[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

[RMerlin]

However, every time i reboot the router the DOT protocol stops working (though it remains enabled in web ui) but instead of the cloudflare's DNS my ISP's DNS shows on https://www.dnsleaktest.com/

Can't reproduce that here, works for me right away on a reboot. Make sure your NTP server is properly configured, and that you don't have any custom iptables/dnsmasq configuration that conflicts with DoT. You also might want to set DNS Privacy mode to Strict if it wasn't.

That transparent proxy probably just intercepts traffic on port 53. DNS over TLS avoids that by using port 853 instead. Until your ISP decides to block/redirect that port as well...

If possible, I would consider looking for another ISP who doesn't try so hard to monitor ALL of your traffic.

 

[Butterfly Bones]

https://cmdns.dev.dns-oarc.net/

is a pretty cool test site as well

This is what I get with the URL Chrome on Linux will not go on.
-----------------
Your connection is not private
Attackers might be trying to steal your information from cmdns.dev.dns-oarc.net (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_DATE_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy policy
cmdns.dev.dns-oarc.net normally uses encryption to protect your information. When Google Chrome tried to connect to cmdns.dev.dns-oarc.net this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be cmdns.dev.dns-oarc.net, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit cmdns.dev.dns-oarc.net right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

 

[RMerlin]

Thread cleaned up. Please focus folks.

 

[Swistheater]

Can't reproduce that here, works for me right away on a reboot. Make sure your NTP server is properly configured, and that you don't have any custom iptables/dnsmasq configuration that conflicts with DoT. You also might want to set DNS Privacy mode to Strict if it wasn't.

That transparent proxy probably just intercepts traffic on port 53. DNS over TLS avoids that by using port 853 instead. Until your ISP decides to block/redirect that port as well...

If possible, I would consider looking for another ISP who doesn't try so hard to monitor ALL of your traffic.

They fixed the.issue by turning on dns filter and putting global in router mode.

 

[Swistheater]

This is what I get with the URL Chrome on Linux will not go on.
-----------------
Your connection is not private
Attackers might be trying to steal your information from cmdns.dev.dns-oarc.net (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_DATE_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy policy
cmdns.dev.dns-oarc.net normally uses encryption to protect your information. When Google Chrome tried to connect to cmdns.dev.dns-oarc.net this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be cmdns.dev.dns-oarc.net, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit cmdns.dev.dns-oarc.net right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Yea I just checked and notice the host for the test allowed their cert to become invalid.

 

[dave14305]

Has anyone observed if DoT over port 853 is classified by QoS as Net control packets, like regular dns would be?

 

[bbunge]

RT-AC66U_B1, removed dnsmasq.conf.add then flashed alpha 3. Using Q9 resolvers with DNSSEC - no apparent issues after flash and a deliberate reboot. Download speed seems a bit slow tonight but that could be a neighborhood CenturyLink DSL issue. Not using IPV6. Pleased enough with this to consider moving from John's fork on my RT-AC68U`s.

Sent from my SM-T380 using Tapatalk

 

[jerry6]

loaded 284.11 alpha3 seems to be working well , hsave not touched the dns settingd]d , could someone point me to page with info on these settings , no idea which dns serve to choose or any advantage disadvantage of sny of the choices . will it interfere with the vpn client on my computer /

thanks .

 

[L&LD]

loaded 284.11 alpha3 seems to be working well , hsave not touched the dns settingd]d , could someone point me to page with info on these settings , no idea which dns serve to choose or any advantage disadvantage of sny of the choices . will it interfere with the vpn client on my computer /

thanks .

See the first post and you may want to ask in the other 384.11 Alpha thread to not derail this one's focus on DoT working or not.

 

[Swistheater]

loaded 284.11 alpha3 seems to be working well , hsave not touched the dns settingd]d , could someone point me to page with info on these settings , no idea which dns serve to choose or any advantage disadvantage of sny of the choices . will it interfere with the vpn client on my computer /

thanks .

Most people use cloudflare or quad 9. I have not seen anyone go super off the grid and use the development DOT servers.

 

[RMerlin]

Agreed, using the two Cloudflare servers is probably the safest bet right now.

Consider Quad9 only if you wish to benefit from their filtering capabilities (they block malicious domains).

 

[Milan]

alpha3 loaded on AC3200 using both Cloudflare servers and DNSSEC, working fine.

 

[Gingernut]

Forward local domain queries to upstream DNS option on WAN page defaults back to off when applied.

 

[dave14305]

Forward local domain queries to upstream DNS option on WAN page defaults back to off when applied.

But it works if you set it on the LAN DHCP server page, so I’m guessing it needs some cleanup so it’s not confusing in two different places in the GUI.

 

[themiron]

alpha3 loaded on AC3200 using both Cloudflare servers and DNSSEC, working fine.

fyi, as tured out earlier CF performs DNSSEC on its own, no need to enable it on router.
but might be useful with other DoT servers w/o "builtin" DNSSEC

 

[bbunge]

fyi, as tured out earlier CF performs DNSSEC on its own, no need to enable it on router.
but might be useful with other DoT servers w/o "builtin" DNSSEC

Ah, no. If you used one of the web DNSSEC tests they just prove that your chosen upstream resolvers can do DNSSEC. You must enable DNSSEC in your router!

Sent from my SM-T380 using Tapatalk

 

[bbunge]

With alpha 3 my iOS Dig test did not return the "ad" flag. Created dnsmasq.conf.add with proxy-dnssec and restarted dnsmasq. Now Dig gets the "ad" flag.

Request proxy-dnssec be included in the next build.
Thanks

Sent from my SM-T380 using Tapatalk

 

[bbunge]

Agreed, using the two Cloudflare servers is probably the safest bet right now.

Consider Quad9 only if you wish to benefit from their filtering capabilities (they block malicious domains).

Cleanbrowsing also works well and has three filtering options. Supports DNSSEC. Can be added manually to Merlin build.

Sent from my SM-T380 using Tapatalk

 

[Swistheater]

It would be nice to include options to use getdns features as well in stead of built in dnssec

 

[Swistheater]

Cleanbrowsing also works well and has three filtering options. Supports DNSSEC. Can be added manually to Merlin build.

Sent from my SM-T380 using Tapatalk

Cleanbrowsing is good when it doesnt act buggy