DNSMasq issues DNSSEC Insecure DS warning on Build 41586

dragonC
DD-WRT User


Joined: 23 May 2015
Posts: 272

Posted: Mon Nov 25, 2019 0:14    Post subject: DNSMasq issues DNSSEC Insecure DS warning on Build 41586
Seeing a lot of these on syslog on Build 41586. Not sure if they were there in earlier builds - just noticed them now:

daemon.warn dnsmasq[5388]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I am using Cloudflare 1.1.1.1 & 1.0.0.1 for DNS Servers

These are DNSMasq options in nvram variables corresponding to the GUI toggles:

dnsmasq_enable=1
auth_dnsmasq=1
local_dns=1
dnsmasq_no_dns_rebind=1
dnsmasq_strict=1
dnsmasq_add_mac=0
dnssec=1
dnssec_cu=1
dnssec_proxy=1
dns_dnsmasq=1
dns_redirect=1

Is anyone else seeing these?
dragonC
DD-WRT User


Joined: 23 May 2015
Posts: 272

Posted: Mon Nov 25, 2019 17:28
Does anyone have insight into this? I’m not familiar with DNS stuff - would certainly appreciate some help:)
underdose
DD-WRT Novice


Joined: 12 Jun 2019
Posts: 20

Posted: Sat Nov 30, 2019 10:40
There are some changes within Cloudflare's DNS (over TLS) service, so until it is fixed I'd advise you to use another DNS provider such as Quad9 (9.9.9.9).
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6445
Location: UK, London, just across the river..

Posted: Sat Nov 30, 2019 12:17
1.1.1.1 CF just added

Using DNS over WARP

so they are not very working at the moment, I also noticed, they do not respond sometimes, that's

Just use CF along with Quad9 (9.9.9.9)... I believe 9.9.9.9 is much better and secure...
They also support DoT or DoH, as well as DNSCrypt,
in fact there are a lot of safe and useful other public DNS services that you can use trustfully...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
dragonC
DD-WRT User


Joined: 23 May 2015
Posts: 272

Posted: Mon Dec 02, 2019 13:29
Thanks~ It didn't occur to me it could actually be the DNS provider (i.e. the warning is doing its job). I shifted to Quad9 and there are no warnings any more.

I am genuinely surprised CF's testing failed to catch issues like this.
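
The dnsmasq warning in this thread asks whether the upstream servers support DNSSEC. As an added example (not written by any poster, and not DD-WRT or dnsmasq code), the shell function below classifies the output of a `dig +dnssec` DS query. It assumes the warning corresponds to a DS answer that arrives without its RRSIG; the two sample replies and all record values in them are constructed.

```shell
#!/bin/sh
# Added example: classify a `dig +dnssec` DS answer read from stdin.
# Live use from any host that has dig, against the upstream you configured:
#   dig +dnssec DS org @9.9.9.9 | classify_dig_reply
classify_dig_reply() {
    awk '
        /^;; flags:/ {
            # Header: ";; flags: qr rd ra ad; QUERY: 1, ..." -> flags are in part[3]
            split($0, part, ";")
            if (part[3] ~ /(^| )ad( |$)/) ad = 1
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $4 == "DS"    { ds = 1 }
        in_answer && $4 == "RRSIG" { rrsig = 1 }
        END {
            if (!ds)         print "no-ds"         # no DS record in the answer
            else if (!rrsig) print "ds-unsigned"   # DS arrived without its signature
            else if (ad)     print "ds-signed-ad"  # signed, and upstream validated it
            else             print "ds-signed"     # signed, upstream did not set AD
        }'
}

# Constructed sample: upstream passes the RRSIG through and sets the AD flag.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example. 3600 IN DS 11111 8 2 CONSTRUCTEDDIGEST
example. 3600 IN RRSIG DS 8 1 3600 20200101000000 20191201000000 22222 . CONSTRUCTEDSIG'

# Constructed sample: same DS record, but the signature never reaches the client.
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example. 3600 IN DS 11111 8 2 CONSTRUCTEDDIGEST'

for sample in "$SAMPLE_SIGNED" "$SAMPLE_STRIPPED"; do
    printf '%s\n' "$sample" | classify_dig_reply
done
```

A `ds-unsigned` result for a zone known to be signed points at the resolver path rather than at the router configuration, which matches what the posters found by switching providers.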