What's new

new to dns over tls

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Having recently reviewed as much of the seemingly endless discussions as I could find, I ended up with the following configuration, which I'm sharing in case it might be of assistance to OP or anyone else. I make no warranties that my choices are the best choices and welcome suggestions.

  1. In the webui go to WAN / Internet Connection / WAN DNS Setting
  2. Set Connect to DNS Server automatically to No. (When using DoT this setting governs what happens in case your selected DoT DNS server doesn't load correctly. Setting it to Yes means that your router will start off with your ISP's DNS server before the router loads your selected DoT server. Setting it to No means that your router will start off with whatever fallback DNS server you select.)
  3. At DNS Server1, enter 1.1.1.1. (As most will recognize, this is for Cloudflare. I chose it because I personally choose to assiduously avoid using my ISP's DNS server for any purpose, even the time check at router startup.)
  4. At DNS Server2, enter 1.0.0.1. (This is Cloudflare's secondary address.)
  5. Set Forward local domain queries to upstream DNS to No. (Whether it's your ISP's DNS server, Cloudflare or whatever, the upstream DNS doesn't know your local network map.)
  6. Set Enable DNS Rebind protection to Yes. (Doing so helps to defend against possible cross-scripting attacks.)
  7. Set Enable DNSSEC support to Yes. (@RMerlin recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
  8. Set Validate unsigned DNSSEC replies to Yes. (@RMerlin also recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
  9. Set Prevent client auto DoH to Auto.
  10. At DNS Privacy Protocol, select DNS-over-TLS (DoT).
  11. At DNS-over-TLS Profile, select Strict.
  12. At Preset servers, select your preferred DNS service. I went with Quad9's 9.9.9.9 and 149.112.112.112 because I prefer Quad9 and like its filtering of malicious websites. (If you choose 2 different services, such as Quad9 and Cloudflare, the router will alternate between the two, rather than using one as primary and another as backup).
  13. Hit Apply.
Thanks to @themiron and @RMerlin for implementing DoT. Thanks to all for alpha and beta testing this feature and for your earlier comments on configuration options.

Once again, this is just what I've chosen based on my judgments of what I've read on this forum. Exercise your own judgment. Good luck!

[1/24/20 edit] Added thanks to @themiron, who developed DoT in Merlin almost entirely himself.

In step 3 & 4 you chose Cloudflare and in step 12 you chose Quad9. Why not Quad9 in step 3 & 4 also?
 
In step 3 & 4 you chose Cloudflare and in step 12 you chose Quad9. Why not Quad9 in step 3 & 4 also?
The cloudflare servers manually entered in WAN would only be used on router startup, Quad9 servers when DoT is up and working..
If a user checks https://www.dnsleaktest.com/ should only have quad9 servers in that test, But if something is wrong and the user also get cloudflare servers in this test..there is a DNS leak issue(cloudflare=not encrypted in this case).
DNS Privacy Protocol (DoT) gives very little info in router syslog.
So if quad9 is used for both WAN and DoT servers this would be harder to detect. TCP-Dump can be used to check traffic on port 53 or 853
(I have WAN DNS set to auto=isp DNS)
 
Last edited:
Good to know, but it can still be turned off if not desired, correct?
Yes, but be careful doing so.
  • Browse about:config
  • Accept the Risk and Continue
  • Search for network.trr.mode
  • Edit by clicking pencil
  • Change value to 5
  • Done
https://wiki.mozilla.org/Trusted_Recursive_Resolver

Edit: There might be a way in Settings to do the same

Edit: Ha! Scroll down in the article and there is a screen shot. Just unclick Enable DNS over HTTPS
Options -> Networks Settings -> Settings
 
Last edited:
Edit: There might be a way in Settings to do the same

Edit: Ha! Scroll down in the article and there is a screen shot. Just unclick Enable DNS over HTTPS
Options -> Networks Settings -> Settings
LOL, yes this was my point, it can be disabled and in Canada is disabled by default. So is the only change that in the US, it's now enabled by default or is it forced??
 
LOL, yes this was my point, it can be disabled and in Canada is disabled by default. So is the only change that in the US, it's now enabled by default or is it forced??
enabled by default
 
Yes, but be careful doing so.
  • Browse about:config
  • Accept the Risk and Continue
  • Search for network.trr.mode
  • Edit by clicking pencil
  • Change value to 5
  • Done
https://wiki.mozilla.org/Trusted_Recursive_Resolver

Edit: There might be a way in Settings to do the same

Edit: Ha! Scroll down in the article and there is a screen shot. Just unclick Enable DNS over HTTPS
Options -> Networks Settings -> Settings
On the road with Firefox Android. No settings to change in the menu but the above about:config change does work. Most times I surf through my home router over OpenVPN.
 
Yes will add the special canary domain to your DNS server regardless. Auto only adds it if you have DNS Privacy (DoT) or DNSFilter enabled, implying you want some control over your network's DNS.

But as is often mentioned regarding this feature, it only prevents the automatic enablement of Firefox DoH, not the explicit enablement by a user going into the Firefox settings.

I was trying to determine the difference for Set Prevent client auto DoH to Auto versus YES with DoT enabled and using cloudflare. What is a "special canary domain" please? I checked the online wiki for privacy and did not see anything about this.

Thank you.

Edward
 
How do you know its working?

Sent from my PH-1 using Tapatalk

I'd like to know this too. I can't find anywhere that DNS traffic is recorded. However -
From the GUI: General > Adaptive QoS > Classification tab
On the right-most column if you scroll down to Tracked Connections, you'll see HTTP and IMAP Protocol over TLS SSL...if HTTP and IMAP stuff is happening over TLS, can we assume it was built-in that DNS is happening that way as well?

A primer: https://en.wikipedia.org/wiki/Transport_Layer_Security
 
Did some experiment with DoT and IPv6 last night. My ISP only has IPv4 so I'm using he tunnelbroker for IPv6. In the WAN page, I entered 2 v4 + 2 v6 cloudflare's dns servers.

If I left the dns in IPv6 page empty then I couldn't access IPv6 domain at all.
If I entered cloudflare IPv6 dns in IPv6 page then cloudflare's test said no DoT.
If I entered ::1 either couldn't access IPv6 domain or no DoT (forgot which one).
The solution I found was enter router's public IPv6 address. I disabled IPv4 on my pc and iPhone then tried cloudflare's test to confirm this works.
It is possible that link local address of the router may work but I'm too lazy to test it.

If someone can confirm that this is the proper way of handling IPv6 and DoT then I'll try to add it to the github wiki.
 
There is no guide. The seemingly endless discussions did not converge on a recommended configuration or even an understanding.

If you happened to have chosen Cloudflare this link will confirm DNS over TLS function:
https://1.1.1.1/help
I found the using Firefox from Win10 does not give the correct info, it said No to everything. I used the Brave browser and that verified I was using DoT.

Update: I just tried Chromium-based Edge, and Google Chrome, and both reports No to everything including DoT.
 
Last edited:
I found the using Firefox from Win10 does not give the correct info, it said No to everything. I used the Brave browser and that verified I was using DoT.

Update: I just tried Chromium-based Edge, and Google Chrome, and both reports No to everything including DoT.
Firefox 74.0 on Windows 10 1909
Cloudflare_DNS_TLS.png
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top