WAN DNS Settings...& clients

sdmf74

Regular Contributor
I wanted to post a screenshot of my settings here to confirm that everything is correct. At first I wasn't sure what some of these newer settings are for, and although information seems to be scarce I now have a "little" better understanding of what they do.
I just wanted to make sure everything is set correctly & wondered if these settings could possibly have a negative effect on client devices, i.e. Mediacom TiVo MG2 DVRs? The boxes both seem to be connecting fine but I have a lot of missing channels since enabling these settings (it could be completely unrelated?)
It sounds more like a cable card pairing issue to me but Mediacom can't seem to figure out what is causing it.

PnritT2.jpg


Also, if someone has a good link or two with info about enabling secure UPnP, that would be great.
 
Regarding your UPnP question; AFAIK you just select Yes to enable UPnP and then select Yes for Enable secure mode. That's it.

I don't use the same firmware as you but your DoT server list looks like it might be wrong to me. When DoT is enabled your normal WAN DNS servers are ignored. So from your settings you are only using Google's IPv6 DNS servers. Do you have an IPv6 internet connection?
 
Ok so just leave the from & to port settings open the way they are when enabling secure UPnP?

Yes I have IPv6 enabled (native) setting, so wouldn't it just ignore or fallback to the IPv4 8.8.8.8 setting when a site isn't IPv6 compatible?
 
Yes, just leave the UPnP ports at the default.

OK, if you've got native IPv6 that should be fine. I don't believe the router would "fall back" to the normal WAN settings because they are not used when DoT is active. But that shouldn't be a problem because all DNS servers, regardless of whether you connect to them via IPv4 or IPv6, will return both the IPv4 and IPv6 addresses of the name queried. See the example below (I don't have IPv6 but it still returns the address).
Code:
C:\Users\Colin>nslookup google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4009:818::200e
          216.58.204.46
 
OK yeah, makes sense. Also notice below how under Internet Status it shows that my DNS is "overridden by DNS privacy", so all should be good.

I have another question. It seems that I can no longer enable/disable TLS 1.3 in Google Chrome's experimental features (the option is missing). Anybody else having this issue? Was it temporarily removed in Chrome v74 or is something else going on here? Thanks!

yyE0ZHp.jpg
 
Nobody has any info about Chrome's TLS implementation? It seems like I may have disabled TLS 1.3 in Chrome a while ago (if I remember correctly) 'cause I was getting errors while loading pages and I read that this was a temporary fix. Now when I go to chrome://flags/ the only option I have is for TLS 1.3 downgrade hardening & I am not sure if this is normal or not. I just now upgraded my browser to Chrome 75 & still only have the TLS 1.3 downgrade hardening setting.
 
If you are worried about this, you can simply make a /jffs/configs/stubby.yml.add
in your jffs scripts:
Code:
tls_max_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
This will hack the setup and tell it to use TLS 1.2 version as the highest cipher.
 
There wouldn't be any link between Chrome browser connecting to a website with https using TLS 1.2 or 1.3 and Stubby connecting to a resolver using TLS 1.2 or 1.3. Completely independent setups, so I think it's misleading to suggest a stubby custom config for his concern.

Unless I'm wrong. ;)
 
Test it for yourself. I am suggesting there are better ways to control TLS vs. forcibly downgrading it via the browser, despite the fact of there being no direct link between the two. Just saying, if he wants to go all TLS 1.2 then there are other ways of doing it.
 
To be clear, I only disabled TLS 1.3 in Chrome like 6 months ago 'cause I was having issues, which I'm sure are resolved now with several new versions of Chrome released since then (sorry if I wasn't clear about that). I am concerned with security, so I was looking for the Chrome TLS 1.3 setting so that I could enable or re-enable it, but like I said it has completely disappeared from Chrome's experimental features in both Chrome 74 & 75 on my system & I can't find any articles that explain if or why Chrome removed it?

Could you guys check and see if the option to enable/disable TLS 1.3 is available on your system? (not TLS 1.3 downgrade hardening, it is a different feature)

@Swistheater Thanks for the link, but I had already read that one and it says that TLS 1.3 was implemented in Chrome 66. I guess it is possible that Chrome has fully implemented it and it is no longer an "experimental feature", but I still need a way to test whether it is enabled or not on my system because I previously disabled it.

I think I understand what the TLS 1.3 downgrade hardening feature does but I am not sure which of the four options I should choose?

Also, I have disabled TLS 1.1 & TLS 1.2 in Internet Options under the Advanced tab.
 
This test will tell you if TLS 1.3 is active with your browser:
https://www.ssllabs.com/ssltest/viewMyClient.html
 
lol I just found & ran that test, looks like I'm still on TLS 1.2. I just uninstalled Chrome & reinstalled it but still no TLS 1.3 enable option?

GxsLDTM.jpg
 
I wouldn't worry too much about it, just make sure you are not downgrading to anything less than TLS 1.2. The browser could take some time to catch up because it is still considered experimental phase.
 
Since the GUI was changed since you set it, you might need to dig into the Chrome user profile directory, or create a brand new Chrome profile. Look in the C:\Users\username\AppData\Local\Google\Chrome\User Data\Local State file for tls13.

I don't use Chrome, so I can't confirm what you'd expect to find, or exactly what to change it to. Someone else might be able to reply with their settings.
 
Yeah, I read somewhere
C:\Users\username\AppData\Local\Google\Chrome\User Data\Local State file.

If you disable it, check the Local State file (with Notepad) to see the string required, e.g. "tls13-variant@1" to "tls13-variant@8"

Also, you can modify the target in the Chrome shortcut to be

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --tls13-variant=disabled

Maybe checking to make sure these are undone will fix the issue.
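
The check described in the post above, as an added example that is not part of the original thread: a Python script that lists TLS 1.3-related chrome://flags overrides in a Local State file and TLS 1.3 switches in a shortcut target. It assumes flag overrides are stored as "name@option" strings under browser.enabled_labs_experiments; the sample JSON and the sample target string are constructed.

```python
import json
import re

# Constructed sample of a Chrome "Local State" file (JSON); real files hold many more keys.
SAMPLE_LOCAL_STATE = json.dumps({
    "browser": {
        "enabled_labs_experiments": [
            "tls13-variant@1",
            "enforce-tls13-downgrade@2",
            "enable-quic@1",
        ]
    }
})

# Constructed sample of a shortcut "Target" field.
SAMPLE_TARGET = (r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"'
                 r' --tls13-variant=disabled')

# Matches flag or switch names that mention TLS 1.3 (tls13, tls-1.3, tls1_3, ...).
TLS13 = re.compile(r"tls-?1[._-]?3", re.IGNORECASE)

def find_flag_overrides(local_state_text, pattern=TLS13):
    """Return [(flag, option_index)] for chrome://flags overrides matching pattern."""
    state = json.loads(local_state_text)
    # Assumption: overrides live under browser.enabled_labs_experiments.
    entries = state.get("browser", {}).get("enabled_labs_experiments", [])
    hits = []
    for entry in entries:
        name, _, option = entry.partition("@")
        if pattern.search(name):
            hits.append((name, int(option) if option.isdigit() else None))
    return hits

def find_switch_overrides(target, pattern=TLS13):
    """Return {switch: value} for command-line switches in a shortcut target."""
    switches = {}
    for m in re.finditer(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?', target):
        name, value = m.group(1), m.group(2)
        if pattern.search(name):
            switches[name] = value.strip('"') if value else None
    return switches

if __name__ == "__main__":
    for flag, option in find_flag_overrides(SAMPLE_LOCAL_STATE):
        print(f"flag override: {flag} (option {option})")
    for switch, value in find_switch_overrides(SAMPLE_TARGET).items():
        print(f"shortcut switch: --{switch}={value}")
```

To run it against a real profile, read the Local State file with `open(path, encoding="utf-8").read()` and pass the text to `find_flag_overrides`; an empty result means no TLS 1.3 flag override is stored there.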
 
Maybe try Chrome admin:
chromeGPO.jpg



Navigate to Local Computer Policy > Computer Configuration > Administrative Templates. Right-click Administrative Templates, and select Add/Remove Templates. Add the chrome.adm template via the dialog. Once complete, a Google / GoogleChrome folder will appear under Administrative Templates if it's not already there.
Here is a more detailed description:
For Windows, there are two types of policy templates: an ADM and an ADMX template. Verify which type you can use on your network. The templates show which registry keys you can set to configure Chrome, and what the acceptable values are. Chrome looks at the values set in these registry keys to determine how to act.

Step 1: Download Chrome policy templates
The Windows templates, as well as common policy documentation for all operating systems, can be found here:

Zip file of Google Chrome templates and documentation.

Step 2: Open the ADM or ADMX template you downloaded
  1. Navigate to Start > Run: gpedit.msc. (Or run gpedit.msc in your terminal)
  2. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates.
  3. Right-click Administrative Templates, and select Add/Remove Templates.
  4. Add the chrome.adm template via the dialog.
  5. Once complete, a Google / Google Chrome folder will appear under Administrative Templates if it's not already there. If you added the ADM template on Windows 7 or 10, it will appear under Classic Administrative Templates / Google / Google Chrome.
Step 3: Configure policies
In the Group Policy Editor, open the template you just added and change the configuration settings. The most commonly-modified policies are:

  • Set the home page - The URL that Chrome opens when a user launches the browser or clicks the Home button.
  • Send anonymous usage statistics and crash information - To turn off sending any crash information or anonymous statistics to Google, change this setting to be False.
  • Turn off auto-updates - Although not normally recommended, you can turn off auto-updates.
Apply the policies to the target machines. Depending on your network's configuration, this may require time for the policy to propagate, or you may need to propagate those policies manually via administrator tools.

Note: the chrome.adm is located in the zip file, in the windows branch folder labeled adm, under whichever language folder you intend to use it in.
 
It is pretty cool once you get in there. For example, under deprecated policies you can force what minimum TLS you want to allow it to fall back to.

You can also look under chrome://policy to confirm there are no policies in there preventing you from using TLS 1.3.

Edit
I recommend you use the suggestions here to gain access to the windows admx files vs accessing the adm... There are more options inside the admx, the directions for admx are at the bottom of this link.
https://www.poremsky.com/windows/use-group-policy-admx-files-in-windows-7-or-8/
The directions in previous post are for using the adm files.
 
I tried the above suggestions but still cannot find an option to enable TLS 1.3, unfortunately.
I downloaded the Google Chrome templates and imported the ADMX template into the Local Group Policy Editor but was unable to find one that enables TLS 1.3 (unless I somehow missed it). The closest thing I could find is "minimum TLS version to fallback to", which I set to TLS 1.2.

I navigated to the C:\Users\username\AppData\Local\Google\Chrome\User Data\Local State file. I was able to find the Local State file and opened it with Notepad, but there is no "tls13-variant@1" or "tls13-variant@8" or anything pertaining to the TLS 1.3 setting (probably 'cause it is still disabled) except for the downgrade hardening setting, same as in chrome://flags.

@Jumpstarter I don't know what you meant by the following statement: also, you can modify the target to in the Chrome shortcut to be
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --tls13-variant=disabled
Maybe checking to make sure these are undone will fix the issue.
 
