
DNS Security

Discussion in 'Asuswrt-Merlin' started by Davidncali001, May 27, 2019.

  1. Davidncali001

    Davidncali001 Regular Contributor

    Joined:
    Dec 25, 2017
    Messages:
    65
    Location:
    S.F Bay Area, CA
    I am having different results using the rootcanary.org test in different browsers. I'll link some photos of my setup and some photos of rootcanary using Firefox (no red X's) and Chrome (lots of red X's).

    I have my DNS global filter set to Router.

    Could someone inform me if my setup is correct and what might be the problem? I am using the 2nd and latest beta of RMerlin's firmware: 384.12_Alpha (2).

    https://rootcanary.org/test.html
     


  2. scjr

    scjr Very Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    588
    Location:
    "While I Breathe, I Hope"
    Your settings are correct. Most test sites are showing incorrect results when using Cloudflare with validation of unsigned records enabled.

    https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

     
    Davidncali001 likes this.
  3. Davidncali001

    Davidncali001 Regular Contributor

    Joined:
    Dec 25, 2017
    Messages:
    65
    Location:
    S.F Bay Area, CA
    scjr likes this.
  4. scjr

    scjr Very Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    588
    Location:
    "While I Breathe, I Hope"
    Not sure. Someone with more experience will explain. My settings and yours are the same. I get incorrect results as well—though I haven’t tried multiple browsers.
     
    Davidncali001 likes this.
  5. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,176
    Location:
    /etc
    Because the test evaluates the browser, not the settings you have. Thus two browsers and two different results.
     
    QuikSilver, scjr and Davidncali001 like this.
  6. Davidncali001

    Davidncali001 Regular Contributor

    Joined:
    Dec 25, 2017
    Messages:
    65
    Location:
    S.F Bay Area, CA
    OK, thank you for the explanation.
     
    scjr likes this.
  7. Kingp1n

    Kingp1n Regular Contributor

    Joined:
    Feb 27, 2018
    Messages:
    182
    Should 'Connect to DNS server automatically' be set to 'Yes'?
     
  8. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,972
    Location:
    United Kingdom
    Only if you want to connect to your ISP’s DNS. But if you want to take control, and specify which DNSs you connect to, then No. And when you set No, you will see spaces for 2 domain name servers appear for you to fill with your choice.
     
    Kingp1n and Davidncali001 like this.
  9. Kingp1n

    Kingp1n Regular Contributor

    Joined:
    Feb 27, 2018
    Messages:
    182
    So if you select Yes and then enable DoT and choose Cloudflare as primary and secondary DNS, what would be the outcome?
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,574
    Location:
    UK
    The "normal" WAN DNS settings (either manual or automatic) are ignored when DoT is enabled.
     
    QuikSilver and Kingp1n like this.
  11. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,972
    Location:
    United Kingdom
    And following Colin’s answer, this might anticipate the next question.
     
    Last edited: May 27, 2019
    ColinTaylor likes this.
  12. Kingp1n

    Kingp1n Regular Contributor

    Joined:
    Feb 27, 2018
    Messages:
    182
    So in my case it doesn't matter whether I select Yes/No under 'Connect to DNS server automatically' when DoT is enabled below, correct, since the settings are ignored once DoT is enabled? I currently have 'Connect automatically' set to Yes and DoT enabled with Cloudflare DNS servers. I apologize for the noob questions.
     
    Last edited: May 27, 2019
  13. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,574
    Location:
    UK
    Correct.
     
    ChatmanR and Kingp1n like this.
  14. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    772
    The only time it could matter is for the router’s own DNS queries, depending on your value for the setting “WAN: Use local caching DNS server as system resolver”. If Yes, everything will use dnsmasq and DoT. If No, the router will use the WAN DNS servers to look up hostnames for a few specific purposes, unrelated to your LAN clients. If you don’t want your ISP DNS servers used at all, you should change that. It’s not a big deal either way, but some people have strong opinions about sharing with their ISP.
     
    ChatmanR, MDM, Davidncali001 and 2 others like this.
  15. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,397
    I think that this setting, 'Connect to DNS Servers Automatically', should be set to 'No', and the Cloudflare servers used in the fields that appear.

    When I had it set to 'Yes', I was using my ISP's DNS servers (and very slow they were for checking for script updates via amtm with 'su'). ;)

    This can be checked by looking at the resolv.conf file in /etc/.
     
    martinr, Davidncali001 and Kingp1n like this.
  16. Kingp1n

    Kingp1n Regular Contributor

    Joined:
    Feb 27, 2018
    Messages:
    182
    L&LD and all... thanks for all the support and for helping me here. I did check the resolv.conf file and when it was set to Yes, I would see the following entry: nameserver 127.0.0.1. However, I changed it to reflect 'No' and rebooted the router and now the file is empty. Is this what you were referring to? Thanks again.

    BTW, I have Comcast as my internet provider.
     
    scjr likes this.
  17. scjr

    scjr Very Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    588
    Location:
    "While I Breathe, I Hope"
    @Kingp1n,

    If you have ‘Connect to DNS Server automatically’ set to Yes or No (enter your DNS servers manually) and you’re using DoT, this setting is overridden by DNS Privacy.

    I’ve tried both ways. I settled on No and entered Cloudflare servers, because I don’t want the ISP’s servers used at all. DoT will function either way. I’ve attached my current settings.
     


    FQs19 and Kingp1n like this.
  18. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,397
    It seems like you had the 'WAN: Use local caching DNS server as system resolver' option (default 'No') in Other Settings set to 'Yes'?

    If you do, you should disable it.

    https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-16#post-494084


    Check that resolv.conf file again; it takes a moment to get populated. :)
     
    Kingp1n likes this.
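    Posts 14, 15, 16 and 18 above all come down to one check: what the router's own resolver is pointed at, as shown by /etc/resolv.conf. The following shell example is added here and is not Asuswrt-Merlin code nor code from anyone in this thread; it reads a resolv.conf-style file and reports whether the router's own lookups go to the local dnsmasq cache (127.0.0.1, so DoT applies), to the WAN servers directly, or nowhere yet (the empty file seen right after a reboot). The sample files it creates are constructed, using documentation address space rather than any real ISP server.

```shell
#!/bin/sh
# Added example (not Asuswrt-Merlin code): classify what the router's own
# resolver uses, based on the nameserver lines of a resolv.conf file.
#
#   local-cache  -> only "nameserver 127.0.0.1": the router queries dnsmasq,
#                   so its own lookups get the same DoT treatment as LAN clients
#   external     -> other addresses: the WAN DNS servers (ISP or manually
#                   entered) are used directly for the router's own lookups
#   empty        -> no nameserver line yet (seen right after a reboot, before
#                   the file is populated)
classify_resolv() {
    file=$1
    # Collect every nameserver address; comments, search and options lines are ignored.
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file" | tr '\n' ' ')
    servers=${servers% }
    if [ -z "$servers" ]; then
        echo "empty"
    elif [ "$servers" = "127.0.0.1" ] || [ "$servers" = "::1" ]; then
        echo "local-cache"
    else
        echo "external: $servers"
    fi
}

# Demo on constructed files. 203.0.113.0/24 is documentation space, not a
# real ISP resolver. On the router itself you would run:
#   classify_resolv /etc/resolv.conf
demo() {
    dir=$(mktemp -d)
    printf 'nameserver 127.0.0.1\n' > "$dir/local.conf"
    printf '# constructed WAN-side sample\nnameserver 203.0.113.1\nnameserver 203.0.113.2\n' > "$dir/wan.conf"
    : > "$dir/empty.conf"
    for f in local wan empty; do
        printf '%s: %s\n' "$f" "$(classify_resolv "$dir/$f.conf")"
    done
    rm -rf "$dir"
}
demo
```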
  19. gattaca

    gattaca Regular Contributor

    Joined:
    Feb 18, 2012
    Messages:
    105
    I love this thread. I was about to post my "setup" woes from this weekend's project. I finally, after playing with the AMTM setups since February, swapped in the Merlin + amtm + skynet + diversion + goodies on my AC86. It's now the first level router in my setup.

    The multiple DNS settings in LAN+WAN+Tools>Other are a nightmare of confusion. I spent hours reading several different threads in these forums just about the DNS settings to be sure I got them right. I got burned by the one hiding in Tools>Other because I took down DNS resolution for a few hours while I hunted it down. The natives were not happy.

    It would be GREAT if we had these posted in L&LD's most excellent setup tutorial or added to Merlin's GitHub page. I have screen caps asking a lot of the same questions. I actually think I understand which ones do what now, but for the casual user, it's just *@(@* confusing if it's not something you do often. Thanks!
     
  20. Kingp1n

    Kingp1n Regular Contributor

    Joined:
    Feb 27, 2018
    Messages:
    182
    Thanks again, I did disable it and will continue to monitor. Thanks again to all. I agree with gattaca... this should be added to Merlin's GitHub to minimize the same questions being asked over and over. I myself don't use these settings often, so I'm trying the new DoT capabilities, but as gattaca mentioned, the multiple DNS settings in LAN+WAN+Tools>Other can easily become confusing.
     
    pusb87 likes this.