What's new

[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
The CF test is not broken. Just has its limitations. It does verify that DoT or DoH is working. It does not test other resolvers. I have tested and use Quad9 and CleanBrowsing as well as Cloudflare. Usually do not use DNSSEC, with the Entware/Stubby install but this Alpha2 version seems to be running very well with DNSSEC enabled on Quad9.
What app do you use to confirm it's all working? I would like to go to Cleanbrowsing again if it works here.
 
Would it be feasible to move the preset dropdown list to the Address field under "DNS-over-TLS Server List"? It would just seem more intuitive to me.

I tried there first, and it didn't look good. So I did what Asus already does on the other webpages with presets, and moved it there.
 
When I disable "Wan: Use local caching DNS server..." and enable DNS Privacy, I end up with 3 entries in /tmp/resolv.conf: WAN DNS1, WAN DNS2 and 127.0.1.1. In that scenario, the router resolver will likely never use DoT because the WAN DNS entries are first. Is that intentional, or what is the reasoning behind all 3 entries being added if DNS Privacy is the goal?
Live client's DNS traffic is encrypted.
As for router-originated resolving, it's tradeoff between unencrypted dns resolution of system services domains on router itself and internet connectivity in general. Mean - *for* internet connectivity in general (ntp update issue above is one of multiple possible cases), so stubby there is the last resort for disaster case.
 
I don't know what that site is checking cause my DNSSEC is disabled and the results are all successful. It's possible it only checks if your DNS server is DNSSEC capable?
Thank You, I was just now noticing that same information, as I turned the settings on/off.
 
Thank You, I was just now noticing that same information, as I turned the settings on/off.
This seeming contradiction may be explained by dnsmasq having proxy-dnssec set.
Code:
# grep proxy /etc/dnsmasq.conf
proxy-dnssec
If this is set, then the router does not actually check DNSSEC itself. Instead, the upstream DNS provider you have configured does the DNSSEC checking and the result is set in the DNS reply. In this way you essentially have the DNSSEC functionality. This is why the DNSSEC test succeeds.

In the context of a consumer router using DNS over TLS, I recommend this. But don't be surprised if there are cranky replies with other opinions. And if you want to go full tin hat, then really you should be doing DNSSEC all the way from your router to the root DNS servers, but by doing so, introduce a privacy issue where your IP is doing the check instead of your DNS provider's IP.
 
Last edited:
My shiny side out tin hat has kept me safe since dial-up, sir!
I'm just happy to see another convenient way for me to "play" with my router.
 
Now DNSSEC active & your link I am getting all success.
Weird that Cloudflre wouldn't correctly verify.
I get success about half the time with DNSSEC on, always with it off. Using Quad 9 secure.
 
This seeming contradiction may be explained by dnsmasq having proxy-dnssec set.
Code:
# grep proxy /etc/dnsmasq.conf
proxy-dnssec
If this is set, then the router does not actually check DNSSEC itself. Instead, the upstream DNS provider you have configured does the DNSSEC checking and the result is set in the DNS reply. In this way you essentially have the DNSSEC functionality. This is why the DNSSEC test succeeds.
With DNSSEC disabled, here's grep's result. Proxy-dnssec is not present.
Code:
/tmp/home/root# grep proxy /etc/dnsmasq.conf
/tmp/home/root#
Not unless I'm in the wrong directory?
 
With DNSSEC disabled, here's grep's result. Proxy-dnssec is not present.
Code:
/tmp/home/root# grep proxy /etc/dnsmasq.conf
/tmp/home/root#
Not unless I'm in the wrong directory?
If
  • DNSSEC from dnsmasq set from the router firmware
    • (LAN > DHCP Server > DNS and WINS Server Setting > Enable DNSSEC support)
  • DNSSEC from Stubby getdns
    • ("stubby -i | grep -i dnssec" is NOT all GETDNS_EXTENSION_FALSE)
  • Proxy DNSSEC from dnsmasq
    • (grep proxy-dnssec /etc/dnsmasq.conf)
are all disabled,
and your router is actually your DNS server,
then
  • DNSSEC tests should fail
 
Last edited:
If
  • DNSSEC from dnsmasq set from the router firmware
    • (LAN > DHCP Server > DNS and WINS Server Setting > Enable DNSSEC support)
  • DNSSEC from Stubby getdns
    • ("stubby -i | grep -i dnssec" is NOT all GETDNS_EXTENSION_FALSE)
  • Proxy DNSSEC from dnsmasq
    • (grep proxy-dnssec /etc/dnsmasq.conf)
are all disabled,
and your router is actually your DNS server,
then
  • DNSSEC tests should fail
Bullet 2 I don't know how to check but bullets 1 & 3 I'm sure are disabled. DOT(cloudflare) is primary DNS server used.
 
If
  • DNSSEC from dnsmasq set from the router firmware
    • (LAN > DHCP Server > DNS and WINS Server Setting > Enable DNSSEC support)
  • DNSSEC from Stubby getdns
    • ("stubby -i | grep -i dnssec" is NOT all GETDNS_EXTENSION_FALSE)
  • Proxy DNSSEC from dnsmasq
    • (grep proxy-dnssec /etc/dnsmasq.conf)
are all disabled,
and your router is actually your DNS server,
then
  • DNSSEC tests should fail

1. I have no such DNSSEC setting here. The DNS Server 1 & 2, and the WINS Server are all blank. In the WAN -> WAN DNS section, DNSSEC is NOT enabled here. I do have DNS-Over-TLS (DoT) enabled.

2. Ran that command and got:

Code:
:/tmp/home/root# stubby -i | grep -i dnssec
[21:23:52.419413] STUBBY: Read config from file /etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_FALSE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "[EMAIL]dnssec@iana.org[/EMAIL]">,
:/tmp/home/root#

3. The command came out empty.

With this, the DNSSEC tests still say that it's enabled. Just enabling DNS over TLS seems to be enough. Everything is green here: http://0skar.cz/dns/en/
 
2. Ran that command and got:

Code:
:/tmp/home/root# stubby -i | grep -i dnssec
[21:23:52.419413] STUBBY: Read config from file /etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_FALSE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "[EMAIL]dnssec@iana.org[/EMAIL]">,
:/tmp/home/root#

3. The command came out empty.

With this, the DNSSEC tests still say that it's enabled. Just enabling DNS over TLS seems to be enough. Everything is green here: http://0skar.cz/dns/en/
Yes, just run the command and same results as yours. So, the site seems to just check if DNS server being used is DNSSEC capable just like this site.
http://dnssec.vs.uni-due.de/
 
I don't know what that site is checking cause my DNSSEC is disabled and the results are all successful. It's possible it only checks if your DNS server is DNSSEC capable?

I used to get all greens with this test on 384.10_2 if DNSSEC was activated on the GUI but not Stubby yml.


Sent from my iPhone using Tapatalk
 
1. I have no such DNSSEC setting here. The DNS Server 1 & 2, and the WINS Server are all blank. In the WAN -> WAN DNS section, DNSSEC is NOT enabled here. I do have DNS-Over-TLS (DoT) enabled.

2. Ran that command and got:

Code:
:/tmp/home/root# stubby -i | grep -i dnssec
[21:23:52.419413] STUBBY: Read config from file /etc/stubby/stubby.yml
Result: Config file syntax is valid.
    "dnssec": GETDNS_EXTENSION_FALSE,
    "dnssec_allowed_skew": 0,
    "dnssec_return_all_statuses": GETDNS_EXTENSION_FALSE,
    "dnssec_return_full_validation_chain": GETDNS_EXTENSION_FALSE,
    "dnssec_return_only_secure": GETDNS_EXTENSION_FALSE,
    "dnssec_return_status": GETDNS_EXTENSION_FALSE,
    "dnssec_return_validation_chain": GETDNS_EXTENSION_FALSE,
    "trust_anchors_verify_email": <bindata of "[EMAIL]dnssec@iana.org[/EMAIL]">,
:/tmp/home/root#

3. The command came out empty.

With this, the DNSSEC tests still say that it's enabled. Just enabling DNS over TLS seems to be enough. Everything is green here: http://0skar.cz/dns/en/
Ha! I removed proxy-dnssec from /etc/dnsmasq.conf, service restart_dnsmasq, flushed DNS on Windows and restarted browser. DNSSEC is still working as if it was proxied. From Chrome on Windows and I am even seeing "ad" in the dig flags of websites with DNSSEC from ssh on the router. This is interesting.
 
Status
Not open for further replies.

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top