[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[RMerlin]

stubby failing to start due to Bus error. AC3100 from a3.

Any other AC3100 owner with the same issue? I don't have one so I can't test it.

 

[Swistheater]

#i tested it on my AC3100, but i did a complete factory M&M before doing so because i came over from stock, i didnt experience this issue-- maybe that is the best recommendation.

 

[RMerlin]

#i tested it on my AC3100, but i did a complete factory M&M before doing so because i came over from stock, i didnt experience this issue-- maybe that is the best recommendation.

A bus error usually indicates either a corrupted firmware image, or failing hardware. I wanted to be sure it wasn't the first one, since it seems to have happened a few times lately (first with Asus's own RT-AC68U release a few weeks ago, and also to an AC88U test build I did for myself a few days ago).

 

[Swistheater]

Any other AC3100 owner with the same issue? I don't have one so I can't test it.

what is the official names for the files that the system recognizes for customizing stubby?

 

[Swistheater]

A bus error usually indicates either a corrupted firmware image, or failing hardware. I wanted to be sure it wasn't the first one, since it seems to have happened a few times lately (first with Asus's own RT-AC68U release a few weeks ago, and also to an AC88U test build I did for myself a few days ago).

only possible issues i have noticed in the past couple of weeks is issues with adaptive QOS failing to actually start even though it shows the logs for it, but this only was happening on beta 3 from what i noticed.

 

[skeal]

but in this case the gui dnssec should be characterized as broken because of how it chooses to validate.

Why do you think DNSSEC in the webui is broken? Please if you would explain.

 

[Swistheater]

Why do you think DNSSEC in the webui is broken? Please if you would explain.

because of the general use is overkill, based on where it is placing options for dnssec. it is telling dnsmasq to do dnssec then also telling stubby to do it and then also telling it to be handled by the server as well.

 

[bbunge]

Why do you think DNSSEC in the webui is broken? Please if you would explain.

He doesn't understand validation is different from proxy...

Sent from my SM-T380 using Tapatalk

 

[Swistheater]

proxy is an alternative. it shouldn't be being mixed

 

[skeal]

because of the general use is overkill, based on where it is placing options for dnssec. it is telling dnsmasq to do dnssec then also telling stubby to do it and then also telling it to be handled by the server as well.

First I will confirm that the stubby.yml has the needed instruction to get dnssec extensions true. But no where do I see proxy-dnssec in any file associated with the process. Having Stubby take the extensions is no problem and never has been.

 

[skeal]

I guess I should add that I use only the webui for setting DNSSEC and/or DoT.

 

[Swistheater]

i confirm that having the command for stubby to do dnssec isn't a problem, but also having proxy-dnssec inside dnsmasq.conf at the same time is .

 

[Elmer]

using alpha4

Okay, I'm the typical clueless user, I'm not worried about the interaction with VPNs (yet), and just want to confirm proper setup:

WAN page
1. Connect to DNS automatically set to NO
2. Leave the two WAN DNS Server blocks empty
3. Forward ... to upstream set to NO
4. Enable DNS rebind - Yes
5. Enable DNSSEC - Yes
6. Validate DNSSEC - Yes
7. Enable DoT, Set DNS over TLS Profile to strict
8. Select a DNS server from the dropdown (9.9.9.9 in my case) and hit apply
LAN Page
9. Both DNS server blocks left blank (updated per Dave14305 reponse, see below)
10. Advertise router IP - set to Yes
11. DNS Filter ON, and set to Router
Tools Page
12. Use Local caching DNS server - Set to Yes

Correct?

Comments:
1. If I leave DNS Server 1 on the LAN page blank, my ISP starts a cycle of connect/disconnect (I was mistaken about this - something else was in play - see edit below)

As to addons, I'm running Diversion and Skynet

Edit:
↑
From Dave14305 (page 22)
9. DNS Server 1 set to match 8
By doing this you are having all your clients bypass the router DNS server and go right to quad 9 (non-TLS). For DNSFilter router mode to truly force clients to use the router's dnsmasq/stubby, LAN DHCP DNS 1 needs to be blank.
So we need to figure out why you're having a hard time in that setup.

Thanks Dave14305. I got it working with blank fields. I must have noticed the ISP cycling before eveything was complete and mistakingly assumed it was the DHCP DNS setting- my bad.



Thanks,
AC88 user

 

[skeal]

i confirm that having the command for stubby to do dnssec isn't a problem, but also having proxy-dnssec inside dnsmasq.conf at the same time is .

You are correct, I looked closer and it is in dnsmasq.conf. I removed it and bounced dnsmasq and still no issues. I'll reboot now and get back to you.

 

[skeal]

You are correct, I looked closer and it is in dnsmasq.conf. I removed it and bounced dnsmasq and still no issues. I'll reboot now and get back to you.

Reboot worked without issues. @RMerlin @themiron clearly the proxy-dnssec does not need to be there, if using the webui settings.

 

[Xentrk]

Curious to know if anyone has looked to see if the system is writing the trust anchor files to disk when using the

dnssec_return_status: GETDNS_EXTENSION_TRUE

setting. I saw the files early in my testing of the Stubby installer and saved a backup. But was never able to reproduce having Stubby create the trust anchor files in the appdata_dir folder again. DNSSEC appeared to work okay without the anchor files. If no appdata_dir is specified, the system defaults to the .getdns directory.

 

[skeal]

The instruction in dsnmasq.conf (proxy-dnssec) cannot be removed at this point of development, it keeps being restored.

 

[Swistheater]

Reboot worked without issues. @RMerlin @themiron clearly the proxy-dnssec does not need to be there, if using the webui settings.

in reality they should setup the three option system -like john's fork
one where you can choose the server to do dnssec and pass the cached data to router- proxy-dnssec
or
allow the router to use DNSMASQ to do dnssec
or
getdns through stubby.yml - using the dnssec extensions

 

[Swistheater]

The instruction in dsnmasq.conf (proxy-dnssec) cannot be removed at this point of development, it keeps being restored.

you can remove it using a helper script in dnsmasq.postconf

 

[bbunge]

Curious to know if anyone has looked to see if the system is writing the trust anchor files to disk when using the

dnssec_return_status: GETDNS_EXTENSION_TRUE

setting. I saw the files early in my testing of the Stubby installer and saved a backup. But was never able to reproduce having Stubby create the trust anchor files in the appdata_dir folder again. DNSSEC appeared to work okay without the anchor files. If no appdata_dir is specified, the system defaults to the .getdns directory.

Yes, They are being written to: appdata_dir: "/var/lib/misc"

Still trying to get an answer why this entry is in stubby.yml: resolvconf: "/tmp/resolv.conf"

As for proxy-dnssec in dnsmasq.conf, use it or not. Makes no difference to stubby dnssec validation. I feel it is good to have there as web browsers begin to use dnssec validation.