[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[bluzfanmr1]

Does anyone ever see DoT in use using other than CF and their app? I haven't so far and wonder if that isn't more evidence that the CF test is broken/rigged?

I use Quad9 and this test...

http://0skar.cz/dns/en/

 

[Gar]

The CF test is not broken. Just has its limitations. It does verify that DoT or DoH is working. It does not test other resolvers. I have tested and use Quad9 and CleanBrowsing as well as Cloudflare. Usually do not use DNSSEC, with the Entware/Stubby install but this Alpha2 version seems to be running very well with DNSSEC enabled on Quad9.

What app do you use to confirm it's all working? I would like to go to Cleanbrowsing again if it works here.

 

[unsynaps]

This is great! Any plans to have WireGuard implemented?

Doubt it any time soon as only 1-2 routers support it because of kernel requirements.

 

[RMerlin]

Would it be feasible to move the preset dropdown list to the Address field under "DNS-over-TLS Server List"? It would just seem more intuitive to me.

I tried there first, and it didn't look good. So I did what Asus already does on the other webpages with presets, and moved it there.

 

[themiron]

When I disable "Wan: Use local caching DNS server..." and enable DNS Privacy, I end up with 3 entries in /tmp/resolv.conf: WAN DNS1, WAN DNS2 and 127.0.1.1. In that scenario, the router resolver will likely never use DoT because the WAN DNS entries are first. Is that intentional, or what is the reasoning behind all 3 entries being added if DNS Privacy is the goal?

Live client's DNS traffic is encrypted.
As for router-originated resolving, it's tradeoff between unencrypted dns resolution of system services domains on router itself and internet connectivity in general. Mean - *for* internet connectivity in general (ntp update issue above is one of multiple possible cases), so stubby there is the last resort for disaster case.

 

[Gar]

I use Quad9 and this test...

http://0skar.cz/dns/en/

Worked for me too, thanks. Up until now thought the CF site was universal.

 

[Clark Griswald]

I use Quad9 and this test...

http://0skar.cz/dns/en/

Now DNSSEC active & your link I am getting all success.
Weird that Cloudflre wouldn't correctly verify.

 

[bluepoint]

Now DNSSEC active & your link I am getting all success.

I don't know what that site is checking cause my DNSSEC is disabled and the results are all successful. It's possible it only checks if your DNS server is DNSSEC capable?

 

[Clark Griswald]

I don't know what that site is checking cause my DNSSEC is disabled and the results are all successful. It's possible it only checks if your DNS server is DNSSEC capable?

Thank You, I was just now noticing that same information, as I turned the settings on/off.

 

[EmeraldDeer]

Thank You, I was just now noticing that same information, as I turned the settings on/off.

This seeming contradiction may be explained by dnsmasq having proxy-dnssec set.

# grep proxy /etc/dnsmasq.conf
proxy-dnssec

If this is set, then the router does not actually check DNSSEC itself. Instead, the upstream DNS provider you have configured does the DNSSEC checking and the result is set in the DNS reply. In this way you essentially have the DNSSEC functionality. This is why the DNSSEC test succeeds.

In the context of a consumer router using DNS over TLS, I recommend this. But don't be surprised if there are cranky replies with other opinions. And if you want to go full tin hat, then really you should be doing DNSSEC all the way from your router to the root DNS servers, but by doing so, introduce a privacy issue where your IP is doing the check instead of your DNS provider's IP.

 

[Clark Griswald]

My shiny side out tin hat has kept me safe since dial-up, sir!
I'm just happy to see another convenient way for me to "play" with my router.

 

[Gar]

Now DNSSEC active & your link I am getting all success.
Weird that Cloudflre wouldn't correctly verify.

I get success about half the time with DNSSEC on, always with it off. Using Quad 9 secure.

 

[bluepoint]

This seeming contradiction may be explained by dnsmasq having proxy-dnssec set.

# grep proxy /etc/dnsmasq.conf
proxy-dnssec

If this is set, then the router does not actually check DNSSEC itself. Instead, the upstream DNS provider you have configured does the DNSSEC checking and the result is set in the DNS reply. In this way you essentially have the DNSSEC functionality. This is why the DNSSEC test succeeds.

With DNSSEC disabled, here's grep's result. Proxy-dnssec is not present.

/tmp/home/root# grep proxy /etc/dnsmasq.conf
/tmp/home/root#

Not unless I'm in the wrong directory?

 

[EmeraldDeer]

With DNSSEC disabled, here's grep's result. Proxy-dnssec is not present.

/tmp/home/root# grep proxy /etc/dnsmasq.conf
/tmp/home/root#

Not unless I'm in the wrong directory?

If

• DNSSEC from dnsmasq set from the router firmware
  • (LAN > DHCP Server > DNS and WINS Server Setting > Enable DNSSEC support)
• DNSSEC from Stubby getdns
  • ("stubby -i | grep -i dnssec" is NOT all GETDNS_EXTENSION_FALSE)
• Proxy DNSSEC from dnsmasq
  • (grep proxy-dnssec /etc/dnsmasq.conf)

are all disabled,
and your router is actually your DNS server,
then

• DNSSEC tests should fail

 

[bluepoint]

If

• DNSSEC from dnsmasq set from the router firmware
  • (LAN > DHCP Server > DNS and WINS Server Setting > Enable DNSSEC support)
• DNSSEC from Stubby getdns
  • ("stubby -i | grep -i dnssec" is NOT all GETDNS_EXTENSION_FALSE)
• Proxy DNSSEC from dnsmasq
  • (grep proxy-dnssec /etc/dnsmasq.conf)

are all disabled,
and your router is actually your DNS server,
then

• DNSSEC tests should fail

Bullet 2 I don't know how to check but bullets 1 & 3 I'm sure are disabled. DOT(cloudflare) is primary DNS server used.

 

[MarkRH]

If

• DNSSEC from dnsmasq set from the router firmware
  • (LAN > DHCP Server > DNS and WINS Server Setting > Enable DNSSEC support)
• DNSSEC from Stubby getdns
  • ("stubby -i | grep -i dnssec" is NOT all GETDNS_EXTENSION_FALSE)
• Proxy DNSSEC from dnsmasq
  • (grep proxy-dnssec /etc/dnsmasq.conf)

are all disabled,
and your router is actually your DNS server,
then

• DNSSEC tests should fail

1. I have no such DNSSEC setting here. The DNS Server 1 & 2, and the WINS Server are all blank. In the WAN -> WAN DNS section, DNSSEC is NOT enabled here. I do have DNS-Over-TLS (DoT) enabled.

2. Ran that command and got:

:/tmp/home/root# stubby -i | grep -i dnssec
[21:23:52.419413] STUBBY: Read config from file /etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_FALSE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "[EMAIL]dnssec@iana.org[/EMAIL]">,
:/tmp/home/root#

3. The command came out empty.

With this, the DNSSEC tests still say that it's enabled. Just enabling DNS over TLS seems to be enough. Everything is green here: http://0skar.cz/dns/en/

 

[bluepoint]

2. Ran that command and got:

:/tmp/home/root# stubby -i | grep -i dnssec
[21:23:52.419413] STUBBY: Read config from file /etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_FALSE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "[EMAIL]dnssec@iana.org[/EMAIL]">,
:/tmp/home/root#

3. The command came out empty.

With this, the DNSSEC tests still say that it's enabled. Just enabling DNS over TLS seems to be enough. Everything is green here: http://0skar.cz/dns/en/

Yes, just run the command and same results as yours. So, the site seems to just check if DNS server being used is DNSSEC capable just like this site.
http://dnssec.vs.uni-due.de/

 

[Marin]

I don't know what that site is checking cause my DNSSEC is disabled and the results are all successful. It's possible it only checks if your DNS server is DNSSEC capable?

I used to get all greens with this test on 384.10_2 if DNSSEC was activated on the GUI but not Stubby yml.


Sent from my iPhone using Tapatalk

 

[EmeraldDeer]

1. I have no such DNSSEC setting here. The DNS Server 1 & 2, and the WINS Server are all blank. In the WAN -> WAN DNS section, DNSSEC is NOT enabled here. I do have DNS-Over-TLS (DoT) enabled.

2. Ran that command and got:

:/tmp/home/root# stubby -i | grep -i dnssec
[21:23:52.419413] STUBBY: Read config from file /etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_FALSE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "[EMAIL]dnssec@iana.org[/EMAIL]">,
:/tmp/home/root#

3. The command came out empty.

With this, the DNSSEC tests still say that it's enabled. Just enabling DNS over TLS seems to be enough. Everything is green here: http://0skar.cz/dns/en/

Ha! I removed proxy-dnssec from /etc/dnsmasq.conf, service restart_dnsmasq, flushed DNS on Windows and restarted browser. DNSSEC is still working as if it was proxied. From Chrome on Windows and I am even seeing "ad" in the dig flags of websites with DNSSEC from ssh on the router. This is interesting.

 

[heysoundude]

I use Quad9 and this test...

http://0skar.cz/dns/en/

this test works on my ios mobile using brave (scripts protection disabled) with the cloudflare app's VPN profile engaged (with DoT rather than DoH) as well as it does on my desktop running stubby.