This is correct, I have my router's IP in WAN DNS Server one. I have both Cloudflare IPv4 DoT set and DNSSEC all options as shown in the webui. I have no known issues using this configuration. With and without OVPN.
You are correct. I'm still seeing issues with rebooting with OVPN Server and/or OVPN Client set to start at boot, on my AX88U. If I disable them from starting at boot then the reboot is clean. I can successfully start them both manually from the webui once up and running. I also noticed that when enabling both DNSSEC settings on the WAN page, when you apply the changes, your OVPN Client gets shut down. (It is important to note that the Client is not set to start at reboot, on account of the startup issue outlined above.) These are my observations on the AX88U only.
756caf15f4 (HEAD -> mainline, origin/mainline) shared: replace upper_strcmp() calls with strcasecmp() in QTN-specific parts
3ffa09a676 (openssldir) cfg_mnt: update location of openssl.cnf, and make use of OpenSSL 1.1.x userspace tool if available
3086a4ed9d httpd: update location of openssl.cnf in gencert.sh script
bcd9c41d13 wget: no longer ignore invalid certificates in the rom/* scripts that use wget
a7765a312b inadyn: Revert "inadyn: hardcode SSL CA certs location"
8f62ef2e78 curl: rely on openssl to locate the CA bundle
48181c96c9 rom: simplify ca-bundle update
5541b4b083 wget: remove wgetrc, no longer needed with OpenSSL properly configured
384780d793 openssl: openssl11: point OpenSSL's default location to /etc/ssl/ and provide a link to the CA bundle
0611c28d7c Merge pull request #300 from KiloFoxtrotPapa/fix-compilation-modern-host
8082333b45 rc: remove unused variable in start_dhcp6c()
b325970cb7 rc: resync with upstream 45713, and fix some bad code block merges
094548155f rc: resync with upstream, and fix some bad code block merges
2499b668eb Fix compilation with glibc 2.25+
c527459265 webui: fix SSH password login string in EN dict
7a29a78a6c Remove use of top_srcdir with newer automakes
bc9b74a95c Bumped revision to alpha 4
1455a56112 Updated documentation
bfc2c09fe1 rom: webui: remove getdnsapi test DoT server from presets
c8a470788b rc: implement new firmware check code that does not require RTCONFIG_FORCE_AUTO_UPGRADE
faddef0efc httpd: fix ej_get_wl_channel_list() building on non-AiMesh models
fe5e16c169 Merge SDK + binary blobs from 45713 for RT-AC86U
2db442566d Merge SDK + binary blobs from 45713 for RT-AC68U
0c8336a43a Merge binary blobs from 45713 for RT-AC88U and RT-AC3100
50fa1db77f rc: fix typo in bae179beba
bca6b4029f Merge with GPL 384_45713
913dea25d3 rc: eliminate build warning in start_stubby() when calling for custom script functions
65c842000c rc: fix typo in bae179beba
bae179beba Renamed lan_dns_fwd_local nvram to dns_fwd_local to avoid clashing with the lan_ instances; removed duplicate setting from DHCP page
258c66f130 libvpn: implement get_ovpn_remote_address() and use it for filling ovpn client config; re-implement update_ovpn_profie(remote() and move it to libvpn
77ba03b6e7 httpd: replace homemade alloc_string() with strdup() that does the exact same thing
07b5156353 rc: add postconf/custom config support for stubby
dfdcdefd74 rc: add service-event-end custom script
ce7e380008 shared: merged run_custom_script() and run_custom_script_blocking(); other minor cleanups to script functions
880c556d7b webui: provide descriptive error message if no DOT server is provided
fa2d68b599 www: don't allow empty dot server list
stubby failing to start due to Bus error. AC3100 from a3.
Try the latest Alpha 4.
Yes this is on a4 after upgrading from a3.
Installed alpha 4 and everything is fine.
When I choose a DoT ‘Preset server’ under the drop down (example: Cloudflare), is it necessary to fill in a port number or is that done automatically when you choose one of the preset choices?
My setup is just plain, but I want to run DoT. Sorry for the uneducated question.
Thanks.
Thank you for confirming, @Treadler. I just noticed this by hovering over the info question mark. Doh!
I think you told me once that you use dns filter in router mode, with the dns fields blank as well?
Router disconnected after upgrade to Alpha 4. Turned off DNSSEC and back in operation. Thinking of the difference between the Entware-Stubby version and Merlin, DNSSEC root certificates are saved on the USB on Entware.
Edit: Set DNS Server1 to the LAN IP of the router, turned DNSSEC on and rebooted. Connected this time.
Article about DNS security: https://nakedsecurity.sophos.com/20...-whether-isps-and-governments-like-it-or-not/
yea you shouldn't have to manually tell it the lan IP address to create the loop back with dnsmasq the router should be automatically doing that.
if you are having that many issues with the gui dnssec it is probably best just to throw proxy-dnssec inside the dnsmasq.conf.add and turn off the gui version.
proxy-dnssec does not do validation. It allows the "AD" flag through dnsmasq.
Adding the router IP to DNS Server1 is done in the Entware-Stubby install. Merlin does things differently, which took me some time to get straight in my mind, like using two loopback IP addresses (127.0.0.1 and 127.0.1.1). Stubby listens on 127.0.1.1 port 53, which is different than the Entware-Stubby.
Nope. Have been through this before several times in the Entware-Stubby thread... from my understanding with john fork - the proxy-dnssec allows the server to handle dnssec.
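To illustrate the proxy-dnssec point discussed in the thread, here is an added example (not code from any poster or from the firmware) that builds a DNSSEC-aware query and reads the AD flag from a response header. The sample responses are constructed header-only packets, and the function names are hypothetical.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, AD, CD, RD = 0x8000, 0x0020, 0x0010, 0x0100

def build_query(name, qid=0x1234, want_dnssec=True):
    """Build an A query; with want_dnssec, set AD and add an EDNS0 OPT with DO."""
    flags = RD | (AD if want_dnssec else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if want_dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt = b""
    if want_dnssec:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size,
        # TTL carries ext-rcode/version/flags (DO = 0x8000), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify(response):
    """Report what the response header says about DNSSEC validation."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a response")
    if flags & 0x000F == 2:
        # SERVFAIL is what a validating resolver returns for bogus data
        return "servfail"
    if flags & AD:
        # Upstream claims it validated. A forwarder that only passes AD
        # through (as proxy-dnssec is described above) has not checked
        # any signature itself; the claim is only as good as the path.
        return "ad-set"
    return "ad-clear"

def header(flags, qid=0x1234):
    """Constructed header-only response for the demo below."""
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)

# Constructed samples: QR|RD|RA with AD, without AD, and with RCODE=SERVFAIL
SAMPLE_AD = header(0x81A0)
SAMPLE_PLAIN = header(0x8180)
SAMPLE_SERVFAIL = header(0x8182)

if __name__ == "__main__":
    for label, pkt in [("AD", SAMPLE_AD), ("plain", SAMPLE_PLAIN),
                       ("servfail", SAMPLE_SERVFAIL)]:
        print(label, "->", classify(pkt))
```

An "ad-set" result only says the upstream resolver asserted validation; local validation is what turns a forged answer into a SERVFAIL instead.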