Enable DNSSEC with OpenDNS


cowboy

Regular Contributor
I got interested in DNSSEC and want to enable it on my Asus AC88U router running Asuswrt-Merlin 384.15. But as I understand it, the DNS hosting provider also has to support it.

I am using the OpenDNS servers, and a few days ago they announced that they will start supporting DNSSEC in this blog post: DNSSEC General Availability

When I enable "Validate unsigned DNSSEC replies" in the WAN DNS Settings, I can't reach any website anymore. So does DNSSEC work with OpenDNS, or am I misunderstanding something in the OpenDNS blog post?

And how can I verify that I am using DNSSEC?

 
Does a reboot help? :)
 
Does a reboot help? :)
I enabled it yesterday, but did not reboot. I will try that tomorrow in the morning.

Is there anyone here who uses DNSSEC on Asuswrt-Merlin with OpenDNS and can confirm that everything works?
 
Tried it. Sandbox and FamilyShield do work with "Validate unsigned DNSSEC replies" enabled, but production doesn't. Likely an issue on their end.
 
Tried it. Sandbox and FamilyShield do work with "Validate unsigned DNSSEC replies" enabled, but production doesn't. Likely an issue on their end.
Thanks. OK, then maybe we have to wait a few more days.


I also tried it out and restarted my devices. But it did not solve the problem.
 
I asked the question on the OpenDNS forum. Apparently I don't need to enable any settings on my router for DNSSEC to work. But I thought that for DNSSEC to work, BOTH the server and the client side have to enable it.

Here is the OpenDNS forum: DNSSEC does not work on Production Resolvers
 
It does say the target for production was the 24th, but maybe since it said "target" they haven't reached it yet and there is a delay? I've opened a support ticket on this.
 
It does say the target for production was the 24th, but maybe since it said "target" they haven't reached it yet and there is a delay? I've opened a support ticket on this.
Update us if you have any news.
 
So I guess just use the FamilyShield IPs if you want DNSSEC. But you will miss your porn sites lol
Maybe trying the option again in a few weeks might work.
 
Interesting that they prefer customers not to enable DNSSEC validation. I wonder what happens if they are blocking (rewriting) a name in a signed zone?
Support for client-side validation
Performing DNSSEC validation requires that the validating resolver maintain knowledge of the signatures of all parent domains for a given query. For this reason, clients of a recursive DNS resolver typically do not perform validation themselves, but rather rely on the recursive resolver to perform validation on their behalf.

While we will support use of the ‘DO’ bit in queries, Umbrella does not recommend that local DNS servers forwarding to our resolvers enable DNSSEC validation themselves.
See https://learn-umbrella.cisco.com/feature-briefs/support-for-dnssec-in-umbrella
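As an added example (not code from the thread or from OpenDNS), here is one way to answer the "how can I verify that I am using DNSSEC" question in line with the Umbrella note about the DO bit: send a query with the EDNS0 DO bit set and read back the AD flag and rcode the resolver returns. The resolver address 208.67.222.222 and the name example.com used in the live check are assumptions; the two sample responses are constructed for offline use.

```python
import socket
import struct

# Added example, not from the thread. A validating resolver sets the AD (Authenticated Data)
# flag when it has verified the signatures for a name, and answers SERVFAIL for a name
# whose signature chain is deliberately broken. A non-validating resolver does neither.

def build_query(name: str, txid: int = 0x1234, do: bool = True) -> bytes:
    """Wire-format A/IN query for `name`; the EDNS0 OPT record carries the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, UDP size 4096, ext-rcode 0, version 0, flags (DO=0x8000), rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_flags(resp: bytes) -> dict:
    """Decode the header flags of a DNS response; ad=True means the resolver validated the answer."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,     # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
        "ad": bool(flags & 0x0020),  # Authenticated Data: DNSSEC validation succeeded at the resolver
        "cd": bool(flags & 0x0010),  # Checking Disabled: client asked the resolver not to validate
        "answers": an,
    }

def dnssec_status(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """Send the DO query over UDP/53 to `resolver` and return the decoded flags."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_flags(data)

def resolver_validates(resolver: str, signed_name: str, broken_name: str) -> bool:
    """True when a correctly signed name comes back with AD and a known-bad signature gets SERVFAIL.
    `broken_name` should be a public test zone published with a deliberately invalid signature."""
    good, bad = dnssec_status(resolver, signed_name), dnssec_status(resolver, broken_name)
    return good["ad"] and bad["rcode"] == 2

# Constructed response for offline testing: same id, QR+RD+RA+AD set, NOERROR, one answer.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
# Constructed SERVFAIL (QR+RD+RA, rcode 2): what a validating resolver returns for a broken signature.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    # Live check against the assumed OpenDNS production resolver; compare with the FamilyShield address.
    print(dnssec_status("208.67.222.222", "example.com"))
```

If the router forwards to an upstream that does not validate, AD will be absent even for a correctly signed name, which is what the router-side "Validate unsigned DNSSEC replies" option is there to catch.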
 
Interesting that they prefer customers not to enable DNSSEC validation. I wonder what happens if they are blocking (rewriting) a name in a signed zone?

See https://learn-umbrella.cisco.com/feature-briefs/support-for-dnssec-in-umbrella
Yeah, I have been a skeptic about the DNSSEC support ever since @Zastoff informed me of the changes with OpenDNS. OpenDNS is trying to play catch-up, since now they have DoH servers; from my understanding their dnscrypt protocol standards are still behind, though, as far as the current status of dnscrypt is concerned.

Here is more about Cisco's DoH
https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS

and more about the servers
Code:
[static.'cisco-doh-ipv4-pri']
stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjIuMjIygAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'

[static.'cisco-doh-ipv4-alt']
stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjAuMjIwgAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'

[static.'cisco-doh-ipv6-pri']
stamp = 'sdns://AgAAAAAAAAAAEVsyNjIwOjExOTozNTo6MzVdgAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'

[static.'cisco-doh-ipv6-alt']
stamp = 'sdns://AgAAAAAAAAAAEVsyNjIwOjExOTo1Mzo6NTNdgAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5'

[static.'cisco-doh-ipv4-family-pri']
stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjIuMTIzgAAgZG9oLmZhbWlseXNoaWVsZC5vcGVuZG5zLmNvbTo0NDMKL2Rucy1xdWVyeQ'

[static.'cisco-doh-ipv4-family-alt']
stamp = 'sdns://AgAAAAAAAAAADjIwOC42Ny4yMjAuMTIzgAAgZG9oLmZhbWlseXNoaWVsZC5vcGVuZG5zLmNvbTo0NDMKL2Rucy1xdWVyeQ'

[static.'cisco-doh-ipv6-family-pri']
stamp = 'sdns://AgAAAAAAAAAAElsyNjIwOjExOTozNTo6MTIzXYAAIGRvaC5mYW1pbHlzaGllbGQub3BlbmRucy5jb206NDQzCi9kbnMtcXVlcnk'

[static.'cisco-doh-ipv6-family-alt']
stamp = 'sdns://AgAAAAAAAAAAElsyNjIwOjExOTo1Mzo6MTIzXYAAIGRvaC5mYW1pbHlzaGllbGQub3BlbmRucy5jb206NDQzCi9kbnMtcXVlcnk'

which were provided by @DonnyJohnny in this post https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-75#post-553892
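As an added example (not code from the thread, dnscrypt-proxy or OpenDNS), a small decoder for the sdns:// stamps quoted above, following the DNS Stamps layout: it shows the resolver address, hostname, path and the properties each stamp declares, including whether the DNSSEC property bit is set.

```python
import base64
import struct

# Added example, not from the thread: decode the sdns:// DNS stamps quoted above. Layout per the
# DNS Stamps specification (dnscrypt.info/stamps); DoH stamps use protocol id 0x02.

PROPS = {0x01: "DNSSEC", 0x02: "No logs", 0x04: "No filter"}
PROTOCOLS = {0x00: "Plain DNS", 0x01: "DNSCrypt", 0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}

def _lp(buf: bytes, pos: int):
    """Length-prefixed field: one length byte, then that many bytes."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _vlp(buf: bytes, pos: int):
    """Variable-length list: a length byte per item, high bit set while more items follow."""
    items = []
    while True:
        more, n = buf[pos] & 0x80, buf[pos] & 0x7F
        if n:
            items.append(buf[pos + 1:pos + 1 + n])
        pos += 1 + n
        if not more:
            return items, pos

def decode_stamp(stamp: str) -> dict:
    """Parse a stamp; the fields after the props are only decoded for DoH stamps."""
    raw = stamp[len("sdns://"):] if stamp.startswith("sdns://") else stamp
    buf = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # base64url without padding
    proto, props = buf[0], struct.unpack("<Q", buf[1:9])[0]      # 1-byte protocol, 64-bit LE props
    out = {"protocol": PROTOCOLS.get(proto, hex(proto)),
           "props": [name for bit, name in PROPS.items() if props & bit],
           "dnssec": bool(props & 0x01)}  # bit 0 = resolver declares DNSSEC support
    if proto != 0x02:
        return out
    addr, pos = _lp(buf, 9)        # IP[:port]; the port is omitted when it is 443
    hashes, pos = _vlp(buf, pos)   # SHA-256 of a TBS certificate in the chain (may be empty)
    host, pos = _lp(buf, pos)      # hostname[:port] used for TLS SNI and the Host header
    path, pos = _lp(buf, pos)      # HTTP path of the DoH endpoint
    out.update(addr=addr.decode(), hashes=[h.hex() for h in hashes],
               host=host.decode(), path=path.decode())
    return out

# Two of the stamps from the post above (OpenDNS production and FamilyShield DoH, IPv4 primary).
CISCO_DOH_IPV4_PRI = "sdns://AgAAAAAAAAAADjIwOC42Ny4yMjIuMjIygAATZG9oLm9wZW5kbnMuY29tOjQ0MwovZG5zLXF1ZXJ5"
CISCO_DOH_IPV4_FAMILY_PRI = "sdns://AgAAAAAAAAAADjIwOC42Ny4yMjIuMTIzgAAgZG9oLmZhbWlseXNoaWVsZC5vcGVuZG5zLmNvbTo0NDMKL2Rucy1xdWVyeQ"

if __name__ == "__main__":
    for s in (CISCO_DOH_IPV4_PRI, CISCO_DOH_IPV4_FAMILY_PRI):
        print(decode_stamp(s))
```

The props field is informational, set by whoever generated the stamp, so what it declares is worth comparing against an actual DO-bit query to the resolver.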
 
OpenDNS production IPs now validate with DNSSEC
For me, enabling the setting "Validate unsigned DNSSEC replies" still does not work.
 