[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

Status
Not open for further replies.
This what you're referring to @RMerlin

Code:
jquery.js:5 [Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
send @ jquery.js:5
QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.
start_apply.htm:557 Uncaught SyntaxError: Unexpected token else
start_apply.htm:675 Uncaught ReferenceError: no_changes_and_no_committing is not defined
    at start_apply.htm:675
start_apply.htm:676 Uncaught ReferenceError: restart_needed_time is not defined
    at start_apply.htm:676
start_apply.htm:670 Uncaught ReferenceError: initial is not defined
    at onload (start_apply.htm:670)
2QoS_EZQoS.asp:1 Unchecked runtime.lastError: The message port closed before a response was received.
start_apply is selectively sed'd to only insert a couple of lines. It is possible, however, that things have changed in the alpha and the modification needs adapting. Once 384.11 is stable, I can take a look.
 
You are referring to Cloudflare doing it wrong as the DNS provider, not on their test page?

(The test on https://tenta.com/test/ also fails)
Yeah, I concur with you. Not really much can be done about it. The only thing we can do is first test that DoT is working and then test that DNSSEC is working, and we have to trust that in combination they are playing nicely with each other. New tech meets old tech.
 
Think you're on to something @RMerlin. When I uninstalled the few, I wanted to keep the stats for future install. I've since uninstalled them completely and now the refreshing page works. Might need @Jack Yaz to look into it, I guess.

Edit: I am going to assume when I left the "stats" it left the pointer to the new pages on the interface as well.
Not removing stats leaves the rrd file only, all webui modifications are removed
 
start_apply is selectively sed'd to only insert a couple of lines. It is possible, however, that things have changed in the alpha and the modification needs adapting. Once 384.11 is stable, I can take a look.

I noticed it happening with 384.10_2

 
Now my question: is there a way to test that the security features of DNSSEC are not interfering with some of the security features of DoT? Not the fact that it is feeding traffic to a certain point, but is there a way to tell that the actual built-in features are not being hindered? Obviously we can test DNSSEC from here till Sunday, but can we test that DoT servers are doing their part while in conjunction?
 
That test site is claiming that my 120 Mbps Cable connection is a 3.5 Mbps 4G connection. Uh...
It tells me I am a Tor exit node.
 
Now my question: is there a way to test that the security features of DNSSEC are not interfering with some of the security features of DoT? Not the fact that it is feeding traffic to a certain point, but is there a way to tell that the actual built-in features are not being hindered? Obviously we can test DNSSEC from here till Sunday, but can we test that DoT servers are doing their part while in conjunction?
If you have a Linux rig or Ubuntu live or something similar you can run this in a terminal;
Code:
kdig -d @1.1.1.1 +tls-ca +dnssec +tls-host=cloudflare-dns.com  example.com
however you will have to allow the device used past the DNSFilter. It passes every time here showing TLS 1.3.

EDIT: KDIG is not available for our Linux based routers. So with TCPDump, and this command, pretty much shows all is well, with both privacy technologies working together.
 
Some interesting DNSSEC tests I ran:
Code:
dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.12.3-P4 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16338
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com.        IN      A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 125 IN  A       104.20.177.24
www.cloudflare-dnssec-auth.com. 125 IN  A       104.20.176.24
www.cloudflare-dnssec-auth.com. 125 IN  RRSIG   A 13 3 300 20190427000710 20190424220710 34505 cloudflare-dnssec-auth.com. wL2sC08iv6E+3+GqXvMlOXtp9GAHFOCgboH3wEGyEehZlW636db2C3GU yhRRLX5i5Y1iH/42bVrdZoQtYKnXhQ==

;; Query time: 61 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 25 23:10:05 UTC 2019
;; MSG SIZE  rcvd: 303

Code:
dig cloudflare-dnssec-auth.com DNSKEY +dnssec

; <<>> DiG 9.12.3-P4 <<>> cloudflare-dnssec-auth.com DNSKEY +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;cloudflare-dnssec-auth.com.    IN      DNSKEY

;; ANSWER SECTION:
cloudflare-dnssec-auth.com. 3444 IN     DNSKEY  257 3 13 32NbP1ghYJTDIdYaAKRKTID3KtAR67Icmf5g+OG/XBF0fznMDHy634A2 u+eKIi3O+dXksBX4reGSYq69C1NHhw==
cloudflare-dnssec-auth.com. 3444 IN     DNSKEY  256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
cloudflare-dnssec-auth.com. 3444 IN     RRSIG   DNSKEY 13 2 3600 20190516191516 20190317191516 9277 cloudflare-dnssec-auth.com. /5DsHH6hxNzB+1EsoLxkH8iINYMKaPVuLlssIi/f9/3ZgzNdD+Yh0GuO rMClIICFzf15hK4tqVvyiBGkDqr0zg==

;; Query time: 55 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 25 23:10:34 UTC 2019
;; MSG SIZE  rcvd: 415

According to Cloudflare, this last one should not be a SERVFAIL.

Code:
dig www.cloudflare-dnssec-cname.com A +dnssec +cd

; <<>> DiG 9.12.3-P4 <<>> www.cloudflare-dnssec-cname.com A +dnssec +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24650
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.cloudflare-dnssec-cname.com. IN    A

;; Query time: 151 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 25 23:11:09 UTC 2019
;; MSG SIZE  rcvd: 49
 
Code:
dig www.cloudflare-dnssec-cname.com A +dnssec +cd

; <<>> DiG 9.10.1-P1 <<>> www.cloudflare-dnssec-cname.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 987
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-cname.com. IN  A

;; ANSWER SECTION:
www.cloudflare-dnssec-cname.com. 600 IN CNAME www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net.
www.cloudflare-dnssec-cname.com. 600 IN RRSIG CNAME 8 3 600 20150212082654 20150128082654 2760 cloudflare-dnssec-cname.com. sxr6XOqNQghcmL197/m5n2Bv3DEv2TT7EISf5TizqfuDSKMK9j8cHPSZ kKIuMgv1kwugLZcwpF973BIXFK+r5NZa11Hkh4hwdpNpG9pjykjzFG2n WDSDTRzHauX2+9Rf1cLFe8dU9cABkxNwH3EqewyHNPRu57PpjMlmYnBQ Pnk=
www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net. 300 IN A 104.28.0.18
www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net. 300 IN A 104.28.1.18
www.cloudflare-dnssec-cname.com.cdn.cloudflare-dnssec.net. 300 IN RRSIG A 13 6 300 20150129102015 20150127082015 45140 cloudflare-dnssec.net. y10Kcz7eiVrjDCaTPyjceMmfPQk1FMfzFdo0xxNghAujQQxBWp1r6k2/ kc167BzE9V832hN9WcyiycujtQ5/aw==

;; Query time: 1410 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 28 09:20:17 GMT 2015
;; MSG SIZE  rcvd: 467

This is their example of valid DNSSEC using this.
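
An added example, not part of any post in this thread: a POSIX shell function that reads `dig +dnssec` output and classifies it by the three things the outputs above differ on, namely the header status, the `ad`/`cd` flags and the presence of RRSIG records. The function names and verdict labels are this example's own, and the sample inputs are trimmed from the output quoted in the thread with signatures elided.

```shell
#!/bin/sh
# Added example. Function names and verdict labels are this example's own.
# Reads `dig +dnssec` output on stdin and prints one verdict word.
classify_dig() {
    awk '
        /->>HEADER<<-/ {                      # status: NOERROR, SERVFAIL, ...
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {                        # flag words end at the first ";"
            flags = $0
            sub(/^;; flags: */, "", flags)
            sub(/;.*/, "", flags)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) seen[f[i]] = 1
        }
        / IN[ \t]+RRSIG[ \t]/ { rrsig++ }     # signatures present in the answer
        END {
            if (status == "")                      v = "no-header"
            else if (status == "SERVFAIL" && ("cd" in seen)) v = "servfail-with-cd"
            else if (status == "SERVFAIL")         v = "servfail"
            else if (status == "NOERROR" && ("ad" in seen) && rrsig) v = "validated"
            else if (status == "NOERROR" && rrsig) v = "signed-not-validated"
            else                                   v = "unsigned-or-other"
            print v
        }'
}

# Sample input trimmed from the first dig output in the thread (signature elided).
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16338
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;www.cloudflare-dnssec-auth.com.        IN      A
www.cloudflare-dnssec-auth.com. 125 IN  A       104.20.177.24
www.cloudflare-dnssec-auth.com. 125 IN  RRSIG   A 13 3 300 (signature elided)
EOF
}

# Sample input trimmed from the +cd query in the thread that returned SERVFAIL.
sample_servfail_cd() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24650
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

sample_validated | classify_dig      # validated
sample_servfail_cd | classify_dig    # servfail-with-cd
```

On a live system, pipe real output into it, for example `dig www.cloudflare-dnssec-auth.com A +dnssec | classify_dig`. The `ad` flag only reports what the answering resolver (127.0.0.1 in the outputs above) claims to have validated; it says nothing about whether the upstream hop used TLS, which still has to be checked separately.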
 
Hi,

Does this setup look right, to those who know what "right" means?

Thanks,
Anton
 

Attachments

  • Wan Setup.jpg
Hi,

Does this setup look right, to those who know what "right" means?

Thanks,
Anton
Nothing wrong there if you want Quad9. ;):)
 
CloudFlare DNSSEC test domain
Help us test our DNSSEC implementation!


See the CloudFlare blog for the details.

If you have feedback or find any defects, let us know at dnssec dash beta at cloudflare dot com. We’ll make sure to get you some stickers if you find some obscure bug!

And if you are a DNSSEC enthusiast and you want to be part of the public beta, send an email to the address above with the answer to this question - first ten people get in:

What is the DNSSEC algorithm number for ECDSAP256SHA256?

I left some feedback in their blog^
 
Hi,

Does this setup look right, to those who know what "right" means?

Thanks,
Anton
Not sure if the screenshot is cutoff at the bottom, but make sure you have the Quad9 secondary server in the DoT list for redundancy.
 