[Beta] Asuswrt-Merlin 384.11 Beta is now available

[EmeraldDeer]

Do you know of an accurate site or method I can use to confirm that TLS is working?

If you think about it, how would a website detect DNS over TLS unless it is the website of your DNS over TLS provider?

If you are using Cloudflare, then:

https://1.1.1.1/help
I would not recommend DNS over HTTPS (DoH) even if it was available

https://www.cloudflare.com/ssl/encrypted-sni/
I am not sure Encrypted SNI is available yet

 

[RMerlin]

My guess is that OVPN Server and or Client cannot start without a WAN connection and or NTP update.

That would make sense, since both of these require an accurate clock for SSL/TLS.

Also, the IPv6 listening address ( - 0::1@53 )is not added when IPv6 is enabled.

It shouldn't be required, that interface is only used for dnsmasq to communicate with it. As long dmsmasq tries to use 127.0.1.1:853, stubby will receive the query, and then forward it to the appropriate IPv6 server as needed.

 

[zaxcom]

https://www.cloudflare.com/ssl/encrypted-sni/

That site shows I am not using TLS, and I am configured to use Cloudflare DNS-TLS in the router

 

[Mutzli]

That site shows I am not using TLS, and I am configured to use Cloudflare DNS-TLS in the router

I'm getting the following:

 

[RMerlin]

I have removed the beta 1 build for both the RT-AC87U and RT-AC3100 for now. The info I have gathered so far was that Asus introduced a change to the squash compression, which does not seem to work so well. Their own RT-AC68U 45708 release suffered from the same issue.

 

[zaxcom]

I'm getting the following:
View attachment 17246

This is my router setup.

 

[bluzfanmr1]

Do you know of an accurate site or method I can use to confirm that TLS is working?

Try this?

https://www.snbforums.com/threads/p...1-with-dns-over-tls.56095/page-25#post-484597

 

[HardCat]

I am getting the following error while trying to connect to the router with ssh:

Apr 27 14:27:34 dropbear[2125]: Early exit: Bad buf_getptr

The ssh server on the router is configured for Lan Only, either password or keys. I have performed a full reset after upgrading. Any clues to what's happening here appreciated...

@RMerlin - has this been reported previously or do I have a config problem? Unable to access router via ssh.

 

[Swistheater]

I have removed the beta 1 build for both the RT-AC87U and RT-AC3100 for now. The info I have gathered so far was that Asus introduced a change to the squash compression, which does not seem to work so well. Their own RT-AC68U 45708 release suffered from the same issue.

score 1 for merlin 0 for asus devs

 

[DonnyJohnny]

i am curious to see whatever other options are recommended.. do you have any links to sources of the "experts" i would like to examine the materials.

Hi,

Sorry i didnt check thoroughly on the wiki. How to use the postconf is already in wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

 

[Swistheater]

Hi,

Sorry i didnt check thoroughly on the wiki. How to use the postconf is already in wiki
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

it works very well, but what i was referring to is the newer updated specs the stubby devs are using.

 

[zaxcom]

Try this?

https://www.snbforums.com/threads/p...1-with-dns-over-tls.56095/page-25#post-484597

Sorry if I sound like a newbie on this but where do I get the TCP Dump pkg

 

[EmeraldDeer]

This is my router setup.

I would disable DNSSEC through Stubby because it is being removed in the next release anyway.
DNSSEC will still work by proxy from dnsmasq and will be less DNS traffic.

The Cloudflare tests might work afterwards.

 

[DonnyJohnny]

That would make sense, since both of these require an accurate clock for SSL/TLS.



It shouldn't be required, that interface is only used for dnsmasq to communicate with it. As long dmsmasq tries to use 127.0.1.1:853, stubby will receive the query, and then forward it to the appropriate IPv6 server as needed.

Thx.
I am too eager to test ipv6 and didnt notice that it works with just the ipv4 listening.
Previously my firefox PC browser disable ipv6. So it didnt work. I began working on my ipad and it work with adding in ipv6 listening address. I thought it is required. haha..

 

[Swistheater]

yes it is better to use dnssec via dnsmasq as it relies more on hard coding for validation and handles caching better. --- I like the default caching is set to 1500 nice...

- on top of this alot of the dnssec features built into stubby are still under development-- makes me feel like it is not 100%

 

[DonnyJohnny]

This is my router setup.

Please choose Connect to DNS Server automatically (YES) and NO NEED dns filter!

 

[zaxcom]

I would disable DNSSEC through Stubby because it is being removed in the next release anyway.
DNSSEC will still work by proxy from dnsmasq and will be less DNS traffic.
View attachment 17249 View attachment 17250
The Cloudflare tests might work afterwards.

That worked. Turned off DNSSEC and now Cloudflare reports I am using TLS. Thanks everyone!!!!

 

[Swistheater]

I would disable DNSSEC through Stubby because it is being removed in the next release anyway.
DNSSEC will still work by proxy from dnsmasq and will be less DNS traffic.
View attachment 17249 View attachment 17250
The Cloudflare tests might work afterwards.

i believe it has already been removed in beta 1 because i am able to use just dnsmasq with gui.

 

[zaxcom]

Please choose Connect to DNS Server automatically (YES) and NO NEED dns filter!

I need the DNS filter because I have some IOT devices that have other DNS servers hard coded.

 

[EmeraldDeer]

Sorry if I sound like a newbie on this but where do I get the TCP Dump pkg

I have not used this myself yet, but:

• Tcpdump is an Entware package (opkg install tcpdump)
• If I recall correctly, it can save minimal information to a text file
• If you save a binary trace, then you will need to get the file to your PC and load it into Wireshark