AntonK
Very Senior Member
Nothing wrong there if you want Quad9.
Thanks! Yes, I've been a Quad9 man for some time now. Just turned on the D0T feature though, so wasn't sure if I still needed the WAN DNS boxes filled in.
Anton
[Preview] Asuswrt-Merlin 384.11 with DNS over TLS
- Thread starter RMerlin
- Start date
- Status
Thanks! Yes, I've been a Quad9 man for some time now. Just turned on the D0T feature though, so wasn't sure if I still needed the WAN DNS boxes filled in.
Anton
skeal
Part of the Furniture
You can put any public DNS including your ISP DNS in the WAN DNS settings, just don't use the router IP.
skeal
Part of the Furniture
I ran two KDIG tests one with the +cd switch and one without.
With:
And without:
The +cd seems to mess the test up. The "ad" flag shows in the second test.
With:
Code:
kdig -d @1.1.1.1 +tls-ca +dnssec +cd +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 25410
;; Flags: qr rd ra cd; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 25 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 980 IN A 93.184.216.34
example.com. 980 IN RRSIG A 8 2 86400 20190508112335 20190417064725 63195 example.com. V6Y2fQ7Kwgs0IX3wBSsORH6iSYAdfvj8urqEPaRDENgpH8WS21UNZHWjbUYLAKxhxknzKNTF7mpwKq3GX3sfAdpBpcNVHaovvv+pH2UDte3TCnEtXLo5EoN+fELCcI+Y4skZii9qsvSkFLIQmVo31KJtxZr2bvb59NyMnlINq/c=
;; Received 256 B
;; Time 2019-04-25 17:36:09 CST
;; From 1.1.1.1@853(TCP) in 84.0 ms
Code:
kdig -d @1.1.1.1 +tls-ca +dnssec +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14005
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 25 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 909 IN A 93.184.216.34
example.com. 909 IN RRSIG A 8 2 86400 20190508112335 20190417064725 63195 example.com. V6Y2fQ7Kwgs0IX3wBSsORH6iSYAdfvj8urqEPaRDENgpH8WS21UNZHWjbUYLAKxhxknzKNTF7mpwKq3GX3sfAdpBpcNVHaovvv+pH2UDte3TCnEtXLo5EoN+fELCcI+Y4skZii9qsvSkFLIQmVo31KJtxZr2bvb59NyMnlINq/c=
;; Received 256 B
;; Time 2019-04-25 17:37:20 CST
;; From 1.1.1.1@853(TCP) in 83.9 ms
Marin
Very Senior Member
You can put any public DNS including your ISP DNS in the WAN DNS settings, just don't use the router IP.
Could the VPN DNS servers go there as well? Long time ago (pre-Stubby) that is I used to have there and everything worked just fine.
Sent from my iPhone using Tapatalk
skeal
Part of the Furniture
Sure, but bear in mind the circumstances when these addresses would be used is few and far between, as revealed in past posts.
Marin
Very Senior Member
Marin
Very Senior Member
Swistheater
Very Senior Member
It would appear both switches are working properly the cd switch takes precedent over the ad when applied.
Swistheater
Very Senior Member
In a real world situation I don't see this stuff happening much, because if you think about how much DNSSEC is actually implemented. The main concern is confirming that the DoT appears to be in working order which it does... Fine Job!
bbunge
Part of the Furniture
Add the second quad9 secure server at 149.112.112.112
Sent from my SM-T380 using Tapatalk
Howard_inGA
Senior Member
Exact same result here after implementation ( https://www.cloudflare.com/ssl/encrypted-sni/ ).I’ve been following this thread to learn about DNS over TLS. I have found it helpful also somewhat confusing so I decided to have a play but wasn’t sure it was working properly. After some googling I believe I have it set up correctly
Sent from my iPad using Tapatalk
I don't know the why's on the Encrypted SNI fail. Read some, but no real clarity yet...
RT AC-5300
no_name
Regular Contributor
The bottom two lines may explain the Encrypted SNI fail, I was curious about this as well
Sent from my iPad using Tapatalk
Last edited:
no_name
Regular Contributor
The settings I use are
VPN client 1 using ExpressVPN
policy rules set to strict & accept DNS configuration set to disabled
The WAN page setting I have are
Connect to DNS Server automatically set to Yes
Forward local domain queries to upstream DNS set to No
Enable DNS rebind protection set to No
Enable DNSSEC support set to No
DNS Privacy Protocol set to DNS over TLS Enabled
DNS over TLS Profile set Strict
Preset servers chosen are 1.1.1.1 Cloudflare-dns.com
1.0.0.1 Cloudflare-dns.com
I’ve seen posts mentioning Enable DNS-based Filtering on the LAN page, mine is switched off.
The only understanding I have is that it works for me but I don’t understand why, I’m still learning
Sent from my iPad using Tapatalk
MarkRH
Senior Member
For me, if I enabled DNSSEC and DNS-over-TLS then it breaks that page. When I disable DNSSEC, then it works.
no_name
Regular Contributor
scjr
Very Senior Member
Same settings here, but I also have DNSFilter under LAN set to ‘Router’, leaving the DNS entries blank. Everything working fine as well.
bbunge
Part of the Furniture
We have been telling folks for some time now that DNSSEC breaks the cf help test. In time it will get fixed or not. Stubby DoT and DNSSEC do work. For now you just trust that it does...
Sent from my SM-T380 using Tapatalk
XIII
Very Senior Member
That would indeed explain the failure I see.
maxbraketorque
Very Senior Member
Since the secondary Cloudflare server is listed in the drop-down, I was expecting the secondary quad9 to be in there as well. I added it manually. One question is what value to use for the TLS hostname for this server. When I do a reverse lookup on dns.quad9.net, I get 9.9.9.9 and 149.112.112.112, but when I do a lookup on 149.112.112.112, I get rpz-public-resolver1.rrdns.pch.net. I imagine that either is ok to use, but I'm not sure.
- Status
Similar threads
Similar threads
Similar threads
-
-
-
-
-
Asuswrt-Merlin 3004.388.8_2 - Switching from ‘automatic IP’ to ‘PPPoE’- Started by AsusFreak
- Replies: 6
-
-
-
-
Release Asuswrt-Merlin 386.14 is now available for AC models
- Started by RMerlin
- Replies: 157
-
Latest threads
-
-
-
Is RT-AX86U Pro meshed w/ RT-AX3000 (satellite) still a good option?- Started by SR-71
- Replies: 2
-
Best 600m2 3 floor mesh system for good coverage
- Started by Maanu1131
- Replies: 5
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!
Staff online
-
RMerlinAsuswrt-Merlin dev