[SOLVED] SmartDNS: -tls-host-verify broken since r53616

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Tue Oct 17, 2023 7:07
In the past I did some tests to see/capture if there is a difference when running the tls verify command, and I didn't see any difference...but the main encrypted request was there...so, I assumed those commands are either not working (maybe stripped)..or very likely not supported by the DNS provider (Quad9) in my case...sadly I don't remember if I tested Entware SmartDNS as well...

I do know that on small flash/RAM routers SmartDNS doesn't do the encryption, as SSL is missing...that is why I run Stubby via Entware on those with no problems..

But thanks for clarifying the matter, BS!

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Tue Oct 17, 2023 8:01
BrainSlayer wrote:
Alozaros wrote:
yep..you can install and run SmartDNS via Entware...with no problem, you just have to completely disable the embedded version...and Entware is on OpenSSL 3.x.x..but it shouldn't be a problem to run the DD-WRT version of SmartDNS with 1.1.1x...

I'm not sure, but you can check at the DD-WRT mirror or SVN the set of commands that you can use on DD-WRT..I guess BS has stripped off those commands that are not important for SmartDNS...all in order to save space...but I may be wrong...as well not all servers support those extra options...indeed or provide details...

anyway use HTTPS instead of TLS DNS encryption...and don't bother...
if you want to go deeper use DNSCrypt-proxy v2...or Stubby, it works OK with TLS DNS

There is nothing stripped off. The only difference is (and that's been the case for a long time) devices without OpenSSL included are using a SmartDNS which has no SSL/TLS etc. support. If you compare the GitHub sources with the DD-WRT sources you will find out that there is basically no difference between upstream and DD-WRT. So if there is a fault here, it's the same fault with the upstream version. But all error reports don't even explain what the matter is. Is SmartDNS not running if this option is used, or what's the case?

SmartDNS stops working if you include "-host-name: xxx" in the server-tls command. This problem started with the recent upgrade of SmartDNS.

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

Posted: Tue Oct 17, 2023 10:55
Alozaros wrote:
anyway use HTTPS instead of TLS DNS encryption...and don't bother...
if you want to go deeper use DNSCrypt-proxy v2...or Stubby, it works OK with TLS DNS

https://security.stackexchange.com/a/267537/42737 plus DoT should be faster as it doesn't require the encapsulation of DNS requests into the HTTP protocol and/or TCP. For what it's worth, DoT is UDP.

Alozaros wrote:
if you want to go deeper use DNSCrypt-proxy v2...or Stubby, it works OK with TLS DNS

Before SmartDNS was a thing I was using that, and although "Anonymized DNSCrypt" is a very good feature I'm not going back to the land of unreliable DNS ever again. Don't get me wrong, DNSCrypt is great in theory, but in practice DoT and DoH provide a much simpler and much better experience.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Tue Oct 17, 2023 11:17
TCB13, sorry, but the link you shared doesn't shed any light on SmartDNS verify host and host name related stuff...regarding this thread..Razz...
In general there are key differences between SmartDNS, Stubby, Unbound, etc. vs DNSCrypt..where DNSCrypt is a step ahead...I'm not going into details, there are lots of articles on the net...

In all my use of it...I'm using it even now (v2 via Entware)..I've never had any issues with DNSCrypt v2, it's rock solid...and stable...the only disadvantage is...DNSCrypt-proxy v2 requires a bit more understanding and setting up...as well it has some functional updates, where you have to open the .toml file and keep it up to date..also it takes a bit more system resources...but not visibly more..

Stubby takes the fewest resources..and is rock solid too...but both need Entware, and there SmartDNS takes the lead, as it is embedded with DD-WRT...and BS keeps it up to date ASAP..!

It will be interesting to see confirmation that those commands you are chasing actually do something, for example if you use Quad9 or Cloudflare...and their payload captured via Wireshark...sadly I'm just about to hit the road and have a 2-week work-related trip...and won't have physical access to any unit I have...

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14249
Location: Texas, USA

Posted: Tue Oct 17, 2023 12:46
Regarding the MITM vector of this thread:

https://github.com/pymumu/smartdns/issues/19

https://github.com/pymumu/smartdns/issues/725

Since we're adding irrelevant fluff and tangents.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

Posted: Tue Oct 17, 2023 13:02
Alozaros wrote:
It will be interesting to see confirmation that those commands you are chasing actually do something, for example if you use Quad9 or Cloudflare..

Even the Cloudflare docs use TLS validation: https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/

Here is a quick test to show you what happens with a mismatch:

Hostname validation / TLS host validation isn't a new concept. It applies to any TLS negotiation, be it HTTPS, DoT or DoH, and it's an important security feature.

Happy now? More reads:
- https://www.knot-dns.cz/docs/2.6/html/man_kdig.html
- https://lightbend.github.io/ssl-config/HostnameVerification.html
- https://github.com/pymumu/smartdns/blob/37a87e864ea8c19f5a7607ee642f46e171f3c2ac/src/dns_conf.c

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Tue Oct 17, 2023 14:26
..let's see if the next build will fix your issue...and I'll try to do more tests when I have time...on your example you already compromised the name...manually...no idea why..

I would've compared results with tls-host=one.one.one.one or tls-host-verify: or without...

root@R1bX5592:/opt# kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 420 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG: SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3307
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com. IN A

;; ANSWER SECTION:
example.com. 73629 IN A 93.184.216.34

;; Received 468 B
;; Time 2023-10-17 20:11:01 EEST
;; From 1.1.1.1@853(TCP) in 5.7 ms

root@R1bX5594:/opt# kdig -d @1.1.1.1 +tls-ca example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 420 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG: SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35398
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com. IN A

;; ANSWER SECTION:
example.com. 73599 IN A 93.184.216.34

;; Received 468 B
;; Time 2023-10-17 20:11:32 EEST
;; From 1.1.1.1@853(TCP) in 5.3 ms


In both cases the same result... Laughing

you end up with
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)



Last edited by Alozaros on Wed Oct 18, 2023 8:46; edited 1 time in total
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

Posted: Tue Oct 17, 2023 21:21
Alozaros wrote:
..on your example you already compromised the name...manually...no idea why..

Because that's one easy way to simulate what will happen if an ISP/VPN provider is intercepting your traffic.

The ISP will have to fake replies using a certificate that is valid and that they can generate. In order to meet those two requirements they'll have to request a certificate from a certification authority (CA), which will never issue them a certificate that includes one.one.one.one or cloudflare-dns.com as common names (CN). "tls-host-verify" will protect you because it will check the CNs provided in the certificate against what is expected (one.one.one.one). If they don't match, you'll get an error.

Without this check your ISP can simply intercept your DNS requests and use any valid certificate (issued for any CN) to craft a bogus reply and compromise your DNS.

I really recommend you read about how TLS/SSL certificates work, what attack vectors are possible and how things are usually managed, and what the role of a CA is in ensuring trust, etc.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Wed Oct 18, 2023 6:27
yep, there are lots of attack vectors...Laughing

as well kdig is testing on a different layer...so its tests are not very real...in regards to a router and DNS management...

in general I refrain from discussing attack vectors on the forum...but thanks anyway..I do understand where you are coming from...
I hope SmartDNS will be fixed...on 53694
cheers



Last edited by Alozaros on Wed Oct 18, 2023 8:22; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14249
Location: Texas, USA

Posted: Wed Oct 18, 2023 7:54
Test https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2023/10-18-2023-r53694/
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Wed Oct 18, 2023 10:10
tls-host= or tls-host-verify still not working on R7000 53694...

this doesn't work with SmartDNS
server-tls 9.9.9.9:853 -host-name: dns.quad9.net -tls-host-verify: dns.quad9.net

however this works
server-tls 9.9.9.9:853

so..somewhere things got lost, either on the DD-WRT side or due to a bug in their field..SmartDNS phased out those options...very likely...I guess..

TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

Posted: Wed Oct 18, 2023 11:24
Alozaros wrote:
..SmartDNS phased out those options...very likely...I guess..


They did not: https://github.com/pymumu/smartdns/blob/master/src/dns_conf.c#L531

Those are important security features as discussed.

TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

Posted: Wed Oct 18, 2023 11:36
r53694 std (10/18/23) still broken.
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1858
Location: Hung Hom, Hong Kong

Posted: Wed Oct 18, 2023 13:21
This Chinese post might be interesting:

Issue #1324 · pymumu/smartdns · GitHub: "When smartdns acts as a TLS server with an assigned certificate chain, the issuer certificate is dropped" (title translated from Chinese)
https://github.com/pymumu/smartdns/issues/1324

Just ignore the Chinese characters and look at the source code. You can always use Google Translate to do a rough translation.

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Wed Oct 18, 2023 13:28
Unless there is a typo in the last SmartDNS DD-WRT update..I don't see any changes regarding tls host verify

https://svn.dd-wrt.com/changeset/53593

find: case 262, then look for tls-host-verify

in DD-WRT case 262 this bit is missing..

}
}

/* if server is domain name, then verify domain */
if (server->tls_host_verify[0] == '\0' && check_is_ipaddr(server->server) != 0) {
safe_strncpy(server->tls_host_verify, server->server, DNS_MAX_CNAME_LEN);
}


https://github.com/pymumu/smartdns/blob/master/src/dns_conf.c#L531

https://svn.dd-wrt.com/changeset/53593

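To make concrete what the thread argues (TCB13's point that any valid certificate passes when no host verification is configured, and the upstream dns_conf.c default quoted above that falls back to the server name only when the server is not a bare IP), here is an added example that is not part of the thread or of SmartDNS itself. It models both in Python with constructed certificate name lists; the names, helper functions and the interceptor certificate are assumptions for illustration, and the matcher implements the usual RFC 6125 wildcard rules rather than any particular library's code.

```python
import ipaddress

# Constructed sample data (not read from a live certificate): DNS names a
# Cloudflare DoT leaf certificate could carry, and a valid certificate an
# interceptor could legitimately obtain for an unrelated name of their own.
CLOUDFLARE_CERT_NAMES = ["cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"]
INTERCEPTOR_CERT_NAMES = ["dns.example-isp.net"]


def is_ip_address(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def effective_verify_host(server: str, tls_host_verify: str = "") -> str:
    """Mirror the upstream smartdns default quoted in the thread: with no
    -tls-host-verify given and a domain-name server, verify against the server
    name; with a bare IP server, return "" (no hostname verification at all)."""
    if tls_host_verify:
        return tls_host_verify
    if not is_ip_address(server):
        return server
    return ""


def name_matches(expected: str, pattern: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed only
    as the entire leftmost label and matches exactly one label, so
    '*.cloudflare-dns.com' covers 'a.cloudflare-dns.com' but not the bare
    'cloudflare-dns.com' nor 'x.y.cloudflare-dns.com'."""
    expected = expected.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return expected == pattern
    p_labels = pattern.split(".")
    e_labels = expected.split(".")
    # Reject '*.com', 'f*.example', or any wildcard outside the first label.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(e_labels) == len(p_labels) and e_labels[1:] == p_labels[1:]


def hostname_verified(verify_host: str, cert_names: list[str]) -> bool:
    """True if the certificate's names satisfy the expected host. An empty
    verify_host means the check is skipped, so any CA-valid certificate,
    including the interceptor's, is accepted: that is the exposure TCB13
    describes and why an explicit -tls-host-verify matters for IP servers."""
    if not verify_host:
        return True
    return any(name_matches(verify_host, n) for n in cert_names)
```

With "server-tls 1.1.1.1:853" and no -tls-host-verify, effective_verify_host returns "" and the interceptor's certificate is accepted; adding "-tls-host-verify one.one.one.one" makes the same certificate fail.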
Page 2 of 4. All times are GMT.