What's new

[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Nothing wrong there if you want Quad9. ;):)

Thanks! Yes, I've been a Quad9 man for some time now. Just turned on the D0T feature though, so wasn't sure if I still needed the WAN DNS boxes filled in.

Anton
 
Thanks! Yes, I've been a Quad9 man for some time now. Just turned on the D0T feature though, so wasn't sure if I still needed the WAN DNS boxes filled in.

Anton
You can put any public DNS including your ISP DNS in the WAN DNS settings, just don't use the router IP. ;):)
 
I ran two KDIG tests one with the +cd switch and one without.
With:
Code:
kdig -d @1.1.1.1 +tls-ca +dnssec +cd +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 25410
;; Flags: qr rd ra cd; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 25 B

;; QUESTION SECTION:
;; example.com.                IN    A

;; ANSWER SECTION:
example.com.            980    IN    A    93.184.216.34
example.com.            980    IN    RRSIG    A 8 2 86400 20190508112335 20190417064725 63195 example.com. V6Y2fQ7Kwgs0IX3wBSsORH6iSYAdfvj8urqEPaRDENgpH8WS21UNZHWjbUYLAKxhxknzKNTF7mpwKq3GX3sfAdpBpcNVHaovvv+pH2UDte3TCnEtXLo5EoN+fELCcI+Y4skZii9qsvSkFLIQmVo31KJtxZr2bvb59NyMnlINq/c=

;; Received 256 B
;; Time 2019-04-25 17:36:09 CST
;; From 1.1.1.1@853(TCP) in 84.0 ms
And without:
Code:
kdig -d @1.1.1.1 +tls-ca +dnssec +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14005
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 25 B

;; QUESTION SECTION:
;; example.com.                IN    A

;; ANSWER SECTION:
example.com.            909    IN    A    93.184.216.34
example.com.            909    IN    RRSIG    A 8 2 86400 20190508112335 20190417064725 63195 example.com. V6Y2fQ7Kwgs0IX3wBSsORH6iSYAdfvj8urqEPaRDENgpH8WS21UNZHWjbUYLAKxhxknzKNTF7mpwKq3GX3sfAdpBpcNVHaovvv+pH2UDte3TCnEtXLo5EoN+fELCcI+Y4skZii9qsvSkFLIQmVo31KJtxZr2bvb59NyMnlINq/c=

;; Received 256 B
;; Time 2019-04-25 17:37:20 CST
;; From 1.1.1.1@853(TCP) in 83.9 ms
The +cd seems to mess the test up. The "ad" flag shows in the second test.
 
You can put any public DNS including your ISP DNS in the WAN DNS settings, just don't use the router IP. ;):)

Could the VPN DNS servers go there as well? Long time ago (pre-Stubby) that is I used to have there and everything worked just fine.


Sent from my iPhone using Tapatalk
 
Could the VPN DNS servers go there as well? Long time ago (pre-Stubby) that is I used to have there and everything worked just fine.


Sent from my iPhone using Tapatalk
Sure, but bear in mind the circumstances when these addresses would be used is few and far between, as revealed in past posts.
 
Sure, but bear in mind the circumstances when these addresses would be used is few and far between, as revealed in past posts.

I agree


Sent from my iPhone using Tapatalk
 
I ran two KDIG tests one with the +cd switch and one without.
With:
Code:
kdig -d @1.1.1.1 +tls-ca +dnssec +cd +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 25410
;; Flags: qr rd ra cd; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 25 B

;; QUESTION SECTION:
;; example.com.                IN    A

;; ANSWER SECTION:
example.com.            980    IN    A    93.184.216.34
example.com.            980    IN    RRSIG    A 8 2 86400 20190508112335 20190417064725 63195 example.com. V6Y2fQ7Kwgs0IX3wBSsORH6iSYAdfvj8urqEPaRDENgpH8WS21UNZHWjbUYLAKxhxknzKNTF7mpwKq3GX3sfAdpBpcNVHaovvv+pH2UDte3TCnEtXLo5EoN+fELCcI+Y4skZii9qsvSkFLIQmVo31KJtxZr2bvb59NyMnlINq/c=

;; Received 256 B
;; Time 2019-04-25 17:36:09 CST
;; From 1.1.1.1@853(TCP) in 84.0 ms
And without:
Code:
kdig -d @1.1.1.1 +tls-ca +dnssec +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14005
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 25 B

;; QUESTION SECTION:
;; example.com.                IN    A

;; ANSWER SECTION:
example.com.            909    IN    A    93.184.216.34
example.com.            909    IN    RRSIG    A 8 2 86400 20190508112335 20190417064725 63195 example.com. V6Y2fQ7Kwgs0IX3wBSsORH6iSYAdfvj8urqEPaRDENgpH8WS21UNZHWjbUYLAKxhxknzKNTF7mpwKq3GX3sfAdpBpcNVHaovvv+pH2UDte3TCnEtXLo5EoN+fELCcI+Y4skZii9qsvSkFLIQmVo31KJtxZr2bvb59NyMnlINq/c=

;; Received 256 B
;; Time 2019-04-25 17:37:20 CST
;; From 1.1.1.1@853(TCP) in 83.9 ms
The +cd seems to mess the test up. The "ad" flag shows in the second test.

It would appear both switches are working properly the cd switch takes precedent over the ad when applied.
 
In a real world situation I don't see this stuff happening much, because if you think about how much DNSSEC is actually implemented. The main concern is confirming that the DoT appears to be in working order which it does... Fine Job!
 
Hi,

Does this setup look right, to those who know what "right" means?

Thanks,
Anton
Add the second quad9 secure server at 149.112.112.112

Sent from my SM-T380 using Tapatalk
 
I’ve been following this thread to learn about DNS over TLS. I have found it helpful also somewhat confusing so I decided to have a play but wasn’t sure it was working properly. After some googling I believe I have it set up correctly

c535e612e58a621b892732008344b924.jpg



Sent from my iPad using Tapatalk
Exact same result here after implementation ( https://www.cloudflare.com/ssl/encrypted-sni/ ).
I don't know the why's on the Encrypted SNI fail. Read some, but no real clarity yet...
RT AC-5300
 
Last edited:
Why do some people get positive results on the Cloudflare DNS test page, while others (like me) don't?

(Do we know what causes the difference?)
 
Why do some people get positive results on the Cloudflare DNS test page, while others (like me) don't?

(Do we know what causes the difference?)

The settings I use are

VPN client 1 using ExpressVPN
policy rules set to strict & accept DNS configuration set to disabled

The WAN page setting I have are

Connect to DNS Server automatically set to Yes
Forward local domain queries to upstream DNS set to No
Enable DNS rebind protection set to No
Enable DNSSEC support set to No
DNS Privacy Protocol set to DNS over TLS Enabled
DNS over TLS Profile set Strict
Preset servers chosen are 1.1.1.1 Cloudflare-dns.com
1.0.0.1 Cloudflare-dns.com

I’ve seen posts mentioning Enable DNS-based Filtering on the LAN page, mine is switched off.

The only understanding I have is that it works for me but I don’t understand why, I’m still learning


Sent from my iPad using Tapatalk
 
Why do some people get positive results on the Cloudflare DNS test page, while others (like me) don't?

(Do we know what causes the difference?)

For me, if I enabled DNSSEC and DNS-over-TLS then it breaks that page. When I disable DNSSEC, then it works.
 
For me, if I enabled DNSSEC and DNS-over-TLS then it breaks that page. When I disable DNSSEC, then it works.

That happened when I enabled DNSSEC as well


Sent from my iPad using Tapatalk
 
Connect to DNS Server automatically set to Yes
Forward local domain queries to upstream DNS set to No
Enable DNS rebind protection set to No
Enable DNSSEC support set to No
DNS Privacy Protocol set to DNS over TLS Enabled
DNS over TLS Profile set Strict
Preset servers chosen are 1.1.1.1 Cloudflare-dns.com
1.0.0.1 Cloudflare-dns.com

I’ve seen posts mentioning Enable DNS-based Filtering on the LAN page, mine is switched off.
Same settings here, but I also have DNSFilter under LAN set to ‘Router’, leaving the DNS entries blank. Everything working fine as well.
 
Why do some people get positive results on the Cloudflare DNS test page, while others (like me) don't?

(Do we know what causes the difference?)
We have been telling folks for some time now that DNSSEC breaks the cf help test. In time it will get fixed or not. Stubby DoT and DNSSEC do work. For now you just trust that it does...

Sent from my SM-T380 using Tapatalk
 
Add the second quad9 secure server at 149.112.112.112

Sent from my SM-T380 using Tapatalk

Since the secondary Cloudflare server is listed in the drop-down, I was expecting the secondary quad9 to be in there as well. I added it manually. One question is what value to use for the TLS hostname for this server. When I do a reverse lookup on dns.quad9.net, I get 9.9.9.9 and 149.112.112.112, but when I do a lookup on 149.112.112.112, I get rpz-public-resolver1.rrdns.pch.net. I imagine that either is ok to use, but I'm not sure.
 
Status
Not open for further replies.

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top