DoT w/ DNSSEC


Volfi

Regular Contributor
When I try to use DoT with DNSSEC, https://1.1.1.1/help reports I am not using DoT.
Switching off DNSSEC makes DoT test as "ON".
Did not dig deeper, but is this a test error, my setup error, or a firmware error / feature?

[Attachment: dns.png]
 
From RMerl's website wiki:
NOTE: There is currently an issue with the popular DoT/DoH test site provided by Cloudflare where it will fail to use properly signed DNSSEC hostnames during the test, causing the test to fail to correctly detect that you are using DoT. This does not indicate that your setup doesn't work, and is something that will hopefully eventually be fixed by Cloudflare. You can avoid this by temporarily disabling validation of unsigned records, however it is recommended to re-enable that option afterward.
 
Thank you, so my config is correct and I shall continue using it, right?
 
If you want to make sure your configuration is working, use tcpdump on your SSH console to follow your connection:

Code:
tcpdump -ni eth0 -p port 53 or port 853

All secure connections should be made using port 853. Your log should look like this:
Code:
13:15:30.647085 IP Your.IP.Address.48415 > 1.1.1.2.853: Flags [P.], seq 1:275, ack 1, win 229, length 274
13:15:30.664337 IP 1.1.1.2.853 > Your.IP.Address.48415: Flags [.], ack 275, win 66, length 0
13:15:30.667557 IP 1.1.1.2.853 > Your.IP.Address.48415: Flags [.], seq 1:1461, ack 275, win 66, length 1460
13:15:30.667610 IP Your.IP.Address.48415 > 1.1.1.2.853: Flags [.], ack 1461, win 251, length 0

You can install tcpdump with the following command:

Code:
opkg install tcpdump
 
Still does not test DNSSEC. Use dig to do that.
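The two checks discussed in this thread, as an added example that is not from any poster: the tcpdump capture only shows whether queries leave on port 853 (DoT) or port 53 (plaintext), while dig's header shows whether DNSSEC validation actually happened. The script runs offline over constructed sample output; 192.0.2.10 stands in for "Your.IP.Address" and 192.168.1.1 is assumed to be the router's resolver.

```shell
#!/bin/sh
# Added example (not from this thread): offline checks over captured output.
# 1) Classify tcpdump lines: outbound to port 853 is DoT, outbound to port 53 is a plaintext leak.
# 2) Read dig's header for the status and the "ad" (authenticated data) flag, which is
#    what actually shows DNSSEC validation; a port-853 capture does not.

# Constructed sample modelled on the capture posted above. 192.0.2.10 is a documentation
# address standing in for "Your.IP.Address"; the last line is a deliberate plaintext query.
SAMPLE_TCPDUMP='13:15:30.647085 IP 192.0.2.10.48415 > 1.1.1.2.853: Flags [P.], seq 1:275, ack 1, win 229, length 274
13:15:30.664337 IP 1.1.1.2.853 > 192.0.2.10.48415: Flags [.], ack 275, win 66, length 0
13:15:31.100000 IP 192.0.2.10.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)'

# count_outbound_to_port CAPTURE SRC_IP PORT
# tcpdump prints "src.port > dst.port:", so the port is the last dotted label of that field.
count_outbound_to_port() {
    printf '%s\n' "$1" | awk -v src="$2" -v port="$3" '
        $2 == "IP" && $4 == ">" {
            n = split($3, s, "."); sp = s[n]
            srcip = substr($3, 1, length($3) - length(sp) - 1)
            dst = $5; sub(/:$/, "", dst)
            m = split(dst, d, "."); dp = d[m]
            if (srcip == src && dp == port) c++
        }
        END { print c + 0 }'
}

# Constructed dig headers: a validated answer, and the SERVFAIL a validating resolver
# returns for a zone whose signatures are deliberately broken.
DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40123
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DIG_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40124
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# dig_status DIG_OUTPUT -> NOERROR, SERVFAIL, NXDOMAIN, ...
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# dig_has_ad DIG_OUTPUT -> exit 0 when the resolver set the "ad" flag on the answer
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# On the router itself (assuming 192.168.1.1 is the dnsmasq resolver), the live equivalent is:
#   dig +dnssec example.com @192.168.1.1          -> NOERROR with the ad flag
#   dig +dnssec dnssec-failed.org @192.168.1.1    -> SERVFAIL from a validating resolver
[ "$(count_outbound_to_port "$SAMPLE_TCPDUMP" 192.0.2.10 53)" = 0 ] || echo "WARNING: plaintext DNS left the router"
```

The same functions can be fed a real capture (`tcpdump -nl ... > dns.log`) and real dig output by substituting the variables; any non-zero count of outbound port-53 packets from the WAN address means something is bypassing DoT.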
 
