[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

I think part of the issue lies in the fact that some DNSSEC is actually being done by the setup without DNSSEC turned on; I noticed this when doing dig tests and loading DNSSEC test pages.
 
Without DNSSEC turned on, the dig test returned:
Code:
/tmp/home/root# dig pir.org +dnssec +multi

; <<>> DiG 9.12.3-P4 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5261
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;pir.org.               IN A

;; ANSWER SECTION:
pir.org.                300 IN A 97.107.141.235
pir.org.                300 IN RRSIG A 5 2 300 (
                                20190428084004 20190414084004 7053 pir.org.
                                BpZ3AwDAvcH3ECmIeqKAG88JgWQlySUhhlbQ+hp/6maN
                                hnmpJkXi7Agk1GrrOeJOfdx98UzvnaNf9j0sTA5H83Oj
                                2Vgspvxqld07Vx5733VKjP3DvHnFJvdUndHvQoS66gvO
                                NawzIcJHl0ZmXq71WYBkuxMMMt+EcWSXIO3hVKw= )

;; Query time: 84 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 15 05:52:52 UTC 2019
;; MSG SIZE  rcvd: 233

Then I tested a failed server without DNSSEC turned on:
Code:
/tmp/home/root# dig www.dnssec-failed.org

; <<>> DiG 9.12.3-P4 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11413
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; Query time: 33 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 15 05:53:19 UTC 2019
;; MSG SIZE  rcvd: 39

Then I tested a server that is not DNSSEC signed:

Code:
/tmp/home/root# dig www.google.com +dnssec


; <<>> DiG 9.12.3-P4 <<>> www.google.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5473
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         25      IN      A       172.217.3.68

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 15 05:57:23 UTC 2019
;; MSG SIZE  rcvd: 73
 
What version of getdns is being used?
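The three dig runs above show the pattern worth recognising: pir.org comes back with an RRSIG, www.dnssec-failed.org gets SERVFAIL, yet no response carries the "ad" (authenticated data) flag. That combination means a resolver somewhere in the chain is validating (otherwise the broken zone would resolve), but the resolver that answered dig on 127.0.0.1 is not asserting validation itself. The following script is an added example, not code from the thread or the firmware: a small POSIX sh classifier that reads dig output on stdin and names which of those cases it sees. The function and sample names are mine; the samples are constructed by trimming the three outputs quoted above, plus one made-up "validated" answer to show the AD case.

```sh
#!/bin/sh
# Added example (not from the thread): classify a dig response by what it
# reveals about DNSSEC validation. Pipe dig output into dnssec_classify:
#   dig pir.org +dnssec | dnssec_classify
# Prints one word:
#   validated        - the answering resolver set the AD flag, i.e. it
#                      validated the answer itself
#   servfail         - no answer; what a validating resolver returns for a
#                      zone whose signatures do not verify
#   signed-unflagged - RRSIG records came back but AD is not set: something
#                      upstream is doing DNSSEC, but the resolver that
#                      answered dig is not asserting validation (the pir.org
#                      case in the post)
#   unsigned         - plain answer, no RRSIG, no AD (unsigned zone)
dnssec_classify() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
        echo servfail
        return 0
    fi
    # Pull the flag list out of the ";; flags: qr rd ra; QUERY: 1, ..." line.
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) echo validated; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'IN[[:space:]][[:space:]]*RRSIG[[:space:]]'; then
        echo signed-unflagged
    else
        echo unsigned
    fi
}

# Constructed samples, trimmed from the three dig runs quoted in the post.
SAMPLE_PIR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5261
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
pir.org.                300 IN A 97.107.141.235
pir.org.                300 IN RRSIG A 5 2 300 ( ...signature... )'
SAMPLE_FAILED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11413
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_GOOGLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5473
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.google.com.         25      IN      A       172.217.3.68'
# Constructed (not from the post): the pir.org answer as a resolver that
# validates and passes the AD bit downstream would return it.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
pir.org.                300 IN A 97.107.141.235'

# Run against the samples (offline), or with "live" against the router's
# own resolver using the same three names the post queried.
if [ "${1:-}" = live ]; then
    for d in pir.org www.dnssec-failed.org www.google.com; do
        printf '%s: ' "$d"
        dig "$d" +dnssec | dnssec_classify
    done
else
    for s in "$SAMPLE_PIR" "$SAMPLE_FAILED" "$SAMPLE_GOOGLE" "$SAMPLE_VALIDATED"; do
        printf '%s\n' "$s" | dnssec_classify
    done
fi
```

Run as `sh classify.sh live` on the router to reproduce the post's observation; if every signed name comes back "signed-unflagged", the validation is happening upstream of dnsmasq rather than being done or reported locally, which is consistent with DNSSEC being off in the router while the DoT upstream still rejects badly signed zones.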
 
So I'll ask my question here again since there are more developments to DNS over TLS in those builds.

I'm using custom DNS servers related to services which unblock streaming websites, so I need to use those 2 DNS servers; however, I still want to have all my DNS traffic encrypted.

Can this ever work?
 
Are you talking about using specific DNS servers for encrypted traffic and then different DNS servers for other devices like streaming devices?
 
With DNSSEC enabled: (screenshot, attachment 17055)

With DNSSEC disabled: (screenshot, attachment 17057)

RT-AC68P
That is interesting.

When I have enabled DNSSEC in stubby.yml, I get a fail on the DNS over TLS. This is a known issue as the test site does not support DoT.

However, I do show that I am connected to 1.1.1.1

Everything seems to be working as expected, good to see this being adopted into the main firmware.

FWIW, the listen address for stubby is now 127.0.1.1#53 (previously it was 127.0.0.1#5453), if anyone else is wondering why dnsmasq config edits may have stopped working.

EDIT: Spoke too soon; as previously pointed out, you will need to add "server=/pool.ntp.org/1.1.1.1" to "/jffs/scripts/dnsmasq.conf.add", otherwise NTP will fail to start.
 
EDIT: Spoke too soon; as previously pointed out, you will need to add "server=/pool.ntp.org/1.1.1.1" to "/jffs/scripts/dnsmasq.conf.add", otherwise NTP will fail to start.
This is what I was trying to point out earlier. When having DoT and DNSSEC used together with the router's IP set to the WAN DNS Server 1, you will need the above line in dnsmasq.conf.add to get the ntp update to work. Thank you @Adamm for confirming this. ;):)
 
This is what I was trying to point out earlier. When having DoT and DNSSEC used together with the router's IP set to the WAN DNS Server 1, you will need the above line in dnsmasq.conf.add to get the ntp update to work. Thank you @Adamm for confirming this. ;):)

I'm not even sure if/when those WAN DNS fields are used, so I just set them to 1.1.1.1 / 1.0.0.1 (nor do they allow local IPs); it seemed overly confusing having it above the DoT settings.

 
I'm not even sure if/when those WAN DNS fields are used, so I just set them to 1.1.1.1 / 1.0.0.1 (nor do they allow local IPs); it seemed overly confusing having it above the DoT settings.

I agree @Adamm, it is confusing having a Server field still when using DoT.
 
Dirty upgrade. DoT breaks all. Tried different servers and reset. Odd since on my 56u/374 fork it works fine. More testing...

EDIT: Added CF to the DoT Server List and am OK now; the list was blank before, not realizing I had to add an entry. DNSSEC breaks it though, with the cache setting on or off.
 
Dirty upgrade. DoT breaks all. Tried different servers and reset. Odd since on my 56u/374 fork it works fine. More testing...

Testing a BETA firmware on a dirty upgrade is like putting petrol in a diesel vehicle, it'll look like it's working in the start but everything will break eventually.
 
Firstly, thank you.

I have a few of my kids' devices configured to use the OpenDNS Family config through the DNSFilter option to block certain domains.

Is it normal that when DoT is enabled my filter config is totally bypassed?
 
I'm not even sure if/when those WAN DNS fields are used, so I just set them to 1.1.1.1 / 1.0.0.1 (nor do they allow local IPs); it seemed overly confusing having it above the DoT settings.
I agree @Adamm, it is confusing having a Server field still when using DoT.

DNS Server 1 and DNS Server 2 play the same ISP DNS role as before. They are used by the router itself unless dnsmasq is set as system resolver (i.e. for NTP server resolving, etc.) and DoT is enabled.
Things may change in the future.

Update: Reboot did not help; in fact, after the reboot enabling DNSSEC, the WAN connection stopped working.
Dirty upgrade. DoT breaks all. Tried different servers and reset. Odd since on my 56u/374 fork it works fine. More testing...

Do not enable DNSSEC on alpha2, or you'll end up with no working DNS after reboot.
If you have reasons to keep it enabled, there are 3 options:
* Disable "Wan: Use local caching DNS server as system resolver (default: Yes)" on the Tools - Other Settings page; actually this is the reason.
* Add "server=/pool.ntp.org/1.1.1.1" or similar to /jffs/scripts/dnsmasq.conf.add; this will cause NTP server resolution to bypass DoT via non-DoT DNS.
* DoT + DNSSEC + NTP coexistence is already fixed in sources and will be available in a new alpha build.
Any one of them should work.
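Option 2 is the one that can be scripted, and it is worth seeing why it works: RRSIG records carry inception and expiration timestamps (the pir.org signature earlier in the thread is valid from 20190414 to 20190428), and a DoT connection checks a certificate validity window too, so a router whose clock has not been set yet cannot validate the answer for pool.ntp.org, and NTP never gets to set the clock. Sending that one name to a plain DNS upstream breaks the loop. The script below is an added example, not part of the thread or the firmware: it adds the bypass line idempotently so repeated runs do not stack duplicates, and offers a count function to confirm the line is present. The file path and the line itself come from the post; the function names, the `apply` argument and the use of `service restart_dnsmasq` (the standard Asuswrt-Merlin way to reload dnsmasq) are my additions.

```sh
#!/bin/sh
# Added example (not from the thread or the firmware): manage the NTP bypass
# line in /jffs/scripts/dnsmasq.conf.add without duplicating it.
NTP_BYPASS_LINE='server=/pool.ntp.org/1.1.1.1'
CONF_ADD=/jffs/scripts/dnsmasq.conf.add

# Append $2 to file $1 only if an identical line is not already present.
# Exact, fixed-string, whole-line match so "server=/pool.ntp.org/1.1.1.1"
# is not mistaken for a longer line that merely contains it.
ensure_conf_line() {
    conf=$1
    line=$2
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF -- "$line" "$conf"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$conf"
}

# Print how many whole-line matches of $2 exist in $1 (0 = not configured,
# 1 = configured, more than 1 = duplicates left by hand edits).
conf_line_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF -- "$2" "$1" || true
}

# Only touch the real router file when explicitly asked:  sh ntp_bypass.sh apply
if [ "${1:-}" = apply ]; then
    ensure_conf_line "$CONF_ADD" "$NTP_BYPASS_LINE"
    echo "bypass entries in $CONF_ADD: $(conf_line_count "$CONF_ADD" "$NTP_BYPASS_LINE")"
    service restart_dnsmasq
fi
```

After applying, `nslookup pool.ntp.org 127.0.0.1` should answer even with DNSSEC on and the clock wrong, and the rest of the router's lookups still go through stubby. Once the fixed alpha build mentioned in option 3 lands, the line can be removed again with an editor; nothing else depends on it.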
 
Firstly, thank you.

I have a few of my kids' devices configured to use the OpenDNS Family config through the DNSFilter option to block certain domains.

Is it normal that when DoT is enabled my filter config is totally bypassed?

So when I run my DNSFilter in global mode set to router and then add predefined OpenDNS for extra devices, this is what I get on that device: (screenshot)

When I remove the filter option for that device it goes back to DoT: (screenshot, attachment 17061)

I imagine this will also play nice with the custom block features of Diversion, where one uses a custom block file for global mode; I haven't tested it but I will later.
 