ASUS RT-AC87U / FW Merlin 384.13_10 vulnerable due to dnsmasq?

[JIPG]

High temps aren't really a problem for these routers. My RT-AC87U has been running around 90 degrees Celsius for the 4 summers since I got it (spring 2017), it hasn't skipped a beat and it's still running as a champ. I'd bet it would have kept running for 5 more years if it weren't for the firmware, which is the real issue.

Ditto. Even the (in)famous WIFI 5 GHz chip has worked like a champ. I have upgraded to the AX88U just to have a better CPU and to continue using Merlin FW, but I had no regret during the five years I have been using it.

 

[Marucins]

I'm angry too. It's a pity the project has been abandoned. To be fully functional, I moved to dd-wrt

ftp://ftp.dd-wrt.com/betas/2021/02-08-2021-r45711/asus-rt-ac87u/

DD-WRT » Router Database

dd-wrt.com

 

[Jack Yaz]

I'm angry too. It's a pity the project has been abandoned. To be fully functional, I moved to dd-wrt

ftp://ftp.dd-wrt.com/betas/2021/02-08-2021-r45711/asus-rt-ac87u/

DD-WRT » Router Database

dd-wrt.com

Angry because software that is provided absolutely free of charge by someone in their free time has to end support sometime for older models? Good riddance. Have fun with DD-WRT

 

[Marucins]

The venom is already beginning. Where does this anger come from?
People above write about safety - I understand that you do not care?

 

[grifo]

I'm angry too. It's a pity the project has been abandoned. To be fully functional, I moved to dd-wrt

ftp://ftp.dd-wrt.com/betas/2021/02-08-2021-r45711/asus-rt-ac87u/

DD-WRT » Router Database

dd-wrt.com

What WAN to LAN speed do you get with dd-wrt? Does the 5 GHz radio work?

 

[GSpock]

You could install Unbound (which is easy thanks to the excellent unbound_manager script by @Martineau) as a workaround for these dnsmasq vulnerabilities and if other serious vulnerabilities don't come up too soon you could keep using your RT-AC87U until there's a good selection of wifi 6E routers, probably next year. Wifi 6E is the biggest wifi upgrade in years.

Thanks for the suggestion. I went to amtm and choose 7 to install unbound then got this message:
"unbound Manager requires the Entware repository
installed. Enter ep to install Entware now."

So, keyed-in ep and than got this:
"No compatible device(s) found to install
Entware on. A USB storage device formatted
with one of these file systems is required:
ext2, ext3, ext4
Use Format disk (fd) to format FAT or NTFS
formatted devices to ext*"

I currently indeed have a FAT USB connected to usb2.0 port. When I go with the GUI to format this disk, the choice is FAT or NTFS, there is nothing about ext*. Is it really OK to run the fd command and reformat that usb stick to ext*?
(Note that I put another USB stick in the USB3.0 port that was pre-formated in ext4, but as soon as I plugged it in, the RT-AC87U went crazy saying I was running out of nvram while indicator was at 27% !!! after one minute, the system was completely unstable, loosing all wifi .... had to power it off/on & remove that stick so that everyting was again OK)

Thx,
GS

 

[grifo]

Yes you can use amtm's fd to reformat the drive, I've never tried it but I trust @thelonelycoder did a top job with it. Of course save any data you want to keep somewhere else first then copy it back.

What USB stick is it? As with Entware and Unbound the drive activity will go up and people have reported USB sticks failures. Older good branded sticks seem to work out best, I've been using an ext2 formatted 2012 Kingston DataTraveler 100 G2 for years on my RT-AC87U and it's still going well.

 

[L&LD]

@GSpock use the amtm Step-by-Step Guide in the link in my signature below for help in preparing and setting up your USB drive properly for amtm and Entware use.

Just skip the part about 'installing' amtm, that is not needed since RMerlin 384.15_0 release final.

 

[GSpock]

@GSpock use the amtm Step-by-Step Guide in the link in my signature below for help in preparing and setting up your USB drive properly for amtm and Entware use.

Just skip the part about 'installing' amtm, that is not needed since RMerlin 384.15_0 release final.

Many thanks @L&LD, will try it.

 

[AndreasT]

Then, it is time to install the ASUS beta. It is a pity to loose the Merlin FW, but the security is first.

Not my field of expertise by far but as I understand it these specific vulnerabilities can affect the DNS forwarding client Dnsmasq in the router by brute force attacks causing buffer overflows or cache poisoning.

The solution seems simple if you don't have a lot of clients, just set up static DNS entries directly on your devices thus bypassing Dnsmasq.

As per this article:

"Another option would be to statically configure a trusted DNS server, like Cloudflare or Google DNS servers, so that DNS requests are not handled by the home router and go directly to the [remote] DNS server.

I was thinking if this would even work using static adresses for DNS in the router's DHCP setup while also disabling the advertising of the routers IP.

I hope someone who knows about these things can chime in.

 

[grifo]

Yes that would work (unless any of your end devices are themselves running an outdated version of dnsmasq) however you'd lose the benefits of malware, adware and trackers blocking by Diversion which a lot of people here use so the better solution if one can't or doesn't want to update to 386.1 is to use Unbound as resolver or forwarder instead of dnsmasq on their router.

 

[AndreasT]

Yes that would work (unless any of your end devices are themselves running an outdated version of dnsmasq) however you'd lose the benefits of malware, adware and trackers blocking by Diversion which a lot of people here use so the better solution if one can't or doesn't want to update to 386.1 is to use Unbound as resolver or forwarder instead of dnsmasq on their router.

Nice, thank you very much. Would it even work using DHCP with static servers set up in the router?

Anyway my RT-AC3200 just bought itself some time by this until I'll replace it when a 3 band wifi6 E router becomes available and is hopefully supported by Merlin sometime im the future.

I don't use Diversion so for me that is not an issue (looks interesting though). I looked into Unbound but it looked fairly complicated for a semi-noob and also needs Entware so I don't want to sink the time needed into setting it up if I can avoid it.

 

[grifo]

Yes if you set static DNS servers like Cloudflare's etc. on the DHCP page, with the "advertise the router's IP as DNS" off, only those will be advertised to your end devices and they will bypass the router's dnsmasq. If you have any end device with manually configured IPs you'll have to change their DNS servers manually. DNS requests from the router itself would still be vulnerable.

BTW it's not difficult to set up Entware and Unbound via amtm, it's worth checking out @L&LD's guide.

 

[AndreasT]

Yes if you set static DNS servers like Cloudflare's etc. on the DHCP page, with the "advertise the router's IP as DNS" off, only those will be advertised to your end devices and they will bypass the router's dnsmasq.

Sweet, thanks again. I'll look into those addons as time permits, for now those vulnerabilities are adressed for me.

 

[grifo]

You're welcome. It's also worth mentioning that if you're not using the addons and don't absolutely need any of the Merlin specific features you could well go back to Asus stock firmware that has these vulnerabilities already fixed.

 

[AndreasT]

There are other reasons why I'm using Merlin, such as custom DDNS, cron and VPN routing off the top of my head so I really don't want to go back