DNS Support - Secure DNS and Encrypted SNI

[bitmonster]

Running Cloudflare DNS via WAN settings. Seems to be working fine except the Cloudflare DNS checker tool shows DNSSEC and certificate TLS works, however Secure DNS and Encrypted SNI is not.

Does anyone know if this is supported in the firmware and if possible how to get it working?

It's a simple significant piece of the privacy puzzle. Thanks..

Merlin 384.15b1 / rt-ac86u

 

[Zastoff]

https://www.snbforums.com/threads/how-activate-encrypted-sni-asus-rt-ax88u.61375/#post-543430

 

[Mutzli]

Try another test like this one: https://dnssec.vs.uni-due.de
Cloudflare's is not working right.

 

[bitmonster]

Try another test like this one: https://dnssec.vs.uni-due.de
Cloudflare's is not working right.

Thanks, that validates DNSEC works but not the rest? I would really like to fully encrypt my DNS queries completely, although the router itself would keep a log I guess.

Sent from my SM-G977B using Tapatalk

 

[bitmonster]

https://www.snbforums.com/threads/how-activate-encrypted-sni-asus-rt-ax88u.61375/#post-543430

Thanks I'll use that thread

Sent from my SM-G977B using Tapatalk

 

[Frankflash]

The web browser has to support Esni firefox is the only one that supports it and the web site that you visit also has to haveEsni build in as well

 

[EmeraldDeer]

I do not want Encrypted SNI. It requires DNS over HTTPS which will circumvent Diversion and Skynet. I see this as less secure.

The Cloudflare Secure DNS test works for me because I am using Cloudflare DNS over TLS.

 

[Zastoff]

ESNI is only supported with firefox, But can be used with DNSCrypt-proxy v2 wiki and it would work fine with Diversion & Skynet i think, Even not a requirement to use cloudflare as dns server, Works with other DoH servers/DNSCrypt/Anonymized DNSCrypt setup aswell.

Spoiler: But please read..

While this may eventually be a significant privacy improvement, it current has some caveats to be aware of:

• ESNI is a very early a work-in-progress design and has not yet seen significant (or really any) security analysis.
• It hasn't been deployed anywhere, besides an early prototype implemented in Firefox and on Cloudflare servers. Even when using Firefox, ESNI will never be used except when connecting to some websites from Cloudflare customers.
• What has been deployed is still missing an important part to protect against censorship (GREASE)
• Enabling ESNI will trigger an extra DNS query for every single new hostname, even for hosts that don't support ESNI. Every time a query for a host that doesn't support is made, an error will be returned (NXDOMAIN).
• Enabling ESNI in Firefox breaks some websites ("Secure connection failed - SSL_ERROR_NO_CYPHER_OVERLAP" or "SSL_ERROR_MISSING_ESNI_EXTENSION").
• Keep in mind that ESNI doesn't exist yet. What is available is only an experiment run by two companies.

 

[Pak Kriss]

How about this setup (for the time being, workaround): The VPN connects overseas, as close as possible to the locations of the DNS resolvers. Is that a viable option?

 

[dave14305]

How about this setup (for the time being, workaround): The VPN connects overseas, as close as possible to the locations of the DNS resolvers. Is that a viable option?

View attachment 21521

Your destination IPs should not be /24. They should be /32 or not specified with a class at all. Also, your second Google DNS entry is incorrect: use 8.8.4.4.

 

[Pak Kriss]

Your destination IPs should not be /24. They should be /32 or not specified with a class at all. Also, your second Google DNS entry is incorrect: use 8.8.4.4.

Thanks for the Google IP correction.

The /24 is fine.

Sent from my SM-T805 using Asus RT-AC86U & Merlin 384.13