Why DNS over TLS is so important, and if you are not using it you should be


I found an interesting statement:
01/27/22, 10:13 AM, Cloudflare reports that the domain cloudflare-dns.com is only used for certificate validation. Only the domains 1dot1dot1dot1.cloudflare-dns.com and one.one.one.one are intended for resolution via DNS-over-TLS.
Source: https://www.heise.de/news/DNS-Diens...tzboxen-reagieren-mit-Schluckauf-6332992.html

But when you choose a server preset, the default TLS-Hostname is cloudflare-dns.com instead of 1dot1dot1dot1.cloudflare-dns.com or one.one.one.one.
How can we correct this false default? I guess this is hardcoded in the Asus-firmware?

The firmware is correct, there is nothing to correct. The TLS-Hostname field is for certificate validation.
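As an added example (not from the thread, and not Asus or Cloudflare code): a minimal DNS-over-TLS client in Python that connects to the resolver by IP address and hands the TLS hostname only to certificate verification, the same split the router's TLS-Hostname field makes. The resolver IP and hostname defaults are assumptions, and the response parser handles only A records.

```python
import socket
import ssl
import struct
# Added example, not from the thread: a minimal DNS-over-TLS client (RFC 7858).
# The resolver is reached by IP on TCP/853; tls_hostname is only the name the
# server certificate must match, which is what the router's TLS-Hostname field does.
def build_query(name, qid=0x1234, qtype=1):
    """Minimal recursive DNS query in RFC 1035 wire format (A record by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, IN

def frame(msg):
    """DoT/TCP framing: two-byte big-endian length prefix before the DNS message."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf, off):
    """Advance past a possibly compressed domain name (a pointer is two bytes)."""
    while buf[off] != 0:
        if (buf[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def dot_query(name, server_ip="1.1.1.1", tls_hostname="cloudflare-dns.com"):
    """Resolve name over DoT; the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=tls_hostname) as tls:
            tls.sendall(frame(build_query(name)))
            reader = tls.makefile("rb")  # read() blocks until the full length arrives
            length = struct.unpack("!H", reader.read(2))[0]
            resp = reader.read(length)
    return parse_a_records(resp)
```

If the certificate presented on port 853 does not match tls_hostname, wrap_socket raises an SSLCertVerificationError, which is exactly the failure a strict DoT profile is meant to produce.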
 
For what reason? This is from the Unbound thread:

It seems that having unbound configured with DoT negates the value of using unbound.
And there is this, take it for what it's worth, from a mod over on the Pi-Hole.net discourse site in response to someone asking about a How-To for Pi-Hole, Unbound and DoT / DOH.
unbound (or any other DNS server) won't be able to run as recursive DNS server using DNS over TLS as long as all authoritative DNS servers do not support DoT. Currently, not even the root servers do.

You can either encrypt DNS or run a recursive resolver.

Consider unbound if privacy is of concern for you:
DNS queries are resolved recursively starting with the root servers, so no single DNS server will ever have your full DNS history.

DoT or DoH would secure just your connections to your DNS provider.
While preventing your DNS traffic from third-party eaves-dropping, it does little in terms of privacy: Your chosen DNS provider still has your full DNS history.
 
Has anyone tried DNS over QUIC?
Any benefits?
 
Sophisticated router attacks - possibly stopped by DoT? I hope.

Arstechnica Article
As reported in other threads on SNB, this only affects MIPS routers, so by definition none of the currently supported AsusWRT-Merlin routers. If you are still using an older MIPS based Asus router as your primary, internet facing router, it's probably time to move on to something newer for many reasons.
 
none of the currently supported AsusWRT-Merlin routers

RT-N16, RT-N66U, RT-AC66U - still supported by John's Asuswrt-Merlin fork. I don't know if they are at risk. Some people still use them.
 
I have a simple setup and I recently did a firmware upgrade from 386.5 to 386.7 and then back because of wifi disconnects.
After a bunch of changes I did a reset and reconfig. And thought all was well but then turned on DNS over TLS strict and added the primary and secondary cloudflare ip addr. as well as the 2 google addr.

Then I couldn't get internet access. It said the clients were connected but on the client side it said connected with no internet access.
Does IPV6 need to be enabled for this to work? I did disable that as I've been reading it can be a source of privacy leak when using a VPN.

I don't have a VPN service but have been thinking about it and playing around with TOR as I dabble in crypto trading. The Client routed through TOR was able to reach the internet.
I know I'm all over the place but really is DoT dependent on anything else like IPV6? Like I said I don't have an elaborate setup. Mostly default. AiProtection, DDNS, Instant Guard, Tor on 1 MAC address. No UPnP, no port forwards or triggers, assign specific IP to Xbox, DHCP pool of 30 IPs reserved for LAN.
 
Okay I think I screwed up and I only added IPV6 DNS servers to my DoT list instead of IPV4. Then I turned off IPV6 support because of security concerns.
 