Enable DNSSEC support question

Discussion in 'Asuswrt-Merlin' started by jgrove, Mar 6, 2016.

  1. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    I'm currently having a problem where I can't reach any DNSSEC enabled sites.... Disabling DNSSEC lets me access the domains again.

    Currently on 380.62_1.

    For example, doing a dig using my two resolvers manually works fine:

    Code:
    dig internet.nl +dnssec +multi +short @95.85.9.86
    
    185.49.141.28
    
    A 7 2 3600 20161013033608 20160922044936 28409 internet.nl. eptGraOJ6tTrYncrlecCaUjulDlgJ9FMp/qUZb6vYH9toBvDYt5DX+Do 7J9tAf4ydkf9Iq514ktyANVm/OGhphMMJuG30aO3p3dtEvhtb0k+Ud6U OqsUvEGOKb18g4ucmnM7+lJHDhdgQEkPa/Q5e/Rn0pUUKT+KxK4ksCMK FT8=
    Code:
    dig internet.nl +dnssec +multi +short @185.83.217.248
    
    185.49.141.28
    
    A 7 2 3600 20161013033608 20160922044936 28409 internet.nl. eptGraOJ6tTrYncrlecCaUjulDlgJ9FMp/qUZb6vYH9toBvDYt5DX+Do 7J9tAf4ydkf9Iq514ktyANVm/OGhphMMJuG30aO3p3dtEvhtb0k+Ud6U OqsUvEGOKb18g4ucmnM7+lJHDhdgQEkPa/Q5e/Rn0pUUKT+KxK4ksCMK FT8=
    However, when I use the router as the resolver, it just fails...
    Code:
    dig internet.nl +dnssec +multi +short @192.168.1.1
    
    ;; Truncated, retrying in TCP mode.
    Looks like the response from my router is too big when there is DNSSEC enabled.

    If I use my router when I dig a non-DNSSEC domain, it also works fine.
    So it's just with the DNSSEC domains


    Sent from my iPhone using Tapatalk
     
  2. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,633
    Location:
    Canada
    Truncated replies are perfectly normal with DNSSEC; these replies are often too large to fit in a UDP packet.

    Make sure your upstream nameservers do support DNSSEC, and that your router's clock is accurate.
     
  3. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    Well the DNS resolvers are supposed to support it... how can I confirm though?

    I'm using:
    ns1.nl.dns.d0wn.biz 95.85.9.86 2a03:b0c0:0:1010::62:f001
    ns2.nl.dns.d0wn.biz 185.83.217.248 2a02:2ca0:64:22::2


    And my router clock is supposed to be super accurate now, apparently because I'm using this -> https://github.com/kvic-z/goodies-asuswrt/wiki/Install-NTP-Daemon-for-Asuswrt-Merlin


    Sent from my iPhone using Tapatalk
     
  4. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,633
    Location:
    Canada
    I don't think that server supports DNSSEC. The "ad" flag (for Authenticated answer) is missing when querying for a DNSSEC-enabled domain:

    Code:
    [email protected]:~$ dig pir.org +dnssec +multi @95.85.9.86
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> pir.org +dnssec +multi @95.85.9.86
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30056
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;pir.org.        IN A
    
    ;; ANSWER SECTION:
    pir.org.        300 IN A 97.107.141.235
    pir.org.        300 IN RRSIG A 5 2 300 (
                    20161016084000 20161002084000 19094 pir.org.
                    KAdeaOBCKHL3AXEpDqvc5Snvta9ljpnACpb2acGnFeA0
                    mu1YZ0RrjETMgAXroHLWfg6ranTxmfhgG7N/g2Tvj2v4
                    L5uo+8tIChQoR2u26NdPBPPqJy/ks04FDCfSk6znMmOU
                    feiYbQoU/puc4kI1kVzwhG9gXrUQ+QbFEJu3zR8= )
    
    ;; Query time: 100 msec
    ;; SERVER: 95.85.9.86#53(95.85.9.86)
    ;; WHEN: Sun Oct 02 19:34:14 EDT 2016
    ;; MSG SIZE  rcvd: 219
    
    
    Querying the same domain from 8.8.8.8 properly has the ad flag set.
     
    Veldkornet likes this.
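The check RMerlin makes by eye above, as an added example that is not from the thread: parse dig's output and report whether the header carries the ad flag (resolver validated the answer), or only the EDNS do bit and RRSIG records (resolver passes signatures through without validating), or neither. The sample input is the posted dig output trimmed to the relevant lines; the second sample is constructed by adding the ad flag, and the check assumes the query was sent with +dnssec and without +cdflag.

```python
import re

# Constructed sample: RMerlin's dig output, trimmed to the lines the check reads.
NON_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30056
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
pir.org.        300 IN A 97.107.141.235
pir.org.        300 IN RRSIG A 5 2 300 (
"""

# Constructed sample of what a validating resolver returns for the same query:
# identical data, but the header flags now include "ad".
VALIDATING = NON_VALIDATING.replace("flags: qr rd ra;", "flags: qr rd ra ad;")


def header_flags(output):
    """Flags from the ';; flags:' header line (qr, rd, ra, ad, ...), not the EDNS flags."""
    m = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    return set(m.group(1).split()) if m else set()


def edns_flags(output):
    """Flags from the EDNS OPT pseudosection; 'do' means DNSSEC records were requested."""
    m = re.search(r"^; EDNS: version: \d+, flags:([a-z ]*);", output, re.M)
    return set(m.group(1).split()) if m else set()


def has_rrsig(output):
    """True if any answer record is an RRSIG, i.e. the resolver returned signatures."""
    return re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", output, re.M) is not None


def classify(output):
    """Summarise what the resolver did with DNSSEC for this query.

    'validating': ad flag set, the resolver checked the signatures itself.
    'signatures-passed-but-not-validated': RRSIGs or the do bit present, but no ad.
    'no-dnssec': neither signatures nor the do bit in the reply.
    """
    if "ad" in header_flags(output):
        return "validating"
    if has_rrsig(output) or "do" in edns_flags(output):
        return "signatures-passed-but-not-validated"
    return "no-dnssec"


if __name__ == "__main__":
    print("95.85.9.86 sample:", classify(NON_VALIDATING))
    print("constructed ad sample:", classify(VALIDATING))
```

Feed it the full output of `dig <domain> +dnssec +multi @<resolver>` for each upstream you configure on the router; an upstream that never reports "validating" for a known signed domain is the one to replace or report.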
  5. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    Aha, thanks! At least I know it's not me ;) I'll let the provider know so that they can work on it.


    Sent from my iPhone using Tapatalk
     
  6. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    @RMerlin, could you add the OpenNIC trust anchor as well? I've added it myself for the moment, but ideally it would be nice if it was added with the one from IANA.

    I believe it's
    Code:
    trust-anchor=.,7372,8,2,14a2b8caf58bfaae0bd7c257488a341fcc542f9f88f0b678d620324ce7b55285

    Sent from my iPhone using Tapatalk
     
  7. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,633
    Location:
    Canada
    As far as I can tell, you can have only one root trust anchor in dnsmasq. I haven't seen a single reference to dnsmasq handling multiple root anchors.

    The OpenNIC anchor would only work if using OpenNIC's own resolvers. In that case, you are looking at a very specific custom configuration, something that is best handled by a postconf script since the trust anchor to use depends on which resolver you use.
     
  8. Azuse

    Azuse New Around Here

    Joined:
    Feb 23, 2017
    Messages:
    9
    Old thread, I know; however, I'm experiencing the aforementioned issue of DNSSEC reportedly being enabled according to multiple test sites, despite never having enabled it in the router settings on the current 380.65_2 firmware, i.e. DNS is set to the router IP, DNSSEC is turned off on the router, yet websites report DNSSEC in use.

    Resolvers are dns.watch in case it's relevant.
     
  9. paulbates

    paulbates Regular Contributor

    Joined:
    Aug 31, 2015
    Messages:
    94
    Location:
    Dearborn, Mi
    Another helpful site is http://dnsviz.net

    It provides a visual representation of where DNSSec is (or is not) active.

    Paul
     
  10. reerden

    reerden Regular Contributor

    Joined:
    Nov 10, 2014
    Messages:
    79
    Those test sites report if your upstream server has DNSSEC enabled and thus refuses to resolve domains with invalid DNSSEC signatures. What DNSSEC in Merlin does is secure the so-called 'last mile', in other words the DNS request between your router and the upstream server, by checking the signature again on the router.

    Usually, DNSSEC signatures aren't checked by the client. So the signature is never checked locally on your PC or your router, only by the upstream DNS server you configured. In theory this means someone could potentially manipulate the DNS response between the DNS server and your router. Enabling DNSSEC on Merlin means your router now rechecks the signature before resolving it for your PC.

    So if your configured DNS server supports DNSSEC, it's a good idea to enable it on your own router too.
     
  11. hobgoblin

    hobgoblin New Around Here

    Joined:
    Jul 26, 2017
    Messages:
    2
    Please, could you tell me how I can do so (enable/disable DNSSEC on an Asus AC56U)? I googled it but didn't find any how-to.
     
  12. Makaveli

    Makaveli Regular Contributor

    Joined:
    Nov 4, 2016
    Messages:
    178
    Location:
    Canada
    Under Advanced Settings - Lan - DHCP Server

     
    hobgoblin likes this.
  13. hobgoblin

    hobgoblin New Around Here

    Joined:
    Jul 26, 2017
    Messages:
    2
    Thank you Makaveli, I didn't notice it.
     
    Last edited: Aug 14, 2017
  14. Luboknok

    Luboknok Occasional Visitor

    Joined:
    Jan 9, 2017
    Messages:
    14
    Does DNSSEC work while DNSCRYPT is running on Merlin? I understand OPENDNS doesn't support DNSSEC but what about the other servers?
     
  15. pattiri

    pattiri Regular Contributor

    Joined:
    Dec 27, 2016
    Messages:
    116
    Location:
    Istanbul, Turkey
    Yes it does, but you need to use/find a server which supports DNSSEC. In my opinion only DNSCRYPT is enough.
     
  16. Makaveli

    Makaveli Regular Contributor

    Joined:
    Nov 4, 2016
    Messages:
    178
    Location:
    Canada
    I use Google's DNS server which supports DNSSEC
     