[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

The only reason a person should be concerned that it wasn't working is if there was no connection; you can check this with stubby -l, which means your servers are not set up right.
 
Yes, but for a period of time we all got spoiled by how simple it was to verify through the CF 1.1.1.1/help page when using stubby.
It just requires a bit of faith now...
 
The biggest leap of faith involves not being able to test from the outside looking in. All the tests we conduct are from the inside looking out.
 
Right jsbeddow, but I think our reliance on the CF help page was hinging on not using 'strict' DNSSEC validation... which, as rmerlin said before, there's no point in using DNSSEC if it isn't strict. So now we swallow the red pill, and must know it is more complicated than we all thought, but for a good reason.
 
opkg install tcpdump
tcpdump -i eth0 port 53 <------- this would show you any traffic that was being passed that was not connected via DoT (let's say, for example, you used DNSFilter to use a different server for a specific device); this would show the traffic of that one device.

tcpdump -i eth0 port 853 <------- This shows all traffic concerned with the DoT-connected devices.
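As an added example (not posted in the thread), a small shell script that reads the output of the tcpdump command above and separates plaintext port-53 queries from DoT (port 853) sessions, so a DNSFilter exception or a leaking client shows up at a glance. The capture lines are constructed sample output in tcpdump's default format; the interface name eth0 and the resolver addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: classify DNS flows in tcpdump output.
# Assumes the capture was taken on the WAN side with:
#   tcpdump -n -i eth0 'port 53 or port 853'
# Constructed sample lines (tcpdump default format); 1.1.1.1/1.0.0.1 carry DoT,
# 9.9.9.9 is reached over plain port 53 (e.g. a DNSFilter rule for one client).
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.51234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.10.51235 > 1.0.0.1.853: Flags [P.], seq 1:100, length 99
12:00:01.000003 IP 203.0.113.10.40001 > 9.9.9.9.53: 12345+ A? example.com. (29)
12:00:01.000004 IP 9.9.9.9.53 > 203.0.113.10.40001: 12345 1/0/0 A 93.184.216.34 (45)
12:00:01.000005 IP 203.0.113.10.40002 > 9.9.9.9.53: 12346+ AAAA? example.net. (29)'

# count_flows PORT: reads tcpdump lines on stdin and prints how many packets
# have PORT as their destination port (field 5 is "dst.ip.port:" in this format).
count_flows() {
    awk -v p="$1" '
        $2 == "IP" && $5 ~ /:$/ {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, parts, ".")
            if (parts[n] == p) c++
        }
        END { print c + 0 }'
}

# leak_report: reads tcpdump lines on stdin; prints "clean (...)" when no packet
# went to port 53, otherwise "leak:<count> ... to <resolver ips>" so the
# destination that bypassed DoT can be matched against the DNSFilter rules.
leak_report() {
    input=$(cat)
    plain=$(printf '%s\n' "$input" | count_flows 53)
    dot=$(printf '%s\n' "$input" | count_flows 853)
    if [ "$plain" -eq 0 ]; then
        printf 'clean (dot_packets=%s)\n' "$dot"
    else
        dsts=$(printf '%s\n' "$input" |
            awk '$2 == "IP" && $5 ~ /\.53:$/ { d = $5; sub(/\.53:$/, "", d); print d }' |
            sort -u | tr '\n' ' ')
        printf 'leak:%s (dot_packets=%s) to %s\n' "$plain" "$dot" "$dsts"
    fi
}

# Run against the constructed capture; a live check would be:
#   tcpdump -n -i eth0 -c 200 'port 53 or port 853' | leak_report
printf '%s\n' "$SAMPLE_CAPTURE" | leak_report
```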
OK thanks, that's what I thought... I'll fire up that ancient laptop of mine and play with wireshark (I prefer the interface lol).
 
I understand... I get nervous when I pull out the ol'wireshark.... you never know what you will find.:eek::eek::confused:
 
Right jsbeddow, but I think our reliance on the CF help page was hinging on not using 'strict' DNSSEC validation... which, as rmerlin said before, there's no point in using DNSSEC if it isn't strict. So now we swallow the red pill, and must know it is more complicated than we all thought, but for a good reason.

Cloudflare will eventually have to fix this. Dnsmasq has been defaulting to strict mode for a couple of months now, so as everyone starts upgrading to an up-to-date version of dnsmasq, more and more complaints will arise.
 
Looks good to me!


I notice that enabling this DoT feature slows down (creates a pause) between the time you request a page and the page displays. Does anyone else experience that?

Anton
 

DoT will always be a bit slower, due to the encryption involved (and a bit slower with DNSSEC enabled, due to the extended validations involved). Make sure you pick a DNS server that gives you good performance. Cloudflare's extensive CDN is usually a good pick, but results may vary between countries.
 
I notice that enabling this DoT feature slows down (creates a pause) between the time you request a page and the page displays. Does anyone else experience that?

Anton

I had that issue when I had the IP of the router being forced into the WAN DNS address. It is because of a DNS loop most likely. ---This problem plagued me when using the old Stubby script; now that it is built into the router it shouldn't be a problem if you remove the IP of the router from the WAN DNS address.
 
The router's WAN DNS should never contain anything but a real DNS server (either remote, or within your LAN). Otherwise, ya, bad things happen, including your router being unable to ever sync its clock, meaning DoT will never get started in TLS mode.
 
Set that client to use "Router" instead on the DNSFilter rules.

Merlin is correct 100 percent. Router forces DoT to be used on that device. You can globally specify Router for all devices and make rules to specifically require certain devices to use other servers if you do not want them on the DoT server. ---This would be devices that may be required to be on ISP servers, or maybe they require certain filtering like OpenDNS provides.

Thanks. I understood that.

If you assign Quad9 in DNSFilter, even though it supports DoT, DNSFilter is still only passing old fashioned DNS over 53/udp.

This is what I wanted to confirm. Presumably in the not-too-distant future, DNSSEC + DoT will be supported by all DNS servers, so it would be nice if DNSSEC + DoT would be applied to DNS servers that have been assigned to specific clients in the DNS Filter page. The specific scenario is that I want to use Quad9 in general, but for my kids' devices, I will want to use DNS servers with stronger filtering.
 
...more and more complaints will arise.
I wonder if they are hearing the complaints in here. Think we should ping them about this?

I notice that enabling this DoT feature slows down (creates a pause) between the time you request a page and the page displays. Does anyone else experience that?
Anton
No, actually I noticed my internet started acting snappier after I started using DoT + Cloudflare a few weeks ago. I was using Google DNS with DNSSEC before that. I am in California though... YMMV with Cloudflare depending on where you are on the globe. As rmerlin mentioned, you may be able to improve performance by picking servers that are located closer to you.
 
For a router in AP mode, what should I select for the LAN DNS servers to get DNSSEC+DoT on devices connected to the AP? If I leave the AP LAN DNS servers set to automatic, will the AP use the main router WAN DNS config settings?
 
Yes, on the AP set LAN DNS to 192.168.1.1 (your main router's IP) or leave it as automatic.
 
I wonder if they are hearing the complaints in here. Think we should ping them about this?

Didn't get any response from my Twitter poke at @CloudflareDev. <shrug>

Their test sites don't provide any "official" channels to reach out to them about these issues, so I'm not gonna devote any more time in trying to find out a way to contact them, and will move on to other things. If someone knows a way to contact them about it, go for it.

For a router in AP mode, what should I select for the LAN DNS servers to get DNSSEC+DoT on devices connected to the AP?

Nothing. An AP doesn't do any DNS resolution for its connected clients, it only acts as a bridge between those clients and the upstream router.

YMMV with Cloudflare depending on where you are on the globe.

One nice thing about their 1.1.1.1 test site is it tells you the location of the datacenter to which you are connected.
 
@RMerlin dumb question, I do a lot of online gaming through PS4/Xbox via WiFi (yes, not the best setup). Would messing with any of these settings, i.e. DNS over TLS, mess with lag while playing, say, CoD4? Just curious as I tend to keep my settings defaulted while running your FW. I am running the FreshJr script, which has completely minimized any lag while playing on WiFi. Also, currently I don't use the stubby script. But I use Diversion, Skynet and pixelserv-tls.
It won't help the connection. Unless your ISP has bad packet routing, there is not much else that can be done short of getting a faster connection or an ISP with better international routing or backhaul bandwidth during peak hours.
 