[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

Blindness sometimes an issue here as well....... :-(

However, yes, DNSSEC enabled breaks DoT for me, regardless of servers chosen. (I’ve tried with all Cloudflare, & all Quad9, no difference.)

DNSSEC + DoT totally kills my WAN connection.
So, I can have DoT, or DNSSEC, but not both.
I wonder if you add “proxy-dnssec” to /jffs/configs/dnsmasq.conf.add and restart dnsmasq, does that help?
 
Yes, running alpha 2, and yes, I did a complete M&M because that's how I roll. ;):) I think the key point being: if your WAN DNS is set to your router's IP. I found in this specific case, you need that line. I think if you left the WAN DNS as your ISP DNS or maybe even 1.1.1.1 the NTP update would work. That is while using the new DoT settings.
I’m standing on the alpha sidelines, but studying the code intently. :p
 
Observation: When using DoT with the router's IP as WAN DNS server 1 you will need to add this line to /jffs/configs/dnsmasq.conf.add:
Code:
server=/pool.ntp.org/1.1.1.1
This will allow the time to update.
Rebooting with OVPN Server or Client set to start at boot, still breaks the connection to the internet. If you start these services after the reboot is complete everything works as normal, just don't reboot with the OVPN Server turned on. ;):)
FWIW, I do not have this entry and did not have WAN connection issues.
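The workaround above is a one-line dnsmasq domain override (`server=/domain/upstream`), which is easy to duplicate by hand across reflashes. The following POSIX sh helper is an added example, not code from the thread or from Asuswrt-Merlin: it appends the override only when it is not already present (exact full-line match) and restarts dnsmasq only if the file actually changed. It assumes the `service restart_dnsmasq` command available on Asuswrt-Merlin; the file path, domain and upstream are parameters so the same helper works for other overrides.

```sh
#!/bin/sh
# Idempotently add a dnsmasq "server=/domain/upstream" override to a conf.add file.
# $1 = conf file, $2 = domain, $3 = upstream resolver IP
# Returns 0 if the line was appended, 1 if it was already present.
ensure_dnsmasq_override() {
    conf="$1"; domain="$2"; upstream="$3"
    line="server=/${domain}/${upstream}"
    [ -f "$conf" ] || : > "$conf"
    # -x: whole-line match, -F: literal, so a similar but different entry does not count
    if grep -qxF "$line" "$conf"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$conf"
    return 0
}

# Number of times the override line occurs in the file (sanity check after edits).
# $1 = conf file, $2 = domain, $3 = upstream resolver IP
count_override() {
    grep -cxF "server=/$2/$3" "$1" || :
}

# On the router: add the NTP override from the thread and restart dnsmasq
# only when the file changed, so a boot-time run is harmless when already applied.
apply_ntp_override() {
    if ensure_dnsmasq_override /jffs/configs/dnsmasq.conf.add pool.ntp.org 1.1.1.1; then
        service restart_dnsmasq   # Asuswrt-Merlin service command (assumption: present)
    fi
}
```

Calling `apply_ntp_override` from a /jffs script keeps the override in place without appending duplicate lines on every run.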
 
RT-AC66U_B1 went from entware/stubby to 384.11 a2. Deleted scripts for entware and stubby in /jffs, set Wan DNS servers to Cloudflare then rebooted. Removed thumb drive and flashed alpha 2 firmware. Then configured DoT to CF, tested OK, then Q9, tested OK. Will do DNSSEC tomorrow.
My only request is to include the Q9 alt secure server 149.112.112.112.
Thanks!

Sent from my SM-T380 using Tapatalk
 
I wonder if you add “proxy-dnssec” to /jffs/configs/dnsmasq.conf.add and restart dnsmasq, does that help?
If you click on the Enable DNSSEC Support, it says "Make sure your WAN/ISP DNS are DNSSEC-compatible, otherwise DNS lookups will always fail." Initially I had WAN connection troubles, but tracked it down to my having "Connect to DNS Server automatically" as YES, which created lookup issues. May or may not help you.

Enabling DNSSEC stops DoT for me when checking 1.1.1.1/help. I tried adding proxy-dnssec to dnsmasq.conf.add and restarting dnsmasq but it had no discernible effect.
 
If you click on the Enable DNSSEC Support, it says "Make sure your WAN/ISP DNS are DNSSEC-compatible, otherwise DNS lookups will always fail." Initially I had WAN connection troubles, but tracked it down to my having "Connect to DNS Server automatically" as YES, which created lookup issues. May or may not help you.

Enabling DNSSEC stops DoT for me when checking 1.1.1.1/help. I tried adding proxy-dnssec to dnsmasq.conf.add and restarting dnsmasq but it had no discernible effect.
Ok, be sure to remove that line if it didn’t help.
 
With DNSSEC enabled

WithDNSSEC.jpg

With DNSSEC disabled

WithoutDNSSEC.jpg
Rt-AC68P
 
Well, I'm blind apparently...

Well, the different categories' text isn't rendering correctly in Firefox, making them impossible to read.

Right, I forgot. Firefox has been broken for YEARS in rendering optgroup labels. Sigh.

I can't remember what the workaround was (besides telling the Firefox devs to fix their stuff, and waiting a few years for it to actually happen...)
 
If you click on the Enable DNSSEC Support, it says "Make sure your WAN/ISP DNS are DNSSEC-compatible, otherwise DNS lookups will always fail." Initially I had WAN connection troubles, but tracked it down to my having "Connect to DNS Server automatically" as YES, which created lookup issues. May or may not help you.

Enabling DNSSEC stops DoT for me when checking 1.1.1.1/help. I tried adding proxy-dnssec to dnsmasq.conf.add and restarting dnsmasq but it had no discernible effect.

All DNS servers configured in my router are DNSSEC friendly.
I don’t have ‘connect to DNS server automatically’ enabled.
DoT appears to be working fine, all I need to do to kill my WAN connection is to enable DNSSEC. :-(
No connection, hence no NTP update, nor anything else, just dead.
Disable DNSSEC, press ‘apply’, & all is good once more.
 
One possible workaround for DNSSEC issue is to disable (set to No) "Wan: Use local caching DNS server as system resolver" at Tools / Other settings page.
 
Is there a way to modify the stubby config file with an add script?
 
Is there a way to modify the stubby config file with an add script?

Not yet. I need the core functionality tested before I allow people to start customizing the living hell out of it, so I won't add the planned postconf script support until that testing phase is done. :)
 
Not yet. I need the core functionality tested before I allow people to start customizing the living hell out of it, so I won't add the planned postconf script support until that testing phase is done. :)

I can tell it functions as it should, minus the DNSSEC issues. It does have some mild DNSSEC support with the option turned off, but it fails the Cloudflare test pages when it is turned on, which is a lack of support on their part.
 
One possible workaround for DNSSEC issue is to disable (set to No) "Wan: Use local caching DNS server as system resolver" at Tools / Other settings page.


That appears to have fixed it!
Both DNSSEC & DoT enabled, all good, many thanks.
 
I can tell it functions as it should, minus the DNSSEC issues. It does have some mild DNSSEC support with the option turned off, but it fails the Cloudflare test pages when it is turned on, which is a lack of support on their part.

8 hours of testing isn't a large enough sample to call it "yep, it's working, let's all start customizing everything and introduce user-generated errors into the mix!" :)
 
8 hours of testing isn't a large enough sample to call it "yep, it's working, let's all start customizing everything and introduce user-generated errors into the mix!" :)

Agreed.
 
With both DNSSEC & DoT enabled, that Cloudflare page now tells me I’m using DoH !?
(& not using DoT).
Go figure.
Just ignoring that page for now.......

That page is weird. It fails to detect DoT for me when I use anything BUT Cloudflare and with DNSSEC disabled. I wish I knew how they are actually doing their test.

Also getting unreliable results from https://www.cloudflare.com/ssl/encrypted-sni/ if I use anything other than Cloudflare, or if I enable DNSSEC.
 
One possible workaround for DNSSEC issue is to disable (set to No) "Wan: Use local caching DNS server as system resolver" at Tools / Other settings page.
Workaround did not fix the DNSSEC issue for me. Maybe I need to reboot after the change; I'll try tomorrow when I can.
 