How-to enable DoH (DNS over HTTPS)?

Antioch

New Around Here
Hello! I've got an RT-AC66U running Asuswrt-Merlin 386.7 and I can't seem to get DoH working. DoT with Cloudflare checks out ok, but not DoH.
[attached screenshot: dnstest.jpg]

According to this github issue it looks like DoH support exists since early 2022, and from the screenshots posted by a user it seems that there are no specific DoH settings that need to be enabled (there are for DoT, however).

[attached screenshot: settings.jpg]

[attached screenshot: dnsfilter.jpg]

How can I get DoH working? Thank you!
 
Asuswrt-Merlin 386.7 and I can't seem to get DoH working

There is no DoH support in Asuswrt-Merlin. More advanced users usually block DoH, actually.
 
Hello! I've got an RT-AC66U running Asuswrt-Merlin 386.7 and I can't seem to get DoH working. DoT with Cloudflare checks out ok, but not DoH.

According to this github issue it looks like DoH support exists since early 2022, and from the screenshots posted by a user it seems that there are no specific DoH settings that need to be enabled (there are for DoT, however).

How can I get DoH working? Thank you!

You have to install the dnscrypt addon.
Search in addons section of this forum.
 
Thank you all for the replies, I appreciate it.

DoH is not supported by the firmware.
Hello! I must have misunderstood, but the way the issue I linked is written implied to me that there is DoH support. What is that issue actually about? (https://github.com/gnuton/asuswrt-merlin.ng/issues/152)

More advanced users usually block DoH, actually.
Interesting! Why is that?

You have to install the dnscrypt addon.
Search in addons section of this forum.
Thank you for the information.
 
Hello! I must have misunderstood, but the way the issue I linked is written implied to me that there is DoH support. What is that issue actually about?
It's about DoT, not DoH. Just a misunderstanding from the person who opened the original issue.
 
DoH and DoT provide the same level of privacy protection, but DoT will introduce less overhead.
Routers are good for DoT, and browsers are good for DoH.


Why is that?
Because network administrators don't like to see other people using encrypted DNS: encrypted DNS makes identifying traffic more difficult, leaving them at a loss against threats, especially at small companies. It is very expensive to deploy firewalls that can identify visited websites through TLS handshakes.

The same goes for families; imagine your boys bypassing your carefully blocked adult websites via encrypted DNS.

Even so, everyone deserves end-to-end privacy, which is what encrypted DNS is for, and administrators should keep up and change the way they do DNS-based management.
 
DoH also messes up traffic management, resulting in a poorer user experience. If I were to manage traffic on a network, I would put port 443 traffic as "bulk", so a large file download wouldn't impact responsiveness for other users using SSH, VoIP, etc. Having DNS queries dropped to bulk priority (since it shares the same port) means it will negatively impact performance, while DoT, using a separate port, can be kept in a higher priority class.

DoH is a case of "Use it only if you have a very specific need for it, and understand the downside of it". Which is why I hate it when a client (like a web browser) will automatically switch to using it.
 
Hi folks. Thanks for making this discussion. I have always found DoH and DoT extremely confusing. I always assumed DoT was worse because it could be easily blocked (by simply blocking the port it uses).
That said, I now understand the difference (thanks to you guys): DoT is preferable when considering traffic on your home network.

I have a few questions, as I attempt to troubleshoot some long-standing issues I have regarding DNS and web performance on my network.
I have an Asus RT-AX88U running Merlin-wrt 386.8 which as of this writing is the latest version.
I've probably incorrectly had my DNS set up for a few months now, as I didn't realise until writing this thread that Merlin-wrt doesn't even support DoH.

On the LAN > DHCP Server page I used to have my DNS servers listed here (was using AdGuard DNS). I often forget this setting even exists in the router.
[attached screenshot: Screenshot 2022-11-13 at 8.01.10.png]


Then on the WAN > Internet Connection page I had the DNS Server below assigned to AdGuard DNS,
but then I also had DoT enabled and Cloudflare set as my DoT provider.

I also realised after the latest update that there was now a warning saying that, because I used to have an external IP set (in the first image) for the DNS servers, DNS security would not work properly.
[attached screenshot: Screenshot 2022-11-13 at 8.04.15.png]


With this seemingly incorrect setup I described I was having all sorts of issues. Sites were resolving pretty slowly, and even local IP addresses with HTTPS certificates, like my router's IP and home server IP, were not properly working. I was also getting issues going to a website as it seemed to redirect twice to HTTPS, and I got HTTPS errors for almost all sites I went to, even though they have HTTP configured properly.

I have since changed my settings to the screenshots above. So those images are now what I currently have.

Nothing on the LAN > DHCP Server tab > DNS Server 1 & 2 boxes
Nothing on the WAN > Internet Connection tab > DNS Server (set to get IP from ISP automatically)
DNS-over-TLS (DoT) selected with a single IP for Mullvad's Adblock DNS, which they say uses the same hostname/IP for DoT as for DoH.

I hope this is correct.

dnsleaktest.net shows it seems to be working:
[attached screenshot: Screenshot 2022-11-13 at 8.11.06.png]
 
As you are your own network administrator you want clients on your network to use plain DNS:53 and not DoH, so that you can block/redirect traffic on your home network.

The router, however, can/should use a secure DNS like DoT or DoH (or DNSCrypt; there are newer implementations coming, e.g. DoQ and DoH3). However, DoT can be blocked, and if you do not want that then using DoH on the router is not a bad idea; unfortunately this is not supported.

 
It seems that the above was not working either.

So instead I set it up like this:

1. Nothing on the LAN > DHCP Server tab > DNS Server 1 & 2 boxes (blank)

2. Nothing on the WAN > Internet Connection tab > DNS Server (set to get IP from ISP automatically)

3. LAN > DNSFilter > Router (with all fields blank)

4. WAN > Internet Connection > DNS Privacy Protocol > DoT
4a. Prevent client auto DoH > Auto
4b. DNS-over-TLS Profile > Strict
4c. 1.1.1.1 853 cloudflare-dns.com & 1.0.0.1 853 cloudflare-dns.com

This seems to work fine.

No DNS leaks, and the Cloudflare test page shows I am protected for everything except SNI, which it seems nothing is secure for yet.

Furthermore, all of my self-hosted sites now work again and I am not getting any more HTTPS errors or multiple redirects. Plus all clients on my home network are forced to use this setting and are prevented from DoH overrides.

I realise that there is a good reason to have so many settings in the router for different configurations, but it really is super confusing. Most people, I think, just want a third-party secure DNS.
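To make the DoT-versus-DoH comparison earlier in the thread concrete (same query bytes, different framing and port, which is why DoT costs less and can be classified separately by QoS) and to show what the "Strict" profile in step 4b actually checks, here is an added Python example. It is not code from Asuswrt-Merlin, dnsmasq or stubby, nor from anyone posting in this thread. The resolver 1.1.1.1:853 and the TLS name cloudflare-dns.com are taken from step 4c; the sample response and the 192.0.2.x addresses are constructed for offline use, and only live_dot_query needs network access.

```python
"""
How one DNS query travels over DoT versus DoH, and what "Strict" DoT checks.
Added example for this thread; not Asuswrt-Merlin code. Assumes the
Cloudflare resolver 1.1.1.1:853 with TLS name cloudflare-dns.com (step 4c).
"""
import base64
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format query (RFC 1035): RD bit set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858) keeps DNS-over-TCP framing: 2-byte length, then the
    message. Apart from TLS nothing else changes, and it has its own port, 853."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, base: str = "https://cloudflare-dns.com/dns-query") -> str:
    """DoH (RFC 8484) GET form: the same bytes, base64url without padding,
    inside an ordinary HTTPS request on 443 (Accept: application/dns-message)."""
    dns = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={dns}"


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a possibly compressed name; return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes) -> list[str]:
    """Return IPv4 addresses from the answer section; raise on a DNS error."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode:
        raise ValueError(f"resolver returned RCODE {rcode}")
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def sample_response(name: str, addrs: list[str], rcode: int = 0) -> bytes:
    """Constructed response for offline use (not a real capture): echoes the
    question and adds one A record per address with a compressed name."""
    q = build_query(name)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + q[12:] + answers


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def live_dot_query(name: str, server: str = "1.1.1.1", port: int = 853,
                   tls_name: str = "cloudflare-dns.com", timeout: float = 5.0) -> list[str]:
    """Strict-profile DoT: SNI is tls_name and the certificate must chain to a
    trusted CA and match tls_name, so anything answering on 853 with the wrong
    certificate fails the handshake and never sees the query."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED + check_hostname
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(dot_frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame :", dot_frame(q).hex())
    print("DoH GET   :", doh_get_url(q))
    print("Offline   :", parse_a_records(sample_response("example.com", ["192.0.2.10"])))
    try:
        print("Live DoT  :", live_dot_query("example.com"))
    except OSError as exc:                 # no network, 853 blocked, or bad cert
        print("Live DoT query failed:", exc)
```

Run it as a script: the offline part shows the two encodings side by side, and the live part either returns addresses or fails cleanly, which is the "DoT can be blocked" case from the earlier reply (a filtered port 853, or a middlebox presenting a certificate that does not match cloudflare-dns.com, both surface as an OSError here rather than as a silently downgraded lookup).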
 