DNS Director / DoT over TLS

outlaw78

Regular Contributor
So I have been messing with the DoT over TLS and DNS Director and trying to force all clients to use my specified DNS. I do believe I have everything set correctly for it to work, but it's not forcing my devices (at least Windows devices) to the DNS specified by the router. I can enter the Cloudflare DNS address into Windows and when I do a DNS check after that, it pings Cloudflare. If I remove the manually set DNS servers, the check now pings the one in the router again. I am using this website to check:
https://www.dnsleaktest.com/

I followed the steps in the article https://techcommunity.microsoft.com...ver-tls-available-to-windows-insiders/3565859 thinking maybe it was a Windows thing and it can bypass all the DNS security settings in the router. When I make it to the second set of commands to enter, all I get is "The system cannot find the file specified.". I have a GT-AXE16000.

Edit: I do have IPV6 set, but removed it from view. Mainly dealing with IPV4 right now.

Below is how I have everything set:
[Three screenshots of the router settings were attached: Screenshot 2025-01-16 165318.png, Screenshot 2025-01-16 165359.png, Screenshot 2025-01-16 165419.png]
 
DNS-over-TLS (or DoT), not DoT over TLS. The settings are strange. You don't have to verify a trusted encrypted upstream resolver with DNSSEC, your domain name is rather strange, this User defined DNS 1 to LAN IP is not necessary and you have one client not redirected to Google, but using WAN DNS servers... from Google. I believe we have >100 threads on how DNS Director works...
 
I'm sorry but your post is very confusing...

I don't have any clients "not directed to Google". That is a blank entry waiting for data. It says "ex: " right in the Mac address.

You mention the domain name. Is it even necessary? You didn't explain either way.

I read here in another thread that that is how you set the user defined IP in DNS Director, and that you point it to the gateway IP. I can find the thread if you like. (EDIT: https://www.snbforums.com/threads/dns-director-does-not-work-properly.83265/) I know the thread discusses Pi-hole but it made sense either way. But I have tried putting Google DNS IPv4 and 6 in those boxes, no change. I've left them blank, no change. I can still get Windows to ping whatever DNS I manually program into Windows. So how would you do it?

So from what I gather, I do not have settings right? As far as the >100 threads on how it works, I read many and many state the settings I have (minus the domain name of "router").

So by my understanding DNS Director won't work in the way I am describing?

What I am trying to achieve is that Windows is forced to use the DNS servers defined in the router no matter what is manually programmed in the OS, and at the same time, to make Windows 11 acknowledge that my DNS is encrypted instead of saying "(Unencrypted)" when I go to the network properties.
 
What do you mean? Did you disable it or just omit it from your post?
What’s in /tmp/resolv.dnsmasq?
I just erased it from the picture. But at this point, I'm just going to disable DNS director. Probably won't benefit me much anyways. I just like to mess with things to see how they work.
 
But at this point, I'm just going to disable DNS director.
I bet outlaw77 or outlaw79 wouldn’t just give up like that. :)

Your settings look fine, but IPv6 can leave surprises. Do you have Google IPv6 DNS servers on the IPv6 tab of the router?
 
I can still get windows to ping whatever DNS I manually program into windows.

You can ping 1.1.1.1 (example), but if you do DNS query on port 53 to 1.1.1.1 it will be redirected to 8.8.8.8 without Windows knowing about this happening. About router's default DNS server - it's on the LAN IP. You don't have to specify it again. You have read Pi-hole setup threads and the things are a bit different there. Look at the instructions in the GUI right above Settings.

About WAN settings - DNSSEC authentication to Google using encrypted DNS doesn't make much sense, to me at least. Your DNS queries are encrypted to Google and they do DNSSEC authentication already. So why do it twice and to a major trusted DNS provider?
 
This is above my basic knowledge of what you are explaining. I usually just read the description of the setting in the router (if it has one) by hovering over the setting and go, "That sounds like it should be on". I guess my main concern with this was getting Windows to acknowledge that my DNS server supplied through DHCP was in fact (Encrypted) and not (Unencrypted) when you go to the network properties page. But I think it has to do with some "file" or "address" that is missing. That's why I was trying to globally enable DNS over TLS in Windows 11.

DNS Director was a whole separate thing I was tinkering with. Guess I should have been more clear in my OP. But as of now, I have disabled it and will try again in the future and continue my research on that front, as it does not appear to work with the current settings I have. Maybe it is happening like you explained in your post and just not reflecting that in the dnsleaktest website I linked, idk. It sounds really awesome if it works like it says it should and I can figure it out.

Ah..... So if I don't need it for a DNS server like Google, does having it on in my router settings have any adverse effect, say like slowdowns of devices (IoT for example) or using more router compute and resources? So all the settings pertaining to DNSSEC could be toggled off if I use Google, like:
Enable DNS Rebind protection (Yes/No)
Enable DNSSEC support (Yes/No)
Validate unsigned DNSSEC replies (Yes/No)
 
I bet outlaw77 or outlaw79 wouldn’t just give up like that. :)

Your settings look fine, but IPv6 can leave surprises. Do you have Google IPv6 DNS servers on the IPv6 tab of the router?
It's all good. I don't have any nefarious persons I need to worry about, as my son is 17 now and if he wants to get somewhere on the internet that DNS Director is blocking, he'll just go to cellular data on his phone lol. I just like to tinker and be a dictator in my house with my internet lol.
 
I was trying to globally enable DNS over TLS (in windows 11)

You can do this on the router side with some limitations. Clients with custom DNS-over-HTTPS will go around it, as well as everything using on-device VPN. Browsers with DNS privacy settings enabled doing DoH will go around it as well. On the router side all you have to do is set DoT in WAN settings and enable DNS Director with global redirection to Router. Nothing else. You can set Prevent Client auto DOH to Yes/Auto, but this may mess up Apple clients using iCloud Private Relay. In case upstream major DNS providers are used I would leave Rebind protection and DNSSEC validation options at default No. If you don't have IPv6 enabled - you don't need IPv6 DNS servers. Even if you do have IPv6 enabled - you still don't need IPv6 servers, IPv4 servers will resolve IPv6 addresses. If you do have IPv6 enabled - better have a good reason to do so, the default setting is Disabled.
 
he'll just go to cellular data on his phone lol

I have my guest network set with content filtering. People come with kids, they can do whatever they want on a cellular network, but once on my network they have to follow my rules. This is in my control and becomes my responsibility. They may have parental controls on their devices and all of a sudden find my network is unrestricted.
 
So using a major provider such as Google, rebind protection and DNSSEC can be toggled off (especially rebind protection) with no threat. Got it, I will turn these off then. You say that IPv6 should only be enabled if I have a good reason to do so... My reasoning is that it is steadily becoming the standard. I have always had it enabled since my ISP turned it on, and I have both UPnP settings toggled on because my Xbox X1 will not connect to gaming services without it enabled. Do you have any good reasons for leaving IPv6 disabled?
 
This is actually a good point. I use a guest network for all my IoT devices and make it so they can't see the intranet.
 
rebind protection and DNSSEC

You can leave rebind protection Yes, but when used with blocking DNS service it will generate warning messages in system log. Google is (almost) unfiltered DNS, should be fine. DNSSEC - you have encrypted queries to Google, you can leave it Yes if you really want to, but no point doing it.

You have any good reasons for leaving IPv6 disabled?

Yes, we have public IPv4 addresses available and I don't need to open another door to my networks. Not a gamer, but I have an Xbox somewhere around and it worked just fine, it doesn't require IPv6 as per Microsoft. I also found Asus firmware is not 100% compatible with dual-stack and it may produce unexpected results. If you use custom scripts - check which ones are IPv4 only. If you use on-router VPN - careful with common IPv6 leaks. You perhaps noticed most on-device VPN clients disable IPv6. It is an overengineered standard solving specific problem, when/where the problem exists.
 
You can leave rebind protection Yes, but when used with blocking DNS service it will generate warning messages in system log.

To be clear, you’re saying that if using an upstream DNS resolver that blocks malware, for example, keeping rebind protection enabled will generate warnings in the log? Any downsides to that? Also, are there security risks when disabling rebind protection?
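As an added illustration of the trade-off discussed in the last two posts (my own example, not from the thread or from Asus firmware): rebind protection drops upstream answers that point into address blocks dnsmasq treats as private, which is why a blocklist resolver that sinkholes names to 0.0.0.0 produces warnings. The script takes constructed dnsmasq "reply NAME is ADDR" log-queries lines and sorts the answered names into harmless sinkhole noise versus the external-name-to-LAN-address case the protection exists for; the address blocks are the ones I understand dnsmasq's private_net() check to use.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample (not from the thread) of dnsmasq "log-queries" lines as seen
# with rebind protection turned off: the upstream is a blocklist resolver that
# sinkholes ad domains to 0.0.0.0, plus one external name answering with a LAN address.
SAMPLE_LOG = """\
Jan 16 17:01:02 dnsmasq[1234]: reply ads.example.test is 0.0.0.0
Jan 16 17:01:02 dnsmasq[1234]: reply tracker.example.test is 0.0.0.0
Jan 16 17:02:10 dnsmasq[1234]: reply www.example.test is 203.0.113.10
Jan 16 17:05:40 dnsmasq[1234]: reply evil.example.test is 192.168.50.1
Jan 16 17:06:00 kernel: eth0: link up
"""

REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\d+\.\d+\.\d+\.\d+)$")

# Blocks that dnsmasq's stop-dns-rebind refuses in upstream answers, as I understand
# its private_net() check: "this network" (0.0.0.0/8), RFC 1918, loopback, link-local.
SINKHOLE = ip_network("0.0.0.0/8")
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                   "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr: str) -> str:
    """How rebind protection would treat an upstream A answer for an external name."""
    ip = ip_address(addr)
    if ip in SINKHOLE:
        return "sinkhole"   # blocklist null answer: dropped and logged, harmless noise
    if any(ip in net for net in PRIVATE):
        return "rebind"     # external name pointing into the LAN: the real concern
    return "ok"

def triage(log_text: str) -> dict:
    """Group answered names by how rebind protection would treat each answer."""
    out = {"sinkhole": [], "rebind": [], "ok": []}
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            out[classify(m.group(2))].append(m.group(1))
    return out

if __name__ == "__main__":
    for kind, names in triage(SAMPLE_LOG).items():
        print(f"{kind:8s} {', '.join(names) or '-'}")
```

With rebind protection on, the "sinkhole" names are the ones that fill the system log with warnings; turning it off silences them but also stops the "rebind" case from being filtered.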
 
