What's new

[Release] Asuswrt-Merlin 384.6 is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I agree, DNSSEC support should surely be transparently ‘on’, or ‘off’.
Catering for various resolvers apparent inability to implement DNSSEC properly can only end in tears.
Just my 10 cents worth....

Especially as not using strict mode means DNSSEC might not be working at all, and one wouldn't even know it...

I originally added it on my fork to be able to 'set' the option, exactly for the reasons you said. Now I consider it more of a diagnostic tool that should not be left disabled. (i.e. you can disable it, run a check on a DNSSEC test site to make sure DNSSEC is working, and it is indeed just a specific site or sites that are failing).

I also improved the logging of invalid DS replies, this will probably be even more useful as a debugging tool, so people will be able to tell who to point the finger at if things don't work properly. I suspect that in most cases, the fault lies with the domain, not with dnsmasq.

Too bad nslookup doesn't report the response flags, otherwise a simple test could have been implemented in the firmware. fwupdate.lostrealm.ca should have the AD flag set when using a working DNSSEC resolver. Using dig:

Right:
Code:
merlin@ubuntu-dev:~$ dig fwupdate.lostrealm.ca @192.168.10.1

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> fwupdate.lostrealm.ca @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35551
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fwupdate.lostrealm.ca.        IN    A

;; ANSWER SECTION:
fwupdate.lostrealm.ca.    300    IN    A    104.27.144.248
fwupdate.lostrealm.ca.    300    IN    A    104.27.145.248

;; Query time: 76 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Aug 17 15:33:47 EDT 2018
;; MSG SIZE  rcvd: 82

Wrong:

Code:
merlin@ubuntu-dev:~$ dig fwupdate.lostrealm.ca @4.2.2.2

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> fwupdate.lostrealm.ca @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10743
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;fwupdate.lostrealm.ca.        IN    A

;; ANSWER SECTION:
fwupdate.lostrealm.ca.    55    IN    A    104.27.145.248
fwupdate.lostrealm.ca.    55    IN    A    104.27.144.248

;; Query time: 23 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Fri Aug 17 15:33:52 EDT 2018
;; MSG SIZE  rcvd: 82
 
I also improved the logging of invalid DS replies, this will probably be even more useful as a debugging tool, so people will be able to tell who to point the finger at if things don't work properly. I suspect that in most cases, the fault lies with the domain, not with dnsmasq.
Just an FYI....I tweaked my original change here as when the server really doesn't support DNSSEC it spews semi-garbage and the original message really was better.

EDIT: I've also thought about enabling the log with dnssec-check-unisgned set to no, but haven't had the time to look at that yet.
 
Just an FYI....I tweaked my original change here as when the server really doesn't support DNSSEC it spews semi-garbage and the original message really was better.

EDIT: I've also thought about enabling the log with dnssec-check-unisgned set to no, but haven't had the time to look at that yet.

I reworded the original message a bit, making it less definitive as to the cause.

https://github.com/RMerl/asuswrt-merlin.ng/commit/7a469ebda3f3c379840afe3e539c842ef50c6b11

Unfortunately, I have yet to see that message in my own log, so no idea if it works as expected...
 
@RMerlin Then remove it, if you are not sure to add it, I do not know who suggested it :D, but I understand that it is not a problem dnsmasq or firmware , the real problem for me, is that 99% of free DNS servers lie to us, we are the product. (as I contradict myself)
 
Last edited:
I have a problem every time I restart the router I have to manually reconnect the vpn, it is not possible to make sure that the restart automatically connects to the vpn that had at the time of shutdown? On the official firmware it did it automatically.
Thank you
 
I have a problem every time I restart the router I have to manually reconnect the vpn, it is not possible to make sure that the restart automatically connects to the vpn that had at the time of shutdown? On the official firmware it did it automatically.
Thank you
Have you made sure that automatic start at boot time is checked under VPN client?
 
Last edited:
I can not find this setting, where it is??

It is located below the toggle button that turns your VPN access on/off. Choose “Yes” as your option.


Sent from my iPhone using Tapatalk
 
Coming from an old version, the update went smooth without any problems on my AC88U. Factory reset also done.

At the moment I´m fighting with the OpenVPN Server - The iPhone App tries to connect the router but the connection will not be established.
Any idea what I´m doing wrong?

thx

From the log-file:

pls help - did I miss something?
thx
 
I am running 384.6 on my 5300 and have installed the post-mount script to start an NTP server on it. (as per insructions in Merlin's wiki) I notice, however, that the script does NOT run after a reboot. I have done chmod on the script to make it executable and enabled custom scripts in the gui. I have to SSH into the router and manually run the script in order to start the NTP server. Anyone else ?
 
@Wadadli: have you checked whether the script actually runs at boot? Is it in /jffs/scripts and in the correct format?

Add a line like

Code:
touch /tmp/000ntpstarted

near the beginning of post-mount (but after the shebang) and check the tmp folder after boot for this file to see whether it's created and/or whether its time stamp has changed. If it exists, check syslog for any errors.

(from the user scripts tutorial in the wiki)
 
@Wadadli: have you checked whether the script actually runs at boot? Is it in /jffs/scripts and in the correct format?

Add a line like

Code:
touch /tmp/000ntpstarted

near the beginning of post-mount (but after the shebang) and check the tmp folder after boot for this file to see whether it's created and/or whether its time stamp has changed. If it exists, check syslog for any errors.

(from the user scripts tutorial in the wiki)
I am sure the script never runs because I see nothing in the logs that the init of the NTP server succeeded or failed. The comments only show in the logs after I manually run the script.
 
More like I can't touch it any longer. I used to, but now Asus has moved that code to a closed source component specifically to prevent bypassing it...
Thanks for the hint! I found the component and patched it for myself, so now I have 384.7 alpha working perfectly with English as a language.
 
Thanks for the hint! I found the component and patched it for myself, so now I have 384.7 alpha working perfectly with English as a language.
Could you please help others how exactly you've done?
Many got a chinese version and now lost all other languages (leaving chinese and english) with last stock or Merlin.
 
Last edited:
I'm pretty sure that @RMerlin will be well aware of the release of the code folks... give the man time to wake up!
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top