[Fork] Asuswrt-Merlin 374.43 LTS - DNS over TLS Beta - CLOSED

[JWoo]

Hi John. I wish you could support the latest generation of Asus routers too as you are very talented and put together great software.

 

[bbunge]

That's how the 'updater' works....

The framework is already in the beta if you want to experiment....
set the nvram variable
stubby_csv
to point to the full path/filename

It works (of course)

Copied the /rom/stubby-resolvers.csv to
/jffs/configs/stubby-resolvers.csv

To stubby-resolvers.csv added the line:
"Quad 9_alt",149.112.112.112,2620:fe::9,853,dns.quad9.net,,,yes,yes

In Putty:
nvram set stubby_csv=/jffs/configs/stubby-resolvers.csv

nvram commit

Selected the new entry in WAN-Internet Connection - DoT Servers

 

[joe a]

John, thank you very much for this firmware!

I have used (and continue to use) Tomato, Gargoyle, OpenWRT, and DD-WRT in the past, and I'm very impressed with your Merlin LTS fork. The stability, ease of installation, ease of updating, new features, and additional security updates definitely make this firmware shine.
I must say if stable versions of Micro$oft's operating systems performed as well as your betas, that would make my day job a lot easier.

Keep up the good work, sir!

 

[JWoo]

I have also used Tomato, Gargoyle, OpenWRT, and DD-WRT. I agree 100% with you that this LTS fork is stable, full featured and progressive in many ways... most lately with DoT. Thank you John for making very cool firmware that works well.

 

[Deleted member 27741]

Nice work as always, John. How will DoT work with Parental Control >> DNS filtering? I have been enjoying a mostly ad free internet experience using DNS filtering but don't really know how it would interact with DoT.

 

[john9527]

Nice work as always, John. How will DoT work with Parental Control >> DNS filtering? I have been enjoying a mostly ad free internet experience using DNS filtering but don't really know how it would interact with DoT.

You get to make a choice if you are using one of the ad blocking DNS servers via DNS filtering. The server itself has to support DoT to make use of it. I'm not aware of any of the ad blocking servers like OpenDNS supporting DoT right now

The DoT servers will work with ABSolution however as another possibility.

 

[Deleted member 27741]

So then if I have DoT enabled on the router AND DNS filtering enabled the DoT servers are just replaced with the DNS filter server for IP lookups and therefore no DoT under those conditions? I am thinking this is more complex than I realize.

 

[john9527]

So then if I have DoT enabled on the router AND DNS filtering enabled the DoT servers are just replaced with the DNS filter server for IP lookups and therefore no DoT under those conditions? I am thinking this is more complex than I realize.

Correct....those clients defined to DNS Filter, and not using Router or No Filtering as the target, are bypassing dnsmasq (which supports DoT) and going direct to the servers they have defined.

EDIT: The statement about the Router and No Filtering options are typical around the default configuration. You can construct options where things behave differently.

 

[ColinTaylor]

Last call for Beta feedback

FYI I've stopped using DoT since yesterday. The reason being I was slightly irritated with Chrome occasionally flashing up it's "This site can’t be reached" error page before replacing it with the actual page.

I'm assuming it does this when there hasn't been any upstream DoT requests for a long enough period that the session is disconnected. It then needs to reestablish the session before answering the new query, which introduces a longer than normal delay.

It's probably a small price to pay if you're concerned about people snooping on your DNS requests (which I'm not).

 

[john9527]

FYI I've stopped using DoT since yesterday. The reason being I was slightly irritated with Chrome occasionally flashing up it's "This site can’t be reached" error page before replacing it with the actual page.

Funny....I had that problem with Dnscrypt, but haven't had it with DoT.

I also use DNSFilter with just Global Mode set to Router, so Chromecast/Netflix/FireTVs google and other direct dns lookups are forced through the DoT server.

 

[RMerlin]

I must say if stable versions of Micro$oft's operating systems performed as well as your betas, that would make my day job a lot easier.

If they did, it would also put us out of work

 

[Deleted member 27741]

I don't know if other people notice/have this but my N66U says Internet status: disconnected on the network map page when I am using DoT (DNSSEC strict yes, rebind yes, enable DNS over TLS yes, Exclude DoT yes, DoT access ordered, cloudflare-dns.com as DoT server) even though internet is up and working fine. Probably an artifact of how the router decides it's connected to the internet not jiving with DoT and not important.

 

[john9527]

I don't know if other people notice/have this but my N66U says Internet status: disconnected on the network map page when I am using DoT

Shouldn't happen and I haven't seen it....can you post up a syslog from boot to a sharing site?

 

[Deleted member 27741]

Wife is on the internet so no reboots for awhile! I'll bet the "issue" will disappear on reboot anyhow. I'll send you a syslog link after a reboot (once the internet here is not in use) if the issue persists.

 

[underdose]

I don't know if other people notice/have this but my N66U says Internet status: disconnected on the network map page when I am using DoT (DNSSEC strict yes, rebind yes, enable DNS over TLS yes, Exclude DoT yes, DoT access ordered, cloudflare-dns.com as DoT server) even though internet is up and working fine. Probably an artifact of how the router decides it's connected to the internet not jiving with DoT and not important.

I had it too for 2 days but today it fixed itself after 2 reboots, and some changes to the WAN DNS Setting section which I don't remember. Current state of the settings is below:

 

[Deleted member 27741]

Issue resolved on reboot with settings as in my above post (132).

 

[john9527]

Final call for feedback!
(anybody test on an N16???)

For the formal release
update capability added....and a new twist if you hover on a selection for a second or two

 

[bbunge]

I went back to the "official" Asus firmware after complaints about the network from the family. I did notice that it took a bit longer to resolve an address and I was not able to get QOS to work to improve bufferbloat (QOS may be operator error). I do have two RT-AC68U's in a commercial application running this fork and I plan to upgrade them.

 

[underdose]

Issue resolved on reboot with settings as in my above post (132).

The cause seems like the DNS Rebind Protection. When it's set to YES, Web UI can't fetch connection status.

 

[john9527]

I went back to the "official" Asus firmware after complaints about the network from the family. I did notice that it took a bit longer to resolve an address and I was not able to get QOS to work to improve bufferbloat (QOS may be operator error). I do have two RT-AC68U's in a commercial application running this fork and I plan to upgrade them.

Sorry to hear that. For me, moving from DNSCrypt to DoT (Cloudfare) gave me a noticeable improvement in web browsing. QOS can be touchy and need to be tuned for your environment. If you care to try again, there are a couple of users that really have wrung out the fork QOS that may be able to help.