[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[bbunge]

Any feedback on the webui implementation? Does it look intuitive to use in its current form?

Well, it seems OK.
Would like option for round robin.
Not sure if spki is needed as it seems to confuse folks and is not required by major DNS providers.
Do like ability to add resolvers

As for the innards, if you are using current getdns and stubby, values to set TLS 1.3 and protocols should be in stubby.yml.

Sent from my SM-T380 using Tapatalk

 

[RMerlin]

On the DNSFilter front, I haven't had the time to test/evaluate the various usage scenario yet. In theory, this is how it should work (again, untested yet):

• If a DNSFilter is set to Router and you have DoT enabled, then it will force that client to use DoT
• If a DNSFilter is set to a specific server/IP (for instance OpenDNS), it will force that client to use OpenDNS, bypassing DoT. It will also prevent that client from using DoT, unless it's the same server
• If a DNSFilter is set to unfiltered, then it could use either DNSFilter, or any server configured in the client (for instance, Android devices might still use 8.8.8.8 for applications like Netflix)

 

[bbunge]

Until a fixed build is released, it's better for people to keep DNSSEC disabled for now, unless they are familiar enough to manually implement the dnsmasq workaround.

That workaround does not work for me.

Sent from my SM-T380 using Tapatalk

 

[RMerlin]

Not sure if spki is needed as it seems to confuse folks and is not required by major DNS providers.

Some providers require it (quite a few of these are in the presets).

Would like option for round robin.

Any particular reason this would be needed by regular users? Current setup is to use round-robin. It will eventually be possible to override it through a postconf, unless there's enough good reasons to make this setting accessible through the webui (I want to keep the number of knobs to a minimum to avoid confusing users).

Do like ability to add resolvers

The initial design actually didn't have the presets, that was added just before public release. Those presets are stored in a file in the firmware, so in theory someone might even be able to replace/customize that list if they wanted to (though I see little reason to do so).

As for the innards, if you are using current getdns and stubby, values to set TLS 1.3 and protocols should be in stubby.yml.

Default configs are already to use the best cipher and TLS version available. Enforcing a minimum TLS version makes little sense - 1.3 will be used whenever it's supported. If there is any odd reason for someone to customize this, it will be possible through a postconf.

 

[Gingernut]

When DNSFilter is set to Router, and LAN DHCP DNS Server 1 is not empty, DNSFilter enforces all the clients' DNS traffic to LAN DHCP DNS server 1. So erase the LAN DHCP DNS servers and then Router mode will force all DNS traffic to the router LAN IP (i.e. dnsmasq) which will forward requests to Stubby which will forward to your selected DoT servers.

Learnt something today, thx.

Maybe the webUI could be a little more intuitive when applying these configurations when they overide each other.

 

[RMerlin]

Learnt something today, thx.

Maybe the webUI could be a little more intuitive when applying these configurations when they overide each other.

I'm considering adding a warning to the DNSPrivacy section whenever the DHCP DNS isn't set to its default values.

 

[skeal]

I like the webui layout!!

 

[Swistheater]

It functions like it should minus the lack of customization. Great job .

 

[Gar]

Seems straight-forward and with my lack of experience still allowed me to set things up after only 1 mistake.

 

[Billy Chaney]

It was easy to set up. I like it.

 

[Swistheater]

I would maybe change the amount of times a connection can fail 2 is pretty low maybe put it at 5

 

[Martin_D]

Working fantastic for me and the webUI is very good

 

[Swistheater]

The default listening option needs to be added to stubby.yml for proper ipv6 support. I tested using ipv6 dot by itself it fails. It only works when I have it joined with ipv4 as well. But with ipv6 by itself nothing gets resolved because .yml file doesnt listen on ipv6 port.

 

[Gar]

On the DNSFilter front, I haven't had the time to test/evaluate the various usage scenario yet. In theory, this is how it should work (again, untested yet):

• If a DNSFilter is set to Router and you have DoT enabled, then it will force that client to use DoT
• If a DNSFilter is set to a specific server/IP (for instance OpenDNS), it will force that client to use OpenDNS, bypassing DoT. It will also prevent that client from using DoT, unless it's the same server
• If a DNSFilter is set to unfiltered, then it could use either DNSFilter, or any server configured in the client (for instance, Android devices might still use 8.8.8.8 for applications like Netflix)

Seems to be the case from my experimentation, just don't know how to populate that client list. Stuff apears when it feels like it.

 

[Swistheater]

The 0::1 option needs to be added

 

[Gar]

The 0::1 option needs to be added

Assuming you are responding to my comment:

For the technically challenged...what can I do from the existing menus that might help?

 

[Swistheater]

For the technically challenged...what can I do from the existing menus that might help?

Sounds like you need to write down all the addresses of the devices you want to put into the dns filter and manually add them as needed filtering or vice versa

 

[Gar]

Sounds like you need to write down all the addresses of the devices you want to put into the dns filter

I'm used to them appearing on their own, but your way works too.

Edit: Sorry, off topic

 

[Treadler]

GUI works for me.

 

[Cam]

The default listening option needs to be added to stubby.yml for proper ipv6 support. I tested using ipv6 dot by itself it fails. It only works when I have it joined with ipv4 as well. But with ipv6 by itself nothing gets resolved because .yml file doesnt listen on ipv6 port.

I don't think ipv6 is properly integrated, yet, as the ipv6 dns servers selected in the GUI are not added to the stubby.yml file.
So even if "server=::1" was added to dnsmasq, it still wouldn't resolv thru ipv6 with stubby. EDIT, though I guess stubby might just use ipv4 to resolv the request

I like the gui so far. Definitely like @RMerlin's idea of a warning if settings changed (ie lan dns server/dnsfilter) than may cause something to break.