[Release] Asuswrt-Merlin 384.6 is now available

@RMerlin

This option, DNSSEC: strict unsigned validation, does not work; it keeps giving the same problem as always, and I have to disable DNSSEC for the internet to work. I advise you to ask @john9527 for help on how to set this option correctly, so that it is not in strict mode as in version 384.5, or to remove the DNSSEC option: strict unsigned validation and leave DNSSEC in strict mode as it now is from version 384.6 onwards.

Move them to WAN

I have both DNSSEC, & strict unsigned validation, enabled.
Using Cloudflare.
Appears to be working fine.
 
Some users have reported that their WiFi issues have been solved with 384.7 alpha 1 (alpha 2 is now available too). You could also try these settings suggested by fellow forum member @scjr which seem to work well for several users: https://www.snbforums.com/threads/r...-6-is-now-available.47941/page-21#post-422712. Of course, you can try both as well ;)

Those 5 GHz wireless options are basically what I currently use (save for beamforming - even explicit one creates trouble in my setup) and 2.4 has been consistently reliable. Having to power cycle the computer’s WiFi is not ideal, but I’m a little scared by alphas in a production environment - I could give it a shot today and tomorrow though, as I can afford to break things during the weekend :)

Thanks!
 
That option is working perfectly... When disabling strict mode.

Maybe you are 99% right, if you do not use DNSCrypt and only use DNS in WAN, but most DNSCrypt v2 (DoH) servers do not fully support DNSSEC from v384.6 or newer (the DoH servers only work without problems with DNSSEC in v384.5), and for me DNSCrypt is more important than DNSSEC. That's why I have DNSSEC disabled, to be able to use DNSCrypt without problems, and I think that the Strict DNSSEC enforcement option is useless, because it does not work with DNSCrypt: even if it is disabled (Strict DNSSEC enforcement: "No"), the only way for the internet to work again when I use DNSCrypt is to disable DNSSEC completely.

You can try to install DNSCrypt and use the DNS server (DoH) #51 Cleanbrowsing and you will see that I am right, also perform these tests:
If you do not install DNSCrypt v2 and do those tests, then you will not know what I'm talking about.

Your point of view is for people who use DNS on the WAN, and that does not include people who use DNSCrypt. That's why I advise you to remove the Strict DNSSEC enforcement option: it is useless, because for me you added this option for people who use DNSCrypt, but it does not work.

 
Maybe you are 99% right, if you do not use DNSCrypt and only use DNS in WAN, but most DNSCrypt v2 (DoH) servers do not fully support DNSSEC from v384.6 or newer (they were only compatible with DNSSEC of v384.5), and for me DNSCrypt is more important than DNSSEC. That's why I have DNSSEC disabled, to be able to use DNSCrypt without problems, and I think that the Strict DNSSEC enforcement option is useless, because it does not work with DNSCrypt: even if it is disabled (Strict DNSSEC enforcement: "No"), the only way for the internet to work again when I use DNSCrypt is to disable DNSSEC completely.

You can try to install DNSCrypt and use the DNS server (DoH) #51 Cleanbrowsing and you will see that I am right, also perform these tests:
If you do not install DNSCrypt v2 and do these tests then you do not know what I'm talking about.

Your point of view is for people who use DNS on the WAN, and that does not include people who use DNSCrypt. That's why I advise you to remove the Strict DNSSEC enforcement option: it is useless.


I think Merlin has previously said he neither supports, nor uses Dnscrypt?

Yes, I formerly have found DNSSEC + Dnscrypt a problematic combination, so I’m just sticking with DNSSEC alone for the time being. Thus far, working well for me.
 
Your point of view is for people who use DNS on the WAN, and that does not include people who use DNSCrypt. That's why I advise you to remove the Strict DNSSEC enforcement option: it is useless, because for me you added this option for people who use DNSCrypt, but it does not work.


If a configuration option does not work for you, turn it off.

Additionally, if you are using dnscrypt, why do you need DNSSEC? It is redundant. Both are methods of verifying the queries/responses. Generally speaking, you pick one or the other.

Also, I may have missed where you stated this, but did you choose a DNSCrypt resolver that supports DNSSEC? Not all of them do, as of the last time I was looking into it.
 
and I think that Strict DNSSEC enforcement option is useless, because it does not work with DNSCrypt

This is pure speculation not backed by any technical facts.

You claimed that the option to disable enforced validation didn't work, which I proved to be incorrect. The fact that you are having DNSSEC issues while using DNSCrypt is unrelated to that option, and not something I care about, as DNSCrypt is a non-supported, third party modification to my firmware that is not officially supported by me. DNSCrypt is also considered obsolete, as it was never an official standard, and is now superseded by the DNS-over-TLS standard that is backed by the IETF.

Additionally, if you are using dnscrypt, why do you need DNSSEC? It is redundant. Both are methods of verifying the queries/responses. Generally speaking, you pick one or the other.

Not exactly, the two technologies are complementary. DNSSEC ensures that the reply you received was not forged and came from the real authoritative server, while DNSCRYPT (and DoT/DoH) serves to encrypt the communication between you and the DNS server to prevent eavesdropping or interception of your DNS traffic.
 
DNSCrypt is also considered obsolete
DNSCrypt v2 (DoH) was released this year, DoT was released in 2016...

When I write DNSCrypt, I'm talking about the DNSCrypt v2 protocol (DoH). I'm not going to write that every time I type DNSCrypt so people understand what version I'm talking about; for me it's common sense to think I'm talking about version v2, which supports DoH.

now superseded by the DNS-over-TLS standard that is backed by the IETF.
Why do you not implement DoT in the firmware, as the Fork version does?
 
DNSCrypt v2 (DoH) was released this year, DoT was released in 2016...

You are confusing the client and the protocol. DNSCryptv2 is just a client, which supports the DNSCrypt protocol (which I consider obsolete) and the DNS-over-HTTPS protocol (which is backed by Google, but not by the IETF).
 
You are confusing the client and the protocol. DNSCryptv2 is just a client, which supports the DNSCrypt protocol (which I consider obsolete) and the DNS-over-HTTPS protocol (which is backed by Google, but not by the IETF).
But it is the only one that supports DoH, which is the improved version of DoT.

now superseded by the DNS-over-TLS standard that is backed by the IETF.
Why do you not implement DoT in the firmware, as the Fork version does? Just copy and paste from Fork. :D Joke
 
Why do you not implement DoT in the firmware, as the Fork version does?

Because that came out of beta only a week ago, and it still has things requiring ironing out. I will evaluate the solution in a few months once it has stabilized. Right now with the 384.7 development, my focus is on other things which are actually even more important from a security point of view...

just copy and paste from Fork.

The implementation is actually quite complex and requires changes throughout the firmware.
 
@RMerlin I am 100% sure that people who complain about DNSSEC as I do, do so because they were using DNSCrypt. If I uninstall DNSCrypt and use any of these DNS servers (Cloudflare, Cleanbrowsing, Google, etc.) that support DNSSEC, and use it in super mega Strict mode, it works for me without problems; the problem only exists when I use DNSCrypt.

That's why I say Strict DNSSEC enforcement option is useless.
 
I have no problem with DNSSEC strict and DNScrypt v2; working perfectly for me.
The DNS servers I use have full support for DNSSEC and DNScrypt v2.
 
I have no problem with DNSSEC strict and DNScrypt v2; working perfectly for me.

I suspect you're not all using the same resolver, which might be playing a role. That seems to be one of the remaining variables in this discussion.
 
I suspect you're not all using the same resolver, which might be playing a role. That seems to be one of the remaining variables in this discussion.

Agree
But adding notes in the GUI that DNSSEC does not support DNScrypt, I don't understand. Is it not up to the user to find working resolvers?
 
Agree
But adding notes in the GUI that DNSSEC does not support DNScrypt, I don't understand. It's up to the user to find working resolvers?

I'm not sure I understand the question. All of this has to be supported on both sides for it to work properly, doesn't it? For instance, if you look at the list of public DNSCrypt resolvers here, not all of them support DNSSEC.

https://dnscrypt.info/public-servers/

If you want to use DNSCrypt (and even DNSSEC), you accept the burden of finding resolvers that support it (while a great many support DNSSEC these days, not all of them do).
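
Added example (not part of the thread, and not any poster's or the firmware's code): the resolver-dependence discussed above shows up in the raw DNS reply, as the RCODE, the AD header bit and whether RRSIG records come back. This sketch parses those three signals from reply bytes; the replies here are constructed inline for `example.com` with filler signature data, and the function names and the labels returned by `classify` are hypothetical.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46   # RRSIG type code from RFC 4034
AD_FLAG = 0x0020             # "Authenticated Data" header bit (RFC 4035)

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off

def dnssec_status(msg):
    """Pull RCODE, AD bit and RRSIG presence out of a raw DNS reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "rrsig": TYPE_RRSIG in types}

def classify(msg):
    s = dnssec_status(msg)
    if s["rcode"] == 2:
        return "SERVFAIL"
    if s["ad"]:
        return "validated upstream"
    return "signatures returned" if s["rrsig"] else "no DNSSEC data"

def make_reply(flags, rtypes):
    """Constructed reply for example.com; RRSIG RDATA is filler, not a real signature."""
    msg = struct.pack("!6H", 0x1234, flags, 1, len(rtypes), 0, 0)
    msg += encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    for t in rtypes:
        rdata = bytes([192, 0, 2, 1]) if t == TYPE_A else b"\x00" * 8
        msg += b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rdata)) + rdata
    return msg
```

A reply classified as "no DNSSEC data" for a signed zone queried with the DO bit set means a validator sitting behind that resolver has no signatures to check.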
 
I have no problem with DNSSEC strict and DNScrypt v2; working perfectly for me.
The DNS servers I use have full support for DNSSEC and DNScrypt v2.
Same here, I have dnscrypt setup with DoH (Cloudflare) and dnssec enabled as well with all the bells and whistles. I test on a daily basis and still have zero issues. I have used all the tools listed by @HowIFix and get passing marks on all. Just saying!! :rolleyes:
 
Same here, I have dnscrypt setup with DoH (Cloudflare) and dnssec enabled as well with all the bells and whistles. I test on a daily basis and still have zero issues. I have used all the tools listed by @HowIFix and get passing marks on all. Just saying!! :rolleyes:

Ditto, except I can’t get to some sites (like Wikipedia!). Go figure.
So, I do without....
 
Ditto, except I can’t get to some sites (like Wikipedia!). Go figure.
So, I do without....
I also tested all this through an OVPN tunnel and it works with zero problems as well...;)
 
I have an RT-AC68U and cannot get the 384.6 firmware to "take". I'm on 384.5 and go through the update process and it seems to work fine but still shows 384.5 at the end. Tried doing a factory reset first and still no luck...
 
