[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[john9527]

Forgot to ask, that variable default is stubby_proxy=0 , dnspriv_enable=0 respectively, not empty like 'variable= '?
Is that also correct?

Correct for my fork....
You can check the defaults (both Merlin and my fork) in
release/src/router/shared/defaults.c

 

[thelonelycoder]

Correct for my fork....
You can check the defaults (both Merlin and my fork) in
release/src/router/shared/defaults.c

Bingo, same for Merlin. Thanks.

 

[themiron]

@john9527 and @RMerlin can you confirm that this test would return true for Stubby/DoT to be available on latest (john's) or alpha (merlin's) fw and future releases?
First is merlin's equivalent variable:

[ "$(nvram get dnspriv_enable)" ] || [ "$(nvram get stubby_proxy)" ]

dnspriv_enable default is "0", with DoT enabled from web ui - "1", more numeric values are possible in the future (i.e for DoH).
so, I guess, correct check for now & possibly compatible with upcoming values would be

[ "$(nvram get dnspriv_enable)" = "1" ]

 

[thelonelycoder]

dnspriv_enable default is "0", with DoT enabled from web ui - "1", more numeric values are possible in the future (i.e for DoH).
so, I guess, correct check for now & possibly compatible with upcoming values would be

[ "$(nvram get dnspriv_enable)" = "1" ]

Perfect, thanks. I only need to know if the installed firmware supports native DoT, so my original test will do.

 

[RMerlin]

@john9527 and @RMerlin can you confirm that this test would return true for Stubby/DoT to be available on latest (john's) or alpha (merlin's) fw and future releases?
First is merlin's equivalent variable:

[ "$(nvram get dnspriv_enable)" ] || [ "$(nvram get stubby_proxy)" ]

In DNSPrivacy's case, rely on rc_support:

# nvram get rc_support | tr ' ' '\n' | grep dnspriv
dnspriv

Otherwise, you might have a stray nvram variable from people changing firmware versions.

 

[thelonelycoder]

In DNSPrivacy's case, rely on rc_support:

# nvram get rc_support | tr ' ' '\n' | grep dnspriv
dnspriv

Otherwise, you might have a stray nvram variable from people changing firmware versions.

You mean when downgrading? The dnspriv_enable variable is not present in 384.10 and older.

 

[dave14305]

You mean when downgrading? The dnspriv_enable variable is not present in 384.10 and older.

Or dorks like me who switch between Merlin and John’s fork on a whim.

 

[thelonelycoder]

Or dorks like me who switch between Merlin and John’s fork on a whim.

In that case, the dork would be the loser.
The test disables features in amtm that are natively available in the firmware.

 

[dave14305]

In that case, the dork would be the loser.

The story of my life...

John's fork includes stubby in rc_support if you want to go that route.

# nvram get rc_support | tr ' ' '\n' | grep stubby
stubby

 

[DroidST]

Will this be an option (DNS over TLS) in DNSFilter eventually?

I was curious about this few months back:
https://www.snbforums.com/threads/question-about-dns-filtering.47739/#post-446236

.

 

[EmeraldDeer]

Will this be an option in DNSFilter eventually?

I was curious about this few months back:
https://www.snbforums.com/threads/question-about-dns-filtering.47739/#post-446236

Colin's replies make sense
https://www.snbforums.com/threads/question-about-dns-filtering.47739/#post-446239

The DNS over HTTPS request is not plausible.

The DNS over TLS request was just fulfilled in 384.11 if:

• LAN clients use the router's DNS forwarder dnsmasq via DNSFilter Global Filter Mode "Router"
• with the router's new stubby DNS over TLS

 

[DroidST]

I've switched to DoT back then after reading more about it vs DoH. I edited my post above to be specific for DoT.

What I want to do is still keep the default DNS to OpenDNS for their family filter and use DNSFilter to have my personal clients use DoT (Cloudflare's servers).

This way, if anyone adds a new client on my network, they are forced to still use the family filter on OpenDNS. There are two homes on my network here.

Right now, I have OpenDNS servers under WAN DNS Setting (DNSFilter Global Filter Mode set to OpenDNS Home servers) and for my own clients, DNSFilter is set to No Filtering - I run other solutions on each of my clients to use DoT with Cloudflare. Would be great to have the router handle all that and eliminate those options on each client.

But from what you posted, may not be possible to do this
LAN clients use the router's DNS forwarder dnsmasq via DNSFilter Global Filter Mode "Router"

Was hoping I could keep the DNSFilter Global Filter Mode to OpenDNS Home and set a specific LAN client to use the DoT option.
.

 

[RMerlin]

Forward local domain queries to upstream DNS option on WAN page defaults back to off when applied.

Thanks, fixed. Hidden issue that only appeared when the setting was moved to the WAN page, I had to rename the nvram variable to avoid mishandling by httpd.

 

[RMerlin]

You mean when downgrading? The dnspriv_enable variable is not present in 384.10 and older.

Existing variables do not get removed when downgrading.

 

[RMerlin]

Posts cleaned up. This thread is specifically about DNS Privacy, not about Asus GPL releases. I've given ample warning already, so offending posts were simply deleted.

 

[bluepoint]

I've switched to DoT back then after reading more about it vs DoH. I edited my post above to be specific for DoT.

What I want to do is still keep the default DNS to OpenDNS for their family filter and use DNSFilter to have my personal clients use DoT (Cloudflare's servers).

This way, if anyone adds a new client on my network, they are forced to still use the family filter on OpenDNS. There are two homes on my network here.

Right now, I have OpenDNS servers under WAN DNS Setting (DNSFilter Global Filter Mode set to OpenDNS Home servers) and for my own clients, DNSFilter is set to No Filtering - I run other solutions on each of my clients to use DoT with Cloudflare. Would be great to have the router handle all that and eliminate those options on each client.

But from what you posted, may not be possible to do this
LAN clients use the router's DNS forwarder dnsmasq via DNSFilter Global Filter Mode "Router"

Was hoping I could keep the DNSFilter Global Filter Mode to OpenDNS Home and set a specific LAN client to use the DoT option.
.

You can leave Global Filter to "no filtering" then just add clients that you want filtered with Opendns. With this setup clients not listed in the DNSFilter will use the DOT configured in WAN settings.

 

[RMerlin]

Was hoping I could keep the DNSFilter Global Filter Mode to OpenDNS Home and set a specific LAN client to use the DoT option.

Just set those clients to "Router" to force them to use DoT. In theory, the global OpenDNS mode should still bypass DoT for any client that doesn't get explicitly told to use the Router instead.

 

[DroidST]

You can leave Global Filter to "no filtering" then just add clients that you want filtered with Opendns. With this setup clients not listed in the DNSFilter will use the DOT configured in WAN settings.

But new client hardware (kid borrows a friend's, etc?) wouldn't be forced to use the OpenDNS Home family filter when connected to my network..

Of course, I could go to allow by MAC but that creates more work when it's time to reset to default and re-enter settings.

 

[DroidST]

Just set those clients to "Router" to force them to use DoT. In theory, the global OpenDNS mode should still bypass DoT for any client that doesn't get explicitly told to use the Router instead.

I think I see what you are writing about.

Under WAN | WAN DNS Setting, setup DNS for Cloudflare and DoT.
Under DNSFilter, keep that Global Filter Mode to OpenDNS Home
For my specific clients, change from "No Filtering" to "Router".

This will still 'force' all clients to OpenDNS except if the client is entered in the DNSFilter Client List or that client is using a DoT or DoH config/app locally.

I will have to test the theory out.

 

[bluepoint]

But new client hardware (kid borrows a friend's, etc?) wouldn't be forced to use the OpenDNS Home family filter when connected to my network..

Of course, I could go to allow by MAC but that creates more work when it's time to reset to default and re-enter settings.

Then you can do the reverse. Global Filtering to OpenDNS then add clients you want to use DOT using "router" for filtering.