384.11 Secure DNS

[Preskitt.man]

I installed 384.11-2. I then went to the WAN DNS page to implement DNSSEC. There was this message underneath the select box for DNS Privacy Protocol:
Your router's DHCP server is configured to provide a DNS server that's different from your router's IP address. This will prevent clients from using the DNS Privacy servers."
The WAN page currently point DNS1/2 to 1.1.1.1 and 1.0.0.1
I went over to the DHCP page, and DNS Server1/2 also pointed 1.1.1.1 and 1.0.0.1.
What am I missing?

 

[dave14305]

Clients will be told to use 1.1.1.1 directly instead of using the router and DoT (DNS Privacyj. Clear the DHCP DNS entries and advertise the router as the DNS server for clients.

 

[Preskitt.man]

Thanks!

Cleared the DNS entries on the DHCP page and clicked Yes on Advertise the Routers IP. Applied these settings, and the warning message went away. On the DNS page, I configured as follows:
DNS Server 1/2 : 1.1.1.1 1.0.0.1
Forward Local Domain Queries to Upstream DNS: No
Enable DNS Rebind Protection: No
Enable DNSSEC: Yes
Validate Unsigned DNSSEC replies: Yes
DNS Privacy Protocol : DoT
DNS over TLS Profile : Strict
Preset Servers: Selected Cloudfare 1.1.1.1 and 1.0.0.1

Obviously a bunch of new settings here - Not sure if all are selected for best use. Help file on this would sure be nice. Good news is, at a minimum, DNS is working on my networks.

 

[ColinTaylor]

... and advertise the router as the DNS server for clients.

I know I've laboured this point before but I'm really uncomfortable when people recommend setting this value to "Yes". Two reasons:

1. The setting isn't "Advertise the router as the DNS". The actual setting is "Advertise router's IP in addition to user-specified DNS". So the setting is not applicable when there are no user-specified DNSs. (Therefore telling people to change it is misleading)

2. When people do want to set user-specified DNS(s) they could easily miss changing this back to "No". In such a situation the clients would also be using the router's DNS which is probably not what they intended.

 

[Treadler]

Thanks!

Cleared the DNS entries on the DHCP page and clicked Yes on Advertise the Routers IP. Applied these settings, and the warning message went away. On the DNS page, I configured as follows:
DNS Server 1/2 : 1.1.1.1 1.0.0.1
Forward Local Domain Queries to Upstream DNS: No
Enable DNS Rebind Protection: No
Enable DNSSEC: Yes
Validate Unsigned DNSSEC replies: Yes
DNS Privacy Protocol : DoT
DNS over TLS Profile : Strict
Preset Servers: Selected Cloudfare 1.1.1.1 and 1.0.0.1

Obviously a bunch of new settings here - Not sure if all are selected for best use. Help file on this would sure be nice. Good news is, at a minimum, DNS is working on my networks.

Looks like you’re on the right track now.

This may help?..........
https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

 

[Marin]

Enable DNS Rebind Protection: No

You would benefit by setting this as "Yes"

 

[Treadler]

You would benefit by setting this as "Yes"

I missed that, yes, yes!

 

[dave14305]

I know I've laboured this point before but I'm really uncomfortable when people recommend setting this value to "Yes".

Yes, but the guy in that thread wasn’t nearly as smart as me.

I shall temper my enthusiasm for extra DNS directives.

 

[Preskitt.man]

Thanks all - the Wiki link helps out a lot. Looks like the only things I needed to change was the Enable DNS rebind protection to Yes, and advertise the router as the DNS server for clients to No.

 

[Preskitt.man]

Just one other question - I did go to the Cloudfare Browsing experience security check site. As the Wiki suggested, the Secure DNS site had a Red X, while DNSSEC and TLS 1.3 were both Green. The Encrypted SNI also had the Red X. Is this an unimplemented feature in 384.11-2, an implementation error on my part, or suspected bug in the Cloudfare site.

 

[Swistheater]

There are only a few browsers that support encrypted sni it is still something new to the home user

 

[Preskitt.man]

interestingly, Android 9.0 has DoT built in as an option, and when I tested with it at the Cloudfare site, had Green check marks across the board, including encrypted SNI. In any case, not so paranoid that I think this really matters. If I were living in China, might feel differently.

 

[Swistheater]

interestingly, Android 9.0 has DoT built in as an option, and when I tested with it at the Cloudfare site, had Green check marks across the board, including encrypted SNI. In any case, not so paranoid that I think this really matters. If I were living in China, might feel differently.

I suspect encrypted sni will be pretty standard at some point as more browsers come around to supporting it.

 

[58chev]

Hope someone can help me.
Getting frustrated with trying to get DoT set up.
When I make the necessary changes my router shows Internet Status: Disconnected

I have even got to the point of resetting my router and starting from scratch.
OpenVPN Server turned on and setup. AMTM, Diversion and Skynet are the only extras installed.

I have followed the settings here and on github and I'm at a loss.
Also followed suggestions HERE
tcpdump -ni eth0 -p port 53 or port 853 Obviously all requests are using 53

After every change, I have to revert back to turning DoT off to get my internet connection back.
Maybe someone can post up screens of your working settings?

 

[Dabombber]

What do you have "Wan: Use local caching DNS server as system resolver (default: No)" set to in the "Tools > Other Settings" page. If it's set to Yes, try changing it to No. It could be stopping your router from getting the time, which is needed for most certificate stuff.

 

[L&LD]

Hope someone can help me.
Getting frustrated with trying to get DoT set up.
When I make the necessary changes my router shows Internet Status: Disconnected

I have even got to the point of resetting my router and starting from scratch.
OpenVPN Server turned on and setup. AMTM, Diversion and Skynet are the only extras installed.

I have followed the settings here and on github and I'm at a loss.
Also followed suggestions HERE
tcpdump -ni eth0 -p port 53 or port 853 Obviously all requests are using 53

After every change, I have to revert back to turning DoT off to get my internet connection back.
Maybe someone can post up screens of your working settings?

View attachment 17828 View attachment 17829 View attachment 17830

I would test entering the CloudFlare servers in Connect to DNS Servers Automatically (set it to 'No' to enter the servers you want).

 

[RMerlin]

Set "Wan: Use local caching DNS server as system resolver " to No on the Tools -> Other Settings page.

 

[58chev]

@Dabombber @L&LD @RMerlin
Thanks folks that seems to have done it.