Encrypt DNS

DD-WRT Forum Index -> Advanced Networking
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Sat Aug 28, 2021 22:20
yep, DDWRT NTP has hard-coded NTP addresses, no idea if they are IPs or resolving names...if those are names you'd need working DNS...
try it, in the past if I didn't put DNS in static DNS
DNScrypt v1.xx was not working...it's been a while since I used it and moved to v2 from the green link...
if you put something in no-resolv server= then those will be used by dnsmasq...I haven't tried leaving static DNS blank, will do a test tomorrow

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

Posted: Sat Aug 28, 2021 23:18
I had a wonderfully-written comment to go here, but I better not.

https://svn.dd-wrt.com/browser/src/router/rc/ntp.c#L96

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

Posted: Sun Aug 29, 2021 0:07
I even rebooted my main router when you asked--
RainGater wrote:
If you leave blank, where does it get the IP for NTP to sync time?

'cause there's so much junk in the logs since I installed this build I couldn't find anything, even in '/var/log/messages.0'
...got tons of DHCP renews & WiFi connects. Anyways I retrieved this from the log after reboot and then thought WTH, it ain't too hard to figure iffin someone really looks, but then on the other hand KP posted the code crap and I still had this bit so I thought I would just throw it out there also

Code:
mrjcd@Fat-Deb:~$ ssh root@citadel-station-homeworld.mrjcd.com
DD-WRT v3.0-r47266 std (c) 2021 NewMedia-NET GmbH
Release: 08/28/21
Board: Linksys EA8500
==========================================================
 
     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/
                                                     
                       DD-WRT v3.0
                   https://www.dd-wrt.com


==========================================================


BusyBox v1.33.1 (2021-08-28 02:27:15 +07) built-in shell (ash)

root@Citadel-Station-Homeworld:~# cat /tmp/var/log/messages
|
|
Dec 31 18:00:41 Citadel-Station-Homeworld kern.info kernel: [   41.513283] br1: port 1(wlan0.1) entered learning state
Dec 31 18:00:42 Citadel-Station-Homeworld daemon.err ntpclient[4157]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 18:00:42 Citadel-Station-Homeworld daemon.err ntpclient[4157]: Failed resolving server 2.pool.ntp.org: Network is down
Dec 31 18:00:42 Citadel-Station-Homeworld daemon.notice ntpclient[4157]: Network up, resolved address to hostname 212.18.3.19
Dec 31 18:00:42 Citadel-Station-Homeworld daemon.debug ntpclient[4157]: Connecting to 212.18.3.19 [212.18.3.19] ...
Aug 28 16:25:57 Citadel-Station-Homeworld daemon.info ntpclient[4157]: Time set from 212.18.3.19 [212.18.3.19].
Aug 28 16:25:57 Citadel-Station-Homeworld daemon.info process_monitor[4153]: cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
|
|
Aug 28 16:25:57 Citadel-Station-Homeworld kern.info kernel: [   42.999276] IMQ driver unloaded successfully.
Aug 28 16:25:57 Citadel-Station-Homeworld daemon.info unbound: [2908:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Aug 28 16:25:58 Citadel-Station-Homeworld user.info : vpn modules : vpn modules successfully unloaded
Aug 28 16:25:58 Citadel-Station-Homeworld user.info : vpn modules : nf_conntrack_proto_gre successfully loaded
Aug 28 16:25:58 Citadel-Station-Homeworld user.info : vpn modules : nf_nat_proto_gre successfully loaded
Aug 28 16:25:58 Citadel-Station-Homeworld user.info : vpn modules : nf_conntrack_pptp successfully loaded
Aug 28 16:25:58 Citadel-Station-Homeworld user.info : vpn modules : nf_nat_pptp successfully loaded
Aug 28 16:25:59 Citadel-Station-Homeworld user.info : sfe : shortcut forwarding engine successfully stopped
Aug 28 16:25:59 Citadel-Station-Homeworld kern.info kernel: [   45.180557] IMQ: use 2 as queue number
Aug 28 16:25:59 Citadel-Station-Homeworld kern.info kernel: [   45.189528] IMQ driver loaded successfully. (numdevs = 16, numqueues = 2, imq_dev_accurate_stats = 1)
Aug 28 16:25:59 Citadel-Station-Homeworld kern.info kernel: [   45.189555]    Hooking IMQ after NAT on PREROUTING.
Aug 28 16:25:59 Citadel-Station-Homeworld kern.info kernel: [   45.197719]    Hooking IMQ before NAT on POSTROUTING.
Aug 28 16:26:00 Citadel-Station-Homeworld daemon.debug process_monitor[4153]: Restarting cron (time sync change)
Aug 28 16:26:00 Citadel-Station-Homeworld user.info : cron : daemon successfully stopped
|
|
Aug 28 16:26:00 Citadel-Station-Homeworld daemon.debug process_monitor[4153]: Restarting unbound (time sync change)
Aug 28 16:26:00 Citadel-Station-Homeworld cron.info cron[5662]: (CRON) STARTUP (fork ok)
Aug 28 16:26:00 Citadel-Station-Homeworld user.info : unbound : daemon successfully stopped
Aug 28 16:26:00 Citadel-Station-Homeworld daemon.info unbound: [2908:0] info: service stopped (unbound 1.13.1).
|
|
Aug 28 16:26:00 Citadel-Station-Homeworld daemon.info unbound: [5709:0] info: start of service (unbound 1.13.1).
|
|
root@Citadel-Station-Homeworld:~#
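As an added example (not from mrjcd's post or from DD-WRT), a small POSIX shell check that reads syslog lines in the shape posted above and reports whether boot-time NTP sync used a name that resolved, a literal-IP server entry after name resolution had failed (the hard-coded fallback this thread is about), a literal IP with no failures, or no sync at all. The sample lines are constructed in the format of the log above, with a shortened hostname.

```shell
#!/bin/sh
# Added example, not from the thread. Classify how ntpclient got its time from
# DD-WRT syslog lines. Prints one word:
#   fallback - name resolution failed, time was set from a literal-IP server entry
#   ip       - time was set from a literal IP and nothing failed (user-set IP)
#   dns      - time was set from a server given by name
#   none     - no "Time set from" line seen
# On a router: ntp_sync_path < /tmp/var/log/messages
ntp_sync_path() {
    awk '
        / ntpclient\[[0-9]+\]: Failed resolving / { fails++ }
        / ntpclient\[[0-9]+\]: Time set from / {
            # "... Time set from 212.18.3.19 [212.18.3.19]." : $(NF-1) is the
            # server as configured, $NF is the resolved address in brackets
            name = $(NF-1)
            set = 1
        }
        END {
            if (!set) { print "none"; exit }
            if (name ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && fails > 0) print "fallback"
            else if (name ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print "ip"
            else print "dns"
        }'
}

# Constructed sample in the shape of the posted log (hostname shortened to "rtr").
SAMPLE_LOG='Dec 31 18:00:42 rtr daemon.err ntpclient[4157]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 18:00:42 rtr daemon.err ntpclient[4157]: Failed resolving server 2.pool.ntp.org: Network is down
Dec 31 18:00:42 rtr daemon.notice ntpclient[4157]: Network up, resolved address to hostname 212.18.3.19
Aug 28 16:25:57 rtr daemon.info ntpclient[4157]: Time set from 212.18.3.19 [212.18.3.19].
Aug 28 16:25:57 rtr daemon.info process_monitor[4153]: cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)'

printf '%s\n' "$SAMPLE_LOG" | ntp_sync_path   # prints: fallback
```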
RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

Posted: Sun Aug 29, 2021 1:28
kernel-panic69 wrote:
I had a wonderfully-written comment to go here, but I better not.

https://svn.dd-wrt.com/browser/src/router/rc/ntp.c#L96

Very nice! That solves the mystery.

Code:

servers = nvram_safe_get("ntp_server");

if (*servers == 0 || nvram_matchi("dns_crypt", 1)) {
   servers = "2.pool.ntp.org 212.18.3.19 88.99.174.22";
}

In my case, I have it setup like this:

root@AC87U:~# nvram get ntp_server
216.239.35.4


So, contrary to popular belief, ntp server name can be left blank. Thanks again for the clarification.

_________________
Netgear R7800 [DD-WRT]; ASUS RT-87U [DD-WRT]; ASUS RT-AC68U [FreshTomato]
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Sun Aug 29, 2021 8:38
was kindly explained...here

SurprisedItWorks wrote:
RainGater wrote:
mrjcd wrote:
DD-WRT builtin NTP will revert to IP addy to sync time ... that is if you leave:
Time Settings >> Server IP/Name 'blank'

If you leave blank, where does it get the IP for NTP to sync time?

There are numerical IP addresses of NTP servers hardwired into dd-wrt. You don't need DNS to get time. Just leave the time-server field empty.


But, you also kept asking about the static DNS boxes, as well as the NTP time box...to not complicate things I said to use an IP, as I always use that Google time NTP IP.... this saves you the hassle if something goes wrong with the hard-coded DDWRT NTP time servers' IPs/names...which gets messy sometimes...and this is a fact...

RainGater
DD-WRT User


Joined: 07 Apr 2016
Posts: 160

Posted: Sun Aug 29, 2021 17:20
Alozaros wrote:
was kindly explained...here

But, you also kept asking about the static DNS boxes, as well as the NTP time box...to not complicate things I said to use an IP, as I always use that Google time NTP IP.... this saves you the hassle if something goes wrong with the hard-coded DDWRT NTP time servers' IPs/names...which gets messy sometimes...and this is a fact...

Of course, it was explained after posting this thread. You, OTOH, were adamant in saying that without a valid IP for NTP, DNSCrypt will not work, which is not the case as it's hardwired by default in DDWRT.

And, I asked about Static DNS IPs as you kept saying that without a valid IP, the boot-up operations will not work. If you have the no-resolv flag set up, then it doesn't matter what you put in static DNS 1/2/3 as it's not used. That's what I was asking all along and no concrete answer from anyone.

Anyways, the best way to find out about all these settings is by trial and error, which is what I was trying to avoid as I figured the *gurus* out here will know more about these things as they may have been using it all along. I got some useful info on this thread and will start my learning process as time passes by.

Thanks everyone for your contribution and much appreciate it.



Last edited by RainGater on Sun Aug 29, 2021 22:45; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

Posted: Sun Aug 29, 2021 19:23
And this is what I was replying to:
Alozaros wrote:
yep, DDWRT NTP has hard-coded NTP addresses, no idea if they are IPs or resolving names...if those are names you'd need working DNS...

Just in case that was a "mystery" to anyone.

johnnyNobody999
DD-WRT Guru


Joined: 10 Jan 2014
Posts: 504

Posted: Sun Sep 26, 2021 23:11
I run dnscrypt-proxy2 from entware. Can anyone explain why dnsleak.com shows only 2 servers answering and sometimes 7? The number of servers answering varies between 2 and 7. Are dnscrypt servers that unreliable?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Mon Sep 27, 2021 6:49
it's normal, some are faster than others…and not always all are queried at the same time, depends on round-robins
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

Posted: Wed Sep 29, 2021 15:57
Aside from MITM attack prevention, is there much benefit to encrypting DNS? SNI is not encrypted and even if you use the Firefox browser to enable ESNI (Encrypted SNI), the "Hello" part reveals domain names you query. ISPs and MITM can see those domains. Firefox and Cloudflare are working on ECH (Encrypted Hello), but it is going to take a long time before it gains popularity.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Wed Sep 29, 2021 18:20
well, hello is only to negotiate the server security / cipher suites and then the ongoing stuff is encrypted...so, no sensitive data there...but, yep ISP can see the DNS you use or sites you have that hello to and that's all...so, all DNS requests are encrypted...but, then again hello is funny...
By the way I use TLS 1.3 only where ECH is supported, whether layer 7 or layer 3, also FFx uses DoH and ECH is supported too, as long as the other side supports it..

https://blog.cloudflare.com/encrypted-client-hello/

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

Posted: Wed Sep 29, 2021 20:39
How do you test whether Encrypted Hello (ECH) works? Which servers support it?

Firefox removed support for ESNI from 90.X ESR and non-ESR versions. Only Firefox ESR 78.X supports ESNI. It was so strange that they disabled it, but there was no way to use it when DoH was not enabled in Firefox but was enabled system-wide via a local DNS server or DNS proxy installed on the device. You were forced to enable DoH via Firefox to pass the Cloudflare ESNI test. That made it difficult to monitor and prevented the Windows hosts file from being applied.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Thu Sep 30, 2021 7:03
yep, that is true about the DNS block list not being applied...via (layer 7 DNS)
you can clearly see the results via Wireshark, tcpdump... hello is not encrypted, I'm using 9.9.9.9 via FFx (layer 7 DNS)...but then again it carries key exchange and cipher negotiation...only...

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

Posted: Sat Oct 02, 2021 20:24
How can I use my local DNS server isolated from WAN, but filter out traffic made by the router itself when it calls home?

If I force every local client to use DoH via my local DNS server (via static settings and/or DHCP), the router itself will not use local DNS server and will send plaintext queries to manufacturer. The only way to filter that router traffic is to set local DNS server to also be a WAN DNS server and use local DNS server private IP as WAN DNS server IP.

Doesn't that expose my local DNS server to WAN, making it a public DNS server? I don't host any services, have no open ports, and have strict NAT rules, but once in a while I see my ISP try to use my network to resolve Google or ISP DNS domains, both of which I have black-holed because both are major privacy violators. I also get DoS/DDoS once in a while; my local DNS server appears to be the target.

I can set 127.0.0.1 to be my WAN DNS address, which forces router manufacturer home calling to use loopback interface and receive REFUSED responses to all of its queries. It doesn't affect LAN client DNS resolution. I can also set local DNS server service to deny packets from router itself, which results in "Timed out" response.

I don't know what the best solution is...

Why is WAN DNS even necessary? Any client can override WAN DNS. Let's say there are no clients, no router manufacturer home calling, just a residential router trying to obtain public IP over WAN. Is WAN DNS needed just to resolve ISP domain for the IP that router acquires?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Sun Oct 03, 2021 3:47
MonarchX wrote:
How can I use my local DNS server isolated from WAN, but filter out traffic made by the router itself when it calls home?

If I force every local client to use DoH via my local DNS server (via static settings and/or DHCP), the router itself will not use local DNS server and will send plaintext queries to manufacturer. The only way to filter that router traffic is to set local DNS server to also be a WAN DNS server and use local DNS server private IP as WAN DNS server IP.

Doesn't that expose my local DNS server to WAN, making it a public DNS server? I don't host any services, have no open ports, and have strict NAT rules, but once in a while I see my ISP try to use my network to resolve Google or ISP DNS domains, both of which I have black-holed because both are major privacy violators. I also get DoS/DDoS once in a while; my local DNS server appears to be the target.

I can set 127.0.0.1 to be my WAN DNS address, which forces router manufacturer home calling to use loopback interface and receive REFUSED responses to all of its queries. It doesn't affect LAN client DNS resolution. I can also set local DNS server service to deny packets from router itself, which results in "Timed out" response.

I don't know what the best solution is...

Why is WAN DNS even necessary? Any client can override WAN DNS. Let's say there are no clients, no router manufacturer home calling, just a residential router trying to obtain public IP over WAN. Is WAN DNS needed just to resolve ISP domain for the IP that router acquires?


I would really like to help you, but I don't know, if it's just me, but you use a strange way to explain things...like the terminology, and there I lose the connection to what it's all about..

1. First lets start with router model/current firmware number...

MonarchX wrote:
How can I use my local DNS server isolated from WAN, but filter out traffic made by the router itself when it calls home?


so, you want your router to not make DNS requests over the WAN at all and run only local DNS for the LAN, or you want to ignore the WAN DNS and use the DNS you have specified either in the x3 boxes or DNSmasq ... in that case use the ignore WAN DNS setting, and forced DNS, or in DNSmasq no-resolv and server=9.9.9.9 or any other server..


MonarchX wrote:
If I force every local client to use DoH via my local DNS server (via static settings and/or DHCP), the router itself will not use local DNS server and will send plaintext queries to manufacturer. The only way to filter that router traffic is to set local DNS server to also be a WAN DNS server and use local DNS server private IP as WAN DNS server IP.


2. Give us more details about your settings as it's unclear what it's all about

What do you run for DoH, how did you set it up, how do you test it...it seems there is something wrong there...

This line is not clear to me, what do you mean 'manufacturer'

'the router itself will not use local DNS server and will send plaintext queries to manufacturer'

MonarchX wrote:
but once in a while I see my ISP try to use my network to resolve Google or ISP DNS domains, both of which I have black-holed because both are major privacy violator. I also get DoS/DDoS once in a while my local DNS server appears to be the target.


3. As we don't know your setup and there is clearly something wrong with it...how do you test that and capture those...as this is not normal...what do you have in DNSmasq advanced config...

MonarchX wrote:
'I also get DoS/DDoS once in a while my local DNS server appears to be the target.'


4. more details needed any logs will be useful

MonarchX wrote:
I can set 127.0.0.1 to be my WAN DNS address, which forces router manufacturer home calling to use loopback interface and receive REFUSED responses to all of its queries. It doesn't affect LAN client DNS resolution. I can also set local DNS server service to deny packets from router itself, which results in "Timed out" response.


5. please elaborate 'router manufacturer' - I clearly do not know what you mean, do you mean clients that use their baked-in (hard-coded) DNS?

In general a stub resolver like Stubby for DNS over TLS works on the loopback interface 127.0.0.1 on a specified port and refuses all normal DNS requests via port 53 tcp/udp, do you have a stub resolver...(google it)

MonarchX wrote:
Why is WAN DNS even necessary? Any client can override WAN DNS. Let's say there are no clients, no router manufacturer home calling, just a residential router trying to obtain public IP over WAN. Is WAN DNS needed just to resolve ISP domain for the IP that router acquires?


6. DDWRT firmware uses DNSmasq for DNS/DHCP, which is the backbone of DDWRT; do you know how DNSmasq operates? There is a lot of useful info and settings
https://en.wikipedia.org/wiki/Dnsmasq
https://thekelleys.org.uk/dnsmasq/doc.html

7. The best and most secure way to use DNS is via either a stub resolver (DoH or DoT) or DNScrypt; they both operate in conjunction with DNSmasq.

For us to be able to help you, we need to know a lot more details about your current setup, as well as router settings (pictures) etc., you can hide the sensitive data. There is clearly something odd in your DNS setup, but things are clouded...

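Added example, not from the thread or from DD-WRT: a POSIX shell audit of a dnsmasq config that checks the two things discussed above, RainGater's point that with no-resolv the static DNS 1/2/3 and WAN resolvers are not used, and Alozaros' point that a stub resolver (Stubby, DNSCrypt) sits on loopback and dnsmasq should forward only to it. The stub port 5453 and both sample configs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Without no-resolv, dnsmasq forwards to the
# resolvers in /etc/resolv.conf (static DNS 1/2/3 or WAN-supplied) as well as to
# server= lines; with it, only server= lines count. A DoT/DoH/DNSCrypt setup should
# therefore pair no-resolv with server= entries that all point at the loopback stub.

# True when a bare no-resolv directive is present (comment lines are ignored).
has_no_resolv() {
    grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$1"
}

# Print every server= upstream that is not a loopback address. Understands
# server=addr, server=addr#port, server=addr@iface and server=/domain/addr;
# server=/domain/ with no address (local-only domain) is not an upstream.
non_loopback_servers() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*server=/ {
            v = $0
            sub(/^[[:space:]]*server=/, "", v)
            if (v ~ /^\//) { n = split(v, p, "/"); v = p[n] }   # drop /domain/ prefix
            sub(/#.*$/, "", v)                                   # drop #port
            sub(/@.*$/, "", v)                                   # drop @interface
            if (v == "") next
            if (v !~ /^127\./ && v != "::1") print v
        }' "$1"
}

# Exit 0 when resolv.conf is ignored and every upstream is loopback, 1 otherwise.
audit_dnsmasq() {
    rc=0
    if ! has_no_resolv "$1"; then
        echo "WARN: no-resolv missing, /etc/resolv.conf resolvers are also used as upstreams"
        rc=1
    fi
    leaks=$(non_loopback_servers "$1")
    if [ -n "$leaks" ]; then
        echo "WARN: plaintext upstream(s) bypass the local stub resolver:"
        printf '  %s\n' $leaks
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not from any router in the thread).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
domain-needed
bogus-priv
server=9.9.9.9
server=/lan/
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# all queries go to the stub resolver on loopback (port 5453 assumed); resolv.conf ignored
no-resolv
server=127.0.0.1#5453
server=::1#5453
server=/lan/
EOF

echo "== weak ==";     audit_dnsmasq "$WEAK_CONF" || echo "result: leaks past the stub"
echo "== hardened =="; audit_dnsmasq "$HARDENED_CONF" && echo "result: loopback upstreams only"
```

On a DD-WRT box the same functions can be pointed at the generated config (`audit_dnsmasq /tmp/dnsmasq.conf`, path assumed) after changing the DNSmasq additional options.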