[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[Jack Yaz]

This what your referring to @RMerlin

jquery.js:5 [Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
send @ jquery.js:5
QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.
start_apply.htm:557 Uncaught SyntaxError: Unexpected token else
start_apply.htm:675 Uncaught ReferenceError: no_changes_and_no_committing is not defined
    at start_apply.htm:675
start_apply.htm:676 Uncaught ReferenceError: restart_needed_time is not defined
    at start_apply.htm:676
start_apply.htm:670 Uncaught ReferenceError: initial is not defined
    at onload (start_apply.htm:670)
2QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.

start_apply is selectively sed'd to only insert a couple of lines. It is possible however things have changed in the alpha and the modification needs adapting. Once 384.11 is stable, i can take a look

 

[Swistheater]

You are referring to Cloudflare doing it wrong as the DNS provider, not on their test page?

(The test on https://tenta.com/test/ also fails)

yea i concur with you. Not really much can be done about it- only thing we can do is first test that DOT is working and then test that DNSSEC is working and have to trust when in combination they are playing nicely with each other. --New tech meets old tech

 

[Jack Yaz]

Think your on to something @RMerlin, When I uninstalled the few I wanted to keep the stats for future install. I've since uninstalled them completely and now the refreshing page works. Might need to @Jack Yaz look into it I guess.

Edit: I am going to assume when I left the "stats" it left the pointer to the new pages on the interface as well.

Not removing stats leaves the rrd file only, all webui modifications are removed

 

[Billy Chaney]

start_apply is selectively sed'd to only insert a couple of lines. It is possible however things have changed in the alpha and the modification needs adapting. Once 384.11 is stable, i can take a look

I noticed it happening with 384.10_2


Sent from my iPhone using Tapatalk

 

[Swistheater]

Use tcpdump, it's the only real test that will work 100% reliably. Someone posted the exact commands in a previous post.

https://www.snbforums.com/threads/p...1-with-dns-over-tls.56095/page-25#post-484597
link to thread with test

 

[Jack Yaz]

I noticed it happening with 384.10_2


Sent from my iPhone using Tapatalk

Please can you post on the relevant script thread, as this thread is strictly for DoT discussion

 

[XIII]

Use tcpdump

Yes; all traffic via port 853, nothing on 53.

 

[Swistheater]

now my question is there away to test that the security features of DNSSEC are not interfering with some of the security features of DoT?---not the fact that it is feeding traffic to a certain point, but is there away to tell that the actual built in features are not being hindered?-- obviously we can test dnssec from here till sunday-but can we test that DoT servers are doing their part while in conjunction?

 

[Billy Chaney]

Please can you post on the relevant script thread, as this thread is strictly for DoT discussion

Will do. Sorry


Sent from my iPhone using Tapatalk

 

[Swistheater]

That test site is claiming that my 120 Mbps Cable connection is a 3.5 Mbps 4G connection. Uh...

it tells me i am a tor exit node

 

[Jack Yaz]

Will do. Sorry


Sent from my iPhone using Tapatalk

No worries. I believe we're going to be starting a new thread since the issue covers multiple scripts. I'm moving tomorrow so i doubt I'll be able to get a fix out soon

 

[QuikSilver]

Moderators feel free to move post regarding refreshing issue to new thread if need be. Thanks!

https://www.snbforums.com/threads/p...ing-page-issue-while-using-his-scripts.56308/

 

[skeal]

The test on https://tenta.com/test/ also fails

This site fails to detect that TLS is being used. Major flop!! Site is bogus.

 

[skeal]

now my question is there away to test that the security features of DNSSEC are not interfering with some of the security features of DoT?---not the fact that it is feeding traffic to a certain point, but is there away to tell that the actual built in features are not being hindered?-- obviously we can test dnssec from here till sunday-but can we test that DoT servers are doing their part while in conjunction?

If you have a Linux rig or Ubuntu live or something similar you can run this in a terminal;

kdig -d @1.1.1.1 +tls-ca +dnssec +tls-host=cloudflare-dns.com  example.com

however you will have to allow the device used past the DNSFilter. It passes every time here showing TLS 1.3.

EDIT: KDIG is not available for our Linux based routers. So with TCPDump, and this command, pretty much shows all is well, with both privacy technologies working together.

 

[Swistheater]

some interesting dnssec test i ran. ----

dig www.cloudflare-dnssec-auth.com A
+dnssec

; <<>> DiG 9.12.3-P4 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16338
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com.        IN      A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 125 IN  A       104.20.177.24
www.cloudflare-dnssec-auth.com. 125 IN  A       104.20.176.24
www.cloudflare-dnssec-auth.com. 125 IN  RRSIG   A 13 3 300 20190427000710 20190424220710 34505 cloudflare-dnssec-auth.com. wL2sC08iv6E+3+GqXvMlOXtp9GAHFOCgboH3wEGyEehZlW636db2C3GU yhRRLX5i5Y1iH/42bVrdZoQtYKnXhQ==

;; Query time: 61 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 25 23:10:05 UTC 2019
;; MSG SIZE  rcvd: 303

dig cloudflare-dnssec-auth.com DNSKEY
 +dnssec

; <<>> DiG 9.12.3-P4 <<>> cloudflare-dnssec-auth.com DNSKEY +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;cloudflare-dnssec-auth.com.    IN      DNSKEY

;; ANSWER SECTION:
cloudflare-dnssec-auth.com. 3444 IN     DNSKEY  257 3 13 32NbP1ghYJTDIdYaAKRKTID3KtAR67Icmf5g+OG/XBF0fznMDHy634A2 u+eKIi3O+dXksBX4reGSYq69C1NHhw==
cloudflare-dnssec-auth.com. 3444 IN     DNSKEY  256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
cloudflare-dnssec-auth.com. 3444 IN     RRSIG   DNSKEY 13 2 3600 20190516191516 20190317191516 9277 cloudflare-dnssec-auth.com. /5DsHH6hxNzB+1EsoLxkH8iINYMKaPVuLlssIi/f9/3ZgzNdD+Yh0GuO rMClIICFzf15hK4tqVvyiBGkDqr0zg==

;; Query time: 55 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 25 23:10:34 UTC 2019
;; MSG SIZE  rcvd: 415

According to cloudflare this last one should not be a servfail

 dig www.cloudflare-dnssec-cname.com A
 +dnssec +cd

; <<>> DiG 9.12.3-P4 <<>> www.cloudflare-dnssec-cname.com A +dnssec +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24650
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.cloudflare-dnssec-cname.com. IN    A

;; Query time: 151 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 25 23:11:09 UTC 2019
;; MSG SIZE  rcvd: 49

 

[Swistheater]

dig www.cloudflare-dnssec-cname.com A +dnssec +cd

; <<>> DiG 9.10.1-P1 <<>> www.cloudflare-dnssec-cname.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 987
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-cname.com. IN  A

;; ANSWER SECTION:
www.cloudflare-dnssec-cname.com. 600 IN CNAME www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net.
www.cloudflare-dnssec-cname.com. 600 IN RRSIG CNAME 8 3 600 20150212082654 20150128082654 2760 cloudflare-dnssec-cname.com. sxr6XOqNQghcmL197/m5n2Bv3DEv2TT7EISf5TizqfuDSKMK9j8cHPSZ kKIuMgv1kwugLZcwpF973BIXFK+r5NZa11Hkh4hwdpNpG9pjykjzFG2n WDSDTRzHauX2+9Rf1cLFe8dU9cABkxNwH3EqewyHNPRu57PpjMlmYnBQ Pnk=
www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net. 300 IN A 104.28.0.18
www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net. 300 IN A 104.28.1.18
www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net. 300 IN RRSIG A 13 6 300 20150129102015 20150127082015 45140 cloudflare-dnssec.net. y10Kcz7eiVrjDCaTPyjceMmfPQk1FMfzFdo0xxNghAujQQxBWp1r6k2/ kc167BzE9V832hN9WcyiycujtQ5/aw==

;; Query time: 1410 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 28 09:20:17 GMT 2015
;; MSG SIZE  rcvd: 467

this is their example of valid dnssec using this.

 

[AntonK]

Hi,

Does this setup look right, to those who know what "right" means?

Thanks,
Anton

 

[skeal]

Hi,

Does this setup look right, to those who know what "right" means?

Thanks,
Anton

Nothing wrong there if you want Quad9.

 

[Swistheater]

CloudFlare DNSSEC test domain
Help us test our DNSSEC implementation!


See the CloudFlare blog for the details.

If you have feedback or find any defects, let us know at dnssec dash beta at cloudflare dot com. We’ll make sure to get you some stickers if you find some obscure bug!

And if you are a DNSSEC enthusiast and you want to be part of the public beta, send an email to the address above with the answer to this question - first ten people get in:

What is the DNSSEC algorithm number for ECDSAP256SHA256?

I left some feedback in their blog^

 

[dave14305]

Hi,

Does this setup look right, to those who know what "right" means?

Thanks,
Anton

Not sure if the screenshot is cutoff at the bottom, but make sure you have the Quad9 secondary server in the DoT list for redundancy.