How to set up DNS over TLS 384.13?

The default is disabled so you must have been inspired in the past to change it. o_O Now you're a better netizen for disabling it. :D

I guess I'm from the inspired skool of, "...If OFF/DISABLED is good, then ON/ABLED is better!" which is a close relative to "...I wonder what happens when I press the pretty flashing red 'DO NOT TOUCH EXCEPT IN CASE OF ABSOLUTE EMERGENCY' button." (What could possibly go wrong?;))

Off Topic Note: Where do I find how to do all those faces? ...very amusing.
 
sorry if this was discussed by now, but i figured this is a good thread to ask.

i just went from 384.8 to 384.13 on my ac3100 and noticed this dns over TLS.
so i follow everything on this thread, and do see that 1.1.1.1 is my dns in use
but i don't understand how i'm able to confirm that my dns is actually secure.

https://www.cloudflare.com/ssl/encrypted-sni/ shows not secure at all

"tcpdump -i eth0 port 853" does nothing from the putty command prompt.

i stopped using stubby back in june after the google dns cloudflare mess
whether i use cloudflare alone or with ibm, does not seem to matter :(

 
Post #7 in this thread should help:
https://www.snbforums.com/threads/how-to-set-up-dns-over-tls-384-13.59461/#post-518590
 
Remove the DNS entries from the LAN DHCP server page and test again.
 
Remove the DNS entries from the LAN DHCP server page and test again.

thanks, i did, rebooted everything, dns still works,
now i see the cloudflare url test link results says;

(?) Secure DNS, You may not be using secure DNS.

so that's the proof, going from no to maybe? ;)

i also noticed DNSBench shows my router is my DNS
not 1.1.1.1 or 9.9.9.9 - i guess that means something o_O

i also noticed some new entry types in my router log like;
Oct 27 10:07:39 dnsmasq[1082]: possible DNS-rebind attack detected: net127.rebindtest.com
Oct 27 10:24:27 dnsmasq[1082]: Insecure DS reply received for us-west-1.elb.amazonaws.com, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
 
Run the tcpdump while browsing a site you haven’t used in a while so the name is not cached already.

Cloudflare’s test site isn’t reliable especially when using DNSSEC.
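The port-853 check from the replies above, as an added example that is not from the thread: a POSIX sh script (usable on the router's BusyBox shell) that turns tcpdump output from the WAN side into a verdict instead of raw packets. It assumes the WAN interface is eth0 (as in the thread), a placeholder WAN address of 203.0.113.10, and the standard `tcpdump -nn` line format; the capture lines below are constructed, not a real trace.

```sh
#!/bin/sh
# Added example, not from the thread. Classifies upstream DNS traffic seen by
# tcpdump so "tcpdump -i eth0 port 853" gives a verdict rather than raw packets.
# Assumptions: WAN interface is eth0 and the router's WAN address is known.
# On the router (root), capture both transports while loading an uncached site:
#   tcpdump -i eth0 -nn -l 'port 853 or port 53' -c 50 | dot_verdict <wan-ip>

# Constructed sample of `tcpdump -nn` output (not a real capture).
SAMPLE_CAPTURE='10:07:39.101 IP 203.0.113.10.41230 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
10:07:39.120 IP 1.1.1.1.853 > 203.0.113.10.41230: Flags [S.], seq 2, ack 2, win 65535, length 0
10:07:40.501 IP 203.0.113.10.51001 > 9.9.9.9.853: Flags [P.], seq 1:300, ack 1, win 501, length 299
10:07:41.007 IP 203.0.113.10.40112 > 8.8.8.8.53: 12345+ A? example.com. (29)
10:07:41.050 IP 8.8.8.8.53 > 203.0.113.10.40112: 12345 1/0/0 A 93.184.216.34 (45)'

# Reads tcpdump lines on stdin; counts packets *sent by* the WAN address to
# port 853 (DNS over TLS) and to port 53 (plaintext DNS). Replies are ignored.
dns_transport_summary() {
    awk -v wan="$1" '
        $2 == "IP" && $4 == ">" {
            n = split($3, s, "."); srcip = s[1] "." s[2] "." s[3] "." s[4]
            dst = $5; sub(/:$/, "", dst); m = split(dst, d, "."); dport = d[m]
            if (srcip != wan) next
            if (dport == 853) tls++
            else if (dport == 53) plain++
        }
        END { printf "dot=%d plain=%d\n", tls + 0, plain + 0 }'
}

# ok            : every upstream query left over port 853
# plaintext-leak: something still resolves over port 53 (e.g. a client handed a
#                 public resolver by DHCP, which bypasses the router's DoT)
# no-dot-traffic: nothing seen; the name was probably cached, browse a new site
dot_verdict() {
    summary=$(dns_transport_summary "$1")
    tls=${summary#dot=}; tls=${tls%% *}
    plain=${summary##*plain=}
    if [ "$plain" -eq 0 ] && [ "$tls" -gt 0 ]; then echo ok
    elif [ "$tls" -eq 0 ]; then echo no-dot-traffic
    else echo plaintext-leak
    fi
}

# Stand-alone run over the constructed sample (prints "plaintext-leak").
printf '%s\n' "$SAMPLE_CAPTURE" | dot_verdict 203.0.113.10
```

A plaintext-leak verdict with DoT configured usually means a LAN client is talking to a public resolver directly, which is exactly what removing the DNS entries from the LAN DHCP page fixes.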
 
Run the tcpdump while browsing a site you haven’t used in a while

thanks, but i have no idea how to do it... i used that command in
the router console and a win10 cmd line, and nothing happens.

anyway, the fact that i get a (?) and my router is my dns now
is enough of a change to indicate that something is working :D
 
Oct 27 10:10:09 dropbear[7461]: Login attempt for nonexistent user from 192.168.1.110:4410
What is the device at .110 and why would it be trying to ssh or scp to your router?
 
Hi all......just for giggles, I went to Tenta.com and used their test to see how the DoT shook down.....it certainly picked up the fact that Cloudflare and Quad are my selected servers, but in their advanced areas, TLS enabled shows False for all servers and DNSSEC enabled only for Quad.....any idea why they would believe DoT isn't set?

I've had DoT set since .13 release and did verify (with help) that the tcpdump to 853 is proper.....
 
Meanwhile when you use their dns servers, it's all green and enabled. Seems pretty biased.
 
Meanwhile when you use their dns servers, it's all green and enabled. Seems pretty biased.

Ya I wondered if that was the case....I'm not a Tenta customer so I was hoping someone could comment on that.....it's the same with ExpressVPN....if you're not using them (but someone else), apparently you fail all tests.....thanks!
 
Hello,

I've followed the instructions to enable DNS over TLS and still no go. The only difference from my configuration is that I'm using google dns instead.

Any suggestions?
 
How do you know it’s no-go? Post screenshots of WAN DNS, LAN DNSFilter, and LAN DHCP DNS pages. Also make sure time is set correctly on your router (check System Log page).
 
My settings are the same as the screenshots above. I can post some pictures a bit later. My time is correct as well. I did the test on Cloudflare and Secure DNS isn't showing. I'm also seeing entries for port 53 on my connections table. For DNSFilter, I have it set to router with Google DNS.

Looks like it's working now.
 
@RMerlin A minor point on Tools > Other Settings > Wan: Use local caching DNS server as system resolver (default: No)

By default this is set to "No", as is stated in the text of the option itself, however the tooltip - to my reading at least - suggests the exact opposite (see attached screenshot).

I assume this is a mistake with the tooltip text - while a great explanation of what's going on, it seems to have been written back in a day when the default was "Yes". Now the default is "No", it's somewhat confusing/misleading!
 

You're correct, the text wasn't amended after default behaviour was reversed. Thanks.
 
