What's new

DoT

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

umrico

Occasional Visitor
I would like to use DoT with Cloudflare for Families. Are these settings correct?
Screenshot_20210215-210310_Chrome.jpg
 
With above settings you'll have devices that will ignore the routers DNS settings, but you can force them to use the routers DNS.
Use these setting:
1613446233665.png


Next set your DNSFilter in the LAN settings to router:
1613446298957.png


Now all of your traffic should go through 1.0.0.2. You can check this by tracking the outgoing traffic. Connect to the router by SSH console and enter the following command:

Code:
tcpdump -ni eth0 -p port 53 or port 853

When you follow the log, you'll see the DNS request which all should now go through 1.0.0.2 or 1.1.1.2. You can also track the connection to see if they are secure on port 853 or unsecure on port 53.
 
With above settings you'll have devices that will ignore the routers DNS settings, but you can force them to use the routers DNS.
Use these setting:
View attachment 30808

Next set your DNSFilter in the LAN settings to router:
View attachment 30809

Now all of you traffic should go through 1.0.0.2. You can check this by tracking the outgoing traffic. Connect to the router by SSH console and enter the following command:

Code:
tcpdump -ni eth0 -p port 53 or port 853

When you follow the log, you'll see the DNS request which all should now go through 1.0.0.2 or 1.1.1.2. You can also track the connection to see if they are secure on port 853 or unsecure on port 53.
Thank you so much!!!!!!
 
When you follow the log, you'll see the DNS request which all should now go through 1.0.0.2 or 1.1.1.2. You can also track the connection to see if they are secure on port 853 or unsecure on port 53.
check it yourself and see the difference
 
for only use DoT - TLS port 853, those fields use port 53
Those DNS servers on port 53 are only in use at boot up, when the router doesn't yet start the DNSSEC service. So instead of using your ISP's DNS service it would use the DNS servers defined here.
I checked my connection and it does what it supposed to do and route everything through port 853. 0 requests on port 53.
 
The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?
 
The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?
They are DoT ready, at least for the last 3-4 months.
 
Using DNS Rebind Protection with a filtering service like Cloudflare for Families changes the response you receive. Instead of 0.0.0.0, you get an empty response due to the rebind protection, and you get a syslog message about the potential rebind attack.
Code:
Feb 15 22:47:02 dnsmasq[7522]: possible DNS-rebind attack detected: playboy.com
Ultimately, the domain is still prevented from being resolved, but not in the way the service intended.
 
Using DNS Rebind Protection with a filtering service like Cloudflare for Families changes the response you receive. Instead of 0.0.0.0, you get an empty response due to the rebind protection, and you get a syslog message about the potential rebind attack.
Code:
Feb 15 22:47:02 dnsmasq[7522]: possible DNS-rebind attack detected: playboy.com
Ultimately, the domain is still prevented from being resolved, but not in the way the service intended.
What's the use case for rebind protection if it's not necessary when using a filtering service?
 
Those DNS servers on port 53 are only in use at boot up, when the router doesn't yet start the DNSSEC service. So instead of using your ISP's DNS service it would use the DNS servers defined here.
I checked my connection and it does what it supposed to do and route everything through port 853. 0 requests on port 53.
a logical question - why fill in these fields if they are ignored?
 
The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?

security.cloudflare-dns.com -> 1.1.1.2, 1.0.0.2, 2606:4700:4700::1112, 2606:4700:4700::1002

family.cloudflare-dns.com -> 1.1.1.3, 1.0.0.3, 2606:4700:4700::1113, 2606:4700:4700::1003

source here
 
In case DNSSec fails.
And if you want routing to fail if DNSSec and DoT fails? Leave them blank? That is my intent. Or does it simply just send the DNS to my ISP if it fails? I don't want that to happen.

I am entirely trying to resolve DNS through DoT and do not want my ISP to ever see my queries.
 
for only use DoT - TLS port 853, those fields use port 53
Your router needs to talk to an NTP server to set its clock before encryption can be used. So, no DoT without a working regular DNS to set that clock first.
 
Similar threads

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top