
[Fork] Asuswrt-Merlin 374.43 LTS - DNS over TLS Beta

Discussion in 'Asuswrt-Merlin' started by john9527, Aug 1, 2018.

  1. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    It's a Beta (V34B6)! Feedback is always welcome!

    BETA RELEASE: Update-34B6
    11-August-2018
    Merlin fork 374.43_34B6j9527
    Download http://bit.ly/1UGjcOX
    ============================

    Support for DNSCrypt v1 has been removed and replaced with DNS over TLS (DoT)

    Some quick notes:
    • Only the ARM based routers are working at this time (AC56, AC68). Working to understand issues with the MIPS routers (N16, AC66, N66). All fork routers should now be working with the 34B6 release!
    • There should be no need to do a factory reset when loading the beta.
    • Only the 'E' build is being made available for the beta. The 'L' builds will be supported at formal release.
    • If you are a current DNSCrypt user and load the beta, your DNSCrypt settings will be kept unless you do factory reset. You can then return to the previous fork release if needed and DNSCrypt will still be configured.
    • There is now a multi-select dialogue for the DoT servers. Hold down Ctrl (or Cmd for Safari) to select multiple servers.
    • If you have IPv6 active and your selected DoT servers support both IPv4 and IPv6, both will automatically be configured.
    • Cloudflare does have problems with DNSSEC enabled (not related to this implementation). You can either disable DNSSEC or uncheck the 'Strict DNSSEC enforcement' option when using Cloudflare.
    • The DoT support is provided by a program called 'stubby', so you may see that name in the syslog.
      Here's an example from the boot sequence
      Code:
      Aug  1 09:44:49 stubby-proxy: configured strict mode
      Aug  1 09:44:49 stubby-proxy: configured server 'Cloudflare' at address 1.1.1.1:853
      Aug  1 09:44:49 stubby-proxy: configured server 'Cloudflare' at address [2606:4700:4700::1111]:853
      Aug  1 09:44:49 stubby-proxy: configured server 'Quad 9' at address 9.9.9.9:853
      Aug  1 09:44:49 stubby-proxy: configured server 'Quad 9' at address [2620:fe::fe]:853
      Aug  1 09:44:49 stubby-proxy: start stubby (0)
      Aug  1 09:44:49 dnsmasq: DNSSEC dnssec-check-unsigned disabled
      Aug  1 09:44:49 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
      Aug  1 09:44:49 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf )
      Aug  1 09:44:49 dnsmasq[5585]: started, version 2.80test3 cachesize 1500
      Aug  1 09:44:49 dnsmasq[5585]: DNSSEC validation enabled but all unsigned answers are trusted
      Aug  1 09:44:49 dnsmasq[5585]: configured with trust anchor for <root> keytag 20326
      Aug  1 09:44:49 dnsmasq[5585]: configured with trust anchor for <root> keytag 19036
      Aug  1 09:44:49 dnsmasq[5585]: warning: ignoring resolv-file flag because no-resolv is set
      Aug  1 09:44:49 dnsmasq[5585]: asynchronous logging enabled, queue limit is 5 messages
      Aug  1 09:44:49 dnsmasq-dhcp[5585]: DHCP, IP range 192.168.1.128 -- 192.168.1.252, lease time 12h
      Aug  1 09:44:49 dnsmasq[5585]: using nameserver 127.0.0.1#5453
      Aug  1 09:44:49 dnsmasq[5585]: using nameserver ::1#5453
      
    • Just for fun....if anyone is wondering about the changes in the release....here's the diff from 33E7
      Code:
      623 files changed, 141211 insertions(+), 772 deletions(-)
      

    SHA256
    Code:
    (Default 'E' Build)
    d02ccd03fa3033753218f5593cbf9f3813c5314f3e8f655d66a01ce3f92ac9ee  RT-N16_374.43_34B6j9527.trx
    7f1150503e8e7e08d01fbb61b21e9cbe827bb9021f0250be05b67017a09c1d11  RT-AC66U_374.43_34B6j9527.trx
    355c33dc0dc893c76c97ee7ef182eb9d729933dd1a5845366cfca3d7dc2fd400  RT-N66U_374.43_34B6j9527.trx
    8ce44a48a62804366f37f6355400fa953ae2e052343ac21dba8edee9301cd493  RT-AC68U_374.43_34B6j9527.trx
    f19823b6872475ea02f53035af0fd2866c10356b7ff7f59ab7347555cd7df639  RT-AC56U_374.43_34B6j9527.trx
    
     
    Last edited: Aug 11, 2018
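The boot-sequence lines above carry the invariants that make this setup actually protect the queries: stubby reports "configured strict mode" (certificates are authenticated, not just used opportunistically), every upstream is on 853, and dnsmasq forwards only to the local stubby listener at 127.0.0.1#5453 / ::1#5453 with no-resolv set. The line "DNSSEC validation enabled but all unsigned answers are trusted" follows from the "dnssec-check-unsigned disabled" line before it and is what you get with the 'Strict DNSSEC enforcement' option unchecked. The following is an added example written for this thread, not code from the fork or from stubby: it runs those checks over syslog text, using the quoted boot lines (reduced to the relevant ones) as a constructed sample, and flags any dnsmasq forwarder that is not the stubby listener, since such a forwarder sends cleartext UDP/53 around the proxy. The port numbers 853 and 5453 are taken from the log itself.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the stubby-proxy / dnsmasq boot lines quoted in the post,
# cut down to the ones the checks below look at.
SAMPLE_SYSLOG = """\
Aug  1 09:44:49 stubby-proxy: configured strict mode
Aug  1 09:44:49 stubby-proxy: configured server 'Cloudflare' at address 1.1.1.1:853
Aug  1 09:44:49 stubby-proxy: configured server 'Cloudflare' at address [2606:4700:4700::1111]:853
Aug  1 09:44:49 stubby-proxy: configured server 'Quad 9' at address 9.9.9.9:853
Aug  1 09:44:49 stubby-proxy: configured server 'Quad 9' at address [2620:fe::fe]:853
Aug  1 09:44:49 stubby-proxy: start stubby (0)
Aug  1 09:44:49 dnsmasq[5585]: started, version 2.80test3 cachesize 1500
Aug  1 09:44:49 dnsmasq[5585]: DNSSEC validation enabled but all unsigned answers are trusted
Aug  1 09:44:49 dnsmasq[5585]: warning: ignoring resolv-file flag because no-resolv is set
Aug  1 09:44:49 dnsmasq[5585]: using nameserver 127.0.0.1#5453
Aug  1 09:44:49 dnsmasq[5585]: using nameserver ::1#5453
"""

DOT_PORT = 853      # DNS over TLS port (RFC 7858), as seen in the stubby lines
STUBBY_PORT = 5453  # local stubby listener dnsmasq is pointed at, from the log

STRICT_RE = re.compile(r"stubby-proxy: configured strict mode$")
SERVER_RE = re.compile(
    r"stubby-proxy: configured server '(?P<name>[^']+)' at address "
    r"(?:\[(?P<v6>[0-9A-Fa-f:]+)\]|(?P<v4>\d+(?:\.\d+){3})):(?P<port>\d+)$")
NS_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (?P<addr>[^#\s]+)#(?P<port>\d+)$")
UNSIGNED_RE = re.compile(
    r"dnsmasq\[\d+\]: DNSSEC validation enabled but all unsigned answers are trusted$")


@dataclass
class DotAudit:
    strict_mode: bool = False
    upstreams: list = field(default_factory=list)   # (name, address, port) stubby talks to
    forwarders: list = field(default_factory=list)  # (address, port) dnsmasq forwards to
    dnssec_unsigned_trusted: bool = False
    findings: list = field(default_factory=list)    # human-readable problems, empty = clean


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP literal at all: certainly not the local listener


def audit_syslog(text: str) -> DotAudit:
    """Extract the stubby/dnsmasq state from syslog text and check the invariants."""
    a = DotAudit()
    for line in text.splitlines():
        if STRICT_RE.search(line):
            a.strict_mode = True
        elif (m := SERVER_RE.search(line)):
            a.upstreams.append((m["name"], m["v6"] or m["v4"], int(m["port"])))
        elif (m := NS_RE.search(line)):
            a.forwarders.append((m["addr"], int(m["port"])))
        elif UNSIGNED_RE.search(line):
            a.dnssec_unsigned_trusted = True

    # 1. Every stubby upstream must be a TLS endpoint; anything else is plain DNS.
    for name, addr, port in a.upstreams:
        if port != DOT_PORT:
            a.findings.append(f"upstream {name} {addr}:{port} is not on port {DOT_PORT}")
    # 2. Without strict mode stubby does not authenticate the upstream certificate.
    if a.upstreams and not a.strict_mode:
        a.findings.append("stubby not in strict mode: upstream certificates unauthenticated")
    # 3. dnsmasq must forward only to the local stubby listener; any other
    #    forwarder is a cleartext path around the proxy.
    for addr, port in a.forwarders:
        if not _is_loopback(addr) or port != STUBBY_PORT:
            a.findings.append(f"dnsmasq forwards to {addr}#{port}, bypassing stubby")
    if not a.forwarders:
        a.findings.append("no dnsmasq forwarder seen: cannot confirm stubby is in the path")
    # 4. Trusting unsigned answers means dnssec-check-unsigned is off.
    if a.dnssec_unsigned_trusted:
        a.findings.append("dnsmasq trusts unsigned answers (strict DNSSEC enforcement off)")
    return a


if __name__ == "__main__":
    result = audit_syslog(SAMPLE_SYSLOG)
    for f in result.findings or ["no findings"]:
        print(f)
```

On the router itself the same checks can be run over the live log (`audit_syslog(open("/tmp/syslog.log").read())`); a forwarder other than 127.0.0.1#5453 or ::1#5453 showing up there, for example after a script appends its own server= line, is the thing to look for.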
  3. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    Reserved post
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,101
    Location:
    UK
    I see the notes mention that DNS rebind has been implemented. I also see there is a dns_norebind NVRAM variable. Is there a menu option for this? Can't see anything in Merlin_Fork_Options.txt

    EDIT: Setting dns_norebind=1 manually updates dnsmasq.conf as expected. :)
     
  5. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    Yes, it's there on the WAN DNS config page.

    I didn't add it to my options file since it's a backport from Merlin and not unique to the fork (I do need to add the DoT option info though).
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,101
    Location:
    UK
    Doh! That's the first place I looked, but for some reason couldn't see it. I think I need a new pair of glasses.
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,101
    Location:
    UK
    Noticed this in the log (and shown above) as a consequence of the new "server=" lines. I'm guessing you're happy with that but thought I'd mention it anyway.
    Code:
    Aug  1 21:19:11 dnsmasq[23595]: warning: ignoring resolv-file flag because no-resolv is set
     
  8. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    Yes, it's normal and was also present with dnscrypt. Both solutions use the server= lines to point dnsmasq to the proxy helper and then disable the use of the resolve file.
     
  9. jrmwvu04

    jrmwvu04 Senior Member

    Joined:
    Mar 29, 2016
    Messages:
    425
    Location:
    United States
    I’m in. I’ve enabled DoT with quad 9 and strict dnssec with no real idea what any of it means or what the benefits would be. But hey, it’s another test subject right?
     
  10. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    LOL.....great response.:D
    All your DNS queries are now encrypted so your ISP can't collect that data on you (DoT). And with DNSSEC it's checking to make sure your DNS responses are coming from where you sent the query...no spoofing redirects allowed.
     
  11. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,101
    Location:
    UK
    Ah, but how do you know it's working and not just placebo?

    BTW Can you get any kind of stats out of stubby-proxy?
     
  12. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    Surprisingly, I haven't found any DoT test sites besides the Cloudflare site in the DNSSEC thread. It doesn't only work on the Cloudflare server to see if DoT is active....for example, Quad 9 will show up as 'WoodyNet'. Stats, none that I have found.

    You can stop the service (service stop_stubby) and restart it from the command line with
    stubby -g -l -C /etc/stubby.yml
    and you can watch all the TLS negotiations take place.
     
    Last edited: Aug 1, 2018
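Watching stubby's TLS negotiations with `stubby -g -l` shows the handshakes happen; an independent check is to speak the protocol yourself from a host on the LAN and see what the upstream answers. The following is an added example for this thread, not code from the fork, stubby or any provider: a minimal RFC 7858 client that does what stubby's strict profile does: a DNS message with the DO bit set, framed with the two-byte length prefix that DoT borrows from DNS over TCP, sent over a TLS session whose certificate chain and name are verified, with the reply's transaction id checked against the query. The parser handles name compression and returns the rcode, the AD bit and any A/AAAA answers. The response used offline is constructed (example.com answering 192.0.2.1); the authentication names in the `__main__` demo (cloudflare-dns.com for 1.1.1.1, dns.quad9.net for 9.9.9.9) are the providers' published DoT names and are not stated anywhere in the post.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Query with RD set and one question, plus an EDNS0 OPT RR carrying the DO
    bit so a validating resolver returns RRSIGs and sets AD."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, "class" = UDP payload size,
        # "TTL" = ext-rcode | version | flags (DO = 0x8000), no rdata.
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def read_framed(sock) -> bytes:
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; a pointer ends the name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(resp: bytes, expected_qid: int) -> dict:
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    if qid != expected_qid:
        raise ValueError("transaction id mismatch (stray or injected reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip qtype + qclass
    answers = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}


def resolve_over_tls(name: str, server_ip: str, auth_name: str, qtype: int = 1,
                     timeout: float = 5.0) -> dict:
    """Strict-profile lookup: chain verified against the system roots and the
    certificate must match auth_name (the equivalent of stubby's tls_auth_name)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    qid = secrets.randbits(16)          # unpredictable id, like a real stub resolver
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name, qtype, qid)))
            return parse_response(read_framed(tls), qid)


def build_sample_response(qid: int = 0x1234) -> bytes:
    """Constructed reply, not captured from a resolver: example.com A 192.0.2.1,
    flags QR|RD|RA|AD, rcode 0, answer name as a pointer to the question."""
    header = struct.pack("!HHHHHH", qid, 0x81A0, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print("offline:", parse_response(build_sample_response(), 0x1234))
    # Live check, needs network; auth names are the providers' published DoT names.
    for ip, auth in (("1.1.1.1", "cloudflare-dns.com"), ("9.9.9.9", "dns.quad9.net")):
        try:
            print(ip, resolve_over_tls("example.com", ip, auth))
        except (OSError, ValueError) as exc:
            print(ip, "failed:", exc)
```

If the live call fails with a certificate error the name you pinned does not match what the server presents, which is exactly the case strict mode is there to refuse; in opportunistic mode that session would have gone ahead unauthenticated. Stubby can additionally pin the server's SPKI hash, which this example leaves out.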
  13. jrmwvu04

    jrmwvu04 Senior Member

    Joined:
    Mar 29, 2016
    Messages:
    425
    Location:
    United States
    I ran all the tests and discovered WoodyNet as well. If it’s not too off topic.. I saw there were numerous options for servers in the GUI - any thoughts on the choices? I have heard of quad 9 and Cloudflare. And then there’s this dnssec issue with Cloudflare. Not looking for a definitive rundown, just opinions.
     
  14. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    Not really....Cloudflare and Quad 9 are likely to give the best performance generally with geographically distributed servers. The next ones on the list, Surfnet, are run by the stubby developers, so might be good ones to try if you are having problems.
     
  15. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,101
    Location:
    UK
    I used DNSBench to benchmark 1.1.1.1 vs 9.9.9.9 and 1.1.1.1 was significantly faster from where I am.

    I'm not sure about the use of the IPv6 servers though. At the moment the router is configured to use an IPv6 6in4 tunnel which is relatively slow (even though the LAN clients don't use IPv6). So I'm thinking I might disable the IPv6 servers.
     
  16. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,449
    Location:
    United States
    Hmmm....good feedback. Maybe I tried to keep things too simple. I can add some radio buttons to select which you want if IPv6 is active.
     
  17. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,101
    Location:
    UK
    I'm not sure whether my setup is common enough to warrant an additional option. I'm not sure there are many people that have enabled IPv6 on their routers and then deliberately stopped their clients from using it.:D
     
  18. MFM000

    MFM000 New Around Here

    Joined:
    Oct 20, 2014
    Messages:
    5
    I'm running the fork as an AP (Merlin on router).
    Looking to have DoT implementation. (Here until it appears elsewhere).
    No WAN tab so I'm assuming that there is no GUI setup for this to be my network's DNS (DoT & DNSSEC) server.

    Is there some appropriate config file cleverness for DoT that I can use to work around?
     
  19. tomsk

    tomsk Very Senior Member

    Joined:
    Sep 3, 2016
    Messages:
    510
    Looks interesting and wonder if it's something Merlin might want to incorporate into the main fork in time.
     
  20. maurer

    maurer Regular Contributor

    Joined:
    May 13, 2014
    Messages:
    77
    does it work with AB-solution?
     
  21. jrmwvu04

    jrmwvu04 Senior Member

    Joined:
    Mar 29, 2016
    Messages:
    425
    Location:
    United States
    No issues so far with quad 9 best I can tell
     