
DoT and DNSSEC on 384.12

Discussion in 'Asuswrt-Merlin' started by Mutzli, Jun 24, 2019.

  1. Mutzli

    Mutzli Senior Member
    I'm not sure if my router is configured correctly and if the DoT and DNSSEC implementation is working. I did some checking today to see if Stubby is working and if all DNS requests are secured. The first thing I found was that not all traffic is going through port 853. I did a tcpdump of port 53 and port 853, and this was sent over port 53:
    tcpdump -ni eth0 -p port 53 or port 853
    11:25:17.413366 IP My.IP.Add.ress.50132 > 1.1.1.1.53: 57361+ A? dns.msftncsi.com. (34)
    11:25:17.413820 IP My.IP.Add.ress.50132 > 1.1.1.1.53: 61713+ AAAA? dns.msftncsi.com. (34)
    11:25:17.422094 IP 1.1.1.1.53 > My.IP.Add.ress.50132: 57361 1/0/0 A 131.107.255.255 (50)
    11:25:17.426938 IP 1.1.1.1.53 > My.IP.Add.ress.50132: 61713 1/0/0 AAAA fd3e:4f5a:5b81::1 (62)

    So then I checked netstat -lnptu and it reported tcp and udp on 127.0.1.1:53 instead of 127.0.1.1:853:
    netstat -lnptu | grep stubby
    tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 3025/stubby
    udp 0 0 127.0.1.1:53 0.0.0.0:* 3025/stubby

    Furthermore, stubby -l showed that my DNSSEC validation is OFF, even though I have it active in the router settings. Here is the log from stubby -l:
    stubby -l
    [16:03:48.475418] STUBBY: Read config from file /etc/stubby/stubby.yml
    [16:03:48.475764] STUBBY: DNSSEC Validation is OFF
    [16:03:48.475805] STUBBY: Transport list is:
    [16:03:48.475839] STUBBY: - TLS
    [16:03:48.475872] STUBBY: Privacy Usage Profile is Strict (Authentication required)
    [16:03:48.475908] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
    [16:03:48.475942] STUBBY: Starting DAEMON....
    [16:03:49.598074] STUBBY: 1.1.1.1 : Upstream : Could not setup TLS capable TFO connect
    [16:03:49.598553] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
    [16:03:49.598776] STUBBY: 1.0.0.1 : Upstream : Could not setup TLS capable TFO connect
    [16:03:49.598919] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
    [16:03:49.599056] STUBBY: 2606:4700:4700::1111 : Upstream : Could not setup TLS capable TFO connect
    [16:03:49.599242] STUBBY: 2606:4700:4700::1111 : Conn opened: TLS - Strict Profile
    [16:03:49.599368] STUBBY: 2606:4700:4700::1001 : Upstream : Could not setup TLS capable TFO connect
    [16:03:49.599485] STUBBY: 2606:4700:4700::1001 : Conn opened: TLS - Strict Profile

    And here is my router config:
    [screenshot of the router's DNS configuration]

    What am I missing?

  2. L&LD

    L&LD Part of the Furniture
    Do you have DNS filter set to Router?

  3. bbunge

    bbunge Very Senior Member
    You are missing nothing. Stubby is working as intended, passing data to and from Dnsmasq on port 53 @ 127.0.1.1. Dnsmasq is doing the DNSSEC, not Stubby (while it is possible to do DNSSEC via Stubby, which is my preference). There is plenty of reading on the DoT/DNSSEC topic if you search for it on this forum.

    Also, running stubby -l by default will show that DNSSEC is not enabled in Stubby.

    See: https://www.snbforums.com/threads/dns-over-tls-problem.57247/

  4. dave14305

    dave14305 Very Senior Member
    The port 53 queries are from the router itself due to the new 384.12 default setting of "No" for "Wan: Use local caching DNS server as system resolver" (Tools-Other Settings). Client requests will still go through Stubby.

    If you want the DNS checks to go through Stubby, change the setting to Yes. I wouldn't recommend it necessarily, since you may want the router to function for itself even if there is a problem with dnsmasq or stubby.

    If you want to disable the dns checks, run
    Code:
    nvram set dns_probe_content=""
    nvram commit

  5. Mutzli

    Mutzli Senior Member
    Thank you for the explanation, it makes perfect sense. Just wanted to make sure everything is working as intended.

  6. QuikSilver

    QuikSilver Senior Member
    Just an FYI... it's my understanding that you don't need anything set in the WAN DNS 1 or 2 boxes when you have DoT enabled and configured.

  7. dave14305

    dave14305 Very Senior Member
    Not true in all cases, especially with the new defaults in 384.12.

  8. kowra

    kowra Occasional Visitor
    Sorry for hijacking the thread, but I did the OP's steps and can't find tcpdump to test it. Can you elaborate on how to test that this is working correctly?

    Firefox (without DoT configured) on https://www.cloudflare.com/ssl/encrypted-sni/ reported:
    Secure DNS ?
    DNSSEC YES
    TLS 1.3 YES
    Encrypted SNI X

    PS: are the nvram commands above to stop the annoying connections to dns.msftncsi.com?

  9. dave14305

    dave14305 Very Senior Member
    Yes.

  10. Swistheater

    Swistheater Very Senior Member
    Have you figured out the issue yet? The traffic you are seeing is due to the Wan: DNS system resolver option being set to NO.
    [screenshot of the Wan: DNS system resolver setting]
    This is telling your router to check with the DNS server you have specified in WAN DNS 1 and WAN DNS 2 whether there is an internet connection; however, this is not traffic generated by your clients.
    Your clients' traffic should be traversing port 853. All of your "router's traffic" will show up on port 53, which is your router talking to your ISP DNS or WAN DNS 1 & 2 to see if the internet is connected. When you have the Wan: system resolver option set to YES (local caching) instead of NO, you would see similar router traffic on port 53 on the lo interface; when you have NO selected, it appears on eth0 on port 53.

    If you turn off this option on the Administration tab
    [screenshot of the option on the Administration tab]
    you won't see as much of this traffic on port 53.

    To fully appreciate this, you can temporarily set the Wan: system resolver option to YES and tcpdump port 53 using the following (note that eth0 will now show no traffic):
    tcpdump -ni lo -p port 53
    You will see this same traffic when you set the option back to NO, using:
    tcpdump -ni eth0 -p port 53

    That is because the network monitor option is using a different method to tell whether your router has internet connection.

    This is correct, but if you wanted you could specify a WAN DNS 1 and 2; this will tell Stubby not to use your ISP as resolver and to use whatever you specify, but this is not really relevant to the overall function of Stubby.
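As an added example (not code from any poster in this thread), a small POSIX shell/awk script that applies the port 53 vs port 853 distinction from the posts above to tcpdump output: it counts outbound DoT packets, the router's own dns.msftncsi.com probe queries, and any other plaintext port-53 query, which is what a defender would want flagged. The sample capture lines and the 192.0.2.10 address are constructed, and the function name classify_dns_capture is an assumption.

```shell
#!/bin/sh
# Classify output of the check used in this thread:
#   tcpdump -ni eth0 -p port 53 or port 853
# Outbound port 853 packets are DoT (Stubby -> upstream). Outbound port 53
# queries for dns.msftncsi.com are the router's own connectivity probe
# (the "system resolver = No" default discussed above). Any other outbound
# port 53 query is plaintext DNS that bypassed Stubby and deserves a look.
# Uses only busybox-compatible awk, so it can run on the router itself.

# Constructed sample lines (192.0.2.10 is a documentation address, not a real
# router). Line 2 is a reply, line 3 is a DoT SYN, line 4 is a leaked query.
SAMPLE_LINES='11:25:17.413366 IP 192.0.2.10.50132 > 1.1.1.1.53: 57361+ A? dns.msftncsi.com. (34)
11:25:17.422094 IP 1.1.1.1.53 > 192.0.2.10.50132: 57361 1/0/0 A 131.107.255.255 (50)
11:25:18.100000 IP 192.0.2.10.41000 > 1.1.1.1.853: Flags [S], seq 0, win 64240, length 0
11:25:19.200000 IP 192.0.2.10.50133 > 9.9.9.9.53: 12345+ A? example.com. (29)'

# Reads tcpdump lines on stdin and prints one summary line.
classify_dns_capture() {
  awk -v probe="dns.msftncsi.com." '
    /^[0-9:.]+ IP6? / {
      dst = $5; sub(/:$/, "", dst)          # "1.1.1.1.53:" -> "1.1.1.1.53"
      n = split(dst, p, "."); dport = p[n]  # last dot-separated field is the port
      if (dport == "853") { dot++; next }
      if (dport != "53") next               # replies and unrelated packets
      qname = ""
      for (i = 6; i <= NF; i++) if ($i ~ /\?$/) { qname = $(i + 1); break }
      if (qname == "") other++              # e.g. a TCP handshake on port 53
      else if (qname == probe) probe_q++
      else { leak++; leaked = (leaked == "" ? qname : leaked "," qname) }
    }
    END {
      printf "dot=%d probe=%d leak=%d other53=%d", dot + 0, probe_q + 0, leak + 0, other + 0
      if (leaked != "") printf " leaked=%s", leaked
      printf "\n"
    }'
}

# Offline run on the sample. On the router, pipe a live capture instead:
#   tcpdump -ni eth0 -p port 53 or port 853 -c 200 2>/dev/null | classify_dns_capture
printf '%s\n' "$SAMPLE_LINES" | classify_dns_capture
```

A non-zero leak count means something on the router sent plaintext DNS to an external resolver other than the connectivity probe; note that client traffic already translated by NAT shows the router's WAN address, so capture on the LAN side too if you need to attribute a leak to a specific client.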
  11. Mutzli

    Mutzli Senior Member

    Thanks for digging in a little deeper with port 53 and port 853. I'll try your suggestions next week, I'm currently out of town.
    Regarding manually entering a DNS server, isn't that only relevant when restarting the router, so that a resolver is specified for any requests made before Stubby is up and running?

  12. gattaca

    gattaca Regular Contributor
  13. Swistheater

    Swistheater Very Senior Member
    Yes, this was just to help explain in detail why he was seeing the results he was seeing, to clear up confusion.