Why DNS over TLS is so important, and if you are not using it you should be

[Jon555]

I am using DNS leak test https://www.dnsleaktest.com/ to test this. I was also surprised.

What’s interesting about this is I have Cloudflare and Google DNS set up for both IPv4 and IPv6 (with Cloudflare being listed first). However, running this test from this site kept showing Google as being listed. Does the order in which you add DNS servers not actually correlate to which your router will try to use first? I wanted it to use Cloudflare primarily and Google as a backup.

For reference, have a GT-AX6000 running Merlin 386.6

 

[JWoo]

What’s interesting about this is I have Cloudflare and Google DNS set up for both IPv4 and IPv6 (with Cloudflare being listed first). However, running this test from this site kept showing Google as being listed. Does the order in which you add DNS servers not actually correlate to which your router will try to use first? I wanted it to use Cloudflare primarily and Google as a backup.

For reference, have a GT-AX6000 running Merlin 386.6

Sometimes that is because of the response time of the DNS server.

 

[ColinTaylor]

Does the order in which you add DNS servers not actually correlate to which your router will try to use first? I wanted it to use Cloudflare primarily and Google as a backup.

dnsmasq starts off using the secondary (or last) nameserver. In theory its meant to favour the fastest server and periodically checks to see which that is. I've just tested this behaviour again. A server has to be significantly faster than the current one for it to switch servers.

 

[Paliv]

Comcast actually stopped showing their customized error pages/search results because it broke DNSSEC. I checked this morning, I even use a Comcast gateway as a bridge, and I can use any DNS on port 53. I even checked 3 different leak sites and they all showed Quad9.

 

[JWoo]

I’ve been with Comcast for long time and I use Quad9 over regular 53/udp. I’ve never seen it hijacked. YMMV.

For me, port 53 gets hijacked and port 853 does not.

 

[Jon555]

dnsmasq starts off using the secondary (or last) nameserver. In theory its meant to favour the fastest server and periodically checks to see which that is. I've just tested this behaviour again. A server has to be significantly faster than the current one for it to switch servers.

Huh, I'll have to test that out. Thanks for the heads up

 

[Matthew Patrick]

I'm in Indonesia and most home ISP and Mobile Provider have implemented DNS Poisoning to hijack our custom DNS servers and redirect it to their DNS which is usually unstable and blocks so much things. Even reddit.com . Yeah.. you read that right. DoT/H usually works fine. But the mobile providers have been trying out new DPI things to block the websites in addition of DNS poisoning. Only way to bypass that is VPN lol.

 

[Paliv]

For me, port 53 gets hijacked and port 853 does not.

Did you try resetting the router? I’ve found DNS to be a bit fickle if you mess with it a lot.

 

[RMerlin]

For me, port 53 gets hijacked and port 853 does not.

That's one of the benefits of DOT. Because it uses TLS, you cannot hijack it - the public certificate won't match the private key on the server. The best they could do is block port 853.

 

[Elmer]

Thanks for bringing this up. ATT was highjacking me - thought I had it secured. I battened down the hatches, and now it shows we're good. On another subject, what is the IPV6 DNS block on the LAN page? No matter what I put in the block, it ignores (does not even allow it to populate).

 

[Matthew Patrick]

Thanks for bringing this up. ATT was highjacking me - thought I had it secured. I battened down the hatches, and now it shows we're good. On another subject, what is the IPV6 DNS block on the LAN page? No matter what I put in the block, it ignores (does not even allow it to populate).

On the DoT list on WAN. just add ipv6 DNS servers. It should work fine too

 

[Morris]

I got tired of DNS over TLS hanging and went back to unencrypted. Reliability is much more important to me. This was a while ago, possibly it's improved yet it's gone now. Also, I block DNS over HTTPS on my network allowing me to point hosts on this network to servers that I sent them to and thus block dangerous sights. We hosted a party the other day. Quite a few of my guests were blocked from reaching dangerous sights. My family and I are all protected and that's part of our multi teared security policy. Yes, I could send the traffic to the same servers using DNS over TLS yet a denial of service is a serious security issue.

And for those of you that want to scream, if you assign IP via DHCP, your hosts are venerable to one of the oldest exploits in the book, a second and very fast DHCP server on your network that is part of a man in the middle attack.

Have a wonderful day

Morris

​

 

[Viktor Jaep]

Thanks for your post. Totally agree that monetization of things that we don't pay for is gonna happen. The only point I was making about data collection is that players like Google Quad9 and Cloudfare are very specific about how long they keep DNS logs and what they do with it. Cloudfare is definitely one of the better players at the moment: "Our 1.1.1.1 resolver service does not log personal information, and the bulk of the limited non-personally identifiable query data is only stored for 25 hours." Google replaces your IP address with a location or region to anonymize it and sell it; raw DNS queries are kept for 24 - 48 hours with Google. Quad9 claims not to store any identifiable data. Comcast has a lengthy DNS policy stating they do not use DNS data for marketing, but they oddly hijack port 53 anyway? This is my last post on this topic. Appreciate all the perspectives.

This is *exactly* why you would want to configure a whole-home VPN and route all your local traffic through it... using Quad9 or whatever DoH/DoT services you need to, to keep your queries safe from prying ISP eyes. Keep whatever is going over your WAN traffic to an absolute minimum. Ever since the FCC changed the rules here in the US, I have done my part in preventing our ISPs from intercepting our traffic for their particular purposes. Shameless plug for VPNMON-R2, which even takes it a step beyond and keeps them guessing through massive randomization of endpoints within your country or multiple countries. You've definitely hit my hot button with this one.

 

[Morris]

This is *exactly* why you would want to configure a whole-home VPN and route all your local traffic through it... using Quad9 or whatever DoH/DoT services you need to, to keep your queries safe from prying ISP eyes. Keep whatever is going over your WAN traffic to an absolute minimum. Ever since the FCC changed the rules here in the US, I have done my part in preventing our ISPs from intercepting our traffic for their particular purposes. Shameless plug for VPNMON-R2, which even takes it a step beyond and keeps them guessing through massive randomization of endpoints within your country or multiple countries. You've definitely hit my hot button with this one.

Slow...

You have to hope the VPN vendor dose on enjoy your traffic

 

[Viktor Jaep]

I got tired of DNS over TLS hanging and went back to unencrypted. Reliability is much more important to me. This was a while ago, possibly it's improved yet it's gone now. Also, I block DNS over HTTPS on my network allowing me to point hosts on this network to servers that I sent them to and thus block dangerous sights. We hosted a party the other day. Quite a few of my guests were blocked from reaching dangerous sights. My family and I are all protected and that's part of our multi teared security policy. Yes, I could send the traffic to the same servers using DNS over TLS yet a denial of service is a serious security issue.

And for those of you that want to scream, if you assign IP via DHCP, your hosts are venerable to one of the oldest exploits in the book, a second and very fast DHCP server on your network that is part of a man in the middle attack.

Have a wonderful day

Morris

​

I've never seen DoT hang... Sounds like either config issues, WAN issues or possibly ISP interference...

 

[Viktor Jaep]

Slow...

You have to hope the VPN vendor dose on enjoy your traffic

200+Mbps ain't too bad. Always a risk, but try to stick with the right VPN vendor that might not be doing no harm or no logging.

 

[Morris]

I've never seen DoT hang... Sounds like either config issues, WAN issues or possibly ISP interference...

Intermittent, about every month or two. Now you have heard of it. By hang, I mean fail to respond.

 

[JWoo]

I've never seen DoT hang... Sounds like either config issues, WAN issues or possibly ISP interference...

Agree. Been running DoT for maybe 3 years. Started out running on Tomato. Now on Asus Merlin. Config is important as you want to select DNS providers with a presence near you.

 

[Viktor Jaep]

Intermittent, about every month or two. Now you have heard of it. By hang, I mean fail to respond.

Sorry to hear that, @Morris... it's just that in the years I've been using DoT, I haven't had a single issue. It's only as stable as the DoT servers you select.

 

[Matthew Patrick]

I've never seen DoT hang... Sounds like either config issues, WAN issues or possibly ISP interference...

Agree. Been running DoT for maybe 3 years. Started out running on Tomato. Now on Asus Merlin. Config is important as you want to select DNS providers with a presence near you.

Sorry to hear that, @Morris... it's just that in the years I've been using DoT, I haven't had a single issue. It's only as stable as the DoT servers you select.

Same here. Been running DoT since the first time it arrived on Merlin FW. Never fail to respond to queries. Make sure the servers are good since i tried a few back then and sometimes it times out and when I checked on stubby it seems like some servers sometimes just stops working for a few and then works again for some reason.

Edit : for info, my solid DoT servers are Google's and Cloudflare's . Since i trust them and I just want to bypass my ISP's prying eyes and blocking. Also using both Google and CF DNS improves reliability compared to using the ISP's DNS

Also using DoT/H on my devices 24/7 and it always works