DNS Support - Secure DNS and Encrypted SNI


bitmonster

Senior Member
Running Cloudflare DNS via WAN settings. Seems to be working fine, except the Cloudflare DNS checker tool shows DNSSEC and certificate TLS work; however, Secure DNS and Encrypted SNI are not.

Does anyone know if this is supported in the firmware and if possible how to get it working?

It's a simple but significant piece of the privacy puzzle. Thanks.

Merlin 384.15b1 / rt-ac86u
 
The web browser has to support ESNI. Firefox is the only one that supports it, and the web site that you visit also has to have ESNI built in as well.
 
I do not want Encrypted SNI. It requires DNS over HTTPS which will circumvent Diversion and Skynet. I see this as less secure.

The Cloudflare Secure DNS test works for me because I am using Cloudflare DNS over TLS.

[image attachment: SecureDNS.JPG]
 
ESNI is only supported with Firefox, but it can be used with DNSCrypt-proxy v2 (see its wiki) and it would work fine with Diversion & Skynet, I think. It is not even a requirement to use Cloudflare as the DNS server; it works with other DoH servers/DNSCrypt/Anonymized DNSCrypt setups as well.
While this may eventually be a significant privacy improvement, it currently has some caveats to be aware of:

  • ESNI is a very early, work-in-progress design and has not yet seen significant (or really any) security analysis.
  • It hasn't been deployed anywhere, besides an early prototype implemented in Firefox and on Cloudflare servers. Even when using Firefox, ESNI will never be used except when connecting to some websites from Cloudflare customers.
  • What has been deployed is still missing an important part to protect against censorship (GREASE)
  • Enabling ESNI will trigger an extra DNS query for every single new hostname, even for hosts that don't support ESNI. Every time a query for a host that doesn't support it is made, an error will be returned (NXDOMAIN).
  • Enabling ESNI in Firefox breaks some websites ("Secure connection failed - SSL_ERROR_NO_CYPHER_OVERLAP" or "SSL_ERROR_MISSING_ESNI_EXTENSION").
  • Keep in mind that ESNI doesn't exist yet. What is available is only an experiment run by two companies.
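To make the "extra DNS query per hostname" and "DNS over TLS" points concrete, here is an added example (not code from the thread, dnscrypt-proxy, or Asuswrt-Merlin) that builds the TXT query the ESNI draft used (`_esni.<hostname>`), frames it for DNS over TLS (RFC 7858: 2-byte length prefix on TCP/853 inside TLS), and interprets the reply, treating NXDOMAIN as "this host does not publish ESNI keys". The `make_reply` responder is a constructed stand-in for a resolver so the parser can be exercised offline; the `query_over_dot` function is the only part that touches the network and is never called at import time. The resolver address and TLS name default to Cloudflare's public resolver as discussed in the thread; the hostnames and TXT value in the sample run are constructed.

```python
"""ESNI-style DNS TXT lookup: query construction, DoT framing, reply parsing."""
import socket
import ssl
import struct

ESNI_PREFIX = "_esni."   # the ESNI draft published keys in a TXT record at _esni.<host>
QTYPE_TXT = 16
QCLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted hostname into DNS wire format (<len><label>... 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_esni_query(host, txid=0x1234):
    """One question: TXT record for _esni.<host>, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(ESNI_PREFIX + host) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    return header + question


def frame_for_dot(msg):
    """DNS over TLS (like plain DNS over TCP) prefixes each message with its length."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_esni_reply(msg):
    """Return {'status': ..., 'keys': [TXT strings]}; NXDOMAIN means no ESNI record."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x0F
    if rcode == RCODE_NXDOMAIN:
        return {"status": "NXDOMAIN", "keys": []}
    if rcode != 0:
        return {"status": "RCODE%d" % rcode, "keys": []}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    keys = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:
            # TXT rdata is one or more <len><chars> strings; join them back together
            txt, p = b"", 0
            while p < len(rdata):
                n = rdata[p]
                txt += rdata[p + 1:p + 1 + n]
                p += 1 + n
            keys.append(txt.decode("ascii"))
    return {"status": "NOERROR", "keys": keys}


def make_reply(query, rcode, txt=None):
    """Constructed responder (not a real resolver): echo the question, optionally add one TXT answer."""
    an = 1 if txt is not None else 0
    reply = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, an, 0, 0) + query[12:]
    if txt is not None:
        data = txt.encode("ascii")
        rdata = bytes([len(data)]) + data                     # single string, <= 255 bytes
        reply += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return reply


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_over_dot(host, resolver="1.1.1.1", port=853, tls_name="one.one.one.one", timeout=5.0):
    """Send the _esni TXT query over DNS over TLS; requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame_for_dot(build_esni_query(host)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_esni_reply(recv_exact(tls, length))


if __name__ == "__main__":
    q = build_esni_query("example.com")                          # constructed hostname
    print("no ESNI keys  ->", parse_esni_reply(make_reply(q, RCODE_NXDOMAIN)))
    print("ESNI keys     ->", parse_esni_reply(make_reply(q, 0, "constructed-base64-keyblob")))
```

The offline run shows the two outcomes the caveat list describes: a host without an ESNI record yields NXDOMAIN (one wasted round trip per new hostname), while a participating host returns the base64 key blob in TXT. Replacing the sample run with `query_over_dot("example.com")` performs the same exchange against a real DoT resolver.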
 
How about this setup (for the time being, workaround): The VPN connects overseas, as close as possible to the locations of the DNS resolvers. Is that a viable option?

[image attachment: upload_2020-2-21_7-31-11.png]

[image attachment: upload_2020-2-21_7-31-41.png]
 
Your destination IPs should not be /24. They should be /32 or not specified with a class at all. Also, your second Google DNS entry is incorrect: use 8.8.4.4.
Thanks for the Google IP correction.

The /24 is fine.

Sent from my SM-T805 using Asus RT-AC86U & Merlin 384.13
 