DoT and DNSSEC on 384.12


Mutzli

Very Senior Member
I'm not sure if my router is configured correctly and if the DoT and DNSSEC implementation is working. I did some checking today to see if Stubby is working and if all DNS requests are secured. The first thing I found was that not all traffic is going through port 853. I did a tcpdump of port 53 and port 853, and this was sent over port 53:
tcpdump -ni eth0 -p port 53 or port 853
11:25:17.413366 IP My.IP.Add.ress.50132 > 1.1.1.1.53: 57361+ A? dns.msftncsi.com. (34)
11:25:17.413820 IP My.IP.Add.ress.50132 > 1.1.1.1.53: 61713+ AAAA? dns.msftncsi.com. (34)
11:25:17.422094 IP 1.1.1.1.53 > My.IP.Add.ress.50132: 57361 1/0/0 A 131.107.255.255 (50)
11:25:17.426938 IP 1.1.1.1.53 > My.IP.Add.ress.50132: 61713 1/0/0 AAAA fd3e:4f5a:5b81::1 (62)

So then I checked netstat -lnptu and it reported tcp and udp on 127.0.1.1:53 instead of 127.0.1.1:853:
netstat -lnptu | grep stubby
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 3025/stubby
udp 0 0 127.0.1.1:53 0.0.0.0:* 3025/stubby

Furthermore, stubby -l showed that DNSSEC validation is OFF, even though I have it active in the router settings. Here is the log from stubby -l:
stubby -l
[16:03:48.475418] STUBBY: Read config from file /etc/stubby/stubby.yml
[16:03:48.475764] STUBBY: DNSSEC Validation is OFF
[16:03:48.475805] STUBBY: Transport list is:
[16:03:48.475839] STUBBY: - TLS
[16:03:48.475872] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[16:03:48.475908] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[16:03:48.475942] STUBBY: Starting DAEMON....
[16:03:49.598074] STUBBY: 1.1.1.1 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.598553] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[16:03:49.598776] STUBBY: 1.0.0.1 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.598919] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[16:03:49.599056] STUBBY: 2606:4700:4700::1111 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.599242] STUBBY: 2606:4700:4700::1111 : Conn opened: TLS - Strict Profile
[16:03:49.599368] STUBBY: 2606:4700:4700::1001 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.599485] STUBBY: 2606:4700:4700::1001 : Conn opened: TLS - Strict Profile

And here is my router config:
[attachment: screenshot of the router's WAN DNS settings, 2019-06-24]


What am I missing?
 
Do you have DNS filter set to Router?
 
You are missing nothing. Stubby is working as intended, passing data to and from Dnsmasq on port 53 @ 127.0.1.1. Dnsmasq is doing the DNSSEC, not Stubby (while it is possible to do DNSSEC via Stubby, which is my preference). There is plenty of reading on the DoT/DNSSEC topic if you search for it on this forum.

Also, running stubby -l by default will show that DNSSEC is not enabled in Stubby.

See: https://www.snbforums.com/threads/dns-over-tls-problem.57247/
 
The port 53 queries are from the router itself, due to the new 384.12 default setting of "No" for "Wan: Use local caching DNS server as system resolver" (Tools > Other Settings). Client requests will still go through Stubby.

If you want the DNS checks to go through Stubby, change the setting to Yes. I wouldn't necessarily recommend it, since you may want the router to function for itself even if there is a problem with dnsmasq or stubby.

If you want to disable the dns checks, run
Code:
nvram set dns_probe_content=""
nvram commit
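An added check script (editorial example, not code from the thread's posters or from Asuswrt-Merlin) that turns the two replies above into something you can run on the router: it confirms that Stubby owns 127.0.1.1:53, that dnsmasq forwards only to Stubby and carries the dnssec directive, and, from the nvram values, whether a plaintext connectivity probe for the router itself is expected on the WAN. The file locations and nvram names (/etc/dnsmasq.conf with its upstream list in /tmp/resolv.dnsmasq, dns_local_cache, dns_probe_host, dns_probe_content) are assumptions based on 384.12 and should be confirmed on your firmware; the netstat output and dnsmasq config embedded in the script are constructed samples so the checks also run off the router.

```shell
#!/bin/sh
# Added example; not the thread's or Asuswrt-Merlin's own code. Checks the
# resolver chain the replies describe: dnsmasq (LAN :53, DNSSEC validation)
# -> Stubby (127.0.1.1:53) -> DoT upstreams on :853. Every check takes its
# input as text so the logic runs offline on the constructed samples below;
# the last block feeds it live data when run on the router.
# Assumptions (verify on your firmware): upstream list for dnsmasq is the
# "server=" lines in /etc/dnsmasq.conf plus /tmp/resolv.dnsmasq; nvram names
# dns_local_cache, dns_probe_host and dns_probe_content as on 384.12.

# 1. Stubby must own 127.0.1.1:53 for both tcp and udp ($1 = netstat -lnptu output).
check_stubby_listener() {
    printf '%s\n' "$1" | grep -q '^tcp .*127\.0\.1\.1:53 .*stubby' &&
    printf '%s\n' "$1" | grep -q '^udp .*127\.0\.1\.1:53 .*stubby'
}

# 2. dnsmasq must forward only to Stubby ($1 = combined dnsmasq config text).
#    Any other "server=" line is a path around DoT, so it fails the check.
check_dnsmasq_forwarding() {
    conf=$(printf '%s\n' "$1" | grep -v '^#') || true
    printf '%s\n' "$conf" | grep -qx 'no-resolv' || return 1
    printf '%s\n' "$conf" | grep -qx 'server=127\.0\.1\.1#53' || return 1
    ! printf '%s\n' "$conf" | grep '^server=' | grep -qv '^server=127\.0\.1\.1#53$'
}

# 3. DNSSEC validation is dnsmasq's job here, which is why "stubby -l" reports
#    it OFF ($1 = combined dnsmasq config text).
check_dnsmasq_dnssec() {
    printf '%s\n' "$1" | grep -v '^#' | grep -qx 'dnssec'
}

# 4. With dns_local_cache=0 the router itself resolves via the WAN DNS servers
#    in the clear, and its connectivity probe (dns_probe_host, expected answer
#    dns_probe_content) is what shows up on port 53. Returns 0 when such a
#    plaintext probe will leave the WAN. $1 = dns_local_cache, $2 = dns_probe_content.
probe_leaves_wan() {
    [ "$1" != "1" ] && [ -n "$2" ]
}

# Constructed samples mirroring the thread's netstat output and a minimal config.
SAMPLE_NETSTAT='tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      3025/stubby
udp        0      0 127.0.1.1:53            0.0.0.0:*                           3025/stubby'
SAMPLE_DNSMASQ_CONF='# constructed sample
no-resolv
server=127.0.1.1#53
dnssec'

# $1 netstat text, $2 dnsmasq config text, $3 dns_local_cache, $4 dns_probe_content, $5 dns_probe_host
report() {
    rc=0
    check_stubby_listener "$1"    && echo "OK   stubby listens on 127.0.1.1:53"  || { echo "FAIL stubby listener"; rc=1; }
    check_dnsmasq_forwarding "$2" && echo "OK   dnsmasq forwards only to stubby" || { echo "FAIL dnsmasq forwarding"; rc=1; }
    check_dnsmasq_dnssec "$2"     && echo "OK   dnsmasq validates DNSSEC"        || echo "WARN dnsmasq dnssec directive missing"
    probe_leaves_wan "$3" "$4"    && echo "INFO expect a plaintext query for ${5:-dns.msftncsi.com} on WAN :53 (router's own probe)" \
                                  || echo "INFO no plaintext router probe expected on the WAN"
    return $rc
}

if [ -f /etc/dnsmasq.conf ] && command -v nvram >/dev/null 2>&1; then
    report "$(netstat -lnptu 2>/dev/null)" "$(cat /etc/dnsmasq.conf /tmp/resolv.dnsmasq 2>/dev/null)" \
           "$(nvram get dns_local_cache)" "$(nvram get dns_probe_content)" "$(nvram get dns_probe_host)"
else
    report "$SAMPLE_NETSTAT" "$SAMPLE_DNSMASQ_CONF" 0 131.107.255.255
fi
```

Run it with sh on the router; anywhere else it exercises the samples. A FAIL on the forwarding check means some server= line points past Stubby, which is the one case where client queries, not just the router's own probe, would show up on port 53.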
 
Thank you for the explanation, it makes perfect sense. Just wanted to make sure everything is working as intended.
 
Just an FYI... it's my understanding that you don't need anything set in the WAN DNS 1 or 2 boxes when you have DoT enabled and configured.
 
Sorry for hijacking the thread, but I followed the OP's steps and can't find tcpdump to test it. Can you elaborate on how to test that this is working correctly?


Firefox (without DoT configured) on https://www.cloudflare.com/ssl/encrypted-sni/ reported:
Secure DNS: ?
DNSSEC: YES
TLS 1.3: YES
Encrypted SNI: X

PS: are the nvram commands above to stop the annoying connections to dns.msftncsi.com?
 
Have you figured out the issue yet? The traffic you are seeing is due to
[attachment: screenshot of the "Wan: Use local caching DNS server as system resolver" option, 2019-07-05]

the Wan: DNS system resolver option being set to NO.
This tells your router to check with the DNS server you have specified in WAN DNS 1 and WAN DNS 2 to see whether there is an internet connection; however, this is not traffic generated by your clients.
Your clients' traffic should be traversing port 853. All of your "router's traffic" will show up on port 53, which is your router talking to your ISP DNS or WAN DNS 1 & 2 to see if the internet is connected. When you have the Wan: system resolver option set to YES (local caching) instead of NO, you would see similar router traffic on port 53 on the lo interface; when you have NO selected, it appears on eth0 on port 53.

If you turn off this option on the Administration tab
[attachment: screenshot of the network monitor option on the Administration tab, 2019-07-05]

you won't see as much of this traffic on port 53.

To fully appreciate this, you can temporarily set the Wan: system resolver option to YES and tcpdump port 53 using (note that eth0 will now show no traffic):
tcpdump -ni lo -p port 53
You will see this same traffic when you set the option back to NO using:
tcpdump -ni eth0 -p port 53

That is because the network monitor option uses a different method to tell whether your router has an internet connection.

Just an FYI....its my understanding that you don't need anything set in the Wan DNS 1 or 2 boxes when you have DOT Over TLS enabled and configured.

This is correct, but if you wanted to you could specify WAN DNS 1 and 2; this tells Stubby not to use your ISP as the resolver and to use whatever you specify, but this is not really relevant to the overall function of Stubby.
 
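An added capture classifier (editorial example, not code from the posters above or from Asuswrt-Merlin) that makes the eth0 vs lo distinction in the reply above mechanical: it reads tcpdump -n output, tags each outbound packet as dot (port 853), probe (plain port 53 to the router's own probe name) or leak (plain port 53 to anything else), and counts the leaks. The probe name defaults to dns.msftncsi.com and is assumed to match the router's dns_probe_host nvram value; the capture lines embedded below are constructed to mirror the thread's, with a Cloudflare DoT segment over IPv4 and IPv6 and one deliberate plaintext query to 8.8.8.8 added.

```shell
#!/bin/sh
# Added example, not the thread's or Asuswrt-Merlin's own code. Classifies a
# WAN-side tcpdump capture so the router's own connectivity probe (plain :53,
# expected when "Use local caching DNS server as system resolver" is No) is not
# mistaken for client DNS leaking past Stubby. PROBE_HOST is assumed to match
# the router's dns_probe_host nvram value.

PROBE_HOST="${PROBE_HOST:-dns.msftncsi.com}"

# stdin: tcpdump -n lines. $1 (optional): probe host override.
# Prints "<class> <dst-port> <qname>" per packet:
#   dot      -> port 853, encrypted upstream traffic (Stubby)
#   probe    -> plain port 53 query for the router's own probe name
#   leak     -> plain port 53 query for anything else: investigate
#   response -> inbound packet from a resolver port, ignored for the verdict
classify_dns_capture() {
    probe="${1:-$PROBE_HOST}"
    awk -v probe="$probe" '
    $2 ~ /^IP6?$/ && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)
        n = split(dst, dp, "."); dport = dp[n]        # port follows the last dot
        m = split($3, sp, "."); sport = sp[m]
        qname = "-"
        for (i = 6; i <= NF; i++)                     # "A?" / "AAAA?" precedes the name
            if ($i ~ /\?$/) { qname = $(i + 1); sub(/\.$/, "", qname); break }
        if (dport == "853")                        cls = "dot"
        else if (dport == "53")                    cls = (qname == probe) ? "probe" : "leak"
        else if (sport == "53" || sport == "853")  cls = "response"
        else next
        print cls, dport, qname
    }'
}

# stdin: tcpdump -n lines. Prints the number of leak records.
count_leaks() {
    classify_dns_capture "$@" | awk '$1 == "leak" { c++ } END { print c + 0 }'
}

# Constructed sample: the thread's probe exchange, a DoT segment to 1.1.1.1 over
# IPv4 and to 2606:4700:4700::1111 over IPv6, and one plaintext query to 8.8.8.8
# that Stubby should never produce.
SAMPLE_CAPTURE='11:25:17.413366 IP 192.0.2.10.50132 > 1.1.1.1.53: 57361+ A? dns.msftncsi.com. (34)
11:25:17.413820 IP 192.0.2.10.50132 > 1.1.1.1.53: 61713+ AAAA? dns.msftncsi.com. (34)
11:25:17.422094 IP 1.1.1.1.53 > 192.0.2.10.50132: 57361 1/0/0 A 131.107.255.255 (50)
11:25:18.001000 IP 192.0.2.10.41234 > 1.1.1.1.853: Flags [P.], seq 1:200, ack 1, win 501, length 199
11:25:18.100000 IP6 2001:db8::10.41235 > 2606:4700:4700::1111.853: Flags [S], seq 100, win 64240, length 0
11:25:19.500000 IP 192.0.2.10.50133 > 8.8.8.8.53: 10000+ A? example.com. (29)'

if [ "$1" = "live" ]; then
    # On the router: 50 packets from the WAN interface (eth0 in the thread).
    tcpdump -ni "${2:-eth0}" -p -l -c 50 port 53 or port 853 2>/dev/null | classify_dns_capture
else
    printf '%s\n' "$SAMPLE_CAPTURE" | classify_dns_capture
    echo "leaks: $(printf '%s\n' "$SAMPLE_CAPTURE" | count_leaks)"
fi
```

On the router, sh dnscheck.sh live eth0 captures and classifies 50 packets; any leak line names a query that left the WAN in the clear and was not the router's own probe, which is the case worth chasing. With the system resolver option set to Yes the same script run against a capture on lo would tag the probe lines as before, since classification depends on the port and name rather than on the interface.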
Thanks for digging in a little deeper with port 53 and port 853. I'll try your suggestions next week, I'm currently out of town.
Regarding manually entering a DNS server, isn't that only relevant when restarting the router, so that a resolver is specified for any requests made before Stubby is up and running?
 
