Posted: Sat Oct 14, 2023 15:24 Post subject: Cloudflare page doesn't show DoT active, but kdig does
After build r53616 (Oct 12), the Cloudflare check page https://1.1.1.1/help doesn't show DNS over TLS as active even after an nvram reset, only DNS over HTTP, but if you verify from the command line it's working, as below.
Tested build regression to r53562, and the Cloudflare page status for DoT shows 'Yes' again, but since it's working on the command line, I kept the latest build r53633 (Oct 14).
Posted: Sun Oct 15, 2023 23:40 Post subject: Re: Cloudflare page doesn't show DoT active, but kdig does
luk3 wrote:
After build r53616 (Oct 12), the Cloudflare check page https://1.1.1.1/help doesn't show DNS over TLS as active even after an nvram reset, only DNS over HTTP, but if you verify from the command line it's working, as below.
Tested build regression to r53562, and the Cloudflare page status for DoT shows 'Yes' again, but since it's working on the command line, I kept the latest build r53633 (Oct 14).
Sorry that "luk3" didn't provide a more direct connection of the dots:
New Build - 10/14/2023 - r53633 _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Nonm: Check my post in the build thread:
DoT in smartdns works if you remove the "-host-name" part from server-tls _________________ Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Nov 10, 2023 8:47 Post subject:
this looks odd..
local1.warn smartdns: http server query from 2606:4700:4700::1111:443 failed, server return http code : 403, Forbidden..
i don't know how a request via http will be answered via https??
And yes it will throw an error..
are those happening before the NTP time comes up...as i noticed SmartDNS reports an error in the certificate check because NTP time is not up yet...as well as some odd raw ports open locally on the new builds...
I haven't had time to dig more into the SmartDNS GitHub issues section...as there was a SmartDNS update recently..and ever since i haven't tested it or played with it...
recently i removed my https servers and now use tls servers using the correct syntax
(I'm not using IPv6 for DNS at all, as it gets funny..even with my Stubby DNS too) _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
I saw that and checked, I was specifying https but the error does say http. (Clock is fine, I checked the logs and have done many "restart smartdns" and still got the error.)
What did work for me was converting to TLS as you suggested. Now, no errors at all and when I test DNS, I see that both IPv4 and IPv6 DNS servers are in use. I'm guessing there is a bug in the latest SmartDNS instance. For reference, this is my SmartDNS Additional Options
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Nov 10, 2023 18:59 Post subject:
in general using DNS with filtering capabilities and DNS with no filtering (google) can yield awkward results and it is not recommended..however as SmartDNS is racing the fastest DNS, in this case it may work ok..
personally i stay away from google DNS...
I have mixed feelings about using Google. I don't trust them, but I have not read anything about the DNS service where they are tracking people. Is that why you avoid them? _________________ Netgear R9000
DD-WRT v3.0-r55819 std (04/17/24)
Linux 4.9.337 #722 SMP Wed Apr 17 04:16:49 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
I’m using smartdns and have some issues with dns resolution. In order to resolve I now use only the dns servers recommended by egc in his write up.
I cannot resolve some addresses used by banks for secure login,
I also don’t reach the site “sl.se” owned by the Stockholm commuting company, a major site in Sweden.
If I switch off WiFi on my iPhone, there is no problem accessing them.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Tue Nov 14, 2023 12:00 Post subject:
wabe wrote:
I’m using smartdns and have some issues with dns resolution. In order to resolve I now use only the dns servers recommended by egc in his write up.
I cannot resolve some addresses used by banks for secure login,
I also don’t reach the site “sl.se” owned by the Stockholm commuting company, a major site in Sweden.
If I switch off WiFi on my iPhone, there is no problem accessing them.
not reaching sites is less likely due to problems with SmartDNS and more likely due to... ISP blocking, use of a VPN, or your DNS having a blocking list..in general SmartDNS on my R7000 works ok...
try using TLS servers if https servers give you errors..
server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net
or
server-tls 1.1.1.1:853 -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com
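The two server-tls lines above pair a resolver IP with a TLS hostname that is sent as SNI (-host-name) and checked against the certificate (-tls-host-verify). The added example below is not SmartDNS or DD-WRT code; it is a small DNS-over-TLS (RFC 7858) client written for this thread so you can verify from a workstation, independently of the 1.1.1.1/help page, that a resolver answers on port 853 with a certificate valid for that hostname. The only values taken from the thread are 1.1.1.1 and cloudflare-dns.com; example.com, the transaction ids and the canned response (192.0.2.1) are constructed for the offline self-check.

```python
"""Minimal DNS-over-TLS client: builds a wire-format query, frames it with the
2-byte length prefix DoT requires, and parses the answer. Added example for
this thread, not SmartDNS/DD-WRT code."""
import socket
import ssl
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length byte + label, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build one DNS query (qtype 1 = A, 28 = AAAA) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_for_tls(message: bytes) -> bytes:
    """DoT (like plain TCP DNS) prefixes every message with its big-endian length."""
    return struct.pack("!H", len(message)) + message


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a possibly compressed name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(message: bytes, expected_txid: int):
    """Parse a DNS response; returns (rcode, list of A/AAAA addresses as text)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(message, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(message, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10
        rdata = message[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addrs


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a (TLS) socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_dot(server: str, tls_hostname: str, name: str, qtype: int = 1,
              port: int = 853, timeout: float = 5.0):
    """Send one query over TLS. tls_hostname is used both as SNI and for
    certificate hostname verification, i.e. the -host-name / -tls-host-verify
    pair in a smartdns server-tls line. Needs network access."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    txid = 0x2A2A
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(frame_for_tls(build_query(name, qtype, txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), txid)


# Constructed response (NOERROR, one A record 192.0.2.1) for an offline self-check.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    # Live check against the resolver from the server-tls line (needs network):
    # print(query_dot("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

If the live call raises an ssl.SSLCertVerificationError, the certificate presented on 853 does not match the hostname you gave, which is exactly what -tls-host-verify would reject; if it times out or resets, something between the router and port 853 is blocking DoT and the DoH/DoT status on 1.1.1.1/help is not the place to debug it.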