No, imho.Is this any better?
That’s not a good idea, and I don’t think the UI lets you do that. Why do you suggest that?leave the DNS server1 and DNS server2 fields blank
for only use DoT - TLS port 853, those fields use port 53That’s not a good idea, and I don’t think the UI lets you do that. Why do you suggest that?
tcpdump -ni eth0 -p port 53 or port 853
Thank you so much!!!!!!With above settings you'll have devices that will ignore the routers DNS settings, but you can force them to use the routers DNS.
Use these setting:
View attachment 30808
Next set your DNSFilter in the LAN settings to router:
View attachment 30809
Now all of you traffic should go through 1.0.0.2. You can check this by tracking the outgoing traffic. Connect to the router by SSH console and enter the following command:
Code:tcpdump -ni eth0 -p port 53 or port 853
When you follow the log, you'll see the DNS request which all should now go through 1.0.0.2 or 1.1.1.2. You can also track the connection to see if they are secure on port 853 or unsecure on port 53.
check it yourself and see the differenceWhen you follow the log, you'll see the DNS request which all should now go through 1.0.0.2 or 1.1.1.2. You can also track the connection to see if they are secure on port 853 or unsecure on port 53.
Those DNS servers on port 53 are only in use at boot up, when the router doesn't yet start the DNSSEC service. So instead of using your ISP's DNS service it would use the DNS servers defined here.for only use DoT - TLS port 853, those fields use port 53
They are DoT ready, at least for the last 3-4 months.The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?
Feb 15 22:47:02 dnsmasq[7522]: possible DNS-rebind attack detected: playboy.com
What's the use case for rebind protection if it's not necessary when using a filtering service?Using DNS Rebind Protection with a filtering service like Cloudflare for Families changes the response you receive. Instead of 0.0.0.0, you get an empty response due to the rebind protection, and you get a syslog message about the potential rebind attack.
Ultimately, the domain is still prevented from being resolved, but not in the way the service intended.Code:Feb 15 22:47:02 dnsmasq[7522]: possible DNS-rebind attack detected: playboy.com
a logical question - why fill in these fields if they are ignored?Those DNS servers on port 53 are only in use at boot up, when the router doesn't yet start the DNSSEC service. So instead of using your ISP's DNS service it would use the DNS servers defined here.
I checked my connection and it does what it supposed to do and route everything through port 853. 0 requests on port 53.
The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?
In case DNSSec fails.a logical question - why fill in these fields if they are ignored?
And if you want routing to fail if DNSSec and DoT fails? Leave them blank? That is my intent. Or does it simply just send the DNS to my ISP if it fails? I don't want that to happen.In case DNSSec fails.
Your router needs to talk to an NTP server to set its clock before encryption can be used. So, no DoT without a working regular DNS to set that clock first.for only use DoT - TLS port 853, those fields use port 53
Thread starter | Title | Forum | Replies | Date |
---|---|---|---|---|
C | DOT & IoT Devices | Asuswrt-Merlin | 3 | |
L | Suggestion: DNS Director, add optional compatibility with DOT | Asuswrt-Merlin | 2 | |
T | Using DOT DNS breaks ECS | Asuswrt-Merlin | 9 |
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!