DNS over TLS & EDNS Client Subnet

wordlesswind

Occasional Visitor
Hello,

I note that Asuswrt-Merlin has disabled ECS.


But is this disabled by setting the subnet to 0.0.0.0/0?

Because I have experienced problems with the use of.

Code:
dig "@router.asus.com" o-o.myaddr.google.com TXT

; <<>> DiG 9.16.34 <<>> @router.asus.com o-o.myaddr.google.com TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31621
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;o-o.myaddr.google.com.         IN      TXT

;; ANSWER SECTION:
o-o.myaddr.google.com.  180     IN      TXT     "edns0-client-subnet 120.204.17.12/0"
o-o.myaddr.google.com.  180     IN      TXT     "120.204.17.12"

;; Query time: 525 msec
;; SERVER: 192.168.50.1#53(192.168.50.1)
;; WHEN: Mon Dec 05 22:13:08 ;; MSG SIZE  rcvd: 124

The DoT server I'm using (dot.pub) seems to treat 0.0.0.0/0 as a normal ECS message.

It then returns an ECS message which causes the site's diversion to be set incorrectly.

For example vip1.loli.io will return CNAME vip1-cdn-jp1.loli.io for requests from Chinese mainland.
However, because of the /0 ECS message, the server returns information about the default line.

Code:
dig '@router.asus.com' vip1.loli.io

; <<>> DiG 9.16.34 <<>> @router.asus.com vip1.loli.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15800
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;vip1.loli.io.                  IN      A

;; ANSWER SECTION:
vip1.loli.io.           582     IN      CNAME   vip1.loli.io.cdn.cloudflare.net.
vip1.loli.io.cdn.cloudflare.net. 282 IN A       172.67.214.101
vip1.loli.io.cdn.cloudflare.net. 282 IN A       104.21.86.31

;; Query time: 9 msec
;; SERVER: 192.168.50.1#53(192.168.50.1)
;; WHEN: Mon Dec 05 22:30:02 ;; MSG SIZE  rcvd: 118

So is there a way to disable ECS without setting the subnet to 0.0.0.0/0?
Or is there an easy way to enable ECS?

Best regards,
wordlesswind
I don't disable EDNS, where did you see that?
Oh... I got it wrong, so why is there a problem with me?

Code:
kdig @dot.pub +subnet=0.0.0.0/0 +tls-ca o-o.myaddr.google.com TXT
;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 25456
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; CLIENT-SUBNET: 0.0.0.0/0/24
;; PADDING: 332 B

;; QUESTION SECTION:
;; o-o.myaddr.google.com.               IN      TXT

;; ANSWER SECTION:
o-o.myaddr.google.com.  180     IN      TXT     "edns0-client-subnet 113.96.17.244/0"
o-o.myaddr.google.com.  180     IN      TXT     "113.96.17.244"

;; Received 468 B
;; Time 2022-12-05 23:18:00 CST
;; From 120.53.53.53@853(TCP) in 370.4 ms

This problem occurs when the DoT server obtains the ECS information for the /0 network segment.

It behaves the same as if I had requested the router, so I assume that Asuswrt-Merlin disables ECS.
 
Come to think of it, that's how it behaved when I was using the official RT-AX55 firmware. So it's an error from stock.

Right now I have the AC86U as the AiMesh router and the AX55 as the node.

But I don't know how to debug it.
 
The output of Google Public DNS is similar, except that they actively block the /0 segment.

Code:
kdig @dns.google +tls-ca o-o.myaddr.google.com TXT
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16321
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 332 B

;; QUESTION SECTION:
;; o-o.myaddr.google.com.               IN      TXT

;; ANSWER SECTION:
o-o.myaddr.google.com.  60      IN      TXT     "172.253.192.11"
o-o.myaddr.google.com.  60      IN      TXT     "edns0-client-subnet 2605:*:*:*::/56"

;; Received 468 B
;; Time 2022-12-05 23:37:46 CST
;; From 2001:4860:4860::8888@853(TCP) in 107.1 ms

Code:
kdig @dns.google +subnet=0.0.0.0/0 +tls-ca o-o.myaddr.google.com TXT
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 44531
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; CLIENT-SUBNET: 0.0.0.0/0/0
;; PADDING: 379 B

;; QUESTION SECTION:
;; o-o.myaddr.google.com.               IN      TXT

;; ANSWER SECTION:
o-o.myaddr.google.com.  60      IN      TXT     "173.194.94.133"

;; Received 468 B
;; Time 2022-12-05 23:37:56 CST
;; From 2001:4860:4860::8844@853(TCP) in 109.8 ms

This is still the same as when I request DNS data from my router, when I use Google DoT at my router.

So ASUS has got something wrong in DNS Privacy.
Or ASUS just disables ECS via the /0 network segment, but this causes related problems.
 
This is configured in Stubby, and it is by design, since DNS Privacy is meant to enhance privacy:

Code:
edns_client_subnet_private: Use EDNS0 Client Subnet privacy so the client subnet is not sent to authoritative servers
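To make the /0 opt-out discussed in this thread concrete, here is an added example (not code from Stubby, Asuswrt-Merlin or any poster) that encodes the RFC 7871 Client Subnet option the way a `+subnet=0.0.0.0/0` query does and checks a response's echoed option for the two behaviours seen above: Google's `0.0.0.0/0/0` (opt-out honoured) versus dot.pub's `0.0.0.0/0/24` (treated as an ordinary subnet). The sample OPT RDATA bytes are constructed to mirror those responses, not captured from the wire.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8            # EDNS0 Client Subnet option code (RFC 7871)
ADDRESS_FAMILY = {4: 1, 6: 2}  # IANA address family numbers used in the option


def build_ecs_option(subnet: str) -> bytes:
    """Encode a full ECS option (code, length, data) for an OPT RR.
    Source prefix 0 ("0.0.0.0/0") is the RFC 7871 privacy opt-out: no address
    bytes are sent and the resolver is asked not to forward the client subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    source = net.prefixlen
    # Only ceil(source/8) address bytes go on the wire; the rest is truncated.
    addr = net.network_address.packed[: (source + 7) // 8]
    data = struct.pack("!HBB", ADDRESS_FAMILY[net.version], source, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(data: bytes) -> dict:
    """Decode the ECS option data (after the code/length header) of a response."""
    family, source, scope = struct.unpack("!HBB", data[:4])
    width = 4 if family == 1 else 16
    raw = data[4:4 + (source + 7) // 8].ljust(width, b"\0")
    return {"family": family, "address": str(ipaddress.ip_address(raw)),
            "source": source, "scope": scope}

def find_ecs_in_opt_rdata(rdata: bytes):
    """Walk the OPT RR RDATA (code/length/data triples) and return the decoded
    ECS option, or None when the resolver echoed no ECS option at all."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        if code == ECS_OPTION_CODE:
            return parse_ecs_option(rdata[pos + 4:pos + 4 + length])
        pos += 4 + length
    return None


def opt_out_honoured(ecs: dict) -> bool:
    """A conforming resolver answers a /0 request with scope 0 (Google's
    0.0.0.0/0/0 above); a larger scope, like dot.pub's 0.0.0.0/0/24, means the
    /0 was processed as an ordinary subnet rather than as an opt-out."""
    return ecs["source"] == 0 and ecs["scope"] == 0

# Constructed sample OPT RDATA modelled on the two responses in the thread (not
# captured bytes): an ECS option followed by a 4-byte padding option (code 12).
DOTPUB_LIKE = bytes.fromhex("00080004" "00010018" "000c0004" "00000000")  # 0.0.0.0/0/24
GOOGLE_LIKE = bytes.fromhex("00080004" "00010000" "000c0004" "00000000")  # 0.0.0.0/0/0
```

Feeding the OPT RDATA of a real DoT response into `find_ecs_in_opt_rdata` and then `opt_out_honoured` tells you whether a given resolver respects Stubby's `edns_client_subnet_private` request or, like dot.pub here, forwards a bogus /0 subnet and returns geo-steered answers for the default line.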
 
