[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[Gar]

No issues here with A3 so much so I will wait for a Beta now. Not being knowledgeable about this stuff I skip Alphas normally, but glad I didn't this time.

 

[skeal]

I'm still seeing issues with rebooting with OVPN Server and/or OVPN Client set to start at boot, on my AX88U. If I disable them from starting at boot then the reboot is clean. I can successfully start them both manually from the webui once up and running. I also noticed that when enabling both DNSSEC settings on the WAN page, when you apply the changes, your OVPN Client gets shut down, (It is important to note that the Client is not set to start at reboot, on account of the startup issue outlined above). These are my observations on the AX88U only.

 

[Marin]

This is correct, I have my router's IP in WAN DNS Server one. I have both Cloudflare IPv4 DoT set and DNSSEC all options as shown in the webui. I have no known issues using this configuration. With and without OVPN.

I will give that a shot as well and see what happens.


Sent from my iPhone using Tapatalk

 

[Xentrk]

I'm still seeing issues with rebooting with OVPN Server and/or OVPN Client set to start at boot, on my AX88U. If I disable them from starting at boot then the reboot is clean. I can successfully start them both manually from the webui once up and running. I also noticed that when enabling both DNSSEC settings on the WAN page, when you apply the changes, your OVPN Client gets shut down, (It is important to note that the Client is not set to start at reboot, on account of the startup issue outlined above). These are my observations on the AX88U only.

You are correct.

When applying changes to the WAN page, the OpenVPN clients will go to a down state since there is no WAN connection. The VPN client status will change to an Up state once the WAN connection is restored if the Start on WAN option is enabled.

 

[RMerlin]

Very little has changed in regard to DNS Privacy in alpha 4. Complete change log since previous test build:

756caf15f4 (HEAD -> mainline, origin/mainline) shared: replace upper_strcmp() calls with strcasecmp() in QTN-specific parts
3ffa09a676 (openssldir) cfg_mnt: update location of openssl.cnf, and make use of OpenSSL 1.1.x userspace tool if available
3086a4ed9d httpd: update location of openssl.cnf in gencert.sh script
bcd9c41d13 wget: no longer ignore invalid certificates in the rom/* scripts that use wget
a7765a312b inadyn: Revert "inadyn: hardcode SSL CA certs location"
8f62ef2e78 curl: rely on openssl to locate the CA bundle
48181c96c9 rom: simplify ca-bundle update
5541b4b083 wget: remove wgetrc, no longer needed with OpenSSL properly configured
384780d793 openssl: openssl11: point OpenSSL's default location to /etc/ssl/ and provide a link to the CA bundle
0611c28d7c Merge pull request #300 from KiloFoxtrotPapa/fix-compilation-modern-host
8082333b45 rc: remove unused variable in start_dhcp6c()
b325970cb7 rc: resync with upstream 45713, and fix some bad code block merges
094548155f rc: resync with upstream, and fix some bad code block merges
2499b668eb Fix compilation with glibc 2.25+
c527459265 webui: fix SSH password login string in EN dict
7a29a78a6c Remove use of top_srcdir with newer automakes
bc9b74a95c Bumped revision to alpha 4
1455a56112 Updated documentation
bfc2c09fe1 rom: webui: remove getdnsapi test DoT server from presets
c8a470788b rc: implement new firmware check code that does not require RTCONFIG_FORCE_AUTO_UPGRADE
faddef0efc httpd: fix ej_get_wl_channel_list() building on non-AiMesh models
fe5e16c169 Merge SDK + binary blobs from 45713 for RT-AC86U
2db442566d Merge SDK + binary blobs from 45713 for RT-AC68U
0c8336a43a Merge binary blobs from 45713 for RT-AC88U and RT-AC3100
50fa1db77f rc: fix typo in bae179beba
bca6b4029f Merge with GPL 384_45713
913dea25d3 rc: eliminate build warning in start_stubby() when calling for custom script functions
65c842000c rc: fix typo in bae179beba
bae179beba Renamed lan_dns_fwd_local nvram to dns_fwd_local to avoid clashing with the lan_ instances; removed duplicate setting from DHCP page
258c66f130 libvpn: implement get_ovpn_remote_address() and use it for filling ovpn client config; re-implement update_ovpn_profie(remote() and move it to libvpn
77ba03b6e7 httpd: replace homemade alloc_string() with strdup() that does the exact same thing
07b5156353 rc: add postconf/custom config support for stubby
dfdcdefd74 rc: add service-event-end custom script
ce7e380008 shared: merged run_custom_script() and run_custom_script_blocking(); other minor cleanups to script functions
880c556d7b webui: provide descriptive error message if no DOT server is provided
fa2d68b599 www: don't allow empty dot server list

 

[L&LD]

Thank you RMerlin, although this is very early praise (possibly), for another fine release. Is it possible that a 'full reset to factory defaults' may one day (soon?) be a thing of the past?

This is the fourth dirty upgrade to an RT-AC86U since Alpha 1 and the network continues to purr.

RMerlin, what can you possibly be saving for the 384.11 release?

Just remember, I like my coffee with three creams and five sugars and my bread lightly toasted with lots of butter.

 

[owine]

stubby failing to start due to Bus error. AC3100 from a3.

 

[L&LD]

stubby failing to start due to Bus error. AC3100 from a3.

Try the latest Alpha 4.

 

[owine]

Try the latest Alpha 4.

Yes this is on a4 after upgrading from a3.

 

[L&LD]

Yes this is on a4 after upgrading from a3.

Sorry! Does a reboot help?

 

[Treadler]

Installed alpha 4 and everything is fine.

When I choose a DoT ‘Preset server’ under the drop down (example: Cloudflare), is it necessary to fill in a port number or is that done automatically when you choose one of the preset choices?

My setup is just plain, but I want to run DoT. Sorry for the uneducated question.

Thanks.

Not necessary to fill in a port number. (I haven’t anyway......)

 

[scjr]

Not necessary to fill in a port number. (I haven’t anyway......)

Thank you for confirming, @Treadler. I just noticed this by hovering over the info question mark. Doh!

I think you told me once that you use dns filter in router mode, with the dns fields blank as well?

 

[Treadler]

Thank you for confirming, @Treadler. I just noticed this by hovering over the info question mark. Doh!

I think you told me once that you use dns filter in router mode, with the dns fields blank as well?

Yes.
Also, following a forum suggestion, I have set DNS 1 on the WAN page to be the IP addy of my router. (Connect to DNS server automatically = no). DNS 2 blank.
My theory; this forces DoT to be used for all resolving. (?)
Seems to work.....

 

[bbunge]

Router disconnected after upgrade to Alpha 4. Turned off DNSSEC and back in operation. Thinking of the difference between the Entware-Stubby version and Merlin, DNSSEC root certificates are saved on the USB on Entware.

Sent from my SM-T380 using Tapatalk

Edit: Set DNS Server1 to the LAN IP of the router, turned DNSSEC on and rebooted. Connected this time.

Article about DNS security: https://nakedsecurity.sophos.com/20...-whether-isps-and-governments-like-it-or-not/

 

[Swistheater]

Router disconnected after upgrade to Alpha 4. Turned off DNSSEC and back in operation. Thinking of the difference between the Entware-Stubby version and Merlin, DNSSEC root certificates are saved on the USB on Entware.

Sent from my SM-T380 using Tapatalk

Edit: Set DNS Server1 to the LAN IP of the router, turned DNSSEC on and rebooted. Connected this time.

Article about DNS security: https://nakedsecurity.sophos.com/20...-whether-isps-and-governments-like-it-or-not/

yea you shouldn't have to manually tell it the lan IP address to create the loop back with dnsmasq the router should be automatically doing that.
if you are having that many issues with the gui dnssec it is probably best just to throw proxy-dnssec inside the dnsmasq.conf.add and turn off the gui version.

 

[bbunge]

yea you shouldn't have to manually tell it the lan IP address to create the loop back with dnsmasq the router should be automatically doing that.
if you are having that many issues with the gui dnssec it is probably best just to throw proxy-dnssec inside the dnsmasq.conf.add and turn off the gui version.

proxy-dnssec does not do validation. It allows the "AD" flag through dnsmasq.

Adding the router IP to DNS Server1 is done in the Entware-Stubby install. Merlin does things differently which took me some time to get straight in my mind like using two loopback IP addresses (127.0.0.1 and 127.0.1.1) Stubby listens on 127.0.1.1 port 53 which is different than the Entware-Stubby.

 

[Swistheater]

proxy-dnssec does not do validation. It allows the "AD" flag through dnsmasq.

Adding the router IP to DNS Server1 is done in the Entware-Stubby install. Merlin does things differently which took me some time to get straight in my mind like using two loopback IP addresses (127.0.0.1 and 127.0.1.1) Stubby listens on 127.0.1.1 port 53 which is different than the Entware-Stubby.

from my understanding with john fork -the proxy-dnssec allows the server to handle dnssec.

 

[Swistheater]

the problem is when you select it in the gui it is adding proxy-dnssec to the dnsmasq.conf and also putting dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE in stubby.yml, that is mixing flavors of dnssec and causing your problem
Choose one and only one:

• DNSSEC proxy by dnsmasq set by proxy-dnssec in /etc/dnsmasq.conf
  • or
• DNSSEC direct by dnsmasq set by Merlin GUI LAN > DHCP Server > Enable DNSSEC support
  • or
• DNSSEC direct by stubby set by dnssec: GETDNS_EXTENSION_TRUE and dnssec_return_all_statuses: GETDNS_EXTENSION_TRUE in stubby.yml

but in this case the gui dnssec should be characterized as broken because of how it chooses to validate.

 

[bbunge]

from my understanding with john fork -the proxy-dnssec allows the server to handle dnssec.

Nope. Have been through this before several times in the Entware-Stubby thread...

 

[Swistheater]

--proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.