DNS-over-TLS (DoT) - How do I know it's working?


rugglebear

Occasional Visitor
Hello,

I used to use Stubby which I installed via Entware, but I believe that is now deprecated.

I now utilize the setting in Merlin within WAN > Internet Connection > DNS Privacy Protocol, set to 'DNS-over-TLS' (settings attached in a screenshot).

However, when I visit https://1.1.1.1/help it does not show DNS-over-TLS as active, whereas it used to with Stubby.
I also checked this page, which shows DoT as 'false', https://tenta.com/test/

Any assistance is appreciated. Thank you!
Try to disable DNSSec in the GUI and test again.
The 1.1.1.1 test cannot handle DNSSec.
Some extra info: https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Privacy
Thanks, both!

If I were to disable DNSSec, would that leave me 'less secure' than having both DNSSec and DoT enabled?

I ran the test at the site listed, and got the 'thumbs up result'. Does this confirm DoT, or just DNSSec?
Additionally, when I tested sites labeled as "Sites With Bad DNSSEC Signatures", both sites failed to resolve. Is that the expected result?

Thanks again for the never-ending information.
From the wiki
NOTE: There is currently an issue with the popular DoT/DoH test site provided by Cloudflare where it will fail to use properly signed DNSSEC hostnames during the test, causing the test to fail to correctly detect that you are using DoT. This does not indicate that your setup doesn't work, and is something that will hopefully eventually be fixed by Cloudflare. You can avoid this by temporarily disabling validation of unsigned records, however it is recommended to re-enable that option afterward.
 
If you want to test it on your router you can watch what port your router connects through. A secure DoT connection should only use port 853. Type the following at your router's SSH console:
Code:
tcpdump -ni eth0 -p port 53 or port 853
 
Ahhh, that makes much more sense in the context of this conversation, now that I have a better understanding of the features I'm trying to test.
I had read the Wiki before, but the "temporarily disabling validation", in my mind, didn't equate to "disable DNSSec in gui", but now I understand what it's saying, thank you.

Ok, so here are my results:

DNSSec Disabled:
1.1.1.1/help says -
Connection to 1.1.1.1 - Yes
Using DNS over TLS (Dot) - Yes

DNSSec Enabled:
1.1.1.1/help says -
Connection to 1.1.1.1 - No
Using DNS over TLS (Dot) - No

So it seems like that Cloudflare site bug is the culprit.

Thanks, I executed the command, but this is all I got back:

admin@RT-AC68U-0988:/tmp/home/root# tcpdump -ni eth0 -p port 53 or port 853
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
 
It's likely your WAN interface isn't eth0. Try using vlan2 or ppp0 instead.
 
You have to wait about 30 sec for the output to start. It should look something like this:
Code:
Secure:
12:56:03.030994 IP 1.0.0.1.853 > Your.IP.Address.48008: Flags [.], ack 321, win 66, length 0
12:56:03.031895 IP 1.0.0.1.853 > Your.IP.Address.48008: Flags [.], seq 1:1461, ack 321, win 66, length 1460
12:56:03.031953 IP Your.IP.Address.48008 > 1.0.0.1.853: Flags [.], ack 1461, win 251, length 0
12:56:03.031971 IP 1.0.0.1.853 > IP Your.IP.Address.48008: Flags [P.], seq 1461:2725, ack 321, win 66, length 1264

Not Secure:
12:56:21.204150 Your.IP.Address.54571 > 1.1.1.1.53: 52137+ A? api.db-ip.com. (31)
12:56:21.204202 Your.IP.Address.54571 > 1.1.1.1.53: 54185+ AAAA? api.db-ip.com. (31)
12:56:21.214474 IP 1.1.1.1.53 > Your.IP.Address.54571: 52137 3/0/0 A 104.26.5.15, A 104.26.4.15, A 172.67.75.166 (92)
12:56:21.219212 IP 1.1.1.1.53 > Your.IP.Address.54571: 54185 0/1/0 (99)
 
Use command ifconfig to show your WAN interface. inet addr: should show your WAN IP
 
Thanks, looks like it was vlan2 for me.

So, the vast majority of the output is like .853

However, there are a few outliers, below.
Is this typical, or could there be a reason for it?

18.218.53: 8119+ [1au] A? dealer.spotify.com. (47)
18.218.53: 35017+ [1au] A? datarouter.ol.epicgames.com. (56)
18.218.53: 22695+ [1au] A? audio-fa.scdn.co. (45)
18.218.53: 63361+ [1au] A? www.amazon.com. (43)

Then others that go to livetile.microsoft, and other Microsoft ones.
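As an added example (not from this thread or the router firmware), here is a small Python parser for tcpdump lines in the format shown earlier in the thread: it counts port-853 (DoT) packets against port-53 (plain-text) packets and lists every plain-text query with its name and the server it went to, which is the "outlier" check done by eye above. The sample capture is constructed, with 192.0.2.10 standing in for the router's WAN address.

```python
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump lines shown in this thread;
# 192.0.2.10 stands in for the router's WAN address (not a real capture).
SAMPLE_CAPTURE = """\
12:56:03.030994 IP 1.0.0.1.853 > 192.0.2.10.48008: Flags [.], ack 321, win 66, length 0
12:56:03.031953 IP 192.0.2.10.48008 > 1.0.0.1.853: Flags [.], ack 1461, win 251, length 0
12:56:21.204150 IP 192.0.2.10.54571 > 1.1.1.1.53: 52137+ A? api.db-ip.com. (31)
12:56:21.204202 IP 192.0.2.10.54571 > 1.1.1.1.53: 54185+ AAAA? api.db-ip.com. (31)
12:56:21.214474 IP 1.1.1.1.53 > 192.0.2.10.54571: 52137 3/0/0 A 104.26.5.15, A 104.26.4.15 (92)
12:56:22.100000 IP 192.0.2.10.40001 > 203.0.113.53.53: 8119+ [1au] A? dealer.spotify.com. (47)
"""

# "<ts> IP <host>.<port> > <host>.<port>: <rest>"; the "IP" token is optional
# because some lines pasted in the thread lack it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:IP )?(?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Query records carry "<id>+ [flags] <TYPE>? <name>"; responses do not.
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")


def classify(line):
    """Return a dict describing a DNS-related packet, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if 853 in (sport, dport):
        kind = "dot"      # TLS-wrapped DNS: query contents are not visible to tcpdump
    elif 53 in (sport, dport):
        kind = "plain"    # clear-text DNS: query names are readable on the wire
    else:
        return None
    resolver = m["dst"] if dport in (53, 853) else m["src"]
    q = QUERY_RE.search(m["rest"])
    return {"kind": kind, "resolver": resolver, "qname": q["qname"] if q else None}


def audit(capture):
    """Count DoT vs plain-text DNS packets and list plain-text queries as (name, server)."""
    counts, leaks = Counter(), []
    for rec in filter(None, map(classify, capture.splitlines())):
        counts[rec["kind"]] += 1
        if rec["kind"] == "plain" and rec["qname"]:
            leaks.append((rec["qname"], rec["resolver"]))
    return counts, leaks
```

On the constructed sample, audit(SAMPLE_CAPTURE) reports two DoT packets, four plain-text packets and three plain-text query names; on a real capture, pipe the saved tcpdump output into audit() and any non-empty leak list shows which names (and which server) bypassed the DoT path.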
 
Do you still have the router configured to handle all DNS requests?
 
I believe so, I have DNS Filter 'ON' with Global Filter Mode = 'Router'

And I have my VPN Client "Accept DNS Configuration" set to 'Strict'
What is your local DNS server set to? It should be No: Tools - Other Settings - WAN: Use local caching DNS server as system resolver (default: No).
 
Clear the DNS Server1 and DNS Server2 fields; leave them blank.
 