Menu
What's new
By:
Filters Better Search

Why DNS over TLS is so important, and if you are not using it you should be

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Interesting stuff

I'm guessing CIRA does not have DNS over TLS?

www.cira.ca

Free DNS Servers | CIRA

Canadian Shield is a free DNS firewall service provided by CIRA that protects your devices from malware, phishing, and other cyber threats. Learn how Canadian Shield can help keep you safe online and get started today.
www.cira.ca

DNSSEC: Securing the domain name system – CIRA

Learn more about DNNSEC, what it does, and how CIRA is securing the domain name system.
www.cira.ca
 
anotherengineer said:
Interesting stuff

I'm guessing CIRA does not have DNS over TLS?

www.cira.ca

Free DNS Servers | CIRA

Canadian Shield is a free DNS firewall service provided by CIRA that protects your devices from malware, phishing, and other cyber threats. Learn how Canadian Shield can help keep you safe online and get started today.
www.cira.ca

DNSSEC: Securing the domain name system – CIRA

Learn more about DNNSEC, what it does, and how CIRA is securing the domain name system.
www.cira.ca
Click to expand...
It certainly does.
 
What's the word for when you're so worried about a fairly insignificant thing but completely ignoring the much bigger threats?
 
bbunge said:
My stubby.postconf to change roundrobin and enable DNSSEC in Stubby:
Code: 
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" $CONFIG
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Note: if you enable DNSSEC this way in Stubby do not enable it in the GUI.
Click to expand...
Correct, If you do enable dnssec in the GUI and in stubby, do not enable validate unsigned replies because this will create a DNS problem where dnsmasq tries to validate the already validated replies. DNSmasq will create a query loop where it will keep tripping on the same request refusing to resolve any other request until the loop is broken. If you want DNSMASQ to cache the validated replies all you need to do is enable dnssec, but leave validate unsigned replies unchecked!. Another method is to use proxy-dnssec using dnsmasq.conf.add or dnsmasq.postconf. however this type of response will not be cached like using dnssec with validate unsigned replies unchecked!.
 
Treadler said:
I hear you.
I will experiment, Quad9 DoT, only selecting one server. Round robin out of the equation then?
Click to expand...
No improvement seen, just specifying one resolver with Quad9.
Reverted to DoT using Cleanbrowsing Security. All good now…..
 
drinkingbird said:
What's the word for when you're so worried about a fairly insignificant thing but completely ignoring the much bigger threats?
Click to expand...
It's a phrase: "...being overly concerned about the ambience of the deck chair layout in 1st Class, whilst ignoring the Iceberg, that's dead ahead..." Titanic 15/4/1912
 
Treadler said:
No improvement seen, just specifying one resolver with Quad9.
Reverted to DoT using Cleanbrowsing Security. All good now…..
Click to expand...
My problems with Quad9 were caused by my ISP. Via anycast they routed Quad9 to servers 1000 miles away while Cloudflare servers are 100 miles away. And Quad9 also has servers in the same center as Cloudflare!
For now I am using Cloudflare Security over DoT with DNSSEC.
 
Viktor Jaep said:
This is *exactly* why you would want to configure a whole-home VPN and route all your local traffic through it... using Quad9 or whatever DoH/DoT services you need to, to keep your queries safe from prying ISP eyes. Keep whatever is going over your WAN traffic to an absolute minimum. Ever since the FCC changed the rules here in the US, I have done my part in preventing our ISPs from intercepting our traffic for their particular purposes. Shameless plug for VPNMON-R2, which even takes it a step beyond and keeps them guessing through massive randomization of endpoints within your country or multiple countries. You've definitely hit my hot button with this one. ;)
Click to expand...
I'm liking what @ZebMcKayhan is doing with WireGuard and @Martineau has done by bringing us unbound.
unbound just inside WireGuard and in front of NPT (I would LOOOOOVE to see NPT replace NAT) would be my ideal, or closest to it
scanning the QR code to connect to wifi also launches the WG connection between your device and the "home server" of your router...
it's coming...and the people around here who code may beat the Asus team to the punch (and show them the way)
 
P
drinkingbird said:
What's the word for when you're so worried about a fairly insignificant thing but completely ignoring the much bigger threats?
Click to expand...
Paranoia or tunnel vision? Lol

i personally don’t have any add ons. Stock merlin and stock settings and basic open dns in the wan.

always trying to learn more and get the best bang for effort though as I am not an expert in routers or cyber security.
 
heysoundude said:
unbound just inside WireGuard and in front of NPT (I would LOOOOOVE to see NPT replace NAT) would be my ideal, or closest to it
Click to expand...
While NPT is a really brilliant thing it does not provide any privacy. Besides it is not compatible with conntrack, would you trade your stateful firewall for NPT?

But its a shame and I agree that I would want NPT as well but we will have to settle for NETMAP (if/when it gets included in firmware), which is not quite as lean and neat but much easier to use.

Most Wireguard providers are still handing out single ips though so one could only hope in a distant future maybe.
 
Last edited:
Viktor Jaep said:
Sorry to hear that, @Morris... it's just that in the years I've been using DoT, I haven't had a single issue. It's only as stable as the DoT servers you select.
Click to expand...
And that's probably the issue. In my case it AdGuard DNS. The servers stayed up yet would stop answering my DNS queries when using DoT. Very strange as they would answer from another device.
 
ZebMcKayhan said:
While NPT is a really brilliant thing it does not provide any privacy. Besides it is not compatible with conntrack, would you trade your stateful firewall for NPT?

But its a shame and I agree that I would want NPT as well but we will have to settle for NETMAP (if/when it gets included in firmware), which is not quite as lean and neat but much easier to use.

Most Wireguard providers are still handing out single ips though so one could only hope in a distant future maybe.
Click to expand...
I wish they could just go crazy and upgrade all kernels and run nftables.
 
DoT on Asus routers has not been reliable for me. I use the NextDNS client and it works great.
 
Smokey613 said:
DoT on Asus routers has not been reliable for me. I use the NextDNS client and it works great.
Click to expand...
Nothing against nextdns because they are providing a great service for those with limited means to do such, but I have yet to find a reason to switch to something I can do myself for free (with troubleshooting not required). However, I think they are doing a great job with how far they have come for the subset they service.
 
Smokey613 said:
DoT on Asus routers has not been reliable for me. I use the NextDNS client and it works great.
Click to expand...
Thank you for coming forward. I'm not alone. Do you recall the DNS servers you were using when you had the issues?
 
Morris said:
Thank you for coming forward. I'm not alone. Do you recall the DNS servers you were using when you had the issues?
Click to expand...
IIRC he was trying to use NextDNS on the routers DoT platform. However, He soon discovered a brick wall. i.e. Nextdns secondary DNS servers are not friendly to round robin queries done by Stubby. You have to completely disable round robin queries with stubby in order to use NextDNS, otherwise queries to the secondary DNS servers will quickly reach ratelimits. NextDNS developers designed NextDNS to "promote" the DoH concept which is what their client uses. however they do provide subpar DoT servers.
 
You must log in or register to reply here.

Similar threads

B
DNS over Tls is it right?
Replies
2
Views
5K
Yo_2T
Y
P
Solved DNS-over-TLS and chroot (NextDNS DOT issue)
Replies
3
Views
2K
papypaprika
P
L
Is It Possible To Exclude IPv6 Data For Certain LAN IP's Using VPN Director Rules?
Replies
12
Views
3K
learning_curve
L
Viktor Jaep
VPNMON [BETA] VPNMON-R2 BETA is CLOSED. Thank you all for your help!!
3 4 5
Replies
88
Views
16K
Viktor Jaep
Viktor Jaep
M
DoH using NextDNS CLI and OpenVPN (ProtonVPN) with PBR - Can it be done?
Replies
1
Views
2K
eibgrad
eibgrad
Similar threads
Thread starter Title Forum Replies Date
C isp block dns over tls and poison any unencrypted dns resolution Asuswrt-Merlin 14
V Opera DNS-over tls Asuswrt-Merlin 0
V DNS server vs DNS-over TLS server list Asuswrt-Merlin 3
A DNS/TLS IPv6. Asuswrt-Merlin 18
S Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf Asuswrt-Merlin 1
T Wireguard Client VPN not using DNS Asuswrt-Merlin 14
Preskitt.man DNS Issue?? AX5800 Pro Issue?? Asuswrt-Merlin 2
H DNS-rebind attack detected: farm.plista.com. etc...?? Asuswrt-Merlin 3
plapic DNS Director Asuswrt-Merlin 7
P DNS Director - Proprietary? Asuswrt-Merlin 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 834 (members: 36, guests: 798)
Top