. I know you can turn on 6to4 feature instead of native but this naturally sucks bc it isnt true ipv6 it is ipv4 covered in ipv6 in attempt to resolve ipv6 internet and runs slow.

 

[Billy Chaney]

Yes that is why you are having issues then. Idk how you would go about using it then. You would have to consult someone with more vpn knowledge than I. I know you can turn on 6to4 feature instead of native but this naturally sucks bc it isnt true ipv6 it is ipv4 covered in ipv6 in attempt to resolve ipv6 internet and runs slow.

Well I guess I'll have to stick with ipv4 then. I appreciate your efforts.

 

[Zastoff]

Can confirm that DNS Privacy Protocol(DoT) is Working with Cleanbrowsing-Security Servers with DNSSec
Tried the Stubby -l command(Ctrl+c to stop output) and it looks good from what i can see

Apr 19 13:35:06 stubby[12867]: DNSSEC Validation is ON
Apr 19 13:35:06 stubby[12867]: Transport list is:
Apr 19 13:35:06 stubby[12867]:   - TLS
Apr 19 13:35:06 stubby[12867]: Privacy Usage Profile is Strict (Authentication required)
Apr 19 13:35:06 stubby[12867]: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
Apr 19 13:35:17 stubby[12867]: 185.228.168.9                            : Upstream   : TLS - Resps=     4, Timeouts  =     0, Best_auth =Success
Apr 19 13:35:17 stubby[12867]: 185.228.168.9                            : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      1, Backoffs     =     0
Apr 19 13:35:17 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Resps=     3, Timeouts  =     0, Best_auth =Success
Apr 19 13:35:17 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      1, Backoffs     =     0
Apr 19 13:35:47 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Resps=     7, Timeouts  =     0, Best_auth =Success
Apr 19 13:35:47 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Conns=     2, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0

But already miss the info in syslog that DNSCrypt gave

Spoiler: DNSCrypt Startup

Apr 17 11:31:45 dnscrypt-proxy[11175]: Source [public-resolvers.md] loaded
Apr 17 11:31:45 dnscrypt-proxy[11175]: dnscrypt-proxy 2.0.22
Apr 17 11:31:45 dnscrypt-proxy[11175]: Dropping privileges
Apr 17 11:31:45 dnscrypt-proxy[11175]: Source [public-resolvers.md] loaded
Apr 17 11:31:45 dnscrypt-proxy[11175]: dnscrypt-proxy 2.0.22
Apr 17 11:31:45 dnscrypt-proxy[11175]: Now listening to 127.0.0.1:65053 [UDP]
Apr 17 11:31:45 dnscrypt-proxy[11175]: Now listening to 127.0.0.1:65053 [TCP]
Apr 17 11:31:45 dnscrypt-proxy[11175]: [dnscrypt.eu-dk] OK (crypto v2) - rtt: 7ms
Apr 17 11:31:45 dnscrypt-proxy[11175]: [dnscrypt.nl-ns0] OK (crypto v2) - rtt: 22ms
Apr 17 11:31:45 dnscrypt-proxy[11175]: [dnscrypt.uk-ipv4] OK (crypto v2) - rtt: 37ms
Apr 17 11:31:45 dnscrypt-proxy[11175]: Server with the lowest initial latency: dnscrypt.eu-dk (rtt: 7ms)
Apr 17 11:31:45 dnscrypt-proxy[11175]: dnscrypt-proxy is ready - live servers: 3

Spoiler: DNSCrypt every 4 hours

Apr 18 03:23:05 dnscrypt-proxy[213]: Server with the lowest initial latency: dnscrypt.eu-dk (rtt: 6ms)
Apr 18 07:23:05 dnscrypt-proxy[213]: Server with the lowest initial latency: dnscrypt.eu-dk (rtt: 6ms)

But will try it out

 

[john9527]

@john9527 and @RMerlin can you confirm that this test would return true for Stubby/DoT to be available on latest (john's) or alpha (merlin's) fw and future releases?
First is merlin's equivalent variable:

[ "$(nvram get dnspriv_enable)" ] || [ "$(nvram get stubby_proxy)" ]

Correct....stubby_proxy set to 1 means DoT is active for my fork.

Thanks for keeping my fork in mind as you come up with new scripts!

 

[thelonelycoder]

Correct....stubby_proxy set to 1 means DoT is active for my fork.

Thanks for keeping my fork in mind as you come up with new scripts!

Nothing new, just new features for the upcoming amtm 2.0 release.
Forgot to ask, that variable default is stubby_proxy=0 , dnspriv_enable=0 respectively, not empty like 'variable= '?
Is that also correct?

 

[EmeraldDeer]

Can confirm that DNS Privacy Protocol(DoT) is Working with Cleanbrowsing-Security Servers with DNSSec
Tried the Stubby -l command(Ctrl+c to stop output) and it looks good from what i can see

Apr 19 13:35:06 stubby[12867]: DNSSEC Validation is ON
Apr 19 13:35:06 stubby[12867]: Transport list is:
Apr 19 13:35:06 stubby[12867]:   - TLS
Apr 19 13:35:06 stubby[12867]: Privacy Usage Profile is Strict (Authentication required)
Apr 19 13:35:06 stubby[12867]: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
Apr 19 13:35:17 stubby[12867]: 185.228.168.9                            : Upstream   : TLS - Resps=     4, Timeouts  =     0, Best_auth =Success
Apr 19 13:35:17 stubby[12867]: 185.228.168.9                            : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      1, Backoffs     =     0
Apr 19 13:35:17 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Resps=     3, Timeouts  =     0, Best_auth =Success
Apr 19 13:35:17 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      1, Backoffs     =     0
Apr 19 13:35:47 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Resps=     7, Timeouts  =     0, Best_auth =Success
Apr 19 13:35:47 stubby[12867]: 185.228.169.9                            : Upstream   : TLS - Conns=     2, Conn_fails=     0, Conn_shuts=      2, Backoffs     =     0

But already miss the info in syslog that DNSCrypt gave

Spoiler: DNSCrypt Startup

Apr 17 11:31:45 dnscrypt-proxy[11175]: Source [public-resolvers.md] loaded
Apr 17 11:31:45 dnscrypt-proxy[11175]: dnscrypt-proxy 2.0.22
Apr 17 11:31:45 dnscrypt-proxy[11175]: Dropping privileges
Apr 17 11:31:45 dnscrypt-proxy[11175]: Source [public-resolvers.md] loaded
Apr 17 11:31:45 dnscrypt-proxy[11175]: dnscrypt-proxy 2.0.22
Apr 17 11:31:45 dnscrypt-proxy[11175]: Now listening to 127.0.0.1:65053 [UDP]
Apr 17 11:31:45 dnscrypt-proxy[11175]: Now listening to 127.0.0.1:65053 [TCP]
Apr 17 11:31:45 dnscrypt-proxy[11175]: [dnscrypt.eu-dk] OK (crypto v2) - rtt: 7ms
Apr 17 11:31:45 dnscrypt-proxy[11175]: [dnscrypt.nl-ns0] OK (crypto v2) - rtt: 22ms
Apr 17 11:31:45 dnscrypt-proxy[11175]: [dnscrypt.uk-ipv4] OK (crypto v2) - rtt: 37ms
Apr 17 11:31:45 dnscrypt-proxy[11175]: Server with the lowest initial latency: dnscrypt.eu-dk (rtt: 7ms)
Apr 17 11:31:45 dnscrypt-proxy[11175]: dnscrypt-proxy is ready - live servers: 3

Spoiler: DNSCrypt every 4 hours

Apr 18 03:23:05 dnscrypt-proxy[213]: Server with the lowest initial latency: dnscrypt.eu-dk (rtt: 6ms)
Apr 18 07:23:05 dnscrypt-proxy[213]: Server with the lowest initial latency: dnscrypt.eu-dk (rtt: 6ms)

But will try it out

Should not be seeing Conn_shuts more than 1% of the time. It means the DNS provider closed the connection rather than stubby. For efficiency, you want stubby to stay open until just before the DNS provider would shut it down. Through trial and error, here are the DNS over TLS timeouts:

• CleanBrowsing 2 seconds, so idle_timeout should be 1900
• Cloudflare 10 seconds, so idle_timeout should be 9900
• Quad9 2 seconds, so idle_timeout should be 1900

 

[themiron]

The sub-options are only active if the first plain "dnssec" option is turned on (TRUE)

well, not really, all of them are independent extensions.
the only diff between them - with "dnssec" indeterminate (can't be checked due no root) replies are not returned, with "dnssec_return_status" - still will.
refer https://github.com/getdnsapi/getdns/commit/c1f51815baf43d6c35d8c97f4d12e9708b395aca