What's new

Why DNS over TLS is so important, and if you are not using it you should be

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hi, @JWoo!

Did you still manually set up the WAN DNS settings to cloudfare's/Quad9's DNS when you activated the DNS-over-TLS settings? Or you left it at 'Auto'?

Thanks!
Manual. Do not use auto settings.
 
Ahh, that was the trick - I'm using Firefox which has DOH enabled by default, so that's why I was getting a DOH result.

If I switch to Chrome, I only see DOT enabled, as expected.

Good catch!

Manual. Do not use auto settings.
It really does not matter what you set in WAN/DNS Server 1 and 2, or as it is in the 386.7 alpha just DNS Server, as those are used only when the router boots up to set the time clock. Once the router is up with DoT enabled dnsmasq will pass the DNS queries to Stubby/Get DNS to encrypt and send to the upstream resolvers. With that said I do set my DNS Servers to Cloudflare Secure (1.1.1.2 and 1.0.0.2)
 
It really does not matter what you set in WAN/DNS Server 1 and 2, or as it is in the 386.7 alpha just DNS Server, as those are used only when the router boots up to set the time clock. Once the router is up with DoT enabled dnsmasq will pass the DNS queries to Stubby/Get DNS to encrypt and send to the upstream resolvers. With that said I do set my DNS Servers to Cloudflare Secure (1.1.1.2 and 1.0.0.2)
Yea but you still want to have "something" there for the routers clock.
 
Yea but you still want to have "something" there for the routers clock.
Yes and I omitted the need for valid upstream resolver addresses in the WAN/DNS Server area. Some put the address of a Pi-Hole on the LAN in that area and it does not work.
 
Back to Earth, it appears that Comcast is hijacking DNS queries and redirecting them to their own DNS servers. I know they do that when you have their Comcast gateway, but I am using my own cable modem and router. Really maddening and it is hard to believe this is legal. @RMerlin a shout out for you including Stubby! You are an IT guy, are you seeing other ISPs doing this too?

Use this to see what DNS servers you are using...

 
I would recommend DNSCrypt over DoT or DoH. DNSCrypt's FAQ lists reasons they believe their solution is better if you scroll down a bit.


I run it with Quad9 as my resolver and it works great for me. It has built in caching for speed, and has DNSSEC built in as well.
 
So, does using DOT or DOH get the same priority in the router software as port 53? I use QUAD9 on port 53 because I have for a long time.
 
I would recommend DNSCrypt over DoT or DoH. DNSCrypt's FAQ lists reasons they believe their solution is better if you scroll down a bit.


I run it with Quad9 as my resolver and it works great for me. It has built in caching for speed, and has DNSSEC built in as well.
How are you running this, @rexbinary? Is it running through some other tool (like unbound?), running your own server instance? AMTM? Or some other way? Perhaps this? https://www.snbforums.com/threads/dnscrypt-proxy-installer-for-asuswrt-merlin-nov.67435/
 
Last edited:
How are you running this, @rexbinary? Is it running through some other tool (like unbound?), running your own server instance? AMTM? Or some other way? Perhaps this? https://www.snbforums.com/threads/dnscrypt-proxy-installer-for-asuswrt-merlin-nov.67435/

There is no GUI for it, but it's relativity easy if you don't mind a little command line.
 
Last edited:
I would recommend DNSCrypt over DoT or DoH. DNSCrypt's FAQ lists reasons they believe their solution is better if you scroll down a bit.

I don't recommend DNSCrypt over DoH or DoT - since DNSCrypt is it's own protocol, it can be detected and identified, and subsequently blocked, forcing DNS to fallback to unencrypted DNS lookups.

If I had a choice, it would be DNS over TLS, as it's just as secure as any of the others, and unlike DNSCrypt, it has been battle tested and implementations opened up for peer review - being an ITEF request for comments, that's another plus in the DoT (and DoH) columns that DNSCrypt cannot claim (there is no RFC activity for DNSCrypt, not even an internet draft which is at least informative if not binding)

Also note that DNSCrypt, like DoH and DoT, doesn't offer much for privacy as the destination server can still log and process packets as they see fit.

Much like commercial VPN services - folks are being sold a bill of goods that has zero value, and causes more harm than good.
 
I don't recommend DNSCrypt over DoH or DoT - since DNSCrypt is it's own protocol, it can be detected and identified, and subsequently blocked, forcing DNS to fallback to unencrypted DNS lookups.

If I had a choice, it would be DNS over TLS, as it's just as secure as any of the others, and unlike DNSCrypt, it has been battle tested and implementations opened up for peer review - being an ITEF request for comments, that's another plus in the DoT (and DoH) columns that DNSCrypt cannot claim (there is no RFC activity for DNSCrypt, not even an internet draft which is at least informative if not binding)

Also note that DNSCrypt, like DoH and DoT, doesn't offer much for privacy as the destination server can still log and process packets as they see fit.

Much like commercial VPN services - folks are being sold a bill of goods that has zero value, and causes more harm than good.
Dnscrypt-proxy 2 can not fall back to unencrypted dns and for any dns protocol it comes down to what server providers to trust.. Think it is way easier to block most DoT servers since most use port 853 some of them can be used on port 443..
Dnscrypt-proxy 2 in asuswrt-merlin use the regular dns port 53(can be forced to use tcp on 443 if needed), sure the entire dnscrypt-proxy server list can be blocked but same as any other dns server or protocol used.
I use this:https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS#anonymized-dnscrypt
With dnscrypt ephemeral keys to help prevent fingerprinting devices..
Relays works nice with quad9's dnscrypt servers btw.
I have tried DoT and it works really well and i recommend it also, But prefer the servers/relays (dnscrypt protocol)and options i get in dnscrypt-proxy 2, DoH i avoid..maybe when it fully support https 3, use oblivious DoH together with anonymized-dnscrypt servers sometimes and load balancing set to random.
ITEF is good for companies that want to add these protocols in their software (DoT & DoH), As a user I am not so sure with all information gathering going on. I am not trying to be completely anonymous..just add confusion to the dns swamp for devices on my network.
 
Last edited:
Relays works nice with quad9's dnscrypt servers btw.

Do you trust the person that runs the relay not to keep logs?

Like I said, there's no valid reason to run DNSCrypt when DoT is present.

If one is going down the dark web, it's a good way to get attention, and like I mentioned, even with a proxy, DNSCrypt is easily detected and defeated. Same goes with Tor...
 
DoT also gives you a larger list of available servers to use than DNSCrypt, thanks to it being an official open standard.
 
Would it be better to use DoT or Unbound??
 
Do you trust the person that runs the relay not to keep logs?

Like I said, there's no valid reason to run DNSCrypt when DoT is present.
The recommendation i did was to use dnscrypt installer in AMTM over the entware guide that was linked..

Also wrote that i do recommend DoT.

The Question on relays logging:
The relay do not have the key for the encrypted packets, it only blindly forwards and my ip is removed for the DNS server.
Guess any network and it's admins can keep logs maybe even store all and try to decrypt later on.

I am still waiting for some actual tests and evidence that one of the dns protocols is better the other..
Add confusion is my current focus, load balancing set to random and randomized multiple relays used.

Still amazed by all the knowledge people sit on without anything to backup their claims.

@sfx2000
How do you get dnscrypt-proxy 2 to use regular dns i wonder?
 
Last edited:

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top