ColinTaylor
Part of the Furniture
Thanks for the clarification. That is indeed strange. As it's UDP that would suggest that it's specifically the client's behaviour rather than the server or the transport.
Why DNS over TLS is so important, and if you are not using it you should be
- Thread starter JWoo
- Start date
Manual. Do not use auto settings.
bbunge
Part of the Furniture
It really does not matter what you set in WAN/DNS Server 1 and 2, or as it is in the 386.7 alpha just DNS Server, as those are used only when the router boots up to set the time clock. Once the router is up with DoT enabled dnsmasq will pass the DNS queries to Stubby/Get DNS to encrypt and send to the upstream resolvers. With that said I do set my DNS Servers to Cloudflare Secure (1.1.1.2 and 1.0.0.2)
SomeWhereOverTheRainBow
Part of the Furniture
Yea but you still want to have "something" there for the routers clock.
bbunge
Part of the Furniture
Yes and I omitted the need for valid upstream resolver addresses in the WAN/DNS Server area. Some put the address of a Pi-Hole on the LAN in that area and it does not work.
sfx2000
Part of the Furniture
Use this to see what DNS servers you are using...
dnscheck.tools - check your dns resolvers
A tool to test for DNS leaks, DNSSEC validation, and more
dnscheck.tools
rexbinary
Occasional Visitor
I would recommend DNSCrypt over DoT or DoH. DNSCrypt's FAQ lists reasons they believe their solution is better if you scroll down a bit.
I run it with Quad9 as my resolver and it works great for me. It has built in caching for speed, and has DNSSEC built in as well.
DNSCrypt - FAQ - DNSCrypt vs DoH
DNSCrypt vs DoH - A comparison of options for secure DNS.
dnscrypt.info
I run it with Quad9 as my resolver and it works great for me. It has built in caching for speed, and has DNSSEC built in as well.
Viktor Jaep
Part of the Furniture
How are you running this, @rexbinary? Is it running through some other tool (like unbound?), running your own server instance? AMTM? Or some other way? Perhaps this? https://www.snbforums.com/threads/dnscrypt-proxy-installer-for-asuswrt-merlin-nov.67435/
Last edited:
rexbinary
Occasional Visitor
Secure DNS queries using DNSCrypt
Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng
github.com
There is no GUI for it, but it's relativity easy if you don't mind a little command line.
Viktor Jaep
Part of the Furniture
Got it up and running as we speak... Thanks for mentioning this!
Secure DNS queries using DNSCrypt
Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng
There is no GUI for it, but it's relativity easy if you don't mind a little command line.
Zastoff
Very Senior Member
Would recommend DNSCrypt installer in AMTM, It has some really nice install/configuration options and it has built in checks and works nice with dns-filter.Got it up and running as we speak... Thanks for mentioning this!
GitHub - thuantran/dnscrypt-asuswrt-installer: dnscrypt installer for Asus router with merlin firmware
dnscrypt installer for Asus router with merlin firmware - thuantran/dnscrypt-asuswrt-installer
github.com
Last edited:
Viktor Jaep
Part of the Furniture
Thanks... that's the one I used.Would recommend DNSCrypt installer in AMTM, It has some really nice install/configuration options and it has built in checks and works nice with dns-filter.
GitHub - thuantran/dnscrypt-asuswrt-installer: dnscrypt installer for Asus router with merlin firmware
dnscrypt installer for Asus router with merlin firmware - thuantran/dnscrypt-asuswrt-installer
sfx2000
Part of the Furniture
I don't recommend DNSCrypt over DoH or DoT - since DNSCrypt is it's own protocol, it can be detected and identified, and subsequently blocked, forcing DNS to fallback to unencrypted DNS lookups.
If I had a choice, it would be DNS over TLS, as it's just as secure as any of the others, and unlike DNSCrypt, it has been battle tested and implementations opened up for peer review - being an ITEF request for comments, that's another plus in the DoT (and DoH) columns that DNSCrypt cannot claim (there is no RFC activity for DNSCrypt, not even an internet draft which is at least informative if not binding)
Also note that DNSCrypt, like DoH and DoT, doesn't offer much for privacy as the destination server can still log and process packets as they see fit.
Much like commercial VPN services - folks are being sold a bill of goods that has zero value, and causes more harm than good.
Zastoff
Very Senior Member
Dnscrypt-proxy 2 can not fall back to unencrypted dns and for any dns protocol it comes down to what server providers to trust.. Think it is way easier to block most DoT servers since most use port 853 some of them can be used on port 443..
Dnscrypt-proxy 2 in asuswrt-merlin use the regular dns port 53(can be forced to use tcp on 443 if needed), sure the entire dnscrypt-proxy server list can be blocked but same as any other dns server or protocol used.
I use this:https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS#anonymized-dnscrypt
With dnscrypt ephemeral keys to help prevent fingerprinting devices..
Relays works nice with quad9's dnscrypt servers btw.
I have tried DoT and it works really well and i recommend it also, But prefer the servers/relays (dnscrypt protocol)and options i get in dnscrypt-proxy 2, DoH i avoid..maybe when it fully support https 3, use oblivious DoH together with anonymized-dnscrypt servers sometimes and load balancing set to random.
ITEF is good for companies that want to add these protocols in their software (DoT & DoH), As a user I am not so sure with all information gathering going on. I am not trying to be completely anonymous..just add confusion to the dns swamp for devices on my network.
Last edited:
sfx2000
Part of the Furniture
Do you trust the person that runs the relay not to keep logs?
Like I said, there's no valid reason to run DNSCrypt when DoT is present.
If one is going down the dark web, it's a good way to get attention, and like I mentioned, even with a proxy, DNSCrypt is easily detected and defeated. Same goes with Tor...
ColinTaylor
Part of the Furniture
DoT is a network protocol. Unbound is DNS resolver.
Zastoff
Very Senior Member
The recommendation i did was to use dnscrypt installer in AMTM over the entware guide that was linked..
Also wrote that i do recommend DoT.
The Question on relays logging:
The relay do not have the key for the encrypted packets, it only blindly forwards and my ip is removed for the DNS server.
Guess any network and it's admins can keep logs maybe even store all and try to decrypt later on.
I am still waiting for some actual tests and evidence that one of the dns protocols is better the other..
Add confusion is my current focus, load balancing set to random and randomized multiple relays used.
Still amazed by all the knowledge people sit on without anything to backup their claims.
@sfx2000
How do you get dnscrypt-proxy 2 to use regular dns i wonder?
Last edited:
Similar threads
Similar threads
Similar threads
-
isp block dns over tls and poison any unencrypted dns resolution
- Started by chris13
- Replies: 14
-
-
-
-
Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf
- Started by stilltravelling
- Replies: 1
-
-
-
DNS-rebind attack detected: farm.plista.com. etc...??
- Started by Howard_inGA
- Replies: 3
-
-