DNS Security

Davidncali001

Regular Contributor
I am having different results using the rootcanary.org test in different browsers. I'll link some photos of my setup and some photos of rootcanary using Firefox (no red X's) and Chrome (lots of red X's)

I have my DNS global filter set to Router.

Could someone inform me if my setup is correct and what might be the problem? I am using the 2nd and latest beta of RMerlin's firmware: 384.12_Alpha (2).

https://rootcanary.org/test.html
 

Attachments: wanside.jpg, lanside.jpg, othersettings.jpg, firefox.jpg, chrome.jpg
Your settings are correct. Most test sites show incorrect results when using Cloudflare with validation of unsigned records enabled.

https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

NOTE: There is currently an issue with the popular DoT/DoH test site provided by Cloudflare where it will fail to use properly signed DNSSEC hostnames during the test, causing the test to fail to correctly detect that you are using DoT. This does not indicate that your setup doesn't work, and is something that will hopefully eventually be fixed by Cloudflare. You can avoid this by temporarily disabling validation of unsigned records, however it is recommended to re-enable that option afterward.
 
Thank you, but why the different rootcanary results using different browsers?
Not sure. Someone with more experience will explain. My settings and yours are the same. I get incorrect results as well—though I haven’t tried multiple browsers.
 
Because the test evaluates the browser not the settings you have. Thus two browsers and two different results.
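Since a browser-based test page reports on the browser's resolution path rather than on the router, the check a practitioner actually wants is one made against the resolver directly. The following script is an added example and is not code from the thread or from the Asuswrt-Merlin project. It assumes that dig is available on a LAN client, that the router's dnsmasq answers on the LAN address passed as the second argument (192.168.1.1 by default), that isc.org is a correctly signed zone and that dnssec-failed.org is a deliberately broken one. The parsing functions read dig output from stdin, so the script also runs offline against the constructed sample headers embedded below.

```shell
#!/bin/sh
# Added example (not from the thread): check DNSSEC validation at the resolver
# itself with dig, instead of trusting a browser-side test page. Assumptions:
# dig is installed on a LAN client, the router's dnsmasq answers on the LAN IP
# given as $2 (default 192.168.1.1), "isc.org" is a correctly signed zone and
# "dnssec-failed.org" is a deliberately broken one. The parsing functions read
# dig output on stdin, so they can also be exercised offline with the
# constructed samples below.

# "yes" if the dig header line carries the AD (authenticated data) flag.
dig_ad_flag() {
    if grep -q '^;; flags:.* ad[; ]'; then echo yes; else echo no; fi
}

# Print the RCODE (NOERROR, SERVFAIL, ...) from the dig header line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# $1 = dig output for a signed zone, $2 = dig output for a bogus zone.
# A validating resolver sets AD on the good answer and SERVFAILs the bogus one.
validation_verdict() {
    ad=$(printf '%s\n' "$1" | dig_ad_flag)
    st=$(printf '%s\n' "$2" | dig_status)
    if [ "$ad" = yes ] && [ "$st" = SERVFAIL ]; then
        echo validating
    elif [ "$ad" = yes ]; then
        # AD set but bogus data was served: the AD bit is not trustworthy here
        echo ad-set-but-bogus-accepted
    else
        echo not-validating
    fi
}

# Constructed sample dig headers (not captured from a real resolver).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = live ]; then
    # Live mode: ask the router's dnsmasq for a good and a bogus signed name.
    RESOLVER=${2:-192.168.1.1}
    good=$(dig +dnssec @"$RESOLVER" isc.org A)
    bad=$(dig +dnssec @"$RESOLVER" dnssec-failed.org A)
    echo "resolver $RESOLVER: $(validation_verdict "$good" "$bad")"
else
    # Offline demo on the constructed samples.
    echo "offline demo: $(validation_verdict "$SAMPLE_VALIDATED" "$SAMPLE_BOGUS")"
    echo "offline demo: $(validation_verdict "$SAMPLE_UNVALIDATED" "$SAMPLE_UNVALIDATED")"
fi
```

Run it as `sh check_dnssec.sh live 192.168.1.1` from a LAN client. A resolver that returns the good answer with AD set but still hands back an answer for the broken zone is not validating, whatever a test page says; with validation of unsigned records disabled, unsigned zones will simply come back NOERROR without AD, which is expected and not a failure.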
 
OK, thank you for the explanation.
 
Should the connect to DNS server automatically be set to 'yes'?
 
Only if you want to connect to your ISP's DNS. But if you want to take control and specify which DNS servers you connect to, then No. When you set No, you will see spaces for two domain name servers appear for you to fill in with your choice.

So if you select Yes and then enable DoT and choose Cloudflare as primary and secondary DNS, what would be the outcome?
 
The "normal" WAN DNS settings (either manual or automatic) are ignored when DoT is enabled.

So in my case it doesn't matter whether I select Yes/No under "Connect to DNS server automatically" when DoT is enabled below, correct, since the settings are ignored once DoT is enabled? I currently have "Connect automatically" set to Yes and DoT enabled with Cloudflare DNS servers. I apologize for the noob questions.
 
Correct.
 
The only time it could matter is for the router's own DNS queries, depending on your value for the setting "WAN: Use local caching DNS server as system resolver". If Yes, everything will use dnsmasq and DoT. If No, the router will use the WAN DNS servers to look up hostnames for a few specific purposes, unrelated to your LAN clients. If you don't want your ISP DNS servers used at all, you should change that. It's not a big deal either way, but some people have strong opinions about sharing with their ISP.
 
I think that this setting, "Connect to DNS Servers Automatically", should be set to "No", and the Cloudflare servers used in the fields that appear.

When I had it set to 'Yes', I was using my ISP's DNS servers (and very slow they were for checking for script updates via amtm with 'su'). ;)

This can be checked by looking at the resolv.conf file in /etc/
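The two posts above describe the same thing from two angles: the "system resolver" option decides whether the router's own lookups go through dnsmasq (127.0.0.1 in resolv.conf) or straight to the WAN DNS servers, and resolv.conf is where that decision is visible. The script below is an added example, not code from the thread or from the Asuswrt-Merlin firmware, that reads that state from the files instead of the web UI. It assumes the files are /etc/resolv.conf and /etc/dnsmasq.conf on the router, that a loopback nameserver means dnsmasq, that any non-loopback nameserver means the WAN (ISP-assigned or manually entered) servers are used directly, and that a dnsmasq "server=127.0.1.1" line is the local stubby DoT forwarder; that last point is an assumption about the firmware's layout, not something the thread states. All sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): read the router's own resolver state
# from its config files rather than from the web UI. Assumptions: the files are
# /etc/resolv.conf and /etc/dnsmasq.conf on the router; "nameserver 127.0.0.1"
# means the router's own queries go through dnsmasq (system-resolver option set
# to Yes); any non-loopback nameserver means the WAN DNS servers (ISP-assigned
# when "Connect to DNS Server automatically" is Yes) are used directly; a
# dnsmasq "server=127.0.1.1" line is assumed to be the local stubby DoT
# forwarder. The samples below are constructed, not captured from a router.

# Print local / wan / empty for a resolv.conf given as $1.
resolver_mode() {
    servers=$(sed -n 's/^nameserver[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
    # No nameserver lines: seen for a moment right after a reboot, re-check later.
    [ -n "$servers" ] || { echo empty; return 0; }
    for s in $servers; do
        case $s in
            127.*|::1) ;;                  # loopback: dnsmasq is the system resolver
            *) echo wan; return 0 ;;       # a real WAN/ISP address is used directly
        esac
    done
    echo local
}

# Print the upstream addresses dnsmasq forwards to (server= lines, port stripped).
dnsmasq_upstreams() {
    sed -n 's/^server=\([^#[:space:]]*\).*/\1/p' "$1"
}

# Human-readable summary for one resolv.conf ($1) + dnsmasq.conf ($2) pair.
report() {
    mode=$(resolver_mode "$1")
    case $mode in
        local) echo "router system resolver: dnsmasq (loopback)" ;;
        wan)   echo "router system resolver: WAN DNS servers, bypassing dnsmasq/DoT for the router's own lookups" ;;
        empty) echo "resolv.conf has no nameserver yet (still being populated?)" ;;
    esac
    for up in $(dnsmasq_upstreams "$2"); do
        case $up in
            127.0.1.1) echo "dnsmasq upstream: $up (assumed stubby DoT listener)" ;;
            *)         echo "dnsmasq upstream: $up (plain DNS)" ;;
        esac
    done
}

# Constructed samples (TEST-NET-3 addresses stand in for ISP resolvers).
TMP=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$TMP/resolv.local"
printf 'nameserver 203.0.113.53\nnameserver 203.0.113.54\n' > "$TMP/resolv.wan"
: > "$TMP/resolv.empty"
printf 'server=127.0.1.1#53\n' > "$TMP/dnsmasq.dot"
printf 'server=203.0.113.53\nserver=203.0.113.54\n' > "$TMP/dnsmasq.plain"

if [ "${1:-}" = live ] && [ -r /etc/resolv.conf ] && [ -r /etc/dnsmasq.conf ]; then
    # Live mode: run on the router itself.
    report /etc/resolv.conf /etc/dnsmasq.conf
else
    # Offline demo on the constructed samples.
    report "$TMP/resolv.local" "$TMP/dnsmasq.dot"
    report "$TMP/resolv.wan" "$TMP/dnsmasq.plain"
    report "$TMP/resolv.empty" "$TMP/dnsmasq.dot"
fi
```

Run it as `sh resolver_state.sh live` over SSH on the router. The "empty" case is deliberate: resolv.conf is rewritten when the WAN comes up, so an empty file a few seconds after a reboot is not a misconfiguration, only a reason to look again.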
 
L&LD and all, thanks for all the support and for helping me here. I did check the resolv.conf file, and when it was set to Yes I would see the following entry: nameserver 127.0.0.1. However, I changed it to 'No' and rebooted the router, and now the file is empty. Is this what you were referring to? Thanks again.

BTW, I have Comcast as my internet provider.
 
@Kingp1n,

If you have ‘Connect to DNS Server automatically’ set to Yes or No (enter your DNS servers manually) and you’re using DoT, this setting is overridden by DNS Privacy.

I’ve tried both ways. I settled on No and entered Cloudflare servers, because I don’t want the ISP’s servers used at all. DoT will function either way. I’ve attached my current settings.
 

Attachments: three screenshots of the current settings
It seems like you had the "WAN: Use local caching DNS server as system resolver (default: No)" option in Other Settings set to 'Yes'?

If you do, you should disable it.

https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-16#post-494084


Check that resolv.conf file again, it takes a moment to get populated. :)
 
I love this thread. I was about to post my "setup" woes from this weekend's project. I finally, after playing with the AMTM setups since February, swapped in the Merlin + amtm + skynet + diversion + goodies on my AC86. It's now the first level router in my setup.

The multiple DNS settings in LAN+WAN+Tools>Other are a nightmare of confusion. I spent hours reading several different threads in these forums just about the DNS settings to be sure I got them right. I got burned by the one hiding in Tools>Other b/c I took down the DNS resolution for a few hours while I hunted it down. The natives were not happy.

It would be GREAT if we had these posted into L&LD's most excellent setup tutorial or added to Merlin's GitHub page. I have screen caps asking a lot of the same questions. I actually think I understand which ones do what now, but for the casual user it's just *@(@* confusing if it's not something you do often. Thanks!
 
Thanks again. I did disable it and will continue to monitor. Thanks again to all. I agree with gattaca: this should be added to Merlin's GitHub to minimize the same questions being asked over and over. I myself don't use these settings often, so I'm trying the new DoT capabilities, but as gattaca mentioned, the multiple DNS settings in LAN+WAN+Tools>Other can easily become confusing.
 
