[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

Status
Not open for further replies.
RT-AC66U_B1 with Alpha 3 firmware, two CF resolvers set with DNSSEC. Had been running well for a couple of days with no changes. Turned on NAT Acceleration, which rebooted the router. While the time on the router was set on boot, after a minute of uptime the router went to Internet Status: Disconnected. I have Network Monitoring turned off. Will try again with Q9 resolvers...

Edit: Tried one more reboot with CF resolvers with Network Monitoring set to Ping 1.1.1.1. Same as before... router was connected after reboot but showed disconnected after about a minute. Set resolvers to Q9 (9.9.9.9 and 149.112.112.112) and rebooted. Router came up connected and has stayed connected. Anything I can check to find out why? Kind of puzzling why "solid" Cloudflare has problems...
 
DNS Privacy? Was this related to previous post?

DNS Privacy is the new firmware feature that provides DNS over TLS - what this thread is about.

I don't usually enforce topics, but this thread was started to help people debug any new issue introduced by this specific feature, so I prefer the thread to stay focused on topic.
 
All stubby does is point at their servers. If they randomly fail to resolve things, that's outside the scope of the router.


I don't want to fill up the preset dropdown with 40+ presets which will have to be updated every few months as old services disappear and new ones appear. I chose to go with a subset of the most popular ones - the webui is open enough for anyone to easily enter their preferred services instead.



DNSFilter is unrelated to DNS Privacy - two completely different features.



No, because until Stubby comes up, you still need the WAN servers, for example to set up the router's clock, or to act as fallback.


Hi Merlin,

I get not adding LOTS of sites to the drop down list, but SAFEDNS was the only provider I could find that did similar to OpenDNS in that they support DNS over TLS + Web content filtering where you tick the boxes of the categories, manage a white and black list of sites and custom block pages so I think this should be added as the others listed either do no content filtering or basic or do adult but leave dating sites enabled for example.

Is there any easy way to test (say via a web page) that a provider is actually doing DNS over TLS? Cloudflare's DNS over TLS page will only say it's successful if you use THEIR service for DNS over TLS (though it does detect other providers' DNSSEC correctly).
 
well, not really, all of them are independent extensions.
the only diff between them - with "dnssec" indeterminate (can't be checked due to no root) replies are not returned, with "dnssec_return_status" - still will.
refer https://github.com/getdnsapi/getdns/commit/c1f51815baf43d6c35d8c97f4d12e9708b395aca
Is this difference in settings (dnssec vs dnssec_return_status) equivalent to the current DNSSEC Strict Validation parameter? It seems the firmware only toggles dnsmasq settings and not Stubby when this is set.
 
Yes NordVpn DNS servers are offline, caused me a lot of problems, worse without getting any warnings.

I can't add them back when they come back online without some sort of warning.

I'm reluctantly using OpenDNS again; even that is producing strange results, ipleak shows I don't have any DNS servers at all?
ipleak is down; it is currently failing tests for multiple different services. I have tried on several different devices using different connection sources for internet.
 
Is this difference in settings (dnssec vs dnssec_return_status) equivalent to the current DNSSEC Strict Validation parameter? It seems the firmware only toggles dnsmasq settings and not Stubby when this is set.

Choose one and only one:
  • DNSSEC proxy by dnsmasq set by proxy-dnssec in /etc/dnsmasq.conf
    • or
  • DNSSEC direct by dnsmasq set by Merlin GUI LAN > DHCP Server > Enable DNSSEC support
    • or
  • DNSSEC direct by stubby set by dnssec: GETDNS_EXTENSION_TRUE and dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE in stubby.yml
My firmware is putting dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE in stubby.yml
and also turning on proxy-dnssec in /etc/dnsmasq.conf at the same time when I turn on dnssec in the gui. what do you mean it is not placing it inside stubby?
 
what do you mean it is not placing it inside stubby?
Since we have a difference in configs between Merlin and John's fork for dnssec, I'm trying to figure out how big a deal the difference is. It seems John's fork is more strict, but is this something that could be configurable? In looking at the effect of "Validate unsigned DNSSEC replies" in Alpha 3, it doesn't really do anything if DoT is enabled. Just wondering if there's an equivalent configuration change to be made in Stubby regarding unsigned replies.
 
Since we have a difference in configs between Merlin and John's fork for dnssec, I'm trying to figure out how big a deal the difference is. It seems John's fork is more strict, but is this something that could be configurable? In looking at the effect of "Validate unsigned DNSSEC replies" in Alpha 3, it doesn't really do anything if DoT is enabled. Just wondering if there's an equivalent configuration change to be made in Stubby regarding unsigned replies.
what type of test have you run and can you share results and I will rerun test and see what i get via just having proxy-dnssec enabled?
 
Is there any easy way to test (say via a web page) that a provider is actually doing DNS over TLS?

No, and even the web-based test from Cloudflare is unreliable, as it has no way of knowing how you retrieved that IP you just resolved if it's not using one of their own servers. The only way is to run tcpdump on the router's WAN interface, and look for traffic using port 853.
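An added example (not from the thread or the firmware) of the tcpdump check described above, with a small parser so the result is readable at a glance; the WAN interface name eth0 and the capture lines are assumptions, the sample trace is constructed:

```shell
#!/bin/sh
# Added example, not from the thread: the tcpdump check from the post above, with a
# parser that counts DoT (port 853) versus plaintext DNS (port 53) packets.
# WAN_IF=eth0 is an assumption; on the router, `nvram get wan0_ifname` gives the real one.
WAN_IF="${WAN_IF:-eth0}"

# Summarise tcpdump -nn output read on stdin. Prints "dot=<n> plain=<n>".
summarize_dns() {
    awk '
        /\.853[ :]/ { dot++ }     # e.g. "1.1.1.1.853:" or "1.1.1.1.853 >"
        /\.53[ :]/  { plain++ }   # e.g. "9.9.9.9.53:"; ".853" does not match this
        END { printf "dot=%d plain=%d\n", dot + 0, plain + 0 }
    '
}

# Exit 0 only if no plaintext DNS packet was seen at all.
dot_only() {
    summarize_dns | grep -q 'plain=0$'
}

# Live check on the router: sniff the next N packets on either DNS port.
# stubby speaks TLS on 853; anything on 53 here left the router unencrypted.
capture_dns() {
    tcpdump -i "$WAN_IF" -nn -c "${1:-50}" 'tcp port 853 or port 53' 2>/dev/null | summarize_dns
}

# Constructed sample capture (not a real trace): one DoT handshake to 1.1.1.1 and one
# plaintext query to 9.9.9.9, the kind of leak this check is meant to surface.
SAMPLE='12:00:01.000001 IP 192.0.2.10.51234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 1.1.1.1.853 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 192.0.2.10.51234 > 1.1.1.1.853: Flags [P.], seq 1:200, ack 1, win 64240, length 199
12:00:02.000004 IP 192.0.2.10.40000 > 9.9.9.9.53: 4321+ A? example.com. (29)'

# Run the parser over the constructed sample; prints "dot=3 plain=1".
check_sample() { printf '%s\n' "$SAMPLE" | summarize_dns; }

if [ "${1:-}" = "live" ]; then capture_dns 50; else check_sample; fi
```

Run it as `sh dotcheck.sh live` on the router (as root, with tcpdump installed) to see what actually leaves the WAN interface while a client resolves a few names.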
 
I get not adding LOTS of sites to the drop down list, but SAFEDNS was the only provider I could find that did similar to OpenDNS in that they support DNS over TLS + Web content filtering where you tick the boxes of the categories, manage a white and black list of sites and custom block pages so I think this should be added as the others listed either do no content filtering or basic or do adult but leave dating sites enabled for example.

SafeDNS is not free. As a general policy, I don't add new services that require paying for, the first reason being I have no way of testing anything with these. It would also cause issues for people not knowing they have to pay for the service to be able to use it, and generate unnecessary support inquiries on these forums and in my mailbox.

People are still able to manually add it themselves.
 
Have been experiencing issues with DNSSEC enabled. Q9 dropped on me last night and I had to quickly get the net back up to placate irate women. Usually my system uses Q9 and CF servers in the ORD data center. Last night CF was hitting the IAD data center and Q9 was going cross country to San Francisco. Something in multicast change? If the data center changes shouldn't stubby pull new root certificates from the new data center?

Also, noticed a parameter in stubby.yml that I can't document in any stubby guide. It is resolvconf: Is it valid and why is it needed if it points to DNS servers that are not used?

Sent from my SM-T380 using Tapatalk
 
When I enable ipv6 and add a dot ipv6 CF, I am still unable to establish ipv6 connection.
I checked the /etc/stubby/stubby.yml, it didn’t add listening address for ipv6. Only for ipv4 (127.0.1.1:53). Could this be the problem?

In WAN GUI, I am unable to change the option for “Forward local domain queries to upstream DNS”
Is this the fix for it?
https://github.com/RMerl/asuswrt-merlin.ng/commit/bae179bebaf1b8291a3e75215c9a47fcd3429de5
yea I am noticing after a while of running my router will lose ipv6 connection, like all of the stuff that is filled in for it will disappear. This only happens on occasion though, along with devices randomly losing ipv6 connection. I imagine it could be because of the listening address not being present, but I am not a router expert. meh.
 
I suppose
Code:
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
tls_ca_file: "/etc/ssl/certs/ca-certificates.crt"
appdata_dir: "/var/lib/misc"
resolvconf: "/tmp/resolv.conf"
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 9000
tls_connection_retries: 2
tls_backoff_time: 900
timeout: 3000
listen_addresses:
  - 127.0.1.1@53

is correct for ipv6 v.s.

Code:
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
tls_ca_file: "/etc/ssl/certs/ca-certificates.crt"
appdata_dir: "/var/lib/misc"
resolvconf: "/tmp/resolv.conf"
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 9000
tls_connection_retries: 2
tls_backoff_time: 900
timeout: 3000
listen_addresses:
  - 127.0.1.1@53
  - 0::1@53

I wish I knew why the top one will properly work for ipv6 connections, whereas the bottom one has a separate listening address for ipv4 and ipv6.
 
yea I am noticing after a while of running my router will lose ipv6 connection, like all of the stuff that is filled in for it will disappear. This only happens on occasion though, along with devices randomly losing ipv6 connection. I imagine it could be because of the listening address not being present, but I am not a router expert. meh.
You are correct. The ipv6 listen entry needs to be present in stubby and dnsmasq.
It is interesting that stubby will use the resolver entries in stubby.yml in sequence regardless of the protocol, ipv4 or ipv6, used. What I mean is that if you have four upstream resolvers set in stubby, the first two ipv4 and the last two ipv6 and round robin set to 1, the system will work through each resolver in turn. It does not seem to use ipv4 resolvers for ipv4 and ipv6 resolvers for ipv6.

Sent from my SM-T380 using Tapatalk
 
Since Stubby only listens on a loopback ip, and doesn’t receive requests directly from ipv6 clients, does it really need to listen on ipv6 for requests coming from dnsmasq only? It seems only dnsmasq needs to listen on ipv6. But I’m happy to learn more about how ipv6 works in this scenario.
 
well specifically by design stubby states the need for both even when paired with DNSMASQ for full ipv6 support. maybe they have hard coded it to know to go to one or the other, but i am not seeing that happen.
 
Code:
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 185.49.141.38
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      digest: "sha256"
      value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

Additional privacy servers can be specified by adding more entries to the upstream_recursive_servers list above (note a separate entry must be made for the IPv4 and IPv6 addresses of a given server). More DNS Privacy test servers are listed here.

A custom port can be specified by adding the tls_port: attribute to the upstream_recursive_server in the config file.

A custom listen address port can be configured by using the <IP_address>@<port> syntax.


straight from this web site
https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby


Code:
listen_address: have the Stubby daemon listen on IPv4 and IPv6 on port 53 on the loopback address
 