SMS786
Senior Member
How does one access this debug info?
DNScrypt dnscrypt installer for asuswrt
- Thread starter bigeyes0x0
- Start date
-
- Tags
- dnscrypt
How does one access this debug info?
pattiri
Senior Member
Zastoff
Very Senior Member
I added my vpn providers 2 dns servers that support dnscrypt v2 to the dnscrypt-proxy.toml (ovpn.com)
A couple of days ago i also added 1.1.1.1 for testing DoH but get:Using DNS over HTTPS (DoH) NO
Rechecked settings but could not see anything wierd
So removed it again..
A couple of days ago i also added 1.1.1.1 for testing DoH but get:Using DNS over HTTPS (DoH) NO
Rechecked settings but could not see anything wierd
So removed it again..
Last edited:
skeal
Part of the Furniture
This debug doesn't work for me.
DNSleaktest shows no leaks
Config I'm sure is like described
Cannot figure this out
Last edited:
skeal
Part of the Furniture
Resolved: I turned off dnssec and rebind protection. The test works!
skeal
Part of the Furniture
Thank you for the great tutorial!!
Test: DNS server, DNSSEC and WebRTC
01. DNSSEC validation by dnsmasq Test: (need the firmware v384.6 or Newer for test)
02. DNS Spoofability and DNS Entrophy Test:
03. DNS Leak Test:
04. DNSSEC Test:
05. WebRTC Leak Test:
01. DNSSEC validation by dnsmasq Test: (need the firmware v384.6 or Newer for test)
LAN -> DHCP Server:
(and if this message appears or in Network Map -> Internet status shows Disconnected or the internet not work, it means that your DNS server does not have full suppport with DNSSEC)
- Enable DNSSEC support: Yes
- Enable DNS Rebind protection: Yes
- After Enable both, you have to Apply.
- Now you have to do this Test: https://rootcanary.org/test.html
Code:
Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?02. DNS Spoofability and DNS Entrophy Test:
- https://www.grc.com/dns/dns.htm (scroll down and click on "Initiate Standard DNS Spoofability Test")
- https://www.dns-oarc.net/oarc/services/dnsentropy
03. DNS Leak Test:
- https://www.dnsleaktest.com/ (use Extended test)
- https://ipleak.net/
04. DNSSEC Test:
05. WebRTC Leak Test:
Last edited:
Twiglets
Senior Member
I think cloudflare is being unfairly targetted !!!
I am using RMerlin V384.6 (have previously used V384.5 & V384.6 Beta 1).
I have DNSSEC validation on and use cloudflare and it has/does work fine. !!!???
I have run the 'DNSSEC Tests' as above and they validate OK.
I have IPv6 disabled as I do not need it and my ISP does not officially support it (although it does work).
Last edited:
skeal
Part of the Furniture
This is totally awesome!For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code:Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC? Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC? Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC? Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
If you restart the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, the internet does not work. That happens because:
I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.
I also recommend this:
01. LAN -> DHCP Server:
- Enable DNSSEC support: Yes
- Enable DNS Rebind protection: Yes
02. WAN:
- Connect to DNS Server automatically: No
- DNS Server1: 8.8.8.8 (because this DNS server has full support with DNSSEC)
- DNS Server2: 8.8.4.4 (because this DNS server has full support with DNSSEC)
03. Administration -> System:
- Use an IP address for the NTP server instead of the domain name as @snakebite3 recommends and teaches, Example:
04. In DNSCrypt v2 these are the only DNS servers that support DoH and two of them (aaflalo-me and cloudflare) do not have full support with DNSSEC for now, I recommend using another DNS server than these two. (I tested one by one with DNSSEC enabled, the DNS servers that had less than 200 ping and works without problems)
05. When you install DNSCrypt and select a DNS server Manually, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use: 8.8.8.8 (Full support with DNSSEC) [Do not use 1.1.1.1]
06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
Thanks to @RMerlin @snakebite3 @pattiri and @XIII
owine
Regular Contributor
Is anyone in contact with Cloudflare to help fix this? They claim to support DNSSEC so I would think they would have interest in ironing this out.
Has anyone tried without DNScrypt in the middle to isolate the issue?
I’d investigate, but can only reach CF via IPv6 which introduces a whole host of caveats to troubleshooting.
Has anyone tried without DNScrypt in the middle to isolate the issue?
I’d investigate, but can only reach CF via IPv6 which introduces a whole host of caveats to troubleshooting.
Twiglets
Senior Member
There is NO problem with cloudflare !!!
Treadler
Very Senior Member
There is NO problem with cloudflare !!!
With DNSSEC & DNS rebind protection both turned on, I had random problems with only some sites being unreachable. Not many, just some.
Both with, & without dnscrypt.
Removed dnscrypt, replaced Cloudflare with Quad9 & all is fixed. (DNSSEC & dns rebind protection still turned on).
Any recommended NON LOGGING DNS servers other than Google?For people who use Cloudflare DNS in DNSCrypt or in the Router and also have DNSSEC enabled in the Router, from version 384.6 or Newer, this message will appear in log:
Code:Jul 28 20:21:49 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC? Jul 28 20:22:13 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC? Jul 28 20:22:17 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC? Jul 28 20:22:22 dnsmasq[13607]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
If you restart the router using Cloudflare DNS in DNSCrypt and also have DNSSEC enabled, the internet does not work. That happens because:
I recommend that you stop using Cloudflare DNS on the router and on DNSCrypt for now (maybe in the future they fix it), this DNS server does not have full support with DNSSEC.
I also recommend this:
01. LAN -> DHCP Server:
- Enable DNSSEC support: Yes
- Enable DNS Rebind protection: Yes
02. WAN:
- Connect to DNS Server automatically: No
- DNS Server1: 8.8.8.8 (because this DNS server has full support with DNSSEC)
- DNS Server2: 8.8.4.4 (because this DNS server has full support with DNSSEC)
03. Administration -> System:
- Use an IP address for the NTP server instead of the domain name as @snakebite3 recommends and teaches, Example:
04. In DNSCrypt v2 these are the only DNS servers that support DoH and two of them (aaflalo-me and cloudflare) do not have full support with DNSSEC for now, I recommend using another DNS server than these two. (I tested one by one with DNSSEC enabled, the DNS servers that had less than 200 ping and works without problems)
05. When you install DNSCrypt and select a DNS server Manually, after will ask you for a DNS server for initializing dnscrypt-proxy and router services, use: 8.8.8.8 (Full support with DNSSEC) [Do not use 1.1.1.1]
06. Set timezone in DNSCrypt, after you have finished selecting the DNS server:
Thanks to @RMerlin @snakebite3 @pattiri and @XIII
Twiglets
Senior Member
There is not a reproducible problem with cloudflare that *everyone* can replicate AFAIK.
I am simply countering the 'cloudflare is broken ..... do not touch' message, of late, which is unfair as not everyone is having a problem.
I would suggest 1st try it (cloudflare) and see if there is a problem for you !!!
I am sure I am not the only one who is not having any issues using cloudflare.
I just feel it is a bit quick to tell everyone to avoid cloudflare when it might be a local problem or something else all together.
(Note: You are in Australia and I am in the UK, so different points of access to cloudflare and most other DNS providers, so not dealing with like for like.)
Treadler
Very Senior Member
I agree.
I would rather use Cloudflare, where I am it is the fastest public DNS, but due to the issues I had, I have to use the somewhat slower Quad9.
Quad9 working perfectly!
Seems I can’t have Quad9 & dnscrypt together though? Pity.....
Ping time alone isn't decisive to be fastest DNS.
Cloudflare seems to have one or two more tricks than Google.
Interested people may take a look at my earlier blog post: Cloudflare vs Google
Cloudflare seems to have one or two more tricks than Google.
Interested people may take a look at my earlier blog post: Cloudflare vs Google
Similar threads
Similar threads
Similar threads
-
DNScrypt Dnscrypt Proxy Installer For Asuswrt-Merlin late 2023 Releases
- Started by SomeWhereOverTheRainBow
- Replies: 8
-
-
-
Scribe scribe 3.x_y - syslog-ng and logrotate installer- Started by cmkelley
- Replies: 190
-
scMerlin scMerlin 2.5.1 - Service and script control menu for Asuswrt-Merlin, March 13, 2024- Started by thelonelycoder
- Replies: 34
-
uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers- Started by JGrana
- Replies: 29
-
Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian
- Started by JGrana
- Replies: 1
-
AdGuardHome Help for beginner with AdGuardHome Asuswrt-Merlin- Started by fanasus
- Replies: 26
-
Scribe Asuswrt-Merlin 388.2 is now available for select models
- Started by Weblee2407
- Replies: 10