[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

Status
Not open for further replies.
I have downloaded this alpha from the test folder for my AX88U but don’t see the extra options on the WAN DNS settings page.

What have I done wrong? Lol
 
Will 384.11 alpha 2+ be based on 45149 or 45713 (or something else?)
Thanks Merlin!
 

There is no new GPL available from Asus except for the RT-AX88U.
 
Test builds have been uploaded to Onedrive:

https://asuswrt.lostrealm.ca/test-builds

Once again, please keep the posts in this thread specifically on the DNS over TLS topic. Further posts about GPL versions and what not in this thread will simply be ignored and/or deleted.
 
Upgraded my AX88U and no issues. Just a reminder that Stubby users should uninstall and stabilize before the upgrade, IMHO. DoT working as we speak. Nice job on the interface @RMerlin !! ;):)
 
Trying this alpha out on my RT-AC68U and set it up just like your screenshots. I went to https://www.cloudflare.com/ssl/encrypted-sni/ and the first three things had green check marks and the last did not. I then went to https://cloudflare-dns.com/help/ and it did show I was using 1.1.1.1 "Using DNS over TLS (DoT)". So, this does seem to be working.

Thanks for your efforts. If anything crops up, I'll let ya know.

Edit: Oh, I do not have "Enable DNSSEC support" checked. Should it be?
 
A bug on the AC3200: with DNSoT and DNSSEC enabled (Cloudflare DNS), the WAN connection is down from a cold boot. Disabling DNSSEC allows the WAN to come up and DNSoT works. If DNSSEC is enabled again without restarting, DNSSEC and DNSoT no longer work and it falls back to DNS without either.

Any plans for IPv6 support for DNSoT?
 

Scroll down on the list of server presets, IPv6 ones there.
So, I’m assuming IPv6 supported....
 
Well, I definitely struggled with this upgrade and couldn't make it work on my AX88U. I could not connect to the internet and none of the NordVPN clients would work either. Activated DoT via the GUI and picked Cloudflare's IPv4 servers, but no luck. Tried changing different WAN DNS settings (Yes, No + Router's IP, No + NordVPN servers, No + No servers, etc.) but none of those brought the internet back. Also played with different Accept DNS Configuration settings (Exclusive, Strict, Disabled...) but no luck. Also unplugged my cable modem for about 30 min to allow enough time for lease renewal before trying again.

Maybe I am overlooking some very obvious settings in GUI. If anyone would be willing to share their Stubby + WAN + their VPN's "Accept DNS Configuration" setting screenshots, that would be appreciated.

Perhaps, for some of us earlier Stubby + VPN users, a quick guide on what options may need to be tweaked as a result of the new changes would be useful.

Moved back to 384.10_2 FW and was able to get my good ol' Stubby back via AMTM.

Will try again at a later time.
 
Dirty upgrade on AC3100 worked fine. Able to configure DoT, however it doesn’t look like the stubby.yml wants to pick up the Cloudflare IPv6 servers. I have both IPv4 addresses and both IPv6 addresses configured from presets in the GUI.

I performed an uninstall and reboot via the stubby installer prior to updating.
 
Observation: When using DoT with the router's IP as WAN DNS server 1, you will need to add this line to /jffs/configs/dnsmasq.conf.add:
Code:
server=/pool.ntp.org/1.1.1.1
This will allow the time to update.
Rebooting with the OVPN Server or Client set to start at boot still breaks the connection to the internet. If you start these services after the reboot is complete, everything works as normal; just don't reboot with the OVPN Server turned on. ;):)
 
> Scroll down on the list of server presets, IPv6 ones there.
> So, I’m assuming IPv6 supported....
Well, I'm blind apparently...

Well, the different categories' text isn't rendering correctly in Firefox, making them impossible to read.
 

Attachment: dnsot.png
> Observation: When using DoT with the router's IP as WAN DNS server 1, you will need to add this line to /jffs/configs/dnsmasq.conf.add:
> Code:
> server=/pool.ntp.org/1.1.1.1
> This will allow the time to update.
> Rebooting with the OVPN Server or Client set to start at boot still breaks the connection to the internet. If you start these services after the reboot is complete, everything works as normal; just don't reboot with the OVPN Server turned on. ;):)
Is this running alpha 2 or from your experience running the Stubby script? Alpha 2 will start Stubby without strict TLS if ntp isn’t synced yet, so ntp hostnames should resolve on their own.

I think anyone running the Stubby script is going to need to do a @L&LD M&M config to unlearn some of the necessary workarounds from the entware implementation. ;)
 
Yes, running alpha 2, and yes, I did a complete M&M because that's how I roll. ;):) I think the key point being: if your WAN DNS is set to your router's IP. I found in this specific case, you need that line. I think if you left the WAN DNS as your ISP DNS or maybe even 1.1.1.1 the ntp update would work. That is while using the new DoT settings.
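Editor's note, added here as a worked example; this is not code from the thread, from Asuswrt-Merlin or from Stubby. It shows the two mechanics the NTP exchange above turns on: how a dnsmasq `server=/domain/ip` line (the pool.ntp.org workaround) steers one domain to a plaintext upstream while every other query goes to the local DoT forwarder, and what "strict" versus opportunistic DoT means on the wire (RFC 7858 framing over TCP/853, with a TLS context that does or does not authenticate the resolver). Certificate validity dates are checked against the local clock, which is why a router that has not yet synced NTP cannot complete a strict handshake. Assumptions not taken from the thread: the local forwarder listens on 127.0.1.1, Cloudflare's authentication name is cloudflare-dns.com, and the sample config lines and the stand-in resolver response are constructed for the offline demo.

```python
"""Added example (not Asuswrt-Merlin's or Stubby's code): dnsmasq-style
dispatch for the pool.ntp.org workaround, plus a minimal DNS-over-TLS client
with strict and opportunistic TLS contexts. Assumed, not from the thread:
forwarder on 127.0.1.1, auth name cloudflare-dns.com."""
import random
import socket
import ssl
import struct


def pick_upstream(qname, config_lines, default_upstream):
    """Choose an upstream the way dnsmasq 'server=/domain/ip' lines do:
    longest matching domain suffix wins, otherwise the default upstream."""
    qname = qname.lower().strip(".")
    best = None
    for line in config_lines:
        line = line.strip()
        if not line.startswith("server=/"):
            continue  # plain 'server=ip' or unrelated option
        _, domain, ip = line.split("/", 2)
        domain = domain.lower().strip(".")
        if qname == domain or qname.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else default_upstream


def build_query(name, qtype=1):
    """Build a DNS query (A record by default); returns (id, wire bytes)."""
    qid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return qid, header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_id):
    """Return A-record IPs from a DNS response after checking id and rcode."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != expected_id:
        raise ValueError("response id mismatch")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def constructed_response(query, ip):
    """Constructed stand-in for a resolver: answers the query with one A record."""
    hdr = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return hdr + query[12:] + answer


def tls_context(strict=True):
    """Strict: verify the chain and hostname (validity dates need a correct
    clock). Opportunistic: encrypt only, no authentication of the resolver."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read")
        buf += chunk
    return buf


def dot_query(name, server_ip, auth_name, strict=True, timeout=5.0):
    """Resolve an A record over DNS-over-TLS (RFC 7858: 2-byte length prefix)."""
    qid, query = build_query(name)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with tls_context(strict).wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), qid)


if __name__ == "__main__":
    conf = ["server=/pool.ntp.org/1.1.1.1", "server=127.0.1.1"]  # constructed
    for host in ("0.pool.ntp.org", "example.com"):
        print(host, "->", pick_upstream(host, conf, "127.0.1.1"))
    qid, q = build_query("0.pool.ntp.org")
    print(parse_a_records(constructed_response(q, "192.0.2.10"), qid))
    # Live check, needs network and (for strict=True) a synced clock:
    # print(dot_query("example.com", "1.1.1.1", "cloudflare-dns.com", strict=True))
```

Run it as-is for the offline dispatch and parsing demo; uncomment the last line on a host with network access to see a real strict DoT lookup, and try it with `strict=False` against a deliberately wrong clock to reproduce the handshake-before-NTP behaviour the posts above describe.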
 
> Well, I'm blind apparently...
>
> Well, the different categories' text isn't rendering correctly in Firefox, making them impossible to read.

Blindness is sometimes an issue here as well... :-(

However, yes, DNSSEC enabled breaks DoT for me, regardless of servers chosen. (I’ve tried with all Cloudflare, & all Quad9, no difference.)

DNSSEC + DoT totally kills my WAN connection.
So, I can have DoT, or DNSSEC, but not both.
 