Advanced search results

Keywords: DNSSEC
Results count: 2972

  1. Paliv (26 Posts)
    ...people say Comcast’s DNS are unreliable and serve ads on redirects instead of NXDOMAIN. All of this is old information. Redirecting DNS breaks DNSSEC which they implemented years ago and stopped redirects. Also I have found its uptime to be just as good as any third party these days and...
  2. tnpapa (26 Posts)
    but not ECS
  3. sfx2000 (26 Posts)
    Try Cloudflare - they're pretty good... and they're not google... They do both DoT and DoH, and support DNSSEC
  4. maxbraketorque (176 Posts)
    Second alpha installed in my GT-AX6000 main/AP combo this morning. Working fine so far with DNSSEC and DoT operating in strict mode.
  5. David27 (4 Posts)
    ...some settings. It's either invalid password or cannot access. Only with the Node. The changes I made were enabling DNS over TLS, enabling DNSSEC, changed from WPA2 to WPA2 / WPA3-Personal, disabled 11b. I tried reversing them, I even did a reset to the Node and re-added it, but nothing solves...
  6. bennor (68 Posts)
    Huh? AiMesh has been officially supported since the Asuswrt-Merlin 384.13 (31-July-2019) firmware. https://www.asuswrt-merlin.net/node/10 The issue more than a few face with AiMesh is just the wonky nature of Asus's implementation of the feature. People using stock Asus firmware face issues...
  7. maxbraketorque (758 Posts)
    So the two CVEs addressed with 388.6_2 are only DOS vulnerabilities, correct? DNSSEC security not compromised?
  8. Viktor Jaep (21 Posts)
    It won't make your browsing more secure. Your ISP/upstream services can still watch everything you go to. Settings like these would make DNS resolution more secure, but ultimately won't help with browsing security.
  9. Rob Q (21 Posts)
    ...selected option. DNS Server: Auto Forward local domain queries to upstream DNS: Yes / (No) Enable DNS Rebind protection: Yes / (No) Enable DNSSEC support: Yes / (No) - If "Yes" is selected.... - Validate unsigned DNSSEC replies: (Yes) / No Prevent client auto DoH: Yes / No / (Auto) DNS...
  10. sfx2000 (31 Posts)
    ...<nwfilardo@gmail.com> Date: Sun Feb 18 13:12:10 2024 +0000 dnsmasq: version 2.90 Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387, CVE-2023-50868) among many other goodies and fixes (notably, upstream 568fb024... fixes a UAF in cache_remove_uid...
  11. bibikalka (169 Posts)
    ...time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile Mar 1 10:52:22 RT-AC86U-9988 dnsmasq[3850]: read /etc/hosts - 22 names Mar 1 10:52:22 RT-AC86U-9988...
  12. bibikalka (169 Posts)
    ...time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile And here is the working 12_4 output: grep DHCP n1c.log dnsmasq-dhcp[1160]: DHCP, IP range 192.168.102.2...
  13. heywire (169 Posts)
    So you're stable with 386.12, but not the sub-releases (.12.2, 12.4, 12.6)? How does your history with the recent firmwares look; were you rock stable over a significant period of time at any point going backwards with 386.11, .10, .9? I'm saying "for a significant period of time" because as I...
  14. Tomo (169 Posts)
    Same situation here, I'm currently stable with 386.12, all the new builds create problems on wifi and I notice that the problems continue to be reported. Unfortunately Merlin's hands are tied and he can't do more than this, for now I'll stay on .12 and let AdGuardHome manage the DNSSEC.
  15. learning_curve (758 Posts)
    ...from 3004.388.6_2 (Beta Release) to 3004.388.6_2 then a 15-minute run and a further re-boot. No problems with anything at all, including full DNSSEC etc which was the issue for the previous Beta Releases (testing dnsmasq 2.90) Thanks again @RMerlin Your hard work and effort is very much...
  16. RMerlin (169 Posts)
    Asuswrt-Merlin 386.12_6 has been released for Wifi 5 models. This is a security update addressing two vulnerabilities in dnsmasq when using DNSSEC. Changes since 386.12_4: 386.12_6 (26-Feb-2024) - UPDATED: dnsmasq to 2.90 (resolves CVE 2023-50868 and CVE 2023-50387). Downloads are here...
  17. aex.perez (103 Posts)
    If you're testing to the extent I was for the condition I was testing for, you set up to bypass the router's dnsmasq/DNS Firefox if using DOH (disable to use DOT) Everything else, using DOT, configure on the router or using its own DNS (fixed IP and config), neither DOT or DOH Pick your...
  18. bbunge (103 Posts)
    Firefox and other browsers can use DoT if enabled. Not DNSSEC.
  19. alan6854321 (48 Posts)
    ...time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile <31>Feb 11 12:32:14 RT-AX86S-F750-225CCF0-C dnsmasq[3636]: warning: interface br2 does not currently...
  20. aex.perez (103 Posts)
    ...for the first time, no longer happens and performance returns after dnsmasq and router settles down from the reload. Firefox set to use DoH/DNSSEC with Cloudflare never saw the problems. All browsers (Chrome, Edge, Firefox, Safari, and so on) tested did, regardless of device, DOT configured...
  21. RMerlin (103 Posts)
    All this says is that google.com isn't DNSSEC signed. You will have to ask Google to sign it... This site tests the domain name, not your DNS resolver.
  22. cc666 (103 Posts)
    Installed and working perfectly. Passed the test https://www.internetsociety.org/resources/deploy360/2011/testing-dnssec-analyzer/ It fails here if you put in google.com as the url to check on top https://dnssec-debugger.verisignlabs.com/www.google.com Merlin, can you look at these tests? CC
  23. TonyK132 (31 Posts)
    I did option 3 by commenting that line in the config file. Is that the right thing to do? #module-config: "respip validator iterator" # v1.08 add 'respip' for rpz feature @juched
  24. sfx2000 (31 Posts)
    Should note that this is not just DNSMASQ, most of the other resolvers that support DNSSEC have the same issue... Anyways, here are the relevant links to the disclosures/CVEs... https://nvd.nist.gov/vuln/detail/CVE-2023-50387 https://nvd.nist.gov/vuln/detail/CVE-2023-50868
  25. bennor (31 Posts)
    https://www.nlnetlabs.nl/documentation/unbound/howto-turnoff-dnssec/
  26. TonyK132 (31 Posts)
    Is there an option in unbound to do this?
  27. Damit1 (103 Posts)
    Already confused, LOL. DoH is not enabled, DNSSEC and DoT are.
  28. learning_curve (103 Posts)
    I don't... normally :D run Beta versions of Firmware, but seeing as I make full use of DNSSEC (pic) I thought it relevant to try the Beta 2 release and post my own findings. In my case, zero problems, zero issues appearing in the logs, zero collateral damage elsewhere (as a result of running...
  29. bbunge (103 Posts)
    Went back to Merlin a couple of days ago. Loaded up the test version this afternoon and all seems well. Dig shows the AD flag for DNSSEC.
  30. bennor (103 Posts)
    The color tag was removed for readability. Expand the quote to see their full post.
  31. aex.perez (103 Posts)
    I can't say it's slowness for me, DNSSEC is on though but the pages don't load complete, but now that I see this I'm going to try Firefox set to use DNSSEC and use different providers to see if it happens with that as well...
  32. John Fitzgerald (103 Posts)
    Same and some slowness when first navigating a site (inconsistent), (dnssec = on)
  33. aex.perez (103 Posts)
    ...time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile Feb 19 16:08:12 Router dnsmasq[4022]: DNSSEC validation enabled Feb 19 16:08:12 Router dnsmasq[4022]...
  34. TomMe (103 Posts)
    Updated my AX86U about 12 hours ago. Used some with and without DNSSEC. No problems have been noticed.
  35. RMerlin (31 Posts)
    DNSSEC is a validation done when you do a DNS query. It's not a connection. The vulnerability is if you visit a website that contains a URL to a malicious domain, and that domain has a specially crafted DNS entry. When your dnsmasq will try to resolve that hostname, and check its DNSSEC...
  36. GHammer (31 Posts)
    Here's what I'd like to know. Reading some of the announcements of this issue, it sounds like it is an incoming DNSSEC request that is the trigger. Nothing I run is open to the outside (limited to responding to my LAN only). Where is the threat to my install? I'm sure I'll patch this, just with...
  37. aex.perez (103 Posts)
    Second Beta applied, turned DNSSEC back on, tried the domains that were logging the failures, did not get anything in the logs like before... Checking whether I still randomly see partial page loads requiring a refresh to load the requested page fully. Haven't seen that happen anymore though...
  38. icanfly (3 Posts)
    Bingo! That was it thanks @ColinTaylor!
  39. RMerlin (103 Posts)
    This is the same thing that I found. If a request results in a SERVFAIL (for instance if DNSSEC validation fails), then it generates that incorrect log entry.
  40. dave14305 (103 Posts)
    Interesting. I wouldn’t bother enabling FTL/dnsmasq DNSSEC if I was forwarding to Unbound on the same server. Let Unbound do its thing. Maybe I need to setup a Pi-Hole again to see how it’s going.
  41. dave14305 (103 Posts)
    Interesting findings by the PiHole team. https://discourse.pi-hole.net/t/pihole-unbound-dnsmasq-validation-failed-resource-limit-exeeded/68388/22
  42. aex.perez (103 Posts)
    I tried this since the log entries mention validation, didn't help The only thing that did is turning off DNSSEC, I'm leaving it disabled until I mess with it again in the AM I have to look at the logs in detail because trying this again caused a whole lot of services to restart, failed and...
  43. RMerlin (103 Posts)
    The SERVFAIL error is actually DNSSEC doing its job. DNSSEC prevents a reply from being replaced by a different answer, by using reply signing. When using Cloudflare 1.1.1.2, Cloudflare returns a different answer than what is the real answer, returning 0.0.0.0 instead of the correct IP...
  44. FLA_NL (103 Posts)
    I'm seeing the same with 216.58.202.4.in-addr.arpa along with www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com. If I search for these requests on internet, it seems that this is some weird stuff that Samsung devices can produce after android 10. I've also tracked this down...
  45. 5stringdeath (103 Posts)
    All good here, DNSSec enabled.
  46. Damit1 (103 Posts)
    Feb 17 00:31:49 dnsmasq[2780]: validation of 216.58.202.4.in-addr.arpa failed: resource limit exceeded Not sure if it is good, bad, or even relevant. Not got into any actual measurable issues, so I'm not sure what should I do with that error. DNSSec is ON. Thanks, @RMerlin
  47. AntonK (103 Posts)
    Updated from 3004.388.6_1 to this fix release. Everything running fine whether DNSSEC is enabled or not. No "limit exceeded" messages in my Syslog. Thanks RMerlin!
  48. Damit1 (103 Posts)
    @RMerlin Please care to pay attention to that, not sure what its true importance is. Upgraded my router only, DNSSec is enabled. No issues popped, tried my VPN (Instant Guard), DDNS, and normal browsing. Nothing to worry about.
  49. dave14305 (103 Posts)
    Keep an eye out for any new dnsmasq syslog messages saying “limit exceeded” (with DNSSEC enabled). That could suggest that the new dnsmasq option dnssec-limits needs to be adjusted.
  50. Ripshod (103 Posts)
    Good to stay ahead of threats. Installed just fine, no complaints from DNSSEC and fine with it off too.
  51. archiel (103 Posts)
    Installed on RT-AX88U. Not using DNSSec directly, but I am using unbound (script by @Martineau) and I assume (but don't know) that this leverages whatever DNSSec is installed by default. Nothing unexpected in log files, DNScheck looks normal, no obvious issue with the other installed...
  52. Unisoft (103 Posts)
    Cautiously did it on one AX86U. DNSSec still works and confirmed by test tools. IPv4 network (ISP). No issues so far, remote apps still work etc. and I use DNS over TLS too. 18/02/2024 - UPDATE: Done the update on two other remote AX86U and all seems to be OK. I read Merlin tried js7k.com...
  53. JGrana (103 Posts)
    Upgraded my AX88U Pro - anytime a new dnsmasq version comes out - I'm eager to test. System is running fine, no DNSSEC enabled. I do still see the kernel report a dnsmasq Tainted error on startup. It's been there since dnsmasq 2.6 (usually after YazDHCP starts). Feb 16 07:26:01 kernel: CPU: 3...
  54. Quoc Huynh (103 Posts)
    Thanks for keeping us with the security fix! I upgraded my RT-AX88U from 3004.388.6 to the new beta firmware 5 hours ago without any issue, and it works nicely with DNSSEC enabled. Edited to add that no "limit exceeded" message found after 15 hours of running.
  55. FLA_NL (103 Posts)
    Upgraded to 3004.388.6_1-g7c86063034 from 3004.388.6. For me it works with and without DNSSEC enabled.
  56. Treadler (103 Posts)
    Working fine here, both with & without DNSSEC enabled.
  57. Morris (103 Posts)
    Upgraded RT-AX86U to 3004.388.6_1 and all is good. I don't run DNSSEC to provide the no DNSSEC view.
  58. RMerlin (103 Posts)
    https://www.snbforums.com/threads/cve-2023-50868-and-cve-2023-50387-in-dnsmasq-when-dnssec-is-enabled.88890/
  59. sfx2000 (31 Posts)
    Good background on the VULN - it's a 7.5 out of 10, so seriously worth fixing... https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
  60. RMerlin (103 Posts)
    Hi everyone, I've uploaded Asuswrt-Merlin 3004.388.6_1 test builds that include dnsmasq 2.90 (which contains two security fixes related to DNSSEC). https://www.asuswrt-merlin.net/test-builds Please give these builds a try, both with and without DNSSEC enabled. Let me know if there are any...
  61. RMerlin (31 Posts)
    Two new CVEs were revealed related to DNSSEC support in dnsmasq. A specially crafted record can generate a DoS against dnsmasq, causing it to exhaust its resources. While dnsmasq 2.90 was released with a fix, initial reports indicate that it causes other issues, breaking DNSSEC for some...
  62. Xboxsx4life (7 Posts)
    ...what it does but not sure how much additional security it would add given that it can break certain services from what I’ve read. I’m using DoT in strict mode with ‘DNSSEC’ and ‘validate unsigned replies’ both enabled. Just not sure if it’s worth enabling rebind protection too. Thanks again.
  63. karateca (758 Posts)
    Hi, I do it but same, don't save the config and show me this log.
  64. alan6854321 (4 Posts)
    ...time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile 14-Jan 10:00:37 AX dnsmasq[3607]: warning: interface br2 does not currently exist 14-Jan 10:00:37 AX...
  65. bbunge (280 Posts)
    Well, when I set Stubby up to do DNSSEC (yes, I know dnsmasq can do DNSSEC but I prefer to let Stubby do it) Stubby crashes. Did not crash with the same stubby.postconf under 388.5. Something changed.
  66. Rici (4 Posts)
    ...time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile Jan 1 21:37:03 dnsmasq[27490]: warning: interface br2 does not currently exist Jan 1 21:37:03...
  67. jkbach (3 Posts)
    ...the upstream DNS server: DNS Server: 1.1.1.2 Forward local domain queries to upstream DNS: No Enable DNS rebind protection: No Enable DNSSEC support: No Prevent client auto DoH: Auto DNS privacy protocol: None At this point, clients on the LAN can resolve all the host names as expected...
  68. RT-N66U (10 Posts)
    I'm experiencing an issue with my Dynamic Domain Name System (DDNS) not updating when the WAN cable is reconnected on my RT-AC68U router running the latest Merlin firmware. This problem seems to have emerged in the recent firmware releases. To address this issue, I have to manually click 'Apply'...
  69. Viktor Jaep (19 Posts)
    So downloading over VPN will bypass whatever is in place, and works for you. Hum. Have you tried plugging your Windows 11 device directly into your modem, and bypassing your router? See what the results are there? Have you tried resetting your router from scratch, and just going with...
  70. DJones (19 Posts)
    ...DNS server normally cloudflare with DNS-over TLS, Disable TLS, Set DNS provider to automatic by ISP. Disable DNS rebind protection Disable DNSSEC support Prevent client auto DoH No UPnP normally off and set to No. Enable Firewall is YES (don't think I need to change that) Enable DoS...
  71. bibikalka (583 Posts)
    ...time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile Nov 25 01:25:51 RT-AC86U-9988 dnsmasq[20628]: read /etc/hosts - 22 names Nov 25 01:25:51 RT-AC86U-9988...
  72. valkraider (89 Posts)
    ...make sure things go through it. ;) I have tried both the 9.9.9.9 and the 9.9.9.11 variations with the same results. I have tried it with DNSSEC on and off, and DoT on and off, and so on and so forth, I just switched back to Cloudflare for families 1.1.1.2 for now, but it doesn’t score as...
  73. Morris (47 Posts)
    Try a different torrent app or none
  74. ika (47 Posts)
    Update: So after many hours of testing, disabling DNSSEC, DNS director, and all kind of settings in the router, and also in the torrent client. Settings like local peer discovery (creates lots of multicast packets), DHT, and everything you name it, I'm a little bit closer to the cause perhaps...
  75. privacyguy123 (15 Posts)
    DNSSEC is working fine, I'm just attempting to understand the settings in my new router. :)
  76. privacyguy123 (15 Posts)
    Interesting, I've never had anybody suggest to turn that setting on in AdGuard, what does it do? It's safe to have DNS rebind off in the WAN setting panel? Or is it doing nothing as AdGuard overwrites this section entirely?
  77. Tech9 (15 Posts)
    ...or for nothing. They basically don't matter because AGH is doing your queries upstream. I would leave in WAN settings everything on No and in AGH settings select Enable EDNS client subnet only. Test your DNS (link below) and you'll see DNSSEC authenticated responses anyway...
  78. privacyguy123 (15 Posts)
    Yep. DNSSEC enabled here: Vs here:
  79. RMerlin (599 Posts)
    Test without DoT to see if there is any relation with your problems. Also make sure your ISP's DNS does support DNSSEC before enabling it.
  80. drinkingbird (25 Posts)
    ...it). Maybe newer code implements TCP/53 or maybe that is caused by some setting on the WAN DNS screen, not sure. RT-AC1900 386.11 (no DOT or DNSSEC) Guest Wireless 1 EBTABLES broute -p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT , pcnt = 3 -- bcnt = 639 -p IPv4 -i wl0.1...
  81. dns (25 Posts)
    Nah I mean TCP.
  82. bbunge (25 Posts)
    I feel he really intended DoT because conventional DNS uses UDP and DoT does use TCP. Oops.. I just learned that conventional DNS can use TCP when responses are larger than the default (512 bytes?) as in DNSSEC responses. However, the OP likely does not know this and really meant DoT...
  83. drinkingbird (20 Posts)
    Nope, DNSSEC is done between the recursive name server and the Authoritative name server. Doing DNSSEC between two recursive servers (such as the Asus and your ISP or 3rd party), best you can expect is to re-authenticate what they have already authenticated for you (assuming they even pass that...
  84. bbunge (20 Posts)
    Wrong again... https://www.unibesecure.unibe.ch/tips__tricks/dot_doh_and_dnssec/index_eng.html
  85. drinkingbird (20 Posts)
    Doing DNSSEC to a recursive 3rd party DNS server is not adding any security.
  86. bbunge (20 Posts)
    ...is not hiding from your ISP but adding a level of security to DNS which was never designed to be secure. None of you above who say DoT and DNSSEC are not worth it would turn off https! Same issue. Verifying the connection with DNSSEC and preventing tampering with DoT. Some of us have spent a...
  87. drinkingbird (20 Posts)
    Honestly I'm not a diversion expert, but if it is running fine without slowing anything down, that's probably still going to be faster. You can try DNS benchmarking both setups (using namebench from google and/or GRC's DNS Benchmark to see which performs better overall). I suspect if your...
  88. Dux (20 Posts)
    ...been very helpful. It looks like just using the ISP or a fast public DNS at the router and avoiding non-essential router features like DoT, DNSSEC, IPv6 etc. will cause the least friction. I do have a somewhat related question, I'm using DNS Director + Diversion to filter a few dozen...
  89. drinkingbird (20 Posts)
    Agreed (even to a certain extent with the tin foil hat part :) ). A lot of people are just enabling DOT/DOH/DNSSEC etc. not realizing it is really not doing anything for you when using a recursive DNS server (whether it be your ISP or one like Quad9 etc). All it is doing is slowing you down...
  90. Dux (20 Posts)
    OK, thank you for clearing that up. OK, thank you all for your insights. It looks like I'll just forget about DoT via the router for now. DoH at the browser or device level doesn't cause these hangups or noticeable latency issues for my usage, but does it provide any benefit at all for home...
  91. Paliv (20 Posts)
    Yeah it depends on the ISP. My ISP (Comcast) routes Quad9 to Chicago or LA and I’m in New Mexico. I contacted Quad9 and unfortunately despite them having closer servers they don’t have a peering agreement with Comcast, so for now it’s just those servers. They work fine, though, just gets me to...
  92. drinkingbird (20 Posts)
    ...providers. You can contact them and show them a traceroute and sometimes they can work with the ISP to fix it. But I found that both DOT and DNSSEC added delays even to a very nearby server, and both are fairly useless from a security perspective on a recursive DNS server. So I'm just...
  93. bbunge (20 Posts)
    ...same data center as Cloudflare but for some reason I regularly experience delays in resolving addresses using DoT. Now I am using Quad9 with DNSSEC and have no complaints from the girls. I do try DoT from time to time to see if it has improved. I do not use DoH as it still uses unencrypted...
  94. drinkingbird (17 Posts)
    ...what their priorities are. If having a filtering DNS is important, the latency penalty may be worth it. I've just found, even with uBlock blocking hundreds/thousands of lookups on a page, everything was so much more sluggish with any of these features (DOT, DNSSEC, filtering DNS provider, etc).
  95. drinkingbird (17 Posts)
    ...DOT simply hides your DNS request, if someone is monitoring you they just need to watch what IP you go to after the encrypted DNS request. DNSSEC is done between the auth server and the first recursive server querying it. Between two recursive servers the best you can hope for (if the...
  96. sfx2000 (17 Posts)
    I respectfully disagree - I suggest you put up some info to back your claim - latency over time would be a good start... RRD over time - that would be a great example... Your graphs would be good - a single pic can explain a thousand posts here...
  97. drinkingbird (17 Posts)
    ...couple powerful servers from your ISP) is a bit of a misconception. But you do eliminate the man in the middle potential and can validate the DNSSEC signatures yourself in that case, so technically more secure, if you don't mind the performance hit for the first lookup every TTL interval. I...
  98. heysoundude (17 Posts)
    I agree with DoT being...a complexity. unbound handles the DNSSEC stuff iirc, if OP would like to give that a spin. (Querying the AUTH servers directly rather than CloudFlare's recursive ones - unbound makes your router a local, personal DNS server on par with cloudflare, and my router is only...
  99. drinkingbird (17 Posts)
    DOT and DNSSEC are fairly useless on a recursive DNS server, and I've seen a pretty significant performance impact. I would not recommend using either.