Treadler
Very Senior Member
I have both DNSSEC, & strict unsigned validation, enabled.
Using Cloudflare.
Appears to be working fine.
[Release] Asuswrt-Merlin 384.6 is now available
- Thread starter RMerlin
- Start date
I have both DNSSEC, & strict unsigned validation, enabled.
Using Cloudflare.
Appears to be working fine.
NoSync
Regular Contributor
Some users have reported that their WiFi issues have been solved with 384.7 alpha 1 (alpha 2 is now available too). You could also try these settings suggested by fellow forum member @scjr which seem to work well for several users: https://www.snbforums.com/threads/r...-6-is-now-available.47941/page-21#post-422712. Off course, you can try both as well
Those 5 GHz wireless options are basically what I currently use (saved for beamforming - even explicit one creates trouble in my setup) and 2.4 has been consistently reliable. Having to power cycle the computer’s WiFi is not ideal, but I’m a little scared by alphas in a production environment - I could give it a shot today and tomorrow though, as I can afford to break things during the weekend
Thanks!
Maybe you can have 99% of the reason, if you do not use DNSCrypt and only use DNS in WAN, but most servers DNSCrypt v2 (DoH) do not full support DNSSEC from the v384.6 or newer (The DoH servers only works without problems in DNSSEC v384.5) and for me DNSCrypt is more important than DNSSEC, that's why I have DNSSEC disable to be able to use DNSCrypt without problems and I think that Strict DNSSEC enforcement option is useless, because it does not work with DNSCrypt, even if it is disabled Strict DNSSEC enforcement: "No" and the only way for the internet to work again when I use DNSCrypt is to disable DNSSEC completely.
You can try to install DNSCrypt and use the DNS server (DoH) #51 Cleanbrowsing and you will see that I am right, also perform these tests:
If you do not install DNSCrypt v2 and do those tests, then you will not know what I'm talking about.
Your point of view is for people who use DNS on the WAN and that does not include people who use DNSCrypt, that's why I advise you to remove that Strict DNSSEC enforcement option is useless, because for me you added this option for people who use DNSCrypt, but it does not work.
Last edited:
Treadler
Very Senior Member
I think Merlin has previously said he neither supports, nor uses Dnscrypt?
Yes, I formerly have found DNSSEC + Dnscrypt a problematic combination, so I’m just sticking with DNSSEC alone for the time being. Thus far, working well for me.
If a configuration option does not work for you, turn it off.
Additionally, if you are using dnscrypt, why do you need DNSSEC? It is redundant. Both are methods of verifying the queries/responses. Generally speaking, you pick one or the other.
Also, I may have missed where you stated this, but did you choose a DNSCrypt resolver that supports DNSSEC? Not all of them do, as of the last time I was looking into it.
Last edited:
This is pure speculation not backed by any technical facts.
You claimed that the option to disable enforced validation didn't work, which I proved to be incorrect. The fact that you are having DNSSEC issues while using DNSCrypt is unrelated to that option, and not something I care about, as DNSCrypt is a non-supported, third party modification to my firmware that is not officially supported by me. DNSCrypt is also considered obsolete, as it was never an official standard, and is now superseded by the DNS-over-TLS standard that is backed by the IETF.
Not exactly, the two technologies are complementary. DNSSEC ensures that the reply you received was not forged and came from the real authoritative server, while DNSCRYPT (and DoT/DoH) serves to encrypt the communication between you and the DNS server to prevent eavesdropping or interception of your DNS traffic.
DNSCryp v2 (DoH) release this year, DoT release 2016...
When I write DNSCrypt I'm talking about DNSCrypt v2 protocol DoH I'm not going to write that every time I type DNSCrypt so people understand what version I'm talking about, for me it's common sense to think I'm talking about version v2 that supports DoH.
Why you do not implement DoT in the firmware as the Fork version.
Last edited:
You are confusing the client and the protocol. DNSCryptv2 is just a client, which supports the DNSCrypt protocol (which I consider obsolete) and the DNS-over-HTTPS protocol (which is backed by Google, but not by the IETF).
But it is the only one that supports DoH that the improved version of DoT.
Why you do not implement DoT in the firmware as the Fork version, just copy and paste from Fork.
Joke
Because that came out of beta only a week ago, and it still has things requiring ironing out. I will evaluate the solution in a few months once it has stabilized. Right now with the 384.7 development, my focus is on other things which are actually even more important from a security point of view...
The implementation is actually quite complex and requires changes throughout the firmware.
@RMerlin I am 100% sure that people who complain as I do DNSSEC, is because they were using DNSCrypt, if I uninstall DNSCrypt and I use any of these DNS server cloudflare, Cleanbrowsing, google, etc that support DNSSEC and use it in mode super mega Strict works for me without problems, only the problem exists when I use DNSCrypt.
That's why I say Strict DNSSEC enforcement option is useless.
That's why I say Strict DNSSEC enforcement option is useless.
Last edited:
I suspect you're not all using the same resolver, which might be playing a role. That seems to be one of the remaining variables in this discussion.
Zastoff
Very Senior Member
Agree
But adding notes in GUI that DNSSEC does not support DNScrypt i dont understand. Is it not up to the user to find working resolvers?
Last edited:
bluepoint
Very Senior Member
I'm not sure I understand the question. All of this has to be supported on both sides for it to work properly, doesn't it? For instance, if you look at the list of public DNSCrypt resolvers here, not all of them support DNSSEC.
https://dnscrypt.info/public-servers/
If you want to use DNSCrypt (and even DNSSEC), you accept the burden of finding resolvers that support it (while a great many support DNSSEC these days, not all of them do).
Treadler
Very Senior Member
Same here, I have dnscrypt setup with DoH (Cloudflare) and dnssec enabled as well with all the bells and whistles. I test on a daily basis and still have zero issues. I have used all the tools listed by @HowIFix and get passing marks on all. Just saying!!
Ditto, except I can’t get to some sites (like Wikipedia!). Go figure.
So, I do without....
Last edited:
skeal
Part of the Furniture
I also tested all this through a OVPN tunnel and it works with zero problems as well...
Similar threads
- Locked
Similar threads
Similar threads
-
-
-
-
-
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 62
-
Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14
- Started by B0GDAN
- Replies: 1
-
Several Questions Re:Asuswrt-Merlin Feature Implementation
- Started by fenixreign
- Replies: 2
-
-
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
- Started by RMerlin
- Replies: 70
-