[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[jsbeddow]

+1...Same problem here, I uninstalled ntpmerlin and no more spinning circle when applying settings on various pages in the GUI.
(Apologies for this side discussion not strictly related to the new DOT functionality)

 

[no_name]

I’ve been following this thread to learn about DNS over TLS. I have found it helpful also somewhat confusing so I decided to have a play but wasn’t sure it was working properly. After some googling I believe I have it set up correctly

Sent from my iPad using Tapatalk

 

[ItsMeDude]

Could be because the router has to restart various network components when making changes on that particular page (in addition to the WAN connection itself), which can interfere with the page reload. I suspect this is particularly the case if accessing the router through an IP instead of a hostname, tho I never experienced that issue myself in either scenarios.

I've been reading through the thread because after this build seems stable enough I'm going to put my pihole to sleep, and use diversion/DoT. I had the issue on 384.10_2 when connecting by name, and IP. I started troubleshooting, and when I uninstalled ntpmerlin, the problem went away. So that may be the issue.

I came on here to post the issue in the ntpmerlin thread, and decided to read the new posts in this thread first. I know it's off topic but I figured I'd let you know it's happening on the last stable release as well so you're not chasing something in the preview build unnecessarily.

 

[XIII]

After some googling I believe I have it set up correctly

Which Alpha are you using?

I get “You may not be using secure DNS” with Alpha 4 and DoT via 1.1.1.1

(Trying firmware DoT instead of unbound, which worked fine)

 

[no_name]

Which Alpha are you using?

I get “You may not be using secure DNS” with Alpha 4 and DoT via 1.1.1.1

(Trying firmware DoT instead of unbound, which worked fine)

I am a complete novice with very little understanding on how DoT works but I can confirm I’m using the alpha 4


Sent from my iPad using Tapatalk

 

[RMerlin]

I was having the same problem, I uninstalled spdmerlin and applying settings worked properly

Check the browser console for any Javascript error then, could be a problem related to the webui patch these scripts to do to inject new pages into the interface.

 

[QuikSilver]

I only had spdmerlin installed, I uninstalled it using putty and refreshed the GUI then changed a setting on the QoS page and the applying settings worked. Do you have ntpmerlin and connmon installed, it could be worth uninstalling one at a time to see if they are also causing the problems
Sent from my iPad using Tapatalk

I had this happening with ntpmerlin. So I uninstalled it and I'm working fine now.

Uninstalled both of these and still same issue. Are y'all removing the stats as well for a full uninstall??

 

[no_name]

Uninstalled both of these and still same issue. Are y'all removing the stats as well for a full uninstall??

I uninstalled the stats


Sent from my iPad using Tapatalk

 

[Billy Chaney]

Uninstalled both of these and still same issue. Are y'all removing the stats as well for a full uninstall??

That’s what I did. I uninstalled everything. I also rebooted after.


Sent from my iPhone using Tapatalk

 

[QuikSilver]

Check the browser console for any Javascript error then, could be a problem related to the webui patch these scripts to do to inject new pages into the interface.

Think your on to something @RMerlin, When I uninstalled the few I wanted to keep the stats for future install. I've since uninstalled them completely and now the refreshing page works. Might need to @Jack Yaz look into it I guess.

Edit: I am going to assume when I left the "stats" it left the pointer to the new pages on the interface as well.

 

[RMerlin]

Thx for the reply. I would like to point out that when both WAN DNS server blocks are empty (and that's the way I am running at the moment), that the Internet status page obtain via the Network Map page shows a blank DNS box.

You shouldn't leave that empty, or your router will have trouble connecting and setting up the router at boot time. Leave that on "Automatic", which is the default. As someone else pointed out, you normally shouldn't even be able to leave those fields empty.

. If you have set a DOT server via the WAN page, it should probably be reflected in that box (maybe with a dot after it?)

I don't like the idea of dumping too much unrelated information in that frame, which is meant to only report the information specific to the WAN connection, as configured between you and your ISP. It's not meant to reflect every other configuration that might have been done and might impact how the connection is working (i.e. DNSFilter, DNS Privacy, VPN Clients with traffic redirection, and so on).

I can see if there's a clean way to mention that DNS Privacy is enabled, but at this time I'm not too fond of the idea of flooding this section with additional information, especially as the majority of users don't even realize this frame exists at all (I frequently get people asking me for a way to display that info, not knowing it's already there).

but shouldn't there also be a warning message if a the DHCP DNS blocks are occupied since the clients can now bypass DOT (at least according to some on this thread)?

Already there:

<div id="dhcpdns_hint_dnspriv" style="display:none;"><span>Your router's <a style="text-decoration:underline; color:#FFCC00;" href
="Advanced_DHCP_Content.asp">DHCP server</a> is configured to provide a DNS server that's different from your router's IP address.  This will prevent clients from using the DNS Privacy servers.</span></div>

 

[RMerlin]

Which Alpha are you using?

I get “You may not be using secure DNS” with Alpha 4 and DoT via 1.1.1.1

(Trying firmware DoT instead of unbound, which worked fine)

Please review recent posts on this. This is a bug with Cloudflare, not with Asuswrt-Merlin. Cloudflare doesn't properly sign the temporary hostnames used for validation. Since dnsmasq defaults to strict DNSSEC validation, it rejects those invalid DNS entries, and therefore the test completely fails.

Your Unbound "works" because it simply ignores unsigned replies from a signed zone... Which means it's doing zero to protect you against DNS hijacking. Any hijacking could simply NOT sign the fake DNS zone, and you would never even know.

Dnsmasq's strict validation is the way proper DNSSEC is meant to work, if you want DNSSEC to truly be an effective protection mechanism.

 

[no_name]

Check the browser console for any Javascript error then, could be a problem related to the webui patch these scripts to do to inject new pages into the interface.

That’s above my knowledge so if someone else wants to explore that I will follow along


Sent from my iPad using Tapatalk

 

[QuikSilver]

Check the browser console for any Javascript error then, could be a problem related to the webui patch these scripts to do to inject new pages into the interface.

This what your referring to @RMerlin

jquery.js:5 [Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
send @ jquery.js:5
QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.
start_apply.htm:557 Uncaught SyntaxError: Unexpected token else
start_apply.htm:675 Uncaught ReferenceError: no_changes_and_no_committing is not defined
    at start_apply.htm:675
start_apply.htm:676 Uncaught ReferenceError: restart_needed_time is not defined
    at start_apply.htm:676
start_apply.htm:670 Uncaught ReferenceError: initial is not defined
    at onload (start_apply.htm:670)
2QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.

 

[RMerlin]

This what your referring to @RMerlin

jquery.js:5 [Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
send @ jquery.js:5
QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.
start_apply.htm:557 Uncaught SyntaxError: Unexpected token else
start_apply.htm:675 Uncaught ReferenceError: no_changes_and_no_committing is not defined
    at start_apply.htm:675
start_apply.htm:676 Uncaught ReferenceError: restart_needed_time is not defined
    at start_apply.htm:676
start_apply.htm:670 Uncaught ReferenceError: initial is not defined
    at onload (start_apply.htm:670)
2QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.

Have the author investigate then. Their code might be incompatible with the latest Asus GPL merge.

 

[XIII]

Please review recent posts on this. This is a bug with Cloudflare, not with Asuswrt-Merlin. Cloudflare doesn't properly sign the temporary hostnames used for validation. Since dnsmasq defaults to strict DNSSEC validation, it rejects those invalid DNS entries, and therefore the test completely fails.

You are referring to Cloudflare doing it wrong as the DNS provider, not on their test page?

(The test on https://tenta.com/test/ also fails)

 

[RMerlin]

You are referring to Cloudflare doing it wrong as the DNS provider, not on their test page?

(The test on https://tenta.com/test/ also fails)

As their test page (both the 1.1.1.1 and the SNI test page).

No idea about that test you linked, never heard of it before. Someone would have to test it with dnsmasq logging enabled, to see if it also complains about the same things as the CF test page.

 

[RMerlin]

That test site is claiming that my 120 Mbps Cable connection is a 3.5 Mbps 4G connection. Uh...

 

[XIII]

I tried Cloudflare, Quad9, Surfnet, and Google DNS now.

For all of them both test pages report that I’m not using DNS over TLS.

What page can I use to check?

 

[RMerlin]

I tried Cloudflare, Quad9, Surfnet, and Google DNS now.

For all of them both test pages report that I’m not using DNS over TLS.

What page can I use to check?

Use tcpdump, it's the only real test that will work 100% reliably. Someone posted the exact commands in a previous post.