[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[RMerlin]

I tried to reach out to Cloudflare over Twitter, we'll see.

 

[octopus]

I think everyone should consider resetting to factory defaults when 384.11 final is released.

Last time I have done full reset is when I went from 380=>384 builds and not have any truoble since then.

 

[CriticJay]

I tried to reach out to Cloudflare over Twitter, we'll see.

Cloudflare should donate to this project lol, since you've effectively found a bug in their code!

 

[RMerlin]

Cloudflare should donate to this project lol, since you've effectively found a bug in their code!

They are giving back in a way, I use their free service to cache the server hosting the firmware update check data.

 

[bbunge]

And disabling Strict Validation allows both Cloudflare test pages to now properly report the use of DoT.

So it's now confirmed to be a problem on their end. That test entry they create fails DNSSEC validation.

So this issue with https://cloudflare-dns.com/help/ has been there since I've been "testing" DoT/DNSSEC and was well documented in the Xentrk/Stubby thread. We know Stubby works and we know DNSSEC works. Both work very well together in the recent Merlin Alpha builds. Proving that they work is a challenge for most. Someday some person with time on their hands will come up with a great test for DoT/DoH/DNSSEC that actually works. Until then we should be concerned with our governments efforts to limit encryption and track everything we do.
Merlin's product has gotten me a router that runs the security features I want without a USB drive! Thank you very much!!!

 

[QuikSilver]

Could be because the router has to restart various network components when making changes on that particular page (in addition to the WAN connection itself), which can interfere with the page reload. I suspect this is particularly the case if accessing the router through an IP instead of a hostname, tho I never experienced that issue myself in either scenarios.

Thanks @RMerlin, gonna try a few things tonight as well to see if I can narrow down the issue. So far the only changes I'm made to both router (both are 86u units) is go from Alpha 3 to alpha 4. Dirty upgrades on both so it may be time to do a factory reset. Have noticed it doesn't matter where I make a "change" within the GUI it still does the same thing. Gonna try accessing it through the host name locally to see if it makes a difference. Normally use the local IP address. Gonna also try a different browser as I mostly use Chrome.

 

[bluzfanmr1]

So this issue with https://cloudflare-dns.com/help/ has been there since I've been "testing" DoT/DNSSEC and was well documented in the Xentrk/Stubby thread. We know Stubby works and we know DNSSEC works. Both work very well together in the recent Merlin Alpha builds. Proving that they work is a challenge for most. Someday some person with time on their hands will come up with a great test for DoT/DoH/DNSSEC that actually works. Until then we should be concerned with our governments efforts to limit encryption and track everything we do.
Merlin's product has gotten me a router that runs the security features I want without a USB drive! Thank you very much!!!

Following Merlin's previous advice, I have installed tcpdump and I believe it tests/shows that all is working as it should.

What I did is open 2 ssh windows and type in each:

opkg install tcpdump
tcpdump -i eth0 port 53
tcpdump -i eth0 port 853

As I watch both windows I see no traffic on port 53 but see all the traffic on port 853.

If I use DNS Filtering and choose global router mode, but put my laptop to no filtering, I then see my laptop DNS traffic on port 53.

I think this is visual verification that all is working but feel free to correct me if wrong.

 

[skeal]

Following Merlin's previous advice, I have installed tcpdump and I believe it tests/shows that all is working as it should.

What I did is open 2 ssh windows and type in each:

opkg install tcpdump
tcpdump -i eth0 port 53
tcpdump -i eth0 port 853

As I watch both windows I see no traffic on port 53 but see all the traffic on port 853.

If I use DNS Filtering and choose global router mode, but put my laptop to no filtering, I then see my laptop DNS traffic on port 53.

I think this is visual verification that all is working but feel free to correct me if wrong.

+1 I can confirm this.
UPDATE: I also tested the tunxx interface and proved out that requested DNS preferences are being used.

 

[Elmer]

Thx for the reply. I would like to point out that when both WAN DNS server blocks are empty (and that's the way I am running at the moment), that the Internet status page obtain via the Network Map page shows a blank DNS box. If you have set a DOT server via the WAN page, it should probably be reflected in that box (maybe with a dot after it?) or we, the unwashed masses, might become confused and ask for support. Also, you have a warning message concerning the DNS Filter, but shouldn't there also be a warning message if a the DHCP DNS blocks are occupied since the clients can now bypass DOT (at least according to some on this thread)?

 

[skeal]

Thx for the reply. I would like to point out that when both WAN DNS server blocks are empty (and that's the way I am running at the moment), that the Internet status page obtain via the Network Map page shows a blank DNS box. If you have set a DOT server via the WAN page, it should probably be reflected in that box (maybe with a dot after it?) or we, the unwashed masses, might become confused and ask for support. Also, you have a warning message concerning the DNS Filter, but shouldn't there also be a warning message if a the DHCP DNS blocks are occupied since the clients can now bypass DOT (at least according to some on this thread)?

In my case on my AX88U, you are not allowed to leave WAN DNS empty. You get this error:

Please set up the DNS server on the client device.

I had been using the router's IP here, but have learned and experienced the difference, with using a public DNS IP like Cloudflare.

 

[skeal]

I hate it when my router runs so well, there isn't anything to do...I know I need a life beyond RMerlin's wonderful firmware.

 

[heysoundude]

Yes, I’ve even noticed something funky using their app on my phone since the last update.



Sent from my iPhone using Tapatalk

It seems they’re back up. 14:51 EDT. 18:51Z


Sent from my iPhone using Tapatalk

 

[Gar]

Only issue for me, as noted, clicking Apply doesn't complete. After logging back in I see that the change has been applied though.

 

[no_name]

Could be because the router has to restart various network components when making changes on that particular page (in addition to the WAN connection itself), which can interfere with the page reload. I suspect this is particularly the case if accessing the router through an IP instead of a hostname, tho I never experienced that issue myself in either scenarios.

I was having the same problem, I uninstalled spdmerlin and applying settings worked properly

 

[QuikSilver]

I was having the same problem, I uninstalled spdmerlin and applying settings worked properly

Did you do anything extra after you uninstalled like reboot or re log in? I went into the GUI to verify it was still doing it (used the QOS page apply without making changes to verify) uninstalled spdmerlin using putty, then redid steps, still getting applying settings spinning wheel.

 

[Gar]

I was having the same problem, I uninstalled spdmerlin and applying settings worked properly

I'm not using any add-ons so I don't know. Not a big deal for me.

 

[Howard_inGA]

Finally tried it...
Using these 2 Cloudflare IPv6 addresses selected from the drop down box:
2606:4700:4700::1111
2606:4700:4700::1001

So, 7 mouse clicks, then had to select 'Apply!' I am exhausted...think I'll have a beer!?! ;-)
Thanks to Eric for clearing up a thorny issue!

Finally, could I have just as easily used these from Google?:
2001:4860:4860::8888
2001:4860:4860::8844

RT AC-5300

 

[no_name]

Did you do anything extra after you uninstalled like reboot or re log in? I went into the GUI to verify it was still doing it (used the QOS page apply without making changes to verify) uninstalled spdmerlin using putty, then redid steps, still getting applying settings spinning wheel.

I only had spdmerlin installed, I uninstalled it using putty and refreshed the GUI then changed a setting on the QoS page and the applying settings worked. Do you have ntpmerlin and connmon installed, it could be worth uninstalling one at a time to see if they are also causing the problems


Sent from my iPad using Tapatalk

 

[Gar]

Finally tried it...
Using these 2 Cloudflare IPv6 addresses selected from the drop down box:
2606:4700:4700::1111
2606:4700:4700::1001

So, 7 mouse clicks, then had to select 'Apply!' I am exhausted...think I'll have a beer!?! ;-)
Thanks to Eric for clearing up a thorny issue!

Finally, could I have just as easily used these from Google?:
2001:4860:4860::8888
2001:4860:4860::8844

RT AC-5300

Good move, the beer I mean, you were under alot of pressure!

 

[Billy Chaney]

Anyone having an issue where you make changes and the webpage seems to stay on applying settings forever? Reloading the screen manually shows the changes were accepted though.

I had this happening with ntpmerlin. So I uninstalled it and I'm working fine now.