[Fork] Asuswrt-Merlin 374.43 LTS - DNS over TLS Beta - CLOSED

[john9527]

It's a Beta (V34B6)! Feedback is always welcome!

BETA RELEASE: Update-34B6
11-August-2018
Merlin fork 374.43_34B6j9527
Download http://bit.ly/1UGjcOX
============================

Support for DNSCrypt v1 has been removed and replaced with DNS over TLS (DoT)

Some quick notes:

• Only the ARM based routers are working at this time (AC56, AC68). Working to understand issues with the MIPS routers (N16, AC66, N66). All fork routers should now be working with the 34B6 release!
• There should be no need to do a factory reset when loading the beta.
• Only the 'E' build is being made available for the beta. The 'L' builds will be supported at formal release.
• If you are a current DNSCrypt user and load the beta, your DNSCrypt settings will be kept unless you do factory reset. You can then return to the previous fork release if needed and DNSCrypt will still be configured.
• There is now a multi-select dialogue for the DoT servers. Hold down Ctrl (or Cmd for Safari) to select multiple servers.
• If you have IPv6 active and your selected DoT servers support both IPv4 and IPv6, both will automatically be configured.
• Cloudflare does have problems with DNSSEC enabled (not related to this implementation). You can either disable DNSSEC or uncheck the 'Strict DNSSEC enforcement' option when using Cloudflare.
• The DoT support is provided by a program called 'stubby', so you may see that name in the syslog.
  Here's an example from the boot sequence
  

  Aug  1 09:44:49 stubby-proxy: configured strict mode
  Aug  1 09:44:49 stubby-proxy: configured server 'Cloudflare' at address 1.1.1.1:853
  Aug  1 09:44:49 stubby-proxy: configured server 'Cloudflare' at address [2606:4700:4700::1111]:853
  Aug  1 09:44:49 stubby-proxy: configured server 'Quad 9' at address 9.9.9.9:853
  Aug  1 09:44:49 stubby-proxy: configured server 'Quad 9' at address [2620:fe::fe]:853
  Aug  1 09:44:49 stubby-proxy: start stubby (0)
  Aug  1 09:44:49 dnsmasq: DNSSEC dnssec-check-unsigned disabled
  Aug  1 09:44:49 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
  Aug  1 09:44:49 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf )
  Aug  1 09:44:49 dnsmasq[5585]: started, version 2.80test3 cachesize 1500
  Aug  1 09:44:49 dnsmasq[5585]: DNSSEC validation enabled but all unsigned answers are trusted
  Aug  1 09:44:49 dnsmasq[5585]: configured with trust anchor for <root> keytag 20326
  Aug  1 09:44:49 dnsmasq[5585]: configured with trust anchor for <root> keytag 19036
  Aug  1 09:44:49 dnsmasq[5585]: warning: ignoring resolv-file flag because no-resolv is set
  Aug  1 09:44:49 dnsmasq[5585]: asynchronous logging enabled, queue limit is 5 messages
  Aug  1 09:44:49 dnsmasq-dhcp[5585]: DHCP, IP range 192.168.1.128 -- 192.168.1.252, lease time 12h
  Aug  1 09:44:49 dnsmasq[5585]: using nameserver 127.0.0.1#5453
  Aug  1 09:44:49 dnsmasq[5585]: using nameserver ::1#5453

• Just for fun....if anyone is wondering about the changes in the release....here's the diff from 33E7
  

  623 files changed, 141211 insertions(+), 772 deletions(-)

SHA256

(Default 'E' Build)
d02ccd03fa3033753218f5593cbf9f3813c5314f3e8f655d66a01ce3f92ac9ee  RT-N16_374.43_34B6j9527.trx
7f1150503e8e7e08d01fbb61b21e9cbe827bb9021f0250be05b67017a09c1d11  RT-AC66U_374.43_34B6j9527.trx
355c33dc0dc893c76c97ee7ef182eb9d729933dd1a5845366cfca3d7dc2fd400  RT-N66U_374.43_34B6j9527.trx
8ce44a48a62804366f37f6355400fa953ae2e052343ac21dba8edee9301cd493  RT-AC68U_374.43_34B6j9527.trx
f19823b6872475ea02f53035af0fd2866c10356b7ff7f59ab7347555cd7df639  RT-AC56U_374.43_34B6j9527.trx

 

[john9527]

Reserved post

 

[ColinTaylor]

I see the notes mention that DNS rebind has been implemented. I also see there is a dns_norebind NVRAM variable. Is there a menu option for this? Can't see anything in Merlin_Fork_Options.txt

EDIT: Setting dns_norebind=1 manually updates dnsmasq.conf as expected.

 

[john9527]

I see the notes mention that DNS rebind has been implemented. I also see there is a dns_norebind NVRAM variable. Is there a menu option for this? Can't see anything in Merlin_Fork_Options.txt

Yes, it's there on the WAN DNS config page.

I didn't add it to my options file since it's a backport from Merlin and not unique to the fork (I do need to add the DoT option info though).

 

[ColinTaylor]

Yes, it's there on the WAN DNS config page.

Doh! That's the first place I looked, but for some reason couldn't see it. I think I need a new pair of glasses.

 

[ColinTaylor]

Noticed this in the log (and shown above) as a consequence of the new "server=" lines. I'm guessing you're happy with that but thought I'd mention it anyway.

Aug  1 21:19:11 dnsmasq[23595]: warning: ignoring resolv-file flag because no-resolv is set

 

[john9527]

Noticed this in the log (and shown above) as a consequence of the new "server=" lines. I'm guessing you're happy with that but thought I'd mention it anyway.

Aug  1 21:19:11 dnsmasq[23595]: warning: ignoring resolv-file flag because no-resolv is set

Yes, it's normal and was also present with dnscrypt. Both solutions use the server= lines to point dnsmasq to the proxy helper and then disable the use of the resolve file.

 

[jrmwvu04]

I’m in. I’ve enabled DoT with quad 9 and strict dnssec with no real idea what any of it means or what the benefits would be. But hey, it’s another test subject right?

 

[john9527]

I’m in. I’ve enabled DoT with quad 9 and strict dnssec with no real idea what any of it means or what the benefits would be. But hey, it’s another test subject right?

LOL.....great response.
All your DNS queries are now encrypted so your ISP can't collect that data on you (DoT). And with DNSSEC its checking to make sure your DNS responses are coming from where you sent the query...no spoofing redirects allowed.

 

[ColinTaylor]

All your DNS queries are now encrypted so your ISP can't collect that data on you (DoT).

Ah, but how do you know it's working and not just placebo?

BTW Can you get any kind of stats out of stubby-proxy?

 

[john9527]

Ah, but how do you know it's working and not just placebo?

BTW Can you get any kind of stats out of stubby-proxy?

Surprisingly, I haven't found any DoT test sites besides the Cloudflare site in the DNSSEC thread. It doesn't only work on the Cloudfare server to see if DoT is active....for example, Quad 9 will show up as 'WoodyNet'. Stats, none that I have found.

You can stop the service (service stop_stubby) and restart it from the command line with
stubby -g -l -C /etc/stubby.yml
and you can watch all the TLS negotiations take place.

 

[jrmwvu04]

I ran all the tests and discovered WoodyNet as well. If it’s not too off topic.. I saw there were numerous options for servers in the GUI - any thoughts on the choices? I have heard of quad 9 and Cloudflare. And then there’s this dnssec issue with Cloudflare. Not looking for a definitive rundown, just opinions.

 

[john9527]

any thoughts on the choices?

Not really....Cloudflare and Quad 9 are likely to give the best performance generally with geographically distributed servers. The next ones on the list, Surfnet, are run by the stubby developers, so might be good ones to try if you are having problems.

 

[ColinTaylor]

I used DNSBench to the benchmark 1.1.1.1 vs 9.9.9.9 and 1.1.1.1 was significantly faster from where I am.

I'm not sure about the use of the IPv6 servers though. At the moment the router is configured to use an IPv6 6in4 tunnel which is relatively slow (even though the LAN clients don't use IPv6). So I'm thinking I might disable the IPv6 servers.

 

[john9527]

I used DNSBench to the benchmark 1.1.1.1 vs 9.9.9.9 and 1.1.1.1 was significantly faster from where I am.

I'm not sure about the use of the IPv6 servers though. At the moment the router is configured to use an IPv6 6in4 tunnel which is relatively slow (even though the LAN clients don't use IPv6). So I'm thinking I might disable the IPv6 servers.

Hmmm....good feedback. Maybe I tried to keep things too simple. I can add some radio buttons to select which you want if IPv6 is active.

 

[ColinTaylor]

Hmmm....good feedback. Maybe I tried to keep things too simple. I can add some radio buttons to select which you want if IPv6 is active.

I'm not sure whether my setup is common enough to warrant an additional option. I'm not sure there are many people that have enabled IPv6 on their routers and then deliberately stopped their clients from using it.

 

[MFM000]

I'm running the fork as an AP (Merlin on router).
Looking to have DoT implementation. (Here until it appears elsewhere).
No WAN tab so I'm assuming that there is no GUI setup for this to be my network's DNS (DoT & DNSSEC) server.

Is there some appropriate config file cleverness for DoT that I can use to work around?

 

[tomsk]

Looks interesting and wonder if its something Merlin might want to incorporate into the main fork in time.

 

[maurer]

does it work with AB-solution?

 

[jrmwvu04]

Not really....Cloudflare and Quad 9 are likely to give the best performance generally with geographically distributed servers. The next ones on the list, Surfnet, are run by the stubby developers, so might be good ones to try if you are having problems.

No issues so far with quad 9 best I can tell