
Enable DNSSEC with OpenDNS

Discussion in 'Asuswrt-Merlin' started by cowboy, Feb 27, 2020.

  1. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    I got interested in DNSSEC and want to enable it on my Asus AC88U router running Asuswrt-Merlin 384.15. But as I understand it, the DNS hosting provider also has to support it.

    I am using the OpenDNS server and a few days ago they announced that they will start supporting DNSSEC in this blog post: DNSSEC General Availability


    When I enable "Validate unsigned DNSSEC replies" in the WAN DNS Settings, I can't reach any website anymore. So does DNSSEC work with OpenDNS, or am I misunderstanding something from the OpenDNS blog post?

    And how can I verify that I am using DNSSEC?

     
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    13,044
    Does a reboot help? :)
     
  3. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    I enabled it yesterday, but did not reboot. I will try that tomorrow in the morning.

    Is there anyone here who uses DNSSEC on Asuswrt-Merlin with OpenDNS and can confirm that everything works?
     
  4. krgck

    krgck Regular Contributor

    Joined:
    Sep 24, 2019
    Messages:
    54
    Tried it. Sandbox and FamilyShield do work with "Validate unsigned DNSSEC replies" enabled, but production doesn't. Likely an issue on their end.
     
  5. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    Thanks. OK, then maybe we have to wait a few more days.

    I also tried it out and restarted my devices. But it did not solve the problem.
     
    Last edited: Feb 28, 2020
  6. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    I asked the question on the OpenDNS forum. Apparently I don't need to enable any settings on my router for DNSSEC to work. But I thought that for DNSSEC to work BOTH the server and client side have to enable it.

    Here is the OpenDNS forum thread: DNSSEC does not work on Production Resolvers
     
  7. krgck

    krgck Regular Contributor

    Joined:
    Sep 24, 2019
    Messages:
    54
    Well, that might be true, but why do "familyshield" and "sandbox" pass the DNSSEC test and production does not?
    https://dnssec.vs.uni-due.de/
     
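One way to answer the question from post #1 (how do I verify that I am getting DNSSEC?) and to see what the test site in post #7 is measuring, as an added example that is not code from this thread or from Asuswrt-Merlin: the client sends a query with the EDNS0 DO bit set, and the reply's AD flag (or a SERVFAIL) shows whether the resolver validated it. The resolver address passed to `check_resolver` is an assumption (any of the OpenDNS IPs), and the sample response headers at the bottom are constructed so the classification runs offline.

```python
import socket
import struct

# Added example: minimal DNSSEC-aware client check. The query carries the EDNS0 DO bit;
# a validating resolver sets AD on good answers and returns SERVFAIL on bogus ones.

DO_FLAG = 0x8000        # EDNS0 "DNSSEC OK" bit in the OPT record's TTL field
AD_FLAG = 0x0020        # header flag: resolver authenticated the data


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """DNS query for `name` (type A by default) with an OPT RR asking for DNSSEC records."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1; QD=1, AR=1 (the OPT RR)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT RR: root name, TYPE 41, UDP size 4096, ext-rcode 0, EDNS version 0, flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Pull ID, RCODE, the AD flag and the answer count out of the 12-byte header."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & AD_FLAG), "answers": an}


def classify(resp: bytes) -> str:
    """'validated', 'unvalidated' or 'servfail' as seen from the client's side."""
    h = parse_header(resp)
    if h["rcode"] == 2:
        return "servfail"          # validating resolver refused a bogus/unverifiable answer
    if h["rcode"] == 0 and h["ad"]:
        return "validated"         # resolver checked the chain of trust and says so
    if h["rcode"] == 0:
        return "unvalidated"       # answered, but no validation claimed
    return f"rcode{h['rcode']}"


def check_resolver(name: str, server: str, timeout: float = 3.0) -> str:
    """Network helper: send the query over UDP to `server` (assumed resolver IP) and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(resp)


# Constructed sample headers (QR|RD|RA, then AD set / SERVFAIL / neither) for offline use.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
SAMPLE_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```

The "no website reachable" symptom from post #1 is what a validating dnsmasq on the router produces when the upstream does not return the RRSIG and NSEC/NSEC3 records it needs to prove a zone signed or unsigned: every lookup comes back as SERVFAIL, which `classify` would report for each name.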
  8. BatJoe

    BatJoe Regular Contributor

    Joined:
    Aug 7, 2013
    Messages:
    61
    It does say the target for production was the 24th, but maybe, since it said "target", they haven't reached it yet and there is a delay? I've opened a support ticket on this.
     
  9. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    Update us if you have any news.
     
  10. BatJoe

    BatJoe Regular Contributor

    Joined:
    Aug 7, 2013
    Messages:
    61
    They literally deleted my support ticket asking about DNSSEC...
     
  11. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    Wow just like that.
     
  12. BatJoe

    BatJoe Regular Contributor

    Joined:
    Aug 7, 2013
    Messages:
    61
    So I guess just use FamilyShield IPs if you want DNSSEC. But you will miss your porn sites lol
     
  13. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    Maybe trying the option again in a few weeks might work.
     
  14. BatJoe

    BatJoe Regular Contributor

    Joined:
    Aug 7, 2013
    Messages:
    61
    OpenDNS production IPs now validate with DNSSEC.
     
  15. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    3,462
    Location:
    USA
    Interesting that they prefer customers not enable DNSSEC validation. I wonder what happens if they are blocking (rewriting) a name in a signed zone?
    See https://learn-umbrella.cisco.com/feature-briefs/support-for-dnssec-in-umbrella
     
  16. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    1,225
    Yea, I have been a skeptic about the DNSSEC support ever since @Zastoff informed me of the changes with OpenDNS. OpenDNS is trying to play catch-up now that they have DoH servers; from my understanding, their dnscrypt protocol standards are still behind, though, as far as the current status of dnscrypt is concerned.

    Here is more about Cisco's DoH:
    https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS

    and more about the servers:
    Code:
    [static.'cisco-doh-ipv4-pri']
    stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjIuMjIygAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'
    
    [static.'cisco-doh-ipv4-alt']
    stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjAuMjIwgAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'
    
    [static.'cisco-doh-ipv6-pri']
    stamp = 'sdns://AgAAAAAAAAAAEVsyNjIwOjExOTozNTo6MzVdgAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'
    
    [static.'cisco-doh-ipv6-alt']
    stamp = 'sdns://AgAAAAAAAAAAEVsyNjIwOjExOTo1Mzo6NTNdgAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'
    
    [static.'cisco-doh-ipv4-family-pri']
    stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjIuMTIzgAAgZG9oLmZhbWlseXNoaWVsZC5vcGVuZG5zLmNvbTo0NDMKL2Rucy1xdWVyeQ'
    
    [static.'cisco-doh-ipv4-family-alt']
    stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjAuMTIzgAAgZG9oLmZhbWlseXNoaWVsZC5vcGVuZG5zLmNvbTo0NDMKL2Rucy1xdWVyeQ'
    
    [static.'cisco-doh-ipv6-family-pri']
    stamp = 'sdns://AgAAAAAAAAAAElsyNjIwOjExOTozNTo6MTIzXYAAIGRvaC5mYW1pbHlzaGllbGQub3BlbmRucy5jb206NDQzCi9kbnMtcXVlcnk'
    
    [static.'cisco-doh-ipv6-family-alt']
    stamp = 'sdns://AgAAAAAAAAAAElsyNjIwOjExOTo1Mzo6MTIzXYAAIGRvaC5mYW1pbHlzaGllbGQub3BlbmRucy5jb206NDQzCi9kbnMtcXVlcnk'
    which were provided by @DonnyJohnny in this post https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-75#post-553892
     
  17. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    For me, enabling the setting "Validate unsigned DNSSEC replies" still does not work.
     
  18. BatJoe

    BatJoe Regular Contributor

    Joined:
    Aug 7, 2013
    Messages:
    61
    They must be having issues. It was working.

    EDIT: They have updated their support page to state production IPs will have it March 10.
     
    Last edited: Mar 6, 2020
  19. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    110
    Location:
    Germany
    I turned it on and now DNSSEC works with OpenDNS as expected.