
384.11 Secure DNS

Discussion in 'Asuswrt-Merlin' started by Preskitt.man, May 21, 2019.

  1. Preskitt.man

    Preskitt.man Regular Contributor

    Joined:
    Jan 25, 2014
    Messages:
    93
    Location:
    Peoria, AZ
    I installed 384.11-2. I then went to the WAN DNS page to implement DNSSEC. There was this message underneath the select box for DNS Privacy Protocol:
    "Your router's DHCP server is configured to provide a DNS server that's different from your router's IP address. This will prevent clients from using the DNS Privacy servers."
    The WAN page currently points DNS1/2 to 1.1.1.1 and 1.0.0.1.
    I went over to the DHCP page, and DNS Server1/2 also pointed to 1.1.1.1 and 1.0.0.1.
    What am I missing?
     
  2. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    737
    Clients will be told to use 1.1.1.1 directly instead of using the router and DoT (DNS Privacy). Clear the DHCP DNS entries and advertise the router as the DNS server for clients.
     
  3. Preskitt.man

    Preskitt.man Regular Contributor

    Joined:
    Jan 25, 2014
    Messages:
    93
    Location:
    Peoria, AZ
    Thanks!

    Cleared the DNS entries on the DHCP page and clicked Yes on Advertise the Router's IP. Applied these settings, and the warning message went away. On the DNS page, I configured as follows:
    DNS Server 1/2 : 1.1.1.1 1.0.0.1
    Forward Local Domain Queries to Upstream DNS: No
    Enable DNS Rebind Protection: No
    Enable DNSSEC: Yes
    Validate Unsigned DNSSEC replies: Yes
    DNS Privacy Protocol : DoT
    DNS over TLS Profile : Strict
    Preset Servers: Selected Cloudflare 1.1.1.1 and 1.0.0.1

    Obviously a bunch of new settings here - Not sure if all are selected for best use. Help file on this would sure be nice. Good news is, at a minimum, DNS is working on my networks. :)
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,547
    Location:
    UK
    I know I've laboured this point before :rolleyes: but I'm really uncomfortable when people recommend setting this value to "Yes". Two reasons:

    1. The setting isn't "Advertise the router as the DNS". The actual setting is "Advertise router's IP in addition to user-specified DNS". So the setting is not applicable when there are no user-specified DNSs. (Therefore telling people to change it is misleading)

    2. When people do want to set user-specified DNS(s) they could easily miss changing this back to "No". In such a situation the clients would also be using the router's DNS which is probably not what they intended.
     
    Last edited: May 21, 2019
  5. Treadler

    Treadler Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    355
    Location:
    South Australia
    Looks like you’re on the right track now.

    This may help?
    https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy
     
  6. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    648
    You would benefit by setting this as "Yes"
     
    SMS786, Quoc Huynh and Treadler like this.
  7. Treadler

    Treadler Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    355
    Location:
    South Australia
    I missed that, yes, yes!
     
    Marin likes this.
  8. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    737
    Yes, but the guy in that thread wasn’t nearly as smart as me. o_O

    I shall temper my enthusiasm for extra DNS directives.
     
    martinr and Treadler like this.
  9. Preskitt.man

    Preskitt.man Regular Contributor

    Joined:
    Jan 25, 2014
    Messages:
    93
    Location:
    Peoria, AZ
    Thanks all - the Wiki link helps out a lot. Looks like the only things I needed to change were Enable DNS Rebind Protection to Yes, and advertise the router as the DNS server for clients to No.
     
  10. Preskitt.man

    Preskitt.man Regular Contributor

    Joined:
    Jan 25, 2014
    Messages:
    93
    Location:
    Peoria, AZ
    Just one other question - I did go to the Cloudflare Browsing Experience Security Check site. As the Wiki suggested, the Secure DNS item had a red X, while DNSSEC and TLS 1.3 were both green. The Encrypted SNI item also had a red X. Is this an unimplemented feature in 384.11-2, an implementation error on my part, or a suspected bug in the Cloudflare site?
     
  11. Swistheater

    Swistheater Very Senior Member

    Joined:
    Jul 8, 2017
    Messages:
    982
    Location:
    Florida
    There are only a few browsers that support encrypted SNI; it is still something new to the home user.
     
  12. Preskitt.man

    Preskitt.man Regular Contributor

    Joined:
    Jan 25, 2014
    Messages:
    93
    Location:
    Peoria, AZ
    Interestingly, Android 9.0 has DoT built in as an option, and when I tested with it at the Cloudflare site, it had green check marks across the board, including encrypted SNI. In any case, I'm not so paranoid that I think this really matters. If I were living in China, I might feel differently.
     
  13. Swistheater

    Swistheater Very Senior Member

    Joined:
    Jul 8, 2017
    Messages:
    982
    Location:
    Florida
    I suspect encrypted SNI will be pretty standard at some point as more browsers come around to supporting it.
     
  14. 58chev

    58chev Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    87
    Location:
    Etobicoke, Canada
    Hope someone can help me. :confused:
    Getting frustrated with trying to get DoT set up.
    When I make the necessary changes my router shows Internet Status: Disconnected

    I have even got to the point of resetting my router and starting from scratch.
    OpenVPN Server turned on and setup. AMTM, Diversion and Skynet are the only extras installed.

    I have followed the settings here and on GitHub and I'm at a loss.
    Also followed suggestions HERE:
    tcpdump -ni eth0 -p port 53 or port 853
    Obviously all requests are using 53.

    After every change, I have to revert back to turning DoT off to get my internet connection back. :(
    Maybe someone can post up screens of your working settings?

    [Attached screenshots: ASUS Wireless Router RT-AC66U_B1 - DHCP Server; DNS-based Filtering; Internet Connection]
     
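One way to check from a capture whether DoT is actually carrying the router's queries, as an added example that is not from the thread: a Python audit over output from the tcpdump command quoted above, counting outbound segments to port 853 against plaintext queries sent to port 53. The sample lines and the WAN address 203.0.113.10 are constructed for the example.

```python
import re
from collections import Counter

# Parses the 'IP src.sport > dst.dport:' header that tcpdump prints for every
# packet. The port is the final dot-separated field, so the greedy \S+ backtracks
# to leave it for the \d+ group; this also handles IPv6 'IP6 addr.port' lines.
_HEADER = re.compile(r"\bIP6? (\S+)\.(\d+) > (?P<dst>\S+)\.(?P<dport>\d+):")
# Picks the queried name out of a plaintext UDP query such as 'A? example.com.'
_QUERY = re.compile(r"\b[A-Z]+\? (\S+)")

def audit(lines):
    """Summarise outbound resolver traffic from tcpdump lines.

    Returns (counts, leaked): counts is a Counter keyed 'dot' (TCP to port 853)
    or 'plaintext' (anything sent to port 53); leaked lists (destination, name)
    for each plaintext query. Replies (source port 53/853) are ignored so each
    query is counted once. With DoT working, counts['plaintext'] should be 0.
    """
    counts = Counter()
    leaked = []
    for line in lines:
        m = _HEADER.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport == 853:
            counts["dot"] += 1
        elif dport == 53:
            counts["plaintext"] += 1
            q = _QUERY.search(line)
            leaked.append((m.group("dst"), q.group(1) if q else "?"))
    return counts, leaked

# Constructed sample capture (not from the thread): the router's WAN address is
# 203.0.113.10; one DoT handshake and one data segment to 853, plus one query
# that escaped in the clear to 1.0.0.1:53 together with its reply.
SAMPLE = """\
10:15:01.000001 IP 203.0.113.10.43522 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
10:15:01.000200 IP 1.1.1.1.853 > 203.0.113.10.43522: Flags [S.], seq 2, ack 2, win 65535, length 0
10:15:02.000001 IP 203.0.113.10.51234 > 1.0.0.1.53: 12345+ A? example.com. (29)
10:15:02.000300 IP 1.0.0.1.53 > 203.0.113.10.51234: 12345 1/0/0 A 93.184.216.34 (45)
10:15:03.000001 IP 203.0.113.10.43523 > 1.0.0.1.853: Flags [P.], seq 1:100, ack 1, win 502, length 99
""".splitlines()

if __name__ == "__main__":
    counts, leaked = audit(SAMPLE)
    print(f"DoT segments: {counts['dot']}, plaintext queries: {counts['plaintext']}")
    for dst, name in leaked:
        print(f"  plaintext query for {name} sent to {dst}:53")
```

On a live router the same function can be fed the output of the quoted tcpdump command line by line; any entry in the leaked list means a query bypassed the DoT path.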
  15. Dabombber

    Dabombber Regular Contributor

    Joined:
    Apr 29, 2016
    Messages:
    86
    What do you have "Wan: Use local caching DNS server as system resolver (default: No)" set to on the "Tools > Other Settings" page? If it's set to Yes, try changing it to No. It could be stopping your router from getting the time, which is needed for most certificate stuff.
     
  16. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,362
    I would test entering the CloudFlare servers in Connect to DNS Servers Automatically (set it to 'No' to enter the servers you want).
     
  17. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,379
    Location:
    Canada
    Set "Wan: Use local caching DNS server as system resolver" to No on the Tools -> Other Settings page.
     
  18. 58chev

    58chev Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    87
    Location:
    Etobicoke, Canada
    L&LD likes this.