
[Preview] Asuswrt-Merlin 384.11 with DNS over TLS


Should include 0::1@53 in the listening addresses, otherwise it acts as a DNS64, and will not work without the presence of an IPV4 connection.
 
When I add the ipv6 addresses to the list, it does show they are being connected to on the Cloudflare help page.
 
I am able to get the router to sync time and show connected to the internet after a reboot with DNSSEC enabled. I added these lines to /jffs/configs/dnsmasq.conf.add
Code:
server=/pool.ntp.org/1.1.1.1
server=127.0.0.1#53
Using Cloudflare resolvers.
 
If you only put the ipv6 DOT servers on the list, the internet connection is lost, which I am assuming means it must not be listening on ipv6.
 
It looks like an ipv6 resolver is ignored if ipv6 isn’t enabled on the router. Is that true for your setup?

https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/services.c#L1930
Some IPV4 resolvers will do IPV6 as well as IPV4. You can add the IPV6 resolvers manually in the GUI. However, stubby.yml will need
Code:
listen_addresses:
  - 127.0.0.1@53
  - 0::1@53

and dnsmasq.conf.add will need
Code:
server=/pool.ntp.org/1.1.1.1
server=127.0.0.1#53
server=0::1#53
 
Some IPV4 resolvers will do IPV6 as well as IPV4. You can add the IPV6 resolvers manually in the GUI. However, stubby.yml will need
Code:
listen_addresses:
  - 127.0.0.1@53
  - 0::1@53

and dnsmasq.conf.add will need
Code:
server=/pool.ntp.org/1.1.1.1
server=127.0.0.1#53
server=0::1#53

The way it is set up now, if you add the ipv6 resolvers with the ipv4 ones and you have a proper dual stack, it behaves in a DNS64-style implementation where it communicates between both, but like you said, it will not actually include the resolvers as separate, so if you wanted to only resolve using ipv6 it wouldn't work.
 
Some IPV4 resolvers will do IPV6 as well as IPV4. You can add the IPV6 resolvers manually in the GUI. However, stubby.yml will need
Code:
listen_addresses:
  - 127.0.0.1@53
  - 0::1@53

and dnsmasq.conf.add will need
Code:
server=/pool.ntp.org/1.1.1.1
server=127.0.0.1#53
server=0::1#53
I’m saying when the firmware writes the stubby.yml, it won’t write an ipv6 upstream resolver from your GUI selection if ipv6 (native, passthru, 6to4, etc) isn’t enabled on the router, regardless of how dnsmasq or stubby is listening.
 
I’m saying when the firmware writes the stubby.yml, it won’t write an ipv6 upstream resolver from your GUI selection if ipv6 (native, passthru, 6to4, etc) isn’t enabled on the router, regardless of how dnsmasq or stubby is listening.
It isn't even doing it when it is enabled, so IPV6 native is showing enabled on mine and when I add only an IPV6 resolver and no IPV4 I get no IPV6 addresses added to the stubby.yml and it doesn't say it is listening there either, so safe to assume it isn't listing it at all.
 
It isn't even doing it when it is enabled, so IPV6 native is showing enabled on mine and when I add only an IPV6 resolver and no IPV4 I get no IPV6 addresses added to the stubby.yml and it doesn't say it is listening there either, so safe to assume it isn't listing it at all.
Ok, thanks for that confirmation. I don’t know that it matters whether stubby listens on ipv6 on the router, since only dnsmasq will send it requests locally, loopback to loopback.
 
Thanks.

Noticed that if I plug in any client and choose a filter other than Router or None DOT is then OFF according to the CF site. Any chosen server other than CF says DoT OFF. Wonder if that's bogus?
Any client you filter with a server other than the router will bypass DoT. That's why, when you tested it, it says DoT is off.
 
Some IPV4 resolvers will do IPV6 as well as IPV4. You can add the IPV6 resolvers manually in the GUI. However, stubby.yml will need
Code:
listen_addresses:
  - 127.0.0.1@53
  - 0::1@53
These addresses are already occupied by dnsmasq unless the default config (listening interface, binding, dns port) was changed by hand.

and dnsmasq.conf.add will need
Code:
server=/pool.ntp.org/1.1.1.1
server=127.0.0.1#53
server=0::1#53
Same, dnsmasq already listens on those addresses, no point in looping it into itself.

It isn't even doing it when it is enabled, so IPV6 native is showing enabled on mine and when I add only an IPV6 resolver and no IPV4 I get no IPV6 addresses added to the stubby.yml and it doesn't say it is listening there either, so safe to assume it isn't listing it at all.
Thanks for the report, ipv6 addresses were skipped due to a bug, fixed now.
 
AX88U dirty upgrade from alpha 1, Bandwidth monitor page doesn't show any speeds on the speedometer-looking gauges. Log shows "hour_monitor: dpi engine doesn't exist"
 
Seems to be the case from my experimentation, just don't know how to populate that client list. Stuff appears when it feels like it.

You can try clicking on "Refresh" on the networkmap, then wait about 2 minutes for things to stabilize. Until Asus fixes it, that's the best that can be done.
 
These addresses are already occupied by dnsmasq unless the default config (listening interface, binding, dns port) was changed by hand.

Same, dnsmasq already listens on those addresses, no point in looping it into itself.
I've been a Stubby tester for several months. While not a programmer I do a lot of "try it, if it doesn't work try something else." In this case the dnsmasq.conf.add recommended by skeal (which we used in our Stubby testing before - https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin) did not work for me. So, I tried something else and it worked. I really feel Stubby should not be listening on port 53 but something like port 5453 as we have done before. Let dnsmasq cache do its thing.
Edit: is it really a good idea to have dnsmasq and stubby listening on the same port?
 
I've been a Stubby tester for several months. While not a programmer I do a lot of "try it, if it doesn't work try something else." In this case the dnsmasq.conf.add recommended by skeal (which we used in our Stubby testing before - https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin) did not work for me. So, I tried something else and it worked. I really feel Stubby should not be listening on port 53 but something like port 5453 as we have done before. Let dnsmasq cache do its thing.
Edit: is it really a good idea to have dnsmasq and stubby listening on the same port?

Sure, it was done for a reason. Stubby must listen on the default dns port, the only usable port for the libc resolver. Since the addresses are different, there's nothing wrong with it.
 
Edit: is it really a good idea to have dnsmasq and stubby listening on the same port?

Why not? Different interfaces, so there is nothing wrong in reusing the same port. As mentioned, it allows for the built-in resolver to also interface with it, just by changing the interface IP.
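
The objections raised in the posts above (stubby's listen_addresses already being taken by dnsmasq, dnsmasq forwarding to an address it listens on itself, and port 53 being fine to share when the addresses differ) can be checked mechanically. This is an added example, not part of any post or of the firmware; the inputs are constructed from the snippets in the thread, and the list of sockets dnsmasq is bound to is an assumption supplied by the caller.

```python
import ipaddress

# Constructed inputs mirroring the snippets posted in the thread.
DNSMASQ_ADD = "server=/pool.ntp.org/1.1.1.1\nserver=127.0.0.1#53\nserver=0::1#53\n"
STUBBY_LISTEN = ["127.0.0.1@53", "0::1@53"]
# Assumption: the sockets dnsmasq itself is bound to on the router.
DNSMASQ_BOUND = ["127.0.0.1@53", "::1@53"]


def endpoint(text, sep):
    """Parse 'addr<sep>port' into (ip_address, port); the port defaults to 53."""
    addr, _, port = text.strip().partition(sep)
    return ipaddress.ip_address(addr), int(port or 53)


def lint(dnsmasq_add, stubby_listen, dnsmasq_bound):
    """Return (kind, detail) findings for a dnsmasq + stubby pairing."""
    bound = {endpoint(e, "@") for e in dnsmasq_bound}
    stubby = {endpoint(e, "@") for e in stubby_listen}
    # Same address and port claimed by both daemons (0::1 and ::1 compare equal).
    findings = [("collision", e) for e in stubby_listen if endpoint(e, "@") in bound]
    for raw in dnsmasq_add.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        domains = []
        if value.startswith("/"):           # server=/domain/.../target
            *domains, value = value.split("/")[1:]
        if value in ("", "#"):              # no explicit upstream address given
            continue
        target = endpoint(value.partition("@")[0], "#")
        if target in bound:
            # dnsmasq would be forwarding to its own listening socket.
            findings.append(("self-forward", line))
        elif target not in stubby:
            # This upstream is queried directly by dnsmasq, so stubby's TLS is not used.
            findings.append(("bypasses-stubby", ",".join(domains) or "all domains"))
    return findings
```

With stubby on a loopback address that dnsmasq does not hold (a hypothetical 127.0.1.1@53, for instance), only the pool.ntp.org entry is reported, since that domain is still sent to 1.1.1.1 as plain DNS.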
 
Why not? Different interfaces, so there is nothing wrong in reusing the same port. As mentioned, it allows for the built-in resolver to also interface with it, just by changing the interface IP.
Guess I do not see your point. Same port traffic parallels through while different ports daisy chains traffic into dnsmasq then stubby-getdns and reverse.
Can you give us a way to modify stubby.yml? There are settings I would like to change that are not covered in the gui.
 
Guess I do not see your point. Same port traffic parallels through while different ports daisy chains traffic into dnsmasq then stubby-getdns and reverse.
Can you give us a way to modify stubby.yml? There are settings I would like to change that are not covered in the gui.
He said that will be in a future release.
 