What's new

How to set up DNS over TLS 384.13?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

The default is disabled so you must have been inspired in the past to change it. o_O Now you're a better netizen for disabling it. :D

I guess I'm from the inspired skool of, "...If OFF/DISABLED is good, then ON/ABLED is better!" which is a close relative to "...I wonder what happens when I press the pretty flashing red 'DO NOT TOUCH EXCEPT IN CASE OF ABSOLUTE EMERGENCY' button." (What could possibly go wrong?;))

Off Topic Note: Where do I find how to do all those faces? ...very amusing.
 
Last edited:
I guess I'm from the skool of, "...If OFF/DISABLED is good, then ON/ABLED is better!"

Off Topic Note: Where do I find how to do all those faces? ...very amusing.
upload_2019-10-2_15-20-52.png
 
sorry if this was discussed by now, but i figured this is a good thread to ask.

i just went from 384.8 to 384.13 on my ac3100 and noticed this dns over tsl.
so i follow everything on this thread, and do see that 1.1.1.1 is my dns in use
but i don't understand how i'm able to confirm that my dns is actually secure.

https://www.cloudflare.com/ssl/encrypted-sni/ shows not secure at all

"tcpdump -i eth0 port 853" does nothing from the putty command prompt.

i stopped using stubby back in june after the google dns cloudflare mess
whether i use cloudflare alone or with ibm, does not seem to matter :(

aJ7yu5V.jpg

 
sorry if this was discussed by now, but i figured this is a good thread to ask.

i just went from 384.8 to 384.13 on my ac3100 and noticed this dns over tsl.
so i follow everything on this thread, and do see that 1.1.1.1 is my dns in use
but i don't understand how i'm able to confirm that my dns is actually secure.

https://www.cloudflare.com/ssl/encrypted-sni/ shows not secure at all

"tcpdump -i eth0 port 853" does nothing from the putty command prompt.

i stopped using stubby back in june after the google dns cloudflare mess
whether i use cloudflare alone or with ibm, does not seem to matter :(

aJ7yu5V.jpg
Post #7 in this thread should help.
Code:
https://www.snbforums.com/threads/how-to-set-up-dns-over-tls-384-13.59461/#post-518590
 
sorry if this was discussed by now, but i figured this is a good thread to ask.

i just went from 384.8 to 384.13 on my ac3100 and noticed this dns over tsl.
so i follow everything on this thread, and do see that 1.1.1.1 is my dns in use
but i don't understand how i'm able to confirm that my dns is actually secure.

https://www.cloudflare.com/ssl/encrypted-sni/ shows not secure at all

"tcpdump -i eth0 port 853" does nothing from the putty command prompt.

i stopped using stubby back in june after the google dns cloudflare mess
whether i use cloudflare alone or with ibm, does not seem to matter :(

aJ7yu5V.jpg
Remove the DNS entries from the LAN DHCP server page and test again.
 
Remove the DNS entries from the LAN DHCP server page and test again.

thanks, i did, rebooted everything, dns still works,
now i see the cloudflare url test link results says;

(?) Secure DNS, You may not be using secure DNS.

so that's the proof, going from no to maybe? ;)

i also noticed DNSBench shows my router is my DNS
not 1.1.1.1 or 9.9.9.9 - i guess that means something o_O

i also noticed some new entry types in my router log like;
Oct 27 10:07:39 dnsmasq[1082]: possible DNS-rebind attack detected: net127.rebindtest.com
Oct 27 10:24:27 dnsmasq[1082]: Insecure DS reply received for us-west-1.elb.amazonaws.com, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
 
Last edited:
thanks, i did, rebooted everything, dns still works,
now i see the cloudflare url test link results says;

(?) Secure DNS, You may not be using secure DNS.

so that's the proof, going from no to maybe? ;)

i also noticed DNSBench shows my router is my DNS
not 1.1.1.1 or 9.9.9.9 - i guess that means something o_O

i also noticed some new entry types in my router log like;
Oct 27 10:07:39 dnsmasq[1082]: possible DNS-rebind attack detected: net127.rebindtest.com
Oct 27 10:10:09 dropbear[7461]: Login attempt for nonexistent user from 192.168.1.110:4410
Run the tcpdump while browsing a site you haven’t used in a while so the name is not cached already.

Cloudflare’s test site isn’t reliable especially when using DNSSEC.
 
Run the tcpdump while browsing a site you haven’t used in a while

thanks, but i have no idea how to do it... i used that command in
the router console and a win10 cmd line, and nothing happens.

anyway, the fact that i get a (?) and my router is my dns now
is enough of a change to indicate that something is working :D
 
Hi all......just for giggles, I went to Tenta.com and used their test to see how the DoT shook down.....it certainly picked up the fact that Cloudflare and Quad are my selected servers, but in their advanced areas, TLS enabled shows False for all servers and DNSSEC enabled only for Quad.....any idea why they would believe DoT isn't set?

I've had DoT set since .13 release and did verify (with help) that the tcpdump to 853 is proper.....
 
Hi all......just for giggles, I went to Tenta.com and used their test to see how the DoT shook down.....it certainly picked up the fact that Cloudflare and Quad are my selected servers, but in their advanced areas, TLS enabled shows False for all servers and DNSSEC enabled only for Quad.....any idea why they would believe DoT isn't set?

I've had DoT set since .13 release and did verify (with help) that the tcpdump to 853 is proper.....

Meanwhile when you use their dns servers, it's all green and enabled. Seems pretty biased.
 
Meanwhile when you use their dns servers, it's all green and enabled. Seems pretty biased.

Ya I wondered if that was the case....I'm not a Tenta customer so I was hoping someone could comment on that.....it's the same with ExpressVPN....if you're not using them (but someone else), apparently you fail all tests.....thanks!
 
Hello,

I've followed the instructions to enable DNS over TLS and still no go. The only difference from my configuration is that I'm using google dns instead.

Any suggestions?
 
Hello,

I've followed the instructions to enable DNS over TLS and still no go. The only difference from my configuration is that I'm using google dns instead.

Any suggestions?
How do you know it’s no-go? Post screenshots of WAN DNS, LAN DNSFilter, and LAN DHCP DNS pages. Also make sure time is set correctly on your router (check System Log page).
 
My setting are the same as the screenshots above. I can post some pictures a bit later. My time is correct swell. I did the test on cloud flare and Secure DNS isn't showing. I'm also seeing entires for port 53 on my connections table. For DNSFilter, I have it set to router with google dns

Looks like it's working now.
 
Last edited:
@RMerlin A minor point on Tools > Other Settings > Wan: Use local caching DNS server as system resolver (default: No)

By default this is set to "No", as is stated in the text of the option itself, however the tooltip - to my reading at least - suggests the exact opposite (see attached screenshot).

= assume this is a mistake with the tooltip text - while a great explanation of what's going on, it seems to have been written back in a day when the default was "Yes".. now the default is "No" it's somewhat confusing/misleading!
 

Attachments

  • Screenshot 2019-12-04 at 09.42.16.png
    Screenshot 2019-12-04 at 09.42.16.png
    56.3 KB · Views: 395
Last edited:
@RMerlin A minor point on Tools > Other Settings > Wan: Use local caching DNS server as system resolver (default: No)

By default this is set to "No", as is stated in the text of the option itself, however the tooltip - to my reading at least - suggests the exact opposite (see attached screenshot).

= assume this is a mistake with the tooltip text - while a great explanation of what's going on, it seems to have been written back in a day when the default was "Yes".. now the default is "No" it's somewhat confusing/misleading!

You're correct, the text wasn't amended after default behaviour was reversed. Thanks.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top