SMARTDNS Guide

luk3
DD-WRT Novice


Joined: 26 Oct 2022
Posts: 27

PostPosted: Sat Oct 14, 2023 15:24    Post subject: Cloudflare page doesn't show DoT active, but kdig does
After build r53616 (Oct 12), the Cloudflare check page https://1.1.1.1/help doesn't show DNS over TLS as active even after an nvram reset, only DNS over HTTP, but if you verify by command line it's working, as below.

Tested build regression to r53562, and Cloudflare page status for DoT shows 'Yes' again, but since it's working on command line, kept last build r53633 (Oct 14).

Code:
kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 137 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 48361
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.                 IN      A

;; ANSWER SECTION:
example.com.            83797   IN      A       93.184.216.34

;; Received 468 B
;; Time 2023-10-14 12:17:35 -03
;; From 1.1.1.1@853(TCP) in 51.0 ms


edit:
Thanks to @egc, queries by browser are working again!!
nonm
DD-WRT Novice


Joined: 15 Oct 2023
Posts: 1

PostPosted: Sun Oct 15, 2023 23:40    Post subject: Re: Cloudflare page doesn't show DoT active, but kdig does
luk3 wrote:
After build r53616 (Oct 12), the Cloudflare check page https://1.1.1.1/help doesn't show DNS over TLS as active even after an nvram reset, only DNS over HTTP, but if you verify by command line it's working, as below.

Tested build regression to r53562, and Cloudflare page status for DoT shows 'Yes' again, but since it's working on command line, kept last build r53633 (Oct 14).

Code:
kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 137 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 48361
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.                 IN      A

;; ANSWER SECTION:
example.com.            83797   IN      A       93.184.216.34

;; Received 468 B
;; Time 2023-10-14 12:17:35 -03
;; From 1.1.1.1@853(TCP) in 51.0 ms


edit:
Thanks to @egc, queries by browser are working again!!


Hi, what was the solution? DoT is not working for me on build 53633.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1958

PostPosted: Mon Oct 16, 2023 0:16
Sorry that "luk3" didn't provide a more direct connection of the dots:

New Build - 10/14/2023 - r53633

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

PostPosted: Mon Oct 16, 2023 7:16
Nonm: Check my post in the build thread:
DoT in smartdns works if you remove the "-host-name" part from server-tls

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14249
Location: Texas, USA

PostPosted: Thu Oct 19, 2023 3:15
To correct some erroneous information in suggested configurations of SmartDNS, please read
the information in SmartDNS: -tls-host-verify broken since r53616 thread.

BrainSlayer wrote:
I now used the correct configuration syntax and this is my output. I see no error.

server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net

(consider that there is no ":" after the argument; that is incorrect syntax)

server2:~ # kdig -d @1.1.1.1 +tls-ca example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 423 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG: SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 34886
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com. IN A

;; ANSWER SECTION:
example.com. 84785 IN A 93.184.216.34

;; Received 468 B
;; Time 2023-10-19 09:00:36 +07
;; From 1.1.1.1@853(TCP) in 64.2 ms

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
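The two checks this thread keeps coming back to are (1) luk3's kdig run above, which proves DoT works only because it verifies the CA chain and the certificate hostname, and (2) the exact `server-tls` line syntax BrainSlayer quotes. The following is an added example, not code from the thread, from DD-WRT or from the SmartDNS project: a small DNS-over-TLS checker in the spirit of `kdig +tls-ca +tls-host=...` (TLS on port 853, 2-byte length framing, system CA verification, hostname check, transaction-ID check), plus a linter that flags the `-host-name:` colon form and Unicode dashes in a `server-tls` line. It uses only the Python standard library; `dot_query` needs network access, while `constructed_response` builds an offline reply from the values in the kdig output above so the parser can be exercised without one. Function names and the linter's rules are this example's own assumptions.

```python
# Added example (not from the thread, DD-WRT or SmartDNS): DoT check + server-tls linter.
import re
import socket
import ssl
import struct
from typing import List, Optional, Tuple


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query: header with RD set, QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, including the 2-byte compression-pointer form."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_qid: Optional[int] = None) -> Tuple[int, List[str]]:
    """Return (rcode, [IPv4 answers]); a reply whose ID does not match is rejected."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed early")
        buf += chunk
    return buf


def dot_query(server_ip: str, tls_host: str, name: str, port: int = 853, timeout: float = 5.0):
    """Query over TLS on port 853 with CA and hostname verification (needs network).
    Returns (tls_version, rcode, [addresses]). A certificate not chained to a system
    CA, or whose name does not match tls_host, fails the handshake before any query."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    qid = 0x4BD9                            # constructed ID; real clients randomize it
    query = build_query(name, qid)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=tls_host) as tls:
        tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        reply = _recv_exact(tls, length)
        version = tls.version()
    rcode, addrs = parse_a_records(reply, expected_qid=qid)
    return version, rcode, addrs


def constructed_response(name: str, addr: str, ttl: int, qid: int = 0x1234) -> bytes:
    """Constructed offline reply (values copied from the kdig output in the thread)."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


def lint_server_tls(line: str) -> List[str]:
    """Flag the server-tls syntax mistakes discussed in the thread (assumed rules)."""
    problems = []
    tokens = line.split()
    if not tokens or tokens[0] != "server-tls":
        return ["not a server-tls line"]
    if len(tokens) < 2 or not re.match(r"^[\[\]0-9a-fA-F.:]+$", tokens[1]):
        problems.append("missing or malformed server address")
    for tok in tokens[2:]:
        if tok.startswith("-") and tok.endswith(":"):
            problems.append(f"option {tok!r} must not end with ':'")
        if "\u2014" in tok or "\u2013" in tok:
            problems.append(f"option {tok!r} uses a Unicode dash instead of '-'")
    if "-tls-host-verify" not in tokens:
        problems.append("no -tls-host-verify given (the thread's reference line sets it)")
    return problems


if __name__ == "__main__":
    print(parse_a_records(constructed_response("example.com", "93.184.216.34", 83797)))
    print(lint_server_tls("server-tls 9.9.9.9:853 -host-name: dns.quad9.net"))
    # Live check, equivalent to the kdig command in the thread (needs network):
    # print(dot_query("1.1.1.1", "one.one.one.one", "example.com"))
```

The point of `ssl.create_default_context()` with `server_hostname=` is the same as kdig's `+tls-ca +tls-host=`: the resolver's certificate must chain to a trusted CA and carry the expected name, which is what `-tls-host-verify` in the SmartDNS line is for. Without the hostname check a resolver presenting any valid certificate would be accepted.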
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12920
Location: Netherlands

PostPosted: Thu Oct 19, 2023 8:36
It looks like we were wrong-footed indeed.

On another note, we finally get logging for SmartDNS, that is to say in the builds which have SSL.

If you have the Logging patch you can add in the SmartDNS additional options:
Code:
#log-file /jffs/smartdnsegc.log
log-level notice     # fatal,error,warn,notice,info,debug
#audit-enable yes
#audit-file /tmp/smartdns-audit.log


But by default logging writes to syslog and the log level is 'warn'.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14249
Location: Texas, USA

PostPosted: Thu Oct 19, 2023 10:21
Thanks for adding clarification regarding the added logging feature. I presume the attached PDF in the OP will get updated as necessary. Cool
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12920
Location: Netherlands

PostPosted: Thu Oct 19, 2023 10:23
kernel-panic69 wrote:
Thanks for adding clarification regarding the added logging feature. I presume the attached PDF in the OP will get updated as necessary. Cool


Yes, an update will follow next week.
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1020

PostPosted: Thu Nov 09, 2023 18:52    Post subject: Cloudflare IPv6 Issue
Could someone tell me why I am getting many of these in my log:
    local1.warn smartdns: http server query from 2606:4700:4700::1111:443 failed, server return http code : 403, Forbidden


My settings have all of the SmartDNS choices enabled and this is my Additional Options:


It looks like the SmartDNS connections to Cloudflare's two IPv6 addresses are not working?

_________________
Netgear R9000
DD-WRT v3.0-r55819 std (04/17/24)
Linux 4.9.337 #722 SMP Wed Apr 17 04:16:49 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Fri Nov 10, 2023 8:47
This looks odd..

local1.warn smartdns: http server query from 2606:4700:4700::1111:443 failed, server return http code : 403, Forbidden..

I don't know how a request via http will be answered via https??

And yes it will throw an error..
Are those happening before the NTP time comes up? As I noticed, SmartDNS reports an error in the certificate check because NTP time is not up, as well as some odd raw ports open locally on the new builds...
I haven't had time to dig more into the SmartDNS GitHub issues section, as there was a SmartDNS update recently and ever since I haven't tested it or played with it...
Recently I removed my https servers and now use tls servers with the correct syntax:

server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net

(I'm not using IPv6 for DNS at all, as it gets funny, even with my Stubby DNS too)

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1020

PostPosted: Fri Nov 10, 2023 14:09
Alozaros wrote:
This looks odd..

local1.warn smartdns: http server query from 2606:4700:4700::1111:443 failed, server return http code : 403, Forbidden..

I don't know how a request via http will be answered via https??

And yes it will throw an error..
Are those happening before the NTP time comes up? As I noticed, SmartDNS reports an error in the certificate check because NTP time is not up, as well as some odd raw ports open locally on the new builds...
I haven't had time to dig more into the SmartDNS GitHub issues section, as there was a SmartDNS update recently and ever since I haven't tested it or played with it...
Recently I removed my https servers and now use tls servers with the correct syntax:

server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net

(I'm not using IPv6 for DNS at all, as it gets funny, even with my Stubby DNS too)


I saw that and checked; I was specifying https but the error does say http. (The clock is fine, I checked the logs and have done many "restart smartdns" and still got the error.)

What did work for me was converting to TLS as you suggested. Now, no errors at all and when I test DNS, I see that both IPv4 and IPv6 DNS servers are in use. I'm guessing there is a bug in the latest SmartDNS instance. For reference, this is my SmartDNS Additional Options

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Fri Nov 10, 2023 18:59
In general, using DNS with filtering capabilities together with DNS with no filtering (Google) can yield
awkward results and is not recommended; however, as SmartDNS races for the fastest DNS, in this case it may work ok..

Personally I stay away from Google DNS...

MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1020

PostPosted: Fri Nov 10, 2023 19:01
Alozaros wrote:
In general, using DNS with filtering capabilities together with DNS with no filtering (Google) can yield
awkward results and is not recommended; however, as SmartDNS races for the fastest DNS, in this case it may work ok..

Personally I stay away from Google DNS...


I have mixed feelings about using Google. I don't trust them, but I have not read anything about the DNS service where they are tracking people. Is that why you avoid them?

wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

PostPosted: Tue Nov 14, 2023 10:52
I'm using smartdns and have some issues with DNS resolution. In order to resolve this, I now use only the DNS servers recommended by egc in his write-up.
I cannot resolve some addresses used by banks for secure login.
I also don't reach the site "sl.se", owned by the Stockholm commuting company, a major site in Sweden.
If I switch off WiFi on my iPhone there is no problem accessing it.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Tue Nov 14, 2023 12:00
wabe wrote:
I'm using smartdns and have some issues with DNS resolution. In order to resolve this, I now use only the DNS servers recommended by egc in his write-up.
I cannot resolve some addresses used by banks for secure login.
I also don't reach the site "sl.se", owned by the Stockholm commuting company, a major site in Sweden.
If I switch off WiFi on my iPhone there is no problem accessing it.


Not reaching sites is less likely due to problems with SmartDNS and more likely ISP blocking, use of a VPN, or your DNS having a blocking list. In general SmartDNS on my R7000 works ok...

Try using TLS servers if https servers give you errors:

server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net
or
server-tls 1.1.1.1:853 -host-name cloudflare-dns.com -tls-host-verify cloudflare-dns.com
