[Fork] Asuswrt-Merlin 374.43 LTS releases (V36EA)

Discussion in 'Asuswrt-Merlin' started by john9527, Aug 14, 2014.

  1. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    @phx28777
    I had been bewildered as to why I wasn't seeing the same failure you were on nrsforu.com, so spent the day experimenting. Finally was able to recreate a fail.

    My normal operating mode with stubby is Cloudflare Primary and Cloudflare secondary in roundrobin, dnssec and ipv6 servers included. What I found is that switching to 'Ordered' mode creates the failure. It seems as if there is a bug that some failures are not retried correctly in ordered mode. Can you confirm you are using ordered mode? The bug also shows up if only one DoT server is selected in either roundrobin or ordered mode.

    So until the next release of getdns/stubby, my recommendations for DoT use are:
    • Do NOT use ordered mode, only roundrobin
    • Always select at least two servers from the server pulldown
    @jsbeddow
    With the DoT settings I've listed I haven't seen any failures in my normal browsing or streaming activity (the only fail I've been able to consistently reproduce is the cloudflare test site). If you did encounter any problems, you can always fall back to not using DoT (normal servers with or without dnssec) which hasn't changed.

    @Xentrk
    Just a callout FYI.

    EDIT: Now I'm confused again. I decided to run one more set of tests comparing dnsmasq dnssec with stubby dnssec. So we have the following for the nrsforu.com....

    Code:
                    stubby dnssec              dnsmasq dnssec
    Roundrobin      NOERROR                    SERVFAIL
    Ordered         SERVFAIL                   SERVFAIL

    So it appears as if stubby dnssec/roundrobin is the outlier, allowing a misconfigured site to pass.
     
    Last edited: Nov 9, 2018
  3. Mr_Andy

    Mr_Andy Occasional Visitor

    Joined:
    Dec 31, 2015
    Messages:
    29
    Location:
    UK
    N66U version V36EA

    I'm using DoT with Quad9, don't have DNSSEC enabled, but I am using Ordered mode to Quad9 Secure Primary and Secondary. I've not noticed any DNS problems, but if there is a bug, should I also be using RoundRobin in this setup?
     
  4. phx28777

    phx28777 Occasional Visitor

    Joined:
    Dec 2, 2017
    Messages:
    10
    @john9527

    Yes, I have always used ordered mode for DoT servers
    with Cloudflare

    I thought I would try a different set of DoT servers
    Using Quad 9 Secure Primary and Secondary in ordered mode

    nrsforu.com resolves correctly

    Changing back to Cloudflare ordered

    nrsforu.com gives SERVFAIL

    Changing to Cloudflare roundrobin

    nrsforu.com resolves correctly
    I believe my testing confirms a problem with ordered mode using Cloudflare

    I will continue to use DoT round robin with Cloudflare and will let you know if I see any other failures
     
    il2 and jsbeddow like this.
  5. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    Wow....I think I may have figured this out......

    - The ordered retry bug I described earlier is real and my recommendations there stand

    - Now, why does roundrobin work on some sites that have an invalid dnssec configuration and fail with dnsmasq dnssec strict?

    nrsforu.com is marked as invalid dnssec by both
    https://dnssec-analyzer.verisignlabs.com/nrsforu.com
    http://dnsviz.net/d/www.nrsforu.com/dnssec/

    It turns out getdns/stubby has an equivalent (undocumented) setting to dnsmasq strict mode which is not being set (dnssec_return_only_secure which is currently set to FALSE)! Once this is set, nrsforu.com also fails with the recommended roundrobin configuration with either Cloudflare or Quad9. Like the dnsmasq setting, this basically invalidates the use of dnssec.
    @phx28777
    So, my conclusion for the nrsforu.com site is that it should NOT resolve with a fully functional dnssec.

    - I'll be making an update to the code to expose the 'strict' mode setting for the stubby dnssec support, similar to dnsmasq dnssec, to be used for diagnostic purposes only (default will be strict mode).

    @Xentrk FYI
     
    Xentrk, il2, jeff288 and 5 others like this.
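    The two failure classes separated in the posts above (a DNSSEC validation failure on a misconfigured zone such as nrsforu.com, versus a query that is simply not retried in ordered mode) can be told apart from a LAN client by repeating the query with the CD (checking disabled) bit set. The script below is an added example, not code from the thread or from the firmware; it assumes dig is installed (e.g. from Entware), that the resolver at the given address passes CD through to the validator, and the function names dig_status, classify, check_domain and demo are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware. A SERVFAIL that
# clears when CD is set points at DNSSEC validation (bogus/misconfigured
# zone); a SERVFAIL that persists with CD points at the transport/retry
# path, which is the ordered-mode symptom described in the thread.
# Assumes dig is available and the resolver honors CD (assumption).

# Pull the rcode (NOERROR, SERVFAIL, ...) out of dig's header line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Classify from the rcode without CD ($1) and with CD ($2).
# An empty rcode (no answer at all, e.g. timeout) is reported as NORESP.
classify() {
    case "${1:-NORESP}/${2:-NORESP}" in
        NOERROR/NOERROR)   echo "OK: resolved (validated, or validation not performed)" ;;
        SERVFAIL/NOERROR)  echo "DNSSEC: validation failure, zone is bogus or misconfigured" ;;
        SERVFAIL/SERVFAIL) echo "UPSTREAM: failure not caused by validation (transport, retry, server)" ;;
        *)                 echo "OTHER: ${1:-NORESP} without CD, ${2:-NORESP} with CD" ;;
    esac
}

# Live check: query the resolver twice, without and with CD.
# Usage: check_domain nrsforu.com 127.0.0.1   (router's dnsmasq)
check_domain() {
    nocd=$(dig_status "$(dig @"$2" "$1" A +dnssec +time=3 +tries=1)")
    withcd=$(dig_status "$(dig @"$2" "$1" A +dnssec +cd +time=3 +tries=1)")
    classify "$nocd" "$withcd"
}

# Constructed sample dig header lines (no network) for the DNSSEC case.
SAMPLE_NOCD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'

# Offline demo on the constructed sample; returns the classification.
demo() {
    classify "$(dig_status "$SAMPLE_NOCD")" "$(dig_status "$SAMPLE_CD")"
}
```

Run check_domain against the router with and without DoT enabled to see which of the two classes a given SERVFAIL falls into before changing the roundrobin/ordered setting.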
  6. 000111

    000111 Senior Member

    Joined:
    Apr 1, 2014
    Messages:
    465
    Location:
    Florida
    Nice work!
     
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,237
    Location:
    Canada
    The growing pains of dealing with new technology... :)
     
  8. treboR2Robert

    treboR2Robert Occasional Visitor

    Joined:
    Aug 30, 2018
    Messages:
    36
    So for the time being,

    Using "ordered" is more secure and the better option ?

    Unless we want to visit nrsforu.com
     
  9. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    And think of all the fun with DoH (I enjoyed reading your posts/references in the other thread).
     
  10. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    Between a rock and a hard place....with ordered I believe any failure may not be retried, not only dnssec fails. This may be related to those that have intermittent problems when resolving known good sites.

    But in the end, it's basically going to come down to a choice of what's more important to you. If you have a site that you absolutely have to visit with a misconfigured dnssec, you're not going to be able to use dnssec until they fix it.
     
    Xentrk, Uncle_Gadget and jsbeddow like this.
  11. jeff288

    jeff288 Regular Contributor

    Joined:
    Nov 3, 2015
    Messages:
    154
    Location:
    KS, USA
    Is anyone else having issues with "bandwidth limiting" with the past few releases on N66U? I don't see anything unusual in my logs. It doesn't seem to work anymore, but does when I create a new entry with the same device, and then seems to stop again. One weird issue I recall lately when a guest was over was that something was eating all my bandwidth but no device showed up in the traffic page. I'll test some more to try to narrow this down. I've tried every new release for the past two years and didn't notice any issues with it until the past month and a half. I was kind of waiting for someone else to make a post so I can confirm, but since it's just me maybe it's my router being quirky. Other than that, I just use the basic features and everything's worked just wonderfully.
     
  12. blueshark

    blueshark Regular Contributor

    Joined:
    Jan 23, 2018
    Messages:
    78
    Update-37B4 with Cloudflare roundrobin
     
  13. fatspirit

    fatspirit Occasional Visitor

    Joined:
    Dec 26, 2017
    Messages:
    13
    What servers from DNS Filtering tab have DNSSec support?

    And I have a minor-priority cosmetic request. Is it possible to add a space after "Please wait,"?
     
    Last edited: Nov 10, 2018 at 6:50 AM
  14. Bob.Dig

    Bob.Dig Occasional Visitor

    Joined:
    Apr 9, 2017
    Messages:
    26
    Location:
    Germany
    Thank you, works like a charm, really had missed this feature.
     
    Last edited: Nov 10, 2018 at 2:13 PM
  15. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    Which DDNS service?
     
  16. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    600
    Location:
    Pennsylvania USA
    If you want to use DNS filtering with DoT use Clean Browsing Adult or Family in the DoT (Stubby) settings in WAN settings. Would not recommend using the DNS Filter area with DNSSEC.
     
  17. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    600
    Location:
    Pennsylvania USA
    Using https://www.nrsforu.com/ I got a Site Maintenance message. DoT ordered with DNSSEC Quad9, Quad9 Alt, Cloudflare Primary. Using 36EA and 384.7_2 with Stubby.
     
  18. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    Yes, they had the announcement up earlier today (I'm still running some tests and saw it)
     
  19. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    600
    Location:
    Pennsylvania USA
    Do you have dnssec-proxy in the dnsmasq.conf?
     
  20. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,777
    Location:
    United States
    No.....but I do have proxy-dnssec :)
    (when stubby is active)
     
    Last edited: Nov 10, 2018 at 11:53 PM
  21. Bob.Dig

    Bob.Dig Occasional Visitor

    Joined:
    Apr 9, 2017
    Messages:
    26
    Location:
    Germany
    Only tested since yesterday, but so far so good with dyndns (dyn.com).

    It would be nice if the whole WAN-IP check of the router (not only DDNS) could be made externally, but I guess that is much too complicated.
     
    Last edited: Nov 11, 2018 at 4:03 AM