Why DNS over TLS is so important, and if you are not using it you should be

[ColinTaylor]

I took a better screenshot showing it's UDP traffic, but still a burst of 2-3 DNS-retransmissions within milliseconds. Strange...

Thanks for the clarification. That is indeed strange. As it's UDP that would suggest that it's specifically the client's behaviour rather than the server or the transport.

 

[JWoo]

Hi, @JWoo!

Did you still manually set up the WAN DNS settings to cloudfare's/Quad9's DNS when you activated the DNS-over-TLS settings? Or you left it at 'Auto'?

Thanks!

Manual. Do not use auto settings.

 

[bbunge]

Ahh, that was the trick - I'm using Firefox which has DOH enabled by default, so that's why I was getting a DOH result.

If I switch to Chrome, I only see DOT enabled, as expected.

Good catch!

Manual. Do not use auto settings.

It really does not matter what you set in WAN/DNS Server 1 and 2, or as it is in the 386.7 alpha just DNS Server, as those are used only when the router boots up to set the time clock. Once the router is up with DoT enabled dnsmasq will pass the DNS queries to Stubby/Get DNS to encrypt and send to the upstream resolvers. With that said I do set my DNS Servers to Cloudflare Secure (1.1.1.2 and 1.0.0.2)

 

[SomeWhereOverTheRainBow]

It really does not matter what you set in WAN/DNS Server 1 and 2, or as it is in the 386.7 alpha just DNS Server, as those are used only when the router boots up to set the time clock. Once the router is up with DoT enabled dnsmasq will pass the DNS queries to Stubby/Get DNS to encrypt and send to the upstream resolvers. With that said I do set my DNS Servers to Cloudflare Secure (1.1.1.2 and 1.0.0.2)

Yea but you still want to have "something" there for the routers clock.

 

[bbunge]

Yea but you still want to have "something" there for the routers clock.

Yes and I omitted the need for valid upstream resolver addresses in the WAN/DNS Server area. Some put the address of a Pi-Hole on the LAN in that area and it does not work.

 

[sfx2000]

Back to Earth, it appears that Comcast is hijacking DNS queries and redirecting them to their own DNS servers. I know they do that when you have their Comcast gateway, but I am using my own cable modem and router. Really maddening and it is hard to believe this is legal. @RMerlin a shout out for you including Stubby! You are an IT guy, are you seeing other ISPs doing this too?

Use this to see what DNS servers you are using...

dnscheck.tools - check your dns resolvers

A tool to test for DNS leaks, DNSSEC validation, and more

dnscheck.tools

 

[rexbinary]

I would recommend DNSCrypt over DoT or DoH. DNSCrypt's FAQ lists reasons they believe their solution is better if you scroll down a bit.

DNSCrypt - FAQ - DNSCrypt vs DoH

DNSCrypt vs DoH - A comparison of options for secure DNS.

dnscrypt.info

I run it with Quad9 as my resolver and it works great for me. It has built in caching for speed, and has DNSSEC built in as well.

 

[coxhaus]

So, does using DOT or DOH get the same priority in the router software as port 53? I use QUAD9 on port 53 because I have for a long time.

 

[Viktor Jaep]

I would recommend DNSCrypt over DoT or DoH. DNSCrypt's FAQ lists reasons they believe their solution is better if you scroll down a bit.

DNSCrypt - FAQ - DNSCrypt vs DoH

DNSCrypt vs DoH - A comparison of options for secure DNS.

dnscrypt.info

I run it with Quad9 as my resolver and it works great for me. It has built in caching for speed, and has DNSSEC built in as well.

How are you running this, @rexbinary? Is it running through some other tool (like unbound?), running your own server instance? AMTM? Or some other way? Perhaps this? https://www.snbforums.com/threads/dnscrypt-proxy-installer-for-asuswrt-merlin-nov.67435/

 

[rexbinary]

How are you running this, @rexbinary? Is it running through some other tool (like unbound?), running your own server instance? AMTM? Or some other way? Perhaps this? https://www.snbforums.com/threads/dnscrypt-proxy-installer-for-asuswrt-merlin-nov.67435/

Secure DNS queries using DNSCrypt

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

There is no GUI for it, but it's relativity easy if you don't mind a little command line.

 

[Viktor Jaep]

Secure DNS queries using DNSCrypt

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

There is no GUI for it, but it's relativity easy if you don't mind a little command line.

Got it up and running as we speak... Thanks for mentioning this!

 

[Zastoff]

Got it up and running as we speak... Thanks for mentioning this!

Would recommend DNSCrypt installer in AMTM, It has some really nice install/configuration options and it has built in checks and works nice with dns-filter.

GitHub - thuantran/dnscrypt-asuswrt-installer: dnscrypt installer for Asus router with merlin firmware

dnscrypt installer for Asus router with merlin firmware - thuantran/dnscrypt-asuswrt-installer

github.com

 

[Viktor Jaep]

Would recommend DNSCrypt installer in AMTM, It has some really nice install/configuration options and it has built in checks and works nice with dns-filter.

GitHub - thuantran/dnscrypt-asuswrt-installer: dnscrypt installer for Asus router with merlin firmware

dnscrypt installer for Asus router with merlin firmware - thuantran/dnscrypt-asuswrt-installer

github.com

Thanks... that's the one I used.

 

[sfx2000]

I would recommend DNSCrypt over DoT or DoH. DNSCrypt's FAQ lists reasons they believe their solution is better if you scroll down a bit.

I don't recommend DNSCrypt over DoH or DoT - since DNSCrypt is it's own protocol, it can be detected and identified, and subsequently blocked, forcing DNS to fallback to unencrypted DNS lookups.

If I had a choice, it would be DNS over TLS, as it's just as secure as any of the others, and unlike DNSCrypt, it has been battle tested and implementations opened up for peer review - being an ITEF request for comments, that's another plus in the DoT (and DoH) columns that DNSCrypt cannot claim (there is no RFC activity for DNSCrypt, not even an internet draft which is at least informative if not binding)

Also note that DNSCrypt, like DoH and DoT, doesn't offer much for privacy as the destination server can still log and process packets as they see fit.

Much like commercial VPN services - folks are being sold a bill of goods that has zero value, and causes more harm than good.

 

[Zastoff]

I don't recommend DNSCrypt over DoH or DoT - since DNSCrypt is it's own protocol, it can be detected and identified, and subsequently blocked, forcing DNS to fallback to unencrypted DNS lookups.

If I had a choice, it would be DNS over TLS, as it's just as secure as any of the others, and unlike DNSCrypt, it has been battle tested and implementations opened up for peer review - being an ITEF request for comments, that's another plus in the DoT (and DoH) columns that DNSCrypt cannot claim (there is no RFC activity for DNSCrypt, not even an internet draft which is at least informative if not binding)

Also note that DNSCrypt, like DoH and DoT, doesn't offer much for privacy as the destination server can still log and process packets as they see fit.

Much like commercial VPN services - folks are being sold a bill of goods that has zero value, and causes more harm than good.

Dnscrypt-proxy 2 can not fall back to unencrypted dns and for any dns protocol it comes down to what server providers to trust.. Think it is way easier to block most DoT servers since most use port 853 some of them can be used on port 443..
Dnscrypt-proxy 2 in asuswrt-merlin use the regular dns port 53(can be forced to use tcp on 443 if needed), sure the entire dnscrypt-proxy server list can be blocked but same as any other dns server or protocol used.
I use this:https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS#anonymized-dnscrypt
With dnscrypt ephemeral keys to help prevent fingerprinting devices..
Relays works nice with quad9's dnscrypt servers btw.
I have tried DoT and it works really well and i recommend it also, But prefer the servers/relays (dnscrypt protocol)and options i get in dnscrypt-proxy 2, DoH i avoid..maybe when it fully support https 3, use oblivious DoH together with anonymized-dnscrypt servers sometimes and load balancing set to random.
ITEF is good for companies that want to add these protocols in their software (DoT & DoH), As a user I am not so sure with all information gathering going on. I am not trying to be completely anonymous..just add confusion to the dns swamp for devices on my network.

 

[sfx2000]

Relays works nice with quad9's dnscrypt servers btw.

Do you trust the person that runs the relay not to keep logs?

Like I said, there's no valid reason to run DNSCrypt when DoT is present.

If one is going down the dark web, it's a good way to get attention, and like I mentioned, even with a proxy, DNSCrypt is easily detected and defeated. Same goes with Tor...

 

[RMerlin]

DoT also gives you a larger list of available servers to use than DNSCrypt, thanks to it being an official open standard.

 

[New2This]

Would it be better to use DoT or Unbound??

 

[ColinTaylor]

Would it be better to use DoT or Unbound??

DoT is a network protocol. Unbound is DNS resolver.

 

[Zastoff]

Do you trust the person that runs the relay not to keep logs?

Like I said, there's no valid reason to run DNSCrypt when DoT is present.

The recommendation i did was to use dnscrypt installer in AMTM over the entware guide that was linked..

Also wrote that i do recommend DoT.

The Question on relays logging:
The relay do not have the key for the encrypted packets, it only blindly forwards and my ip is removed for the DNS server.
Guess any network and it's admins can keep logs maybe even store all and try to decrypt later on.

I am still waiting for some actual tests and evidence that one of the dns protocols is better the other..
Add confusion is my current focus, load balancing set to random and randomized multiple relays used.

Still amazed by all the knowledge people sit on without anything to backup their claims.

@sfx2000
How do you get dnscrypt-proxy 2 to use regular dns i wonder?