[SOLVED] SmartDNS: -tls-host-verify broken since r53616

TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Mon Oct 16, 2023 11:32    Post subject: [SOLVED] SmartDNS: -tls-host-verify broken since r53616
Hello,

As reported before here https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=335210, but now an issue across multiple builds: a SmartDNS config that uses the options "-host-name" and/or "-tls-host-verify" will not work.

Example config:

Code:
server-tls 1.1.1.1:853 -host-name: cloudflare-dns.com -tls-host-verify: cloudflare-dns.com
server-tls 1.0.0.1:853 -host-name: cloudflare-dns.com -tls-host-verify: cloudflare-dns.com
server-https https://1.1.1.1/dns-query -host-name: cloudflare-dns.com -tls-host-verify: cloudflare-dns.com
server-https https://1.0.0.1/dns-query -host-name: cloudflare-dns.com -tls-host-verify: cloudflare-dns.com


This is a critical security feature as it blocks MITM against SmartDNS. Please fix it.

SmartDNS Readme: https://pymumu.github.io/smartdns/en/configuration/
Quote:
[-host-name]:TLS Server name. - to disable SNI name.
[-host-ip]: host ip address.
[-tls-host-verify]: TLS cert hostname to verify.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
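What the two options buy you can be checked mechanically. The following is an added example, not code from the DD-WRT project or from SmartDNS: a small Python audit that parses the server-tls / server-https lines of a smartdns.conf (accepting both the "-opt value" form from the SmartDNS docs and the "-opt: value" form of the config above) and lists every encrypted upstream that is missing -tls-host-verify or -host-name, the situation that leaves the TLS session open to an on-path impersonator. The sample configs embedded in it are constructed from the ones posted in this thread; the function names are mine and not part of SmartDNS.

```python
"""Audit a smartdns.conf for encrypted upstreams without hostname verification.

Added example (not DD-WRT or SmartDNS code).  It only inspects the configuration
text; it makes no claim about how SmartDNS derives defaults when an option is
absent, it simply reports that the explicit option is missing.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

ENCRYPTED = ("server-tls", "server-https")


@dataclass
class Upstream:
    kind: str                      # e.g. "server-tls"
    address: str                   # e.g. "1.1.1.1:853" or a DoH URL
    options: Dict[str, str] = field(default_factory=dict)


def parse_options(tokens: List[str]) -> Dict[str, str]:
    """Collect '-name value', '-name: value' and '-name:value' pairs.
    Bare flags (e.g. -bootstrap-dns) map to ''.  A lone '-' is a value,
    as in '-host-name -', which the SmartDNS docs use to disable SNI."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-") or tok == "-":
            continue                                # stray value, ignore
        name, sep, inline = tok.lstrip("-").partition(":")
        if sep and inline:                          # -name:value
            opts[name] = inline
            continue
        if i < len(tokens) and (tokens[i] == "-" or not tokens[i].startswith("-")):
            opts[name] = tokens[i]                  # -name value / -name: value
            i += 1
        else:
            opts[name] = ""                         # flag without a value
    return opts


def parse_upstreams(conf: str) -> List[Upstream]:
    """Return every server* line of the config as an Upstream."""
    ups: List[Upstream] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].startswith("server"):
            continue
        ups.append(Upstream(tokens[0], tokens[1], parse_options(tokens[2:])))
    return ups


def url_hostname(address: str) -> str:
    """DNS name in a DoH URL, or '' when the URL uses an IP literal."""
    host = urlsplit(address).hostname or ""
    try:
        ipaddress.ip_address(host)
        return ""
    except ValueError:
        return host


def audit(conf: str) -> List[str]:
    """One finding string per encrypted upstream that lacks name checks."""
    findings: List[str] = []
    for up in parse_upstreams(conf):
        if up.kind not in ENCRYPTED:
            continue                                # plain DNS is out of scope here
        problems: List[str] = []
        verify = up.options.get("tls-host-verify")
        sni = up.options.get("host-name")
        if not verify:
            problems.append("no -tls-host-verify (certificate name not checked)")
        if sni is None:
            problems.append("no explicit -host-name (SNI name)")
        elif sni == "-":
            problems.append("SNI disabled with '-host-name -'")
        expected = url_hostname(up.address) if up.kind == "server-https" else ""
        if verify and expected and verify != expected:
            problems.append(f"-tls-host-verify {verify} differs from URL host {expected}")
        if problems:
            findings.append(f"{up.kind} {up.address}: " + "; ".join(problems))
    return findings


# Constructed samples, taken from the two configs posted in this thread.
VERIFIED_CONF = """\
server-tls 1.1.1.1:853 -host-name: cloudflare-dns.com -tls-host-verify: cloudflare-dns.com
server-https https://1.1.1.1/dns-query -host-name: cloudflare-dns.com -tls-host-verify: cloudflare-dns.com
"""
UNVERIFIED_CONF = """\
server 9.9.9.9 -bootstrap-dns
server-https https://9.9.9.9/dns-query
server-https https://5.2.75.75/dns-query
log-file /opt/tmp/smartdnslogg.log
"""

if __name__ == "__main__":
    for label, conf in (("verified", VERIFIED_CONF), ("unverified", UNVERIFIED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run it against /tmp/smartdns.conf on the router to see which upstreams would be unprotected if the options were silently ignored; plain "server" entries (including the -bootstrap-dns one) are deliberately not reported, since they carry no TLS at all.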
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14054
Location: Texas, USA

PostPosted: Mon Oct 16, 2023 11:48
Nothing after this, 53616 should've been broken as well:

https://svn.dd-wrt.com/changeset/53593
https://svn.dd-wrt.com/changeset/53594

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Mon Oct 16, 2023 11:53
kernel-panic69 wrote:
Nothing after this, 53616 should've been broken as well:

https://svn.dd-wrt.com/changeset/53593
https://svn.dd-wrt.com/changeset/53594


I just tried r53662 and it is broken as well :(

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14054
Location: Texas, USA

PostPosted: Mon Oct 16, 2023 12:10
Just sent an email to BrainSlayer. I am not going to diff out DD-WRT repo with upstream.

https://github.com/pymumu/smartdns/commits/master

https://svn.dd-wrt.com/browser/src/router/smartdns

mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1811
Location: Hung Hom, Hong Kong

PostPosted: Mon Oct 16, 2023 12:18
This kind of problem is best solved by NOT using the WEBUI, but by using a custom config file for SmartDNS, in maybe /jffs/etc? This can rule out config file generation (by WEBUI) issues.

Using Unbound as an example (I am using it), one can copy /tmp/unbound.conf to /jffs/etc and edit it to test Unbound features not available in the WEBUI. The Unbound daemon also has an option to specify the full path to a custom unbound.conf.

Can you do the same with SmartDNS?

Linux - SmartDNS
https://pymumu.github.io/smartdns/en/install/linux/

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 888

PostPosted: Mon Oct 16, 2023 13:02
mwchang wrote:
This kind of problem is best solved by NOT using the WEBUI, but by using a custom config file for SmartDNS, in maybe /jffs/etc? This can rule out config file generation (by WEBUI) issues.

Using Unbound as an example (I am using it), one can copy /tmp/unbound.conf to /jffs/etc and edit it to test Unbound features not available in the WEBUI. The Unbound daemon also has an option to specify the full path to a custom unbound.conf.

Can you do the same with SmartDNS?

Linux - SmartDNS
https://pymumu.github.io/smartdns/en/install/linux/

You may have a custom configuration in /jffs/etc for SmartDNS too.

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Mon Oct 16, 2023 13:06
kernel-panic69 wrote:
Just sent an email to BrainSlayer. I am not going to diff out DD-WRT repo with upstream.


Thanks for moving things up. This issue kind of exposes DD-WRT to MITM attacks because one can't validate the name on the TLS certificate and/or the server hostname.

For what it's worth, this could even be a bug in upstream SmartDNS... however I highly doubt it as nobody is complaining on their GitHub.

mwchang wrote:
This kind of problems is best solved by NOT using the WEBUI, but to use a custom config file for SmartDNS in maybe /jffs/etc? This can rule out config file generation (by WEBUI) issues.


The WebUI saves the SmartDNS config to /tmp/smartdns.conf, and I can see the file; everything is there and correct. The file gets the same contents on both broken and non-broken versions.

This was most likely some bug introduced while merging the latest version of SmartDNS to DD-WRT or something DD-WRT specific that is breaking the TLS validation.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14054
Location: Texas, USA

PostPosted: Mon Oct 16, 2023 13:51
Should be corrected in upcoming alpha / beta release:

https://svn.dd-wrt.com/changeset/53673

https://svn.dd-wrt.com/changeset/53679



Last edited by kernel-panic69 on Tue Oct 17, 2023 2:50; edited 1 time in total
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Mon Oct 16, 2023 14:34
kernel-panic69 wrote:
Should be corrected in upcoming alpha / beta release:

https://svn.dd-wrt.com/changeset/53673


Great!

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6338
Location: UK, London, just across the river..

PostPosted: Mon Oct 16, 2023 15:03
How do you know security is broken... have you captured compromised stuff?
Can we see your tcpdump or wireshark cap file to back up your claim?

Otherwise...

My SmartDNS config is simple and always works... no need for extra config lines...

server 9.9.9.9 -bootstrap-dns
server-https https://9.9.9.9/dns-query
server-https https://5.2.75.75/dns-query
log-file /opt/tmp/smartdnslogg.log
log-level info

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55009 WAP
TP-Link WR1043NDv2 -DD-WRT 55109 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall,VPN,x1VLAN
TP-Link WR1043NDv2 -DD-WRT 55052 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55109 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55052 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55109 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Mon Oct 16, 2023 15:26
Alozaros wrote:
How do you know security is broken... have you captured compromised stuff?
Can we see your tcpdump or wireshark cap file to back up your claim?

Otherwise...

My SmartDNS config is simple and always works... no need for extra config lines...

server 9.9.9.9 -bootstrap-dns
server-https https://9.9.9.9/dns-query
server-https https://5.2.75.75/dns-query
log-file /opt/tmp/smartdnslogg.log
log-level info


Without "-host-name" and/or "-tls-host-verify" you're more exposed to MITM attacks against SmartDNS from your ISP/VPN provider etc. It isn't a claim nor an opinion, it is a fact.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12780
Location: Netherlands

PostPosted: Mon Oct 16, 2023 15:56
TCB13 wrote:
Alozaros wrote:
How do you know security is broken... have you captured compromised stuff?
Can we see your tcpdump or wireshark cap file to back up your claim?

Otherwise...

My SmartDNS config is simple and always works... no need for extra config lines...

server 9.9.9.9 -bootstrap-dns
server-https https://9.9.9.9/dns-query
server-https https://5.2.75.75/dns-query
log-file /opt/tmp/smartdnslogg.log
log-level info


Without "-host-name" and/or "-tls-host-verify" you're more exposed to MITM attacks against SmartDNS from your ISP/VPN provider etc. It isn't a claim nor an opinion, it is a fact.


Just post a link so that everybody can read it for themselves :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1811
Location: Hung Hom, Hong Kong

PostPosted: Mon Oct 16, 2023 16:41
TCB13 wrote:
The WebUI saves the SmartDNS config to /tmp/smartdns.conf, and I can see the file; everything is there and correct. The file gets the same contents on both broken and non-broken versions.

Better to manually execute SmartDNS directly with that smartdns.conf to make sure that it's using the config file. Enable logging in smartdns.conf without the WEBUI, which might help.

What if DD-WRT re-generates /tmp/smartdns.conf on each execution? Any partial execution during startup that might alter its content?

What if you use the SmartDNS in Entware for the same smartdns.conf? :)
Quote:
This was most likely some bug introduced while merging the latest version of SmartDNS to DD-WRT or something DD-WRT specific that is breaking the TLS validation.

I dunno whether the source code of SmartDNS might be altered to match DD-WRT.... very unlikely. But if recent versions of SmartDNS require OpenSSL 3.x, it could be a problem.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6338
Location: UK, London, just across the river..

PostPosted: Mon Oct 16, 2023 21:28
Yep... you can install and run SmartDNS via Entware with no problem, you just have to completely disable the embedded version... and Entware is on OpenSSL 3.x.x... but it shouldn't be a problem to run the DD-WRT version of SmartDNS with 1.1.1x...

I'm not sure, but you can check at the DD-WRT mirror or SVN the set of commands that you can use on DD-WRT... I guess BS had stripped off those commands that are not important for SmartDNS... all in order to save space... but I may be wrong... as well, not all servers support those extra options... indeed, or provide details...

Anyway, use HTTPS instead of TLS DNS encryption... and don't bother...
If you want to go deeper use DNSCrypt-proxy v2... or Stubby, it works OK with TLS DNS.

BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

PostPosted: Tue Oct 17, 2023 0:54
Alozaros wrote:
Yep... you can install and run SmartDNS via Entware with no problem, you just have to completely disable the embedded version... and Entware is on OpenSSL 3.x.x... but it shouldn't be a problem to run the DD-WRT version of SmartDNS with 1.1.1x...

I'm not sure, but you can check at the DD-WRT mirror or SVN the set of commands that you can use on DD-WRT... I guess BS had stripped off those commands that are not important for SmartDNS... all in order to save space... but I may be wrong... as well, not all servers support those extra options... indeed, or provide details...

Anyway, use HTTPS instead of TLS DNS encryption... and don't bother...
If you want to go deeper use DNSCrypt-proxy v2... or Stubby, it works OK with TLS DNS.



There is nothing stripped off. The only difference is (and that's been the case for a long time) that devices without OpenSSL included are using a SmartDNS which has no SSL/TLS etc. support. If you compare the GitHub sources with the DD-WRT sources you will find out that there is basically no difference between upstream and DD-WRT. So if there is a fault here it's the same fault with the upstream version. But all error reports don't even explain what the matter is. Is SmartDNS not running if this option is used, or what's the case?

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s