What's new

[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Blindness sometimes an issue here as well....... :-(

However, yes, DNSSEC enabled breaks DoT for me, regardless of servers chosen. (I’ve tried with all Cloudflare, & all Quad9, no difference.)

DNSSEC + DoT totally kills my WAN connection.
So, I can have DoT, or DNSSEC, but not both.
I wonder if you add “proxy-dnssec” to /jffs/configs/dnsmasq.conf.add and restart dnsmasq, does that help?
 
Yes running alpha 2 and yes I did a complete M&M because that's how I role. ;):) I think the key point being; if your WAN DNS is set to your router's IP. I found in this specific case, you need that line. I think if you left the WAN DNS as your ISP DNS or maybe even 1.1.1.1 the ntp update would work. That is while using the new DoT settings.
I’m standing on the alpha sidelines, but studying the code intently. :p
 
Observation: When using DoT with the routers IP as WAN DNS server 1 you will need to add this line in to /jffs/configs/dnsmasq.conf.add:
Code:
server=/pool.ntp.org/1.1.1.1
This will allow the time to update.
Rebooting with OVPN Server or Client set to start at boot, still breaks the connection to the internet. If you start these services after the reboot is complete everything works as normal, just don't reboot with the OVPN Server turned on. ;):)
FWIW, I do not have this entry and did not have WAN connection issues.
 
RT-AC66U_B1 went from entware/stubby to 384.11 a2. Deleted scripts for entware and stubby in /jffs, set Wan DNS servers to Cloudflare then rebooted. Removed thumb drive and flashed alpha 2 firmware. Then configured DoT to CF, tested OK, then Q9, tested OK. Will do DNSSEC tomorrow.
Only request is to include Q9 alt secure 149.112.112.112
Thanks!

Sent from my SM-T380 using Tapatalk
 
I wonder if you add “proxy-dnssec” to /jffs/configs/dnsmasq.conf.add and restart dnsmasq, does that help?
If you click on the Enable DNSSEC Support, is says "Make sure your WAN/ISP DNS are DNSSEC-compatible, otherwise DNS lookups will always fail.". Initially I had WAN connection troubles, but tracked it down to my having "Connect to DNS Server automatically" as YES, which created lookup issues. May or may not help you.

Enabling DNSSEC stops DoT for me when checking 1.1.1.1/help. I tried adding proxy-dnssec to dnsmasq.conf.add and restarting dnsmasq but it had no discernable effect.
 
If you click on the Enable DNSSEC Support, is says "Make sure your WAN/ISP DNS are DNSSEC-compatible, otherwise DNS lookups will always fail.". Initially I had WAN connection troubles, but tracked it down to my having "Connect to DNS Server automatically" as YES, which created lookup issues. May or may not help you.

Enabling DNSSEC stops DoT for me when checking 1.1.1.1/help. I tried adding proxy-dnssec to dnsmasq.conf.add and restarting dnsmasq but it had no discernable effect.
Ok, be sure to remove that line if it didn’t help.
 
With DNSSEC enabled

WithDNSSEC.jpg

With DNSSEC disabled

WithoutDNSSEC.jpg


Rt-AC68P
 
Well, I'm blind apparently...

Well, the different cattegories text arnt rendering correctly in firefox making them impossible to read.

Right, I forgot. Firefox has been broken for YEARS in rendering optgroup labels. Sigh.

I can't remember what the workaround was (beside telling the Firefox devs to fix their stuff, and wait a few years for it to actually happen...)
 
If you click on the Enable DNSSEC Support, is says "Make sure your WAN/ISP DNS are DNSSEC-compatible, otherwise DNS lookups will always fail.". Initially I had WAN connection troubles, but tracked it down to my having "Connect to DNS Server automatically" as YES, which created lookup issues. May or may not help you.

Enabling DNSSEC stops DoT for me when checking 1.1.1.1/help. I tried adding proxy-dnssec to dnsmasq.conf.add and restarting dnsmasq but it had no discernable effect.

All DNS servers configured in my router are DNSSEC friendly.
I don’t have ‘connect to DNS server automatically’ enabled.
DoT appears to be working fine, all I need to do to kill my WAN connection is to enable DNSSEC. :-(
No connection, hence no NTP update, nor anything else, just dead.
Disable DNSSEC, press ‘apply’, & all is good once more.
 
One possible workaround for DNSSEC issue is to disable (set to No) "Wan: Use local caching DNS server as system resolver" at Tools / Other settings page.
 
is there away to modify with an add script the stubby config file.
 
is there away to modify with an add script the stubby config file.

Not yet. I need the core functionality tested before I allow people to start customizing the living hell out of it, so I won't add the planned postconf script support until that testing phase is done. :)
 
Not yet. I need the core functionality tested before I allow people to start customizing the living hell out of it, so I won't add the planned postconf script support until that testing phase is done. :)

I can tell it functions as it should-minus the dnssec issues. it does have some mild dnssec support with the option turned off, but it fails the cloudflare test pages when it is turned on which is lack of support on their part.
 
One possible workaround for DNSSEC issue is to disable (set to No) "Wan: Use local caching DNS server as system resolver" at Tools / Other settings page.


That appears to have fixed it!
Both DNSSEC & DoT enabled, all good, many thanks.
 
Last edited:
I can tell it functions as it should-minus the dnssec issues. it does have some mild dnssec support with the option turned off, but it fails the cloudflare test pages when it is turned on which is lack of support on their part.

8 hours of testing isn't a large enough sample to call it "yep, it's working, let's all start customizing everything and introduce user-generated errors into the mix!" :)
 
8 hours of testing isn't a large enough sample to call it "yep, it's working, let's all start customizing everything and introduce user-generated errors into the mix!" :)

agreed.
 
With both DNSSEC & DoT enabled, that Cloudflare page now tells me I’m using DoH !?
(& not using DoT).
Go figure.
Just ignoring that page for now.......

That page is weird. It fails to detect DoT for me when I use anything BUT Cloudflare and with DNSSEC disabled. I wish I knew how they are actually doing their test.

Also getting unreliable results from https://www.cloudflare.com/ssl/encrypted-sni/ if I use anything other than Cloudflare, or if I enable DNSSEC.
 
One possible workaround for DNSSEC issue is to disable (set to No) "Wan: Use local caching DNS server as system resolver" at Tools / Other settings page.
Workaround did not fix DNSSEC issue for me. Maybe, I need to reboot after the change, tomorrow I'll try when I can.
 
Status
Not open for further replies.

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top