• SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

  1. D

    Unbound DNSSec with unbound_manager?

    Hello, I'm using latest merlinwrt 388.1 on AX86U with unbound manager (v3.22) and can't get DNSSec to work :( With unbound turned on DNSSec validation is gone, please take a look at this example: admin@router:/tmp/home/root# dig @ +adflag example.org A ; <<>> DiG 9.18.1 <<>>...
  2. Kanji-San

    Robust DNS Settings

    I am having issues with Google DNS currently. The router claims to be disconnected from the Internet. connmon, using, shows 0 for the last hour. My settings are: WAN DNS Settings: DNS Server 1: DNS Server 2: DNS Privacy Protocol: DNS-over-TLS (DoT) DNS-over-TLS...
  3. cowboy

    Enable DNSSEC with OpenDNS

    I got interested in DNSSEC and want to enable it on my Asus AC88U router running Asuswrt-Merlin 384.15. But as I understand the DNS hosting provider has also to support it. I am using OpenDNS server and few days ago they announced that they will start supporting DNSSEC in this blog post: DNSSEC...
  4. XIII

    Using NTP server protected by DNSSEC?

    Using a NTP server protected by DNSSEC will probably not work because the router has no correct time yet after a reboot? Would this help? How? https://marc.info/?l=openbsd-tech&m=156102757301757&w=2 Is anyone already using such a configuration? How?
  5. dave14305

    Disappointing DNSSEC coverage

    I've been using DNSSEC with Stubby and was curious about how often I'm "protected" by DNSSEC. Since I run Diversion with logging, I scanned my dnsmasq logs for the number of INSECURE, SECURE or BOGUS results. I was very disappointed to see that most of my home's queries were INSECURE, and only a...
  6. RMerlin

    [Experimental] Asuswrt-Merlin 384.13 test - AiMesh/DNSSEC through OpenSSL

    First, the teasers: And: dnsmasq OpenSSL support Dnsmasq uses nettle to handle the crypto portion of DNSSEC, which limits the supported ciphers. @themiron implemented OpenSSL support in dnsmasq, which opens the door for supporting more ciphers. The implementation required a fair amount of...
  7. S

    Using DNSSEC & TLS together?

    Came across an older blog post that mentions DNSSEC is pointless when TLS is set up correctly. I know when I've configured my DNS for Cloudflare, it constantly throws errors about DNSSEC not configured or supported by upstream DNS servers. So my question is, assuming I'm using TLS correctly, do...
  8. G

    Some DNS lookup failing on the router with DNSSEC on

    I have an RT-AC87U running 384.11.2, using Cloudflare's DNS servers with strict mode DNS-over-TLS and DNSSEC turned on. A few days ago I noticed that my 87U can't resolve checkip.amazonaws.com, this is the primary server that my router's DDNS script uses to get its external IP in my double NAT...
  9. O

    DNSSEC suddenly stopped working on Asus RT-AC66U (running on Merlin v380.70)

    Hi, I have my Asus RT-AC66U running Merlin v380.70. The DNSSEC option (under LAN > DHCP) has been enabled for as long as I can remember but yesterday it suddenly started acting up. I could no longer resolve any DNS host names which were enabled for DNSSEC. Same results on all my DHCP clients...
  10. RMerlin

    [380 legacy] DNSSEC no longer compatible with 380.70

    Root nameservers switched to a newer signature key. 380.70 only contains the old signature. People still running that older firmware and using DNSSEC will have to enable custom script support (Administration -> System), and create a /jffs/configs/dnsmasq.conf.add file, with the following...
  11. sfx2000

    PiHole - DNSCrypt/DNSSEC support (along with other things)

    Pihole is a caching DNS server based on DNSMasq that allows for DNS based ad-blocking and other items - need to blacklist a site, pihole can do this.... pihole runs great on a RPi2 with Rasbian Jessie - definitely worth a look - even without the ad-block features, it has a strong logging...