new to dns over tls

[admiral2145]

I just setup dns over tls (rt-ac68u) and I'm not sure how to tell if its working or not...also do we need to put in a tls port?
if there is a guide I must have missed it.
thx in advance.

 

[Treadler]

I just setup dns over tls (rt-ac68u) and I'm not sure how to tell if its working or not...also do we need to put in a tls port?
if there is a guide I must have missed it.
thx in advance.

https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

 

[EmeraldDeer]

I just setup dns over tls (rt-ac68u) and I'm not sure how to tell if its working or not...also do we need to put in a tls port?
if there is a guide I must have missed it.
thx in advance.

There is no guide. The seemingly endless discussions did not converge on a recommended configuration or even an understanding.

If you happened to have chosen Cloudflare this link will confirm DNS over TLS function:
https://1.1.1.1/help

 

[ajh]

There is no guide. The seemingly endless discussions did not converge on a recommended configuration or even an understanding.

Having recently reviewed as much of the seemingly endless discussions as I could find, I ended up with the following configuration, which I'm sharing in case it might be of assistance to OP or anyone else. I make no warranties that my choices are the best choices and welcome suggestions.

1. In the webui go to WAN / Internet Connection / WAN DNS Setting
2. Set Connect to DNS Server automatically to No. (When using DoT this setting governs what happens in case your selected DoT DNS server doesn't load correctly. Setting it to Yes means that your router will start off with your ISP's DNS server before the router loads your selected DoT server. Setting it to No means that your router will start off with whatever fallback DNS server you select.)
3. At DNS Server1, enter 1.1.1.1. (As most will recognize, this is for Cloudflare. I chose it because I personally choose to assiduously avoid using my ISP's DNS server for any purpose, even the time check at router startup.)
4. At DNS Server2, enter 1.0.0.1. (This is Cloudflare's secondary address.)
5. Set Forward local domain queries to upstream DNS to No. (Whether it's your ISP's DNS server, Cloudflare or whatever, the upstream DNS doesn't know your local network map.)
6. Set Enable DNS Rebind protection to Yes. (Doing so helps to defend against possible cross-scripting attacks.)
7. Set Enable DNSSEC support to Yes. (@RMerlin recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
8. Set Validate unsigned DNSSEC replies to Yes. (@RMerlin also recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
9. Set Prevent client auto DoH to Auto.
10. At DNS Privacy Protocol, select DNS-over-TLS (DoT).
11. At DNS-over-TLS Profile, select Strict.
12. At Preset servers, select your preferred DNS service. I went with Quad9's 9.9.9.9 and 149.112.112.112 because I prefer Quad9 and like its filtering of malicious websites. (If you choose 2 different services, such as Quad9 and Cloudflare, the router will alternate between the two, rather than using one as primary and another as backup).
13. Hit Apply.

Thanks to @themiron and @RMerlin for implementing DoT. Thanks to all for alpha and beta testing this feature and for your earlier comments on configuration options.

Once again, this is just what I've chosen based on my judgments of what I've read on this forum. Exercise your own judgment. Good luck!

[1/24/20 edit] Added thanks to @themiron, who developed DoT in Merlin almost entirely himself.

 

[bbunge]

Having recently reviewed as much of the seemingly endless discussions as I could find, I ended up with the following configuration, which I'm sharing in case it might be of assistance to OP or anyone else. I make no warranties that my choices are the best choices and welcome suggestions.

1. In the webui go to WAN / Internet Connection / WAN DNS Setting
2. Set Connect to DNS Server automatically to No. (When using DoT this setting governs what happens in case your selected DoT DNS server doesn't load correctly. Setting it to Yes means that your router will start off with your ISP's DNS server before the router loads your selected DoT server. Setting it to No means that your router will start off with whatever fallback DNS server you select.)
3. At DNS Server1, enter 1.1.1.1. (As most will recognize, this is for Cloudflare. I chose it because I personally choose to assiduously avoid using my ISP's DNS server for any purpose, even the time check at router startup.)
4. At DNS Server2, enter 1.0.0.1. (This is Cloudflare's secondary address.)
5. Set Forward local domain queries to upstream DNS to No. (Whether it's your ISP's DNS server, Cloudflare or whatever, the upstream DNS doesn't know your local network map.)
6. Set Enable DNS Rebind protection to Yes. (Doing so helps to defend against possible cross-scripting attacks.)
7. Set Enable DNSSEC support to Yes. (@RMerlin recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
8. Set Validate unsigned DNSSEC replies to Yes. (@RMerlin also recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
9. Set Prevent client auto DoH to Auto.
10. At DNS Privacy Protocol, select DNS-over-TLS (DoT).
11. At DNS-over-TLS Profile, select Strict.
12. At Preset servers, select your preferred DNS service. I went with Quad9's 9.9.9.9 and 149.112.112.112 because I prefer Quad9 and like its filtering of malicious websites. (If you choose 2 different services, such as Quad9 and Cloudflare, the router will alternate between the two, rather than using one as primary and another as backup).
13. Hit Apply.

Thanks to @RMerlin for implementing DoT. Thanks to all for alpha and beta testing this feature and for your earlier comments on configuration options.

Once again, this is just what I've chosen based on my judgments of what I've read on this forum. Exercise your own judgment. Good luck!

Good job here! Only recommendation is for those using dual stack IPV4/IPV6 to add the IPV6 resolvers (step 12). Some IPV4 resolvers will resolve IPV6 addresses, some won't. One solution is to alternate IPV4 resolver with IPV6 resolver. Do the primary and alternate of each. The built in Stubby is set to round_robin on and will alternate between the resolvers you have entered. Seems to work well for me.

 

[ajh]

Good job here! Only recommendation is for those using dual stack IPV4/IPV6 to add the IPV6 resolvers (step 12).

Thanks. I'm disabling IPv6 for now but am filing away your tip for future reference if and when I enable IPv6.

 

[admiral2145]

Thanks. I'm disabling IPv6 for now but am filing away your tip for future reference if and when I enable IPv6.

Thx for this guide.. About to run your setup now.

Sent from my PH-1 using Tapatalk

 

[ShelaMonster]

Good job here! Only recommendation is for those using dual stack IPV4/IPV6 to add the IPV6 resolvers (step 12). Some IPV4 resolvers will resolve IPV6 addresses, some won't. One solution is to alternate IPV4 resolver with IPV6 resolver. Do the primary and alternate of each. The built in Stubby is set to round_robin on and will alternate between the resolvers you have entered. Seems to work well for me.

I seem to remember there was a need to order them in a certain way so that IPv6 would resolve first over IPv4, or am I incorrect?
I'm running a similar setup with NextDNS via DoT, but using their web interface indicates that IPv4 is being used primarily, even though IPv6 test sites show the browser is preferring v6 over v4.

 

[martinr]

Having recently reviewed as much of the seemingly endless discussions as I could find, I ended up with the following configuration, which I'm sharing in case it might be of assistance to OP or anyone else. I make no warranties that my choices are the best choices and welcome suggestions.

1. In the webui go to WAN / Internet Connection / WAN DNS Setting
2. Set Connect to DNS Server automatically to No. (When using DoT this setting governs what happens in case your selected DoT DNS server doesn't load correctly. Setting it to Yes means that your router will start off with your ISP's DNS server before the router loads your selected DoT server. Setting it to No means that your router will start off with whatever fallback DNS server you select.)
3. At DNS Server1, enter 1.1.1.1. (As most will recognize, this is for Cloudflare. I chose it because I personally choose to assiduously avoid using my ISP's DNS server for any purpose, even the time check at router startup.)
4. At DNS Server2, enter 1.0.0.1. (This is Cloudflare's secondary address.)
5. Set Forward local domain queries to upstream DNS to No. (Whether it's your ISP's DNS server, Cloudflare or whatever, the upstream DNS doesn't know your local network map.)
6. Set Enable DNS Rebind protection to Yes. (Doing so helps to defend against possible cross-scripting attacks.)
7. Set Enable DNSSEC support to Yes. (@RMerlin recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
8. Set Validate unsigned DNSSEC replies to Yes. (@RMerlin also recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
9. Set Prevent client auto DoH to Auto.
10. At DNS Privacy Protocol, select DNS-over-TLS (DoT).
11. At DNS-over-TLS Profile, select Strict.
12. At Preset servers, select your preferred DNS service. I went with Quad9's 9.9.9.9 and 149.112.112.112 because I prefer Quad9 and like its filtering of malicious websites. (If you choose 2 different services, such as Quad9 and Cloudflare, the router will alternate between the two, rather than using one as primary and another as backup).
13. Hit Apply.

Thanks to @RMerlin for implementing DoT. Thanks to all for alpha and beta testing this feature and for your earlier comments on configuration options.

Once again, this is just what I've chosen based on my judgments of what I've read on this forum. Exercise your own judgment. Good luck!

Many thanks for this guide, now bookmarked; I especially appreciate the explanations in brackets. As to Step 9, Prevent Client auto DoH, what’s the advantage to setting this to Auto rather than to Yes?

 

[MatrixGeeker]

Having recently reviewed as much of the seemingly endless discussions as I could find, I ended up with the following configuration, which I'm sharing in case it might be of assistance to OP or anyone else. I make no warranties that my choices are the best choices and welcome suggestions.

1. In the webui go to WAN / Internet Connection / WAN DNS Setting
2. Set Connect to DNS Server automatically to No. (When using DoT this setting governs what happens in case your selected DoT DNS server doesn't load correctly. Setting it to Yes means that your router will start off with your ISP's DNS server before the router loads your selected DoT server. Setting it to No means that your router will start off with whatever fallback DNS server you select.)
3. At DNS Server1, enter 1.1.1.1. (As most will recognize, this is for Cloudflare. I chose it because I personally choose to assiduously avoid using my ISP's DNS server for any purpose, even the time check at router startup.)
4. At DNS Server2, enter 1.0.0.1. (This is Cloudflare's secondary address.)
5. Set Forward local domain queries to upstream DNS to No. (Whether it's your ISP's DNS server, Cloudflare or whatever, the upstream DNS doesn't know your local network map.)
6. Set Enable DNS Rebind protection to Yes. (Doing so helps to defend against possible cross-scripting attacks.)
7. Set Enable DNSSEC support to Yes. (@RMerlin recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
8. Set Validate unsigned DNSSEC replies to Yes. (@RMerlin also recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
9. Set Prevent client auto DoH to Auto.
10. At DNS Privacy Protocol, select DNS-over-TLS (DoT).
11. At DNS-over-TLS Profile, select Strict.
12. At Preset servers, select your preferred DNS service. I went with Quad9's 9.9.9.9 and 149.112.112.112 because I prefer Quad9 and like its filtering of malicious websites. (If you choose 2 different services, such as Quad9 and Cloudflare, the router will alternate between the two, rather than using one as primary and another as backup).
13. Hit Apply.

Thanks to @RMerlin for implementing DoT. Thanks to all for alpha and beta testing this feature and for your earlier comments on configuration options.

Once again, this is just what I've chosen based on my judgments of what I've read on this forum. Exercise your own judgment. Good luck!

Awesome write up and explanation. Appreciate it

 

[ajh]

As to Step 9, Prevent Client auto DoH, what’s the advantage to setting this to Auto rather than to Yes?

This gets into the whole DoT/DoH debate.

On the one hand, @RMerlin prefers DoT and dislikes DoH. See, e.g.,

• Disabling Firefox's automatic switch to DoH
  
• https://twitter.com/RMerlinDev/status/1170550850722381825

On the other hand, Firefox is adopting DoH, Chrome is experimenting with it, Microsoft is working on supporting it and my fav VPN solution, Algo, implements it.

Personally I don't have the technical chops to assess which DNS encryption scheme is better and even if I did, the debate is going to shake out over time.

When it comes to configuring my shiny new RT-AX88U, my concern is simply to implement one or the other form of DNS encryption and to reduce the chance that my choice screws up something else.

@RMerlin has chosen DoT. Since I'm implicitly trusting him when I install his Merlin fw, I'll trust him when he chooses DoT too.

All that plays into setting Prevent Client auto DoH to Auto. I'm trusting that @RMerlin, together with @themiron, has written Merlin so that the default value of Auto implements his preferred approach.

Frankly I'm not sure what, if anything, Yes might do above and beyond Auto so I'm taking a more conservative approach for now.

 

[martinr]

......
On the one hand, @RMerlin prefers DoT and dislikes DoH.

@RMerlin has chosen DoT. Since I'm implicitly trusting him when I install his Merlin fw, I'll trust him when he chooses DoT too.......

That’s always been my approach: it’s good enough for Merlin, I don’t need to know anything else.

But I really appreciate the work you’ve put into this.

 

[dave14305]

Frankly I'm not sure what, if anything, Yes might do above and beyond Auto so I'm taking a more conservative approach for now.

Yes will add the special canary domain to your DNS server regardless. Auto only adds it if you have DNS Privacy (DoT) or DNSFilter enabled, implying you want some control over your network's DNS.

But as is often mentioned regarding this feature, it only prevents the automatic enablement of Firefox DoH, not the explicit enablement by a user going into the Firefox settings.

 

[RMerlin]

On the other hand, Firefox is adopting DoH, Chrome is experimenting with it, Microsoft is working on supporting it and my fav VPN solution, Algo, implements it.

One huge difference there: Firefox will hijack whatever network configuration you have, meaning they will break your OpenDNS/CleanBrowsing/Quad9/etc... filtering setup, putting your network at risks by silently bypassing any security feature provided by these DNS. Others like Google, will just upgrade to the DoH protocol if the configured server uses it. So, if Cleanbrowsing were to support DoH, Chrome would switch to using DoH instead of a non-encrypted connection - but it would still be using the same server, providing the same filtering features as before.

I'm still not a fan of DoH as a protocol, however Google's approach to supporting it is acceptable for me. Mozilla's isn't.

 

[SomeWhereOverTheRainBow]

One huge difference there: Firefox will hijack whatever network configuration you have, meaning they will break your OpenDNS/CleanBrowsing/Quad9/etc... filtering setup, putting your network at risks by silently bypassing any security feature provided by these DNS. Others like Google, will just upgrade to the DoH protocol if the configured server uses it. So, if Cleanbrowsing were to support DoH, Chrome would switch to using DoH instead of a non-encrypted connection - but it would still be using the same server, providing the same filtering features as before.

I'm still not a fan of DoH as a protocol, however Google's approach to supporting it is acceptable for me. Mozilla's isn't.

DoT by far, is a great solution, but my only skepticism is that it does not seem to be getting as much momentum as it should to be considered a long term solution. (I.E. platforms implementing it v.s. DoH).

 

[RMerlin]

DoT by far, is a great solution, but my only skepticism is that it does not seem to be getting as much momentum as it should to be considered a long term solution. (I.E. platforms implementing it v.s. DoH).

DoT is developed as a system-level resolver. DoH is developed as an application-level resolver, which requires an actual http software stack. Hence it mostly gets implemented within web browsers.

DoT, to be properly done, has to be done as the OS level, or through a proxy like Stubby. So, it's not as straightforward to implement, which is why it doesn't get as much publicity. But DoT has been implemented in Android long before DoH got added in Firefox and Mozilla started bragging with much fanfare about it...

 

[kinghat]

i have do turn off Validate unsigned DNSSEC to get DoT working properly.

 

[Gar]

i have do turn off Validate unsigned DNSSEC to get DoT working properly.

I can't get it to work at all with my new fiber ISP, everything else is fine. No DoT was faster look-ups when I was on cable so I guess I can live with it.

Edit: Does this mean the ISP messes with port 853 or could something else be going on? It's the same with both routers.

 

[Treadler]

i have do turn off Validate unsigned DNSSEC to get DoT working properly.

Shouldn’t be the case.

You may have to turn it off to get Cloudflare’s test site to properly report what you’re doing though.
A Cloudflare fault, not yours.

 

[kinghat]

Shouldn’t be the case.

You may have to turn it off to get Cloudflare’s test site to properly report what you’re doing though.
A Cloudflare fault, not yours.

ya that was my case, it was saying i wasnt using DoT with it enabled. is there a better way to test these types of settings?