How to set up DNS over TLS 384.13?


eastavin

Senior Member
Thought I had this figured out in 384.11 but the changes I see in the change log for .12 and 13 and the discussion board have my head spinning.

Could someone be so kind as to please itemize the changes needed to the settings in 384.13 so that DNS-over-TLS is enabled properly in 384.13? Assume we are starting from scratch with the router just having been freshly factory reset. I was going to use the Cloudflare preset.

Many thanks.

Edward
 
Hello neighbour! You used to use Stubby, I would guess. Thank you for upgrading. Which posts/topics here have you confuzzled?

Point your browser at https://www.cloudflare.com/ssl/encrypted-sni/

what does it tell you?


 
I’ve said the same thing to you. We should start a Merlin Meetup that border hops across the Rainbow Bridge.
 
Niagara Falls, NY...it's a great place to be FROM. Got tired of watching all that growth and prosperity on the Canadian side.

Back to @eastavin's question...
 
Thanks for the link. As I have factory reset it, currently one orange followed by three reds. Maybe we could try this another way? Are these all the steps needed to make sure all traffic is going over Cloudflare DNS over TLS?

1) go to LAN page>DNS filter> set ROUTER mode
2) go to WAN page>WAN DNS Setting> set CONNECT to DNS Server automatically to NO.
3) set DNSSEC support in same section to YES
4) go to WAN page>DNS Privacy protocol> set to DNS over TLS
5) go to WAN page> Preset servers> and select both CLOUDFLARE entries and ADD
6) APPLY

a) Do I have to go to TOOLS>Other settings and set Wan: Use local caching DNS server as system resolver (default: No) to YES?

b) I am leaving WAN Page> DNS over TLS profile set to STRICT. Can't find anything on the wiki to explain what this setting does or OPPORTUNISTIC. Could someone explain the difference please?

That would help. Many thanks.
 
Are these all the steps needed to make sure all traffic is going over Cloudflare DNS over TLS?

1) go to LAN page>DNS filter> set ROUTER mode
Yes, but confirm that LAN DHCP Server DNS entries are blank.
2) go to WAN page>WAN DNS Setting> set CONNECT to DNS Server automatically to NO.
Yes, if you want all DNS traffic going to Cloudflare, enter those IPs here as well. These are only used until DoT is running and for the router's own initiated DNS lookups.
3) set DNSSEC support in same section to YES
Sure, for extra security, but it will break the Cloudflare Help page that many people use for verification of DoT.
4) go to WAN page>DNS Privacy protocol> set to DNS over TLS
5) go to WAN page> Preset servers> and select both CLOUDFLARE entries and ADD
6) APPLY
This is the money shot here.
a) Do I have to go to TOOLS>Other settings and set Wan: Use local caching DNS server as system resolver (default: No) to YES?
You do not have to, and I wouldn't personally. If you set it to Yes, people have had issues during boot where the router can't sync with the NTP server and that breaks a lot of things in the boot process. But it means that some of your router's own queries will not go over DoT, but they will still go to Cloudflare as your WAN DNS server (Step 2 above).
b) I am leaving WAN Page> DNS over TLS profile set to STRICT. Can't find anything on the wiki to explain what this setting does or OPPORTUNISTIC. Could someone explain the difference please?
Stubby (the underlying daemon) can run in non-TLS mode if set to Opportunistic. Strict requires the TLS tunnel be established. At least that's my understanding of it.
 
2) go to WAN page>WAN DNS Setting> set CONNECT to DNS Server automatically to NO.
Yes, if you want all DNS traffic going to Cloudflare, enter those IPs here as well. These are only used until DoT is running and for the router's own initiated DNS lookups.
Many thanks for the reply.

Q1. Once DoT is running... if the router has to do a DNS lookup will it bypass DoT and use the manual DNS1 and DNS2 entries? Just wanted to clarify I read this correctly.

-I did not know that DNSSEC YES breaks the cloudflare testing page. Thank you.

Q2. Now I get the first 3 tests heysoundude referred me to coming up green with Chrome and Firefox browsers, and only the first two with EDGE. With regards to Encrypted SNI I guess this is not a router deliverable from what I read but is browser dependent. From what I read only Firefox Nightly supports that feature. Do you know of any others?
 
Q1. Once DoT is running... if the router has to do a DNS lookup will it bypass DoT and use the manual DNS1 and DNS2 entries? Just wanted to clarify I read this correctly.
Yes, assuming you do not change the default value of the "Wan: Use local caching DNS server as system resolver" parameter.

No help on the SNI here. I run Firefox stable release, but don't use Cloudflare.
 
Yes, assuming you do not change the default value of the "Wan: Use local caching DNS server as system resolver" parameter.

No help on the SNI here. I run Firefox stable release, but don't use Cloudflare.

Thank you. So what would happen if I did enable the local caching DNS server to YES?

Also I found an article on encrypted SNI and Firefox... but I think it involves making the browser use DNS over HTTPS along with its encrypted SNI feature, so probably not going to work with our router offering, but still interesting reading. https://miketabor.com/enable-dns-over-https-and-encrypted-sni-in-firefox/
 
Thank you. So what would happen if I did enable the local caching DNS server to YES?
If you set it to yes when DoT is already running, the router will happily route its own queries through dnsmasq and Stubby (DoT). The rub comes the next time you reboot. The router boots without valid time, and must be able to sync with the selected NTP server (usually a hostname) before any of the secure services can start (DoT, DNSSEC) since they rely on accurate time to verify TLS certificates' validity.

IN THEORY it should work, because DNSSEC and DoT will not enter their respective "strict" modes until NTP is synced, but there have been too many unexplained mishaps, likely due to a user customization, and issues with the Network Monitoring function that relies on DNS queries by the router.

You can try it out, but the real test will come after a reboot.
 
Also I found an article on encrypted SNI and Firefox... but I think it involves making the browser use DNS over HTTPS along with its encrypted SNI feature...

My read of the cloudflare explanation of ESNI is that the website or server you browse to has to support it, regardless of DoT or DoH. I’m likely mistaken, but if it’s a thing on the other end, I can’t change how they do things, so I shouldn’t fret about the ESNI box being unchecked (right?). It’s the first of those four boxes on the link I posted that is the most important. Now you’ve got that sorted, thanks to @dave14305.

 
ESNI needs to be supported both by the browser and the web server. It's tied to the HTTP protocol, unrelated to DNS.
 
If you set it to yes ..The rub comes the next time you reboot. The router boots without valid time, and must be able to sync with the selected NTP server (usually a hostname) before any of the secure services can start (DoT, DNSSEC) since they rely on accurate time to verify TLS certificates' validity...

You can try it out, but the real test will come after a reboot.

Thanks, I finally understand why I have been having trouble with DoT since updating to .13. I was also having side issues with an old Linux NAS that would not finish boot properly. Since unchecking it my problems seem to have subsided.
 
Yes, if you want all DNS traffic going to Cloudflare, enter those IPs here as well. These are only used until DoT is running and for the router's own initiated DNS lookups.

What happens if you:
2) go to WAN page>WAN DNS Setting> set CONNECT to DNS Server automatically to YES?

I use dns.quad9.net

When I changed my setting from YES (been that way for 2 months) to NO per the above suggested settings and did the "tcpdump -i eth0 port 853" at the command prompt of the router I got no results.

Changing it back to my prior setting of YES and entering "tcpdump -i eth0 port 853" after a few minutes got all sorts of traffic.

EDIT: I tried changing the setting to NO again, typed "tcpdump -i eth0 port 853" at the command prompt and (after a long wait) got all sorts of traffic info.

Sooooooo.... I still don't understand what the difference between the two switches is. Is this just a matter of preference, or will it somehow impact the nature of DNS over TLS?

BTW, I left it at the prior suggested NO setting.
 
What happens if you:
2) go to WAN page>WAN DNS Setting> set CONNECT to DNS Server automatically to YES?
Then the router will use your ISP DNS servers for its own lookups. It's really only necessary to override these if you just can't stand the idea of sending DNS queries to your ISP DNS server. What were you putting in there? 9.9.9.9 and 149.112.112.112?
When I changed my setting from YES to NO per the above suggested settings and did the "tcpdump -i eth0 port 853" at the command prompt of the router I got no results.
You also have to make sure when you're testing again in quick succession that you pick a hostname you haven't used in a while (at least an hour) to ensure your browser or PC or dnsmasq isn't caching the result and not needing to forward to Stubby.

Stubby will use /etc/resolv.conf (which will be your WAN DNS servers if you haven't changed the Tools - Other settings setting) to resolve names needed to bootstrap and fetch DNSSEC root trust anchors, etc. But otherwise it's not relying on WAN DNS servers once it's up and running.
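As an added example (not from this thread or from the Asuswrt-Merlin project), the shell checks below make the two points above concrete: the Strict/Opportunistic profile is Stubby's tls_authentication setting, /etc/resolv.conf holds the WAN DNS servers the router itself uses, and a port-853 capture only proves anything when the query is a cache miss. The config path is an assumption (set STUBBY_CONF to match your firmware).

```shell
#!/bin/sh
# Read-only checks for a DoT setup on an Asuswrt-Merlin router.
# Assumed path for the generated Stubby config; override if different.
STUBBY_CONF="${STUBBY_CONF:-/etc/stubby.yml}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Strict vs Opportunistic as Stubby sees it: REQUIRED never falls back to
# plain DNS, NONE allows unauthenticated TLS or clear-text fallback.
dot_profile() {
    if grep -q 'tls_authentication:.*GETDNS_AUTHENTICATION_REQUIRED' "$1"; then
        echo strict
    elif grep -q 'tls_authentication:.*GETDNS_AUTHENTICATION_NONE' "$1"; then
        echo opportunistic
    else
        echo unknown
    fi
}

# Upstream names Stubby authenticates the TLS certificate against; every
# upstream should have one when the profile is strict.
dot_auth_names() {
    sed -n 's/^[[:space:]]*tls_auth_name:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1"
}

# Resolvers the router itself uses (the WAN DNS servers from step 2, unless
# "Use local caching DNS server as system resolver" was switched on).
router_resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Live check on the router: look up a never-before-seen name so neither the
# PC, the browser nor dnsmasq can answer from cache, and capture port 853.
dot_traffic_check() {
    fresh="dotcheck-$(date +%s)-$$.example.com"
    tcpdump -i eth0 -nn -c 3 port 853 2>/dev/null &
    pid=$!
    nslookup "$fresh" >/dev/null 2>&1
    wait "$pid"
}

report() {
    echo "profile:    $(dot_profile "$STUBBY_CONF")"
    echo "auth names: $(dot_auth_names "$STUBBY_CONF" | tr '\n' ' ')"
    echo "resolvers:  $(router_resolvers "$RESOLV_CONF" | tr '\n' ' ')"
}
```

Run `report` on the router, then `dot_traffic_check`; if the capture stays empty, repeat with a hostname you have not used in the last hour, as noted above.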
 
Then the router will use your ISP DNS servers for its own lookups. It's really only necessary to override these if you just can't stand the idea of sending DNS queries to your ISP DNS server. What were you putting in there? 9.9.9.9 and 149.112.112.112?

I didn't realize that by having the setting at YES (had it that way for the last 2 months), my ISP DNS would be used. I now have the setting at NO. When the setting is YES, the GUI doesn't ask for manually entered DNS, so I thought that the DNS over TLS servers would be used. Maybe on a future update @RMerlin might want to offer that "yellow" note when the setting is YES?
 
@Wallace_n_Gromit Why are you forwarding local domain queries to the upstream DNS server? :eek:
OMG!! :eek: I didn't know any better! Didn't know that was a No-No. No one ever told me different. Will stop forwarding local domain queries to the upstream DNS server.

EDIT: Actually I don't know what forwarding local domain queries to the upstream DNS server means, and why/why not one would do it. Can you explain?
 
OMG!! :eek: I didn't know any better! Didn't know that was a No-No. No one ever told me different. Will stop forwarding local domain queries to the upstream DNS server.

EDIT: Actually I don't know what forwarding local domain queries to the upstream DNS server means, and why/why not one would do it. Can you explain?
If you set your router LAN domain to be home.lan for example, the public DNS servers on the internet have no knowledge of that domain and would not be able to give an answer. Only your router's local dnsmasq would know how to resolve the names from the DHCP lease information. Enabling the forwarding tells dnsmasq to forward queries such as mypc1.home.lan to your WAN DNS servers or DoT servers, which is really just spam to them and they reply with errors.

It also prevents unqualified hostnames from being forwarded to your WAN DNS servers (e.g. mypc1 without home.lan).

The default is disabled so you must have been inspired in the past to change it. o_O Now you're a better netizen for disabling it. :D
 