[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[Xentrk]

I am using Disabled as well. I am able to use both DOT and DNSSEC but I realize that this will break 1.1.1.1/help which I am not very concerned about. I am just not sure what the impact of Disabled, Relaxed, Exclusive and Strict modes is in Diversion on this new FW -I posted a question on the Diversion thread so I will stay on topic.


Sent from my iPhone using Tapatalk

Use Disabled to force the VPN tunnel to use the DNS settings in the WAN page. See this post for explanation of the Accept DNS Configuration settings.
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

 

[Marin]

Yep, that is what I followed, thank you. I have Accept DNS Configuration as "Disabled".

Also, have "Yes" under the WAN DNS settings but then with Stubby that used to be selected as "No" and router's IP was entered there instead (under DNS 1 field). Do you think I should do the same this time?

 

[Marin]

No, and even the web-based test from Cloudflare is unreliable, as it has no way of knowing how you retrieved that IP you just resolved if it's not using one of their own servers. The only way is to run tcpdump on the router's WAN interface, and look for traffic using port 853.

How do you run tcpdump? Is there something I need to install from Entware first? Thank you.

 

[Marin]

Also, what other validation tests can be run to ensure that DOT is working as it should? Same ones as here: https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin ?

 

[hifiwifi]

Apologies if this is a dumb question, but it has got me curious. When using DoT and a VPN, does the DNS query originate from my VPN or my ISP? Just curious.

 

[Swistheater]

Apologies if this is a dumb question, but it has got me curious. When using DoT and a VPN, does the DNS query originate from my VPN or my ISP? Just curious.

if you are using cloudflare in DOT, you would want to open SSH and type
traceroute 1.1.1.1 and it will answer that question it will show you the order in which things are handled.

when i run that command it always make me feel like my isp is rerouting my traffic, despite having DOT on.

 

[Swistheater]

AH yes Im not seeing any DNS servers listed at all, but another site is showing them https://www.dnsleaktest.com/

yea it even fails on my cellular devices that are running their own providers services which has never happened before.

 

[Gar]

So were you able to route the DNS properly to CB?

I finally found it has. Got an education in this thread!

 

[bbunge]

Apologies if this is a dumb question, but it has got me curious. When using DoT and a VPN, does the DNS query originate from my VPN or my ISP? Just curious.

Assume you mean running router as VPN client? If so it depends on how your VPN provider configures your router. Some force all traffic through the tunnel including DNS. You should be able to modify the config settings.

Sent from my SM-T380 using Tapatalk

 

[Butterfly Bones]

if you are using cloudflare in DOT, you would want to open SSH and type
traceroute 1.1.1.1 and it will answer that question it will show you the order in which things are handled.

when i run that command it always make me feel like my isp is rerouting my traffic, despite having DOT on.

Usually your router must contact your ISP directly and what it does with route through them, so if you run traceroute via router SSH, of course you will see your ISP hops. Run traceroute from a client that you know routed via VPN and you will see different results, as below.

I have router IP 192.168.1.1 directed via WAN with my strict routing in the VPN client config. If I run traceroute from secure shell via my router I see the route through my ISP, as expected.

[redacted]@RT-AC86U-4608:/tmp/home/root# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  *  *  *
 2  dtr03snloca-tge-0-0-0-3.[redact].ca.charter.com (96.34.122.205)  10.582 ms  9.953 ms  9.682 ms
 3  96-34-124-194.static.unas.nv.charter.com (96.34.124.194)  12.414 ms  16.145 ms  9.906 ms
 4  bbr01slidla-tge-0-0-0-4.slid.la.charter.com (96.34.2.36)  18.111 ms  16.560 ms  16.192 ms
 5  bbr02snloca-bue-4.[redact].ca.charter.com (96.34.0.29)  12.980 ms  17.437 ms  16.808 ms
 6  bbr01snjsca-bue-6.snjs.ca.charter.com (96.34.0.0)  17.352 ms  18.130 ms  30.634 ms
 7  prr01snjsca-bue-5.snjs.ca.charter.com (96.34.3.1)  13.769 ms  14.764 ms  19.296 ms
 8  equinix-sanjose.as13335.net (206.223.116.237)  33.349 ms  50.421 ms  25.722 ms
 9  one.one.one.one (1.1.1.1)  18.001 ms  13.466 ms  16.082 ms

All clients are routed via VPN using 192.168.0.1/24. If I run traceroute from my Linux box, I see my router, then the local IP assigned by my VPN provider (10.200.0.1), my VPN IP range (107.170.207.254) then hops on to 1.1.1.1.

[redacted]@Linux ~ $ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  router.asus.com (192.168.1.1)  0.191 ms  0.151 ms  0.163 ms
 2  10.200.0.1 (10.200.0.1)  20.032 ms  19.948 ms  19.920 ms
 3  107.170.207.254 (107.170.207.254)  40.424 ms 107.170.207.253 (107.170.207.253)  19.879 ms  19.864 ms
 4  138.197.248.208 (138.197.248.208)  19.866 ms 138.197.248.206 (138.197.248.206)  19.861 ms 138.197.248.222 (138.197.248.222)  19.857 ms
 5  138.197.244.237 (138.197.244.237)  32.130 ms 138.197.244.233 (138.197.244.233)  32.138 ms 138.197.244.237 (138.197.244.237)  32.139 ms
 6  equinix-sanjose.as13335.net (206.223.116.237)  34.175 ms  48.185 ms  56.916 ms
 7  one.one.one.one (1.1.1.1)  22.710 ms  21.106 ms  21.096 ms

 

[RMerlin]

How do you run tcpdump? Is there something I need to install from Entware first? Thank you.

Yes, it needs to be installed from Entware.

Check the usage help, I don't remember the exact switches. You basically want it to monitor traffic on the eth0 interface. You can grep the output to only show entries with 53 or 853 in them.

Also, what other validation tests can be run to ensure that DOT is working as it should?

Not really. Keep in mind that what DoT does is simply connect to the specified DNS server using port 853 and TLS encryption. The actual result is identical to using a regular DNS server, so there's no real way to "validate" that you are using it, unless the provider has its own test designed specifically for its own DoT server (in which case it could, like OpenDNS, return a different IP when using a special test address if it's resolved by the DoT server). So, any test would have to be unique to each provider to be accurate.

 

[MarkRH]

Also, what other validation tests can be run to ensure that DOT is working as it should? Same ones as here: https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin ?

Well, you can go into Network Tools -> Netstat tab and click the Netstat button. Should see entries going to the DNS servers using the 853 port.

tcp        0      0 (ip addy):35081     1.0.0.1:853             TIME_WAIT   -
tcp        0      0 (ip addy):60283     1.1.1.1:853             TIME_WAIT   -
...
tcp        0      0 (ip addy):32878 2606:4700:4700::1001:853 TIME_WAIT   -
tcp        0      0 (ip addy):49156 2606:4700:4700::1111:853 TIME_WAIT   -

 

[dlandon]

I just installed the alpha version last night to give the DoT a try. It was easy to set up and I disabled the OpenVPN DNS servers so all DNS requests go through the DoT. It works as I expected. My compliments on this very cool feature! Adds a level of security that I've been wanting for quite a while.

 

[DonnyJohnny]

When I enable ipv6 and add a dot ipv6 CF, I am still unable to establish ipv6 connection.
I checked the /etc/stubby/stubby.yml, it didn’t add listening address for ipv6. Only for ipv4 (127.0.1.1:53). Could this be the problem?

In WAN GUI, I am unable to change the option for “Forward local domain queries to upstream DNS”
Is this the fix for it?
https://github.com/RMerl/asuswrt-merlin.ng/commit/bae179bebaf1b8291a3e75215c9a47fcd3429de5

@RMerlin
I see that when we enable ipv6 (native) via GUI, the stubby.yml did not add in the listening address for ipv6 (0::1@53)
I have tested that without the listening address for ipv6 in stubby.yml, the internet is down. I have manually added in the yml and restart stubby. Internet is working.
I tried to do a reboot of router and I see the setting is not saved.

So I think that is a missing function. Enabling ipv6 need to add the listening address for ipv6 in stubby.yml? Maybe by adding in ipv6 dot server in WAN, will automatically add ipv6 listening address (0::1@53) in stubby.yml.

 

[Xentrk]

Yep, that is what I followed, thank you. I have Accept DNS Configuration as "Disabled".

Also, have "Yes" under the WAN DNS settings but then with Stubby that used to be selected as "No" and router's IP was entered there instead (under DNS 1 field). Do you think I should do the same this time?

In 380.10_2, The Yes setting will use the DNS of your ISP. The No setting allows you to specify a DNS. From the screen pic in the OP, the Yes setting doesn’t appear to work that way any longer as the option to specify a DoT DNS is available when Connect to DNS Automatically is set to Yes.

 

[Marin]

In 380.10_2, The Yes setting will use the DNS of your ISP. The No setting allows you to specify a DNS. From the screen pic in the OP, the Yes setting doesn’t appear to work that way any longer as the option to specify a DoT DNS is available when Connect to DNS Automatically is set to Yes.

Good to know. Thank you!


Sent from my iPhone using Tapatalk

 

[bluepoint]

In 380.10_2, The Yes setting will use the DNS of your ISP. The No setting allows you to specify a DNS. From the screen pic in the OP, the Yes setting doesn’t appear to work that way any longer as the option to specify a DoT DNS is available when Connect to DNS Automatically is set to Yes.

It still does work the same way so the router initally have a DNS server acquired until Stubby activates. Even if the WAN DNS is set to not automatically acquire, you can still input the preferred DNS manually. This does not affect the ability to specify a DOT DNS, the option is still there.

 

[skeal]

This is correct, I have my router's IP in WAN DNS Server one. I have both Cloudflare IPv4 DoT set and DNSSEC all options as shown in the webui. I have no known issues using this configuration. With and without OVPN.

 

[JemTheWire]

I’ve been running .11 alpha from the get-go. I have to say that it might as well be a release version.

Not had any issues with it at all, none that I have noticed anyway.

No problems with DNS and my OpenVPN server and AirVPN clients work as expected.

Rocking on my AX88U

Thanks Eric.

 

[L&LD]

I’ve been running .11 alpha from the get-go. I have to say that it might as well be a release version.

Not had any issues with it at all, none that I have noticed anyway.

No problems with DNS and my OpenVPN server and AirVPN clients work as expected.

Rocking on my AX88U

Thanks Eric.

Agree with the above (no AirVPN for me though). Working great.

Looking forward to Alpha 4, Beta 1 or 384.11 release.