What's new

[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
What would be interesting is to add a Filter feature that would point DoT at certain devices using the DNS filter, but that is a little ambiguous at best.

well the global mode can always just be set to say for example Cloudflare and then individual predefined devices can be added to the list as ROUTER being their filter and DoT option turned on. This would do the same thing.
 
Last edited:
One possible workaround for DNSSEC issue is to disable (set to No) "Wan: Use local caching DNS server as system resolver" at Tools / Other settings page.

I get this after a reboot with DNSSEC enabled and the DNS server as system reolver disabled on a AC86U. I also noticed that you have to reboot the router not just apply button when changing the DNSSEC setting...

Debug Information
Connected to 1.1.1.1 No
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) Yes
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center YYZ

Connectivity to Resolver IP Addresses
1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 Yes
2606:4700:4700::1001 Yes
 
The problem might have been that I didn't have the DNSfilter global mode set to anything, just the individual kids devices in client list, while DoT was enabled.

I'll test again with global mode set to router.

Thx
Here's what I did with the chromecast that insist on using hardcoded DNS.
Set global to "no filtering" then I added chromecast to the client list with the router as the filtering DNS, it works. I haven't heard any complain yet from my children.:)
 
Here's what I did with the chromecast that insist on using hardcoded DNS.
Set global to "no filtering" then I added chromecast to the client list with the router as the filtering DNS, it works. I haven't heard any complain yet from my children.:)
I only get DoT if DNS filter is set to Global or No Filter. I don't have any clients selected. Not sure if that's correct. Server set for CF.
 
Last edited:
Does not seem to interfere with my unbound setup (which uses DoT), if I set "DNS Privacy Protocol" to "None" and manually set the time.

(ntp is not working; even after adding server=/pool.ntp.org/1.1.1.1 to /jffs/configs/dnsmasq.conf.add)

In case I decide to migrate to firmware DoT, how can I use the SPKI Fingerprint feature?

Is this a security feature? How do I determine the value for a DNS host?
 
I only get DoT if DNS filter is set to Global or No Filter. I don't have any clients selected. Not sure if that's correct. Server set for CF.
Do not use DNSfilter if you do not need to force clients to the filter you want. DNSfilter Global will override your WAN DNS.
 
Do not use DNSfilter if you do not need to force clients to the filter you want. DNSfilter Global will override your WAN DNS.
Thanks.

Noticed that if I plug in any client and choose a filter other than Router or None DOT is then OFF according to the CF site. Any chosen server other than CF says DoT OFF. Wonder if that's bogus?
 
Not sure which models you guys are running but my 86U acts a little different.

DNSfilter works now so that's out of the way, solved it setting global mode to router.

Got DoT enabled with the two Cloudfair DNS servers.

Got Google servers set as my DHCP DNS servers.

When I do a DNS leak test it says I'm using Google's servers, not sure why.

Screenshot_2019-04-15-21-21-11-733_com.android.chrome.jpg



One observation while testing different configurations was that the Forward local domain queries to upstream DNS option won't stay enabled after applying.
 
Not sure which models you guys are running but my 86U acts a little different.

DNSfilter works now so that's out of the way, solved it setting global mode to router.

Got DoT enabled with the two Cloudfair DNS servers.

Got Google servers set as my DHCP DNS servers.

When I do a DNS leak test it says I'm using Google's servers, not sure why.

View attachment 17069


One observation while testing different configurations was that the Forward local domain queries to upstream DNS option won't stay enabled after applying.
I normally leave DHCP servers blank, is that wrong? Not sure when I'd use it.
 
I normally leave DHCP servers blank, is that wrong? Not sure when I'd use it.

No, but then your clients use your ISP DNS servers by default.

I need to use DNS filtering for kid control.

So we can't use DoT if that's the case even it global option is set to no filtering?
 
In case I decide to migrate to firmware DoT, how can I use the SPKI Fingerprint feature?

Some servers require you to specify the SPKI fingerprint, others don't. It depends on your upstream server.
 
Update my AX88U tonight. All good. I previously had Stubby and ntpMerlin installed which I removed before I loaded this alpha.

My VPN server is working OK too. And I didn't need to add 'server=/pool.ntp.org/1.1.1.1' either. Router boots with full Internet from cold/completed power off.

Cloudflare DNS Checker confirms DoT enabled as does a couple of other sites.
 
Some servers require you to specify the SPKI fingerprint, others don't. It depends on your upstream server.
I'm using Cloudflare DNS (1.1.1.1).

I was hoping one could add a fingerprint here (published by the DNS provider) and the DNS software would then verify that the fingerprint of the certificate that your configured DNS server is using matches that fingerprint, but that's not how it works? (Or it is, but only some support this?)
 
Not sure which models you guys are running but my 86U acts a little different.

DNSfilter works now so that's out of the way, solved it setting global mode to router.

Got DoT enabled with the two Cloudfair DNS servers.

Got Google servers set as my DHCP DNS servers.

When I do a DNS leak test it says I'm using Google's servers, not sure why.

View attachment 17069


One observation while testing different configurations was that the Forward local domain queries to upstream DNS option won't stay enabled after applying.
When DNSFilter is set to Router, and LAN DHCP DNS Server 1 is not empty, DNSFilter enforces all the clients' DNS traffic to LAN DHCP DNS server 1. So erase the LAN DHCP DNS servers and then Router mode will force all DNS traffic to the router LAN IP (i.e. dnsmasq) which will forward requests to Stubby which will forward to your selected DoT servers.
 
I was hoping one could add a fingerprint here (published by the DNS provider) and the DNS software would then verify that the fingerprint of the certificate that your configured DNS server is using matches that fingerprint, but that's not how it works? (Or it is, but only some support this?)

The SPKI field is there, feel free to provide it if you want. Cloudflare simply didn't provide one in the stubby example configuration, that's why that field doesn't get prefilled when using the Cloudflare presets.
 
Any feedback on the webui implementation? Does it look intuitive to use in its current form?
 
Update my AX88U tonight. All good. I previously had Stubby and ntpMerlin installed which I removed before I loaded this alpha.

My VPN server is working OK too. And I didn't need to add 'server=/pool.ntp.org/1.1.1.1' either. Router boots with full Internet from cold/completed power off.

Cloudflare DNS Checker confirms DoT enabled as does a couple of other sites.
Do you have DNSSEC enabled? If not enable it and try a reboot.

Sent from my SM-T380 using Tapatalk
 
Do you have DNSSEC enabled? If not enable it and try a reboot.

Sent from my SM-T380 using Tapatalk

Until a fixed build is released, it's better for people to keep DNSSEC disabled for now, unless they are familiar enough to manually implement the dnsmasq workaround.
 
Status
Not open for further replies.

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top