
Bell home internet users with Asus routers - does DoT work for you?

They just have to block a known list of IPs

The way I do it on business networks. DoH servers are known and don't change often. I also block QUIC.
 
That won't last. Blocking DoH is just as trivial as blocking DoT. It's been on my ToDo list for over a year now (as part of DNS Director's blocking of outside DNS servers), and got sidelined by the large amount of work involved in the 3006 merge. An ISP who wants to block DoT can just as easily also block DoH.

As for adding DoH support, as I said, stubby/getdns does NOT support it, and their development seems to be dead at this point, so it's not going to happen anytime soon. The one alternative I found had a ton of external dependencies making it too much work and wasted flash space for it to be worth my time.

First off - in case folks missed my earlier comment - I'm not in favor of DoH...

Get the HTTPS DNS Proxy - code exists here...


This uses DNSMasq, not unbound/stubby that is needed for DoT

Then the firewall rule for DNS intercept and redirect all DNS traffic back to the router/gateway...

To your point, this adds another layer of complexity around the DNS resolver implementation on AsusWRT, so there are bounds...
 
There's also the Browser issue - Chrome uses DoH by default, and it leverages their cloud - so to blackhole that, one would have to block their entire IP range...

Or use a policy on the browser itself...

To disable DoH on Chrome:

  1. Open the Google Chrome browser.
  2. Go to the Security settings. Complete these steps:
     1. In the address bar, enter chrome://settings/security/.
     2. In the Advanced section, disable Use Secure DNS.
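The interception and blocking described in the posts above (redirect port 53 from the LAN to the router's own resolver, keep LAN clients off DoT port 853, drop QUIC, and block a list of known DoH endpoints on 443), as an added shell example that is not from the thread, from Asuswrt-Merlin or from DNS Director. The LAN interface name, the router address and the DoH address list are assumptions; the address list is a constructed sample that you would replace with a maintained one. With `APPLY` unset the script only prints the iptables/ipset commands it would run, which is also what the checks below inspect.

```shell
#!/bin/sh
# Added example (not from the thread, Asuswrt-Merlin or DNS Director):
# force LAN clients through the router's resolver and block the usual
# bypass routes. Assumed names:
#   LAN_IF    - the router's LAN bridge interface
#   ROUTER_IP - the LAN address of the router's resolver
#   DOH_LIST  - constructed sample of DoH resolver addresses
# APPLY=1 executes the commands; otherwise they are printed (dry run).

LAN_IF="${LAN_IF:-br0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
APPLY="${APPLY:-0}"

# Constructed sample of well-known public DoH endpoints. These addresses
# also answer plain DNS and DoT, so the block is on TCP/443 only.
DOH_LIST="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"

# Execute the command when APPLY=1, otherwise print it on one line.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

gen_rules() {
    # 1. Intercept plain DNS from the LAN and hand it to the router's own
    #    resolver, which then forwards upstream (e.g. over DoT on 853).
    for proto in udp tcp; do
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -d "$ROUTER_IP" -j DNAT --to-destination "$ROUTER_IP"
    done

    # 2. Only the router itself talks DoT upstream. FORWARD rules do not
    #    touch the router's own OUTPUT traffic, so its 853 upstream still works.
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 853 -j REJECT
    run iptables -A FORWARD -i "$LAN_IF" -p udp --dport 853 -j REJECT

    # 3. QUIC (HTTP/3) rides on UDP/443; rejecting it makes browsers fall
    #    back to TCP, where the DoH address block below can see them.
    run iptables -A FORWARD -i "$LAN_IF" -p udp --dport 443 -j REJECT

    # 4. Block known DoH resolvers on TCP/443 through an ipset, so the list
    #    can be refreshed later without touching the iptables rules.
    run ipset -exist create doh_block hash:ip
    for ip in $DOH_LIST; do
        run ipset -exist add doh_block "$ip"
    done
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 443 \
        -m set --match-set doh_block dst -j REJECT
}

# Count generated rule lines matching a pattern (used to sanity-check the
# ruleset in dry-run mode before applying it on the router).
count_rules() {
    gen_rules | grep -c -- "$1"
}

gen_rules
```

Run it as root on the router with `APPLY=1` once the printed ruleset looks right. The caveats are the ones the thread is circling: the address list is the weak part, since the same addresses front ordinary web traffic and resolver operators add new ones; rejecting UDP/443 disables HTTP/3 for every site, not just DoH; and a client that pins a DoH resolver the list misses still gets through, which is why a browser policy on the client is the more reliable lever.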
 
Get the HTTPS DNS Proxy - code exists here...
That's the alternative I mentioned. Has multiple dependencies. Needs c-ares, libev, nghttp2 (and I stopped looking at that point, so these might also have dependencies of their own).
 
UPDATE on this.

Tried again, and now, DoT configured on my in-laws’ router (Bell ISP) works fine. So, Bell can’t be blocking port 853. Perhaps they were at one point because this wasn’t working at all when I first tried a few months ago.

However, when using a DoT config profile on my iPhone, nothing works while connected to their home network (with or without DoT enabled on their router). Using a DoH profile is fine as I mentioned before. When my phone is connected to my home network (Rogers ISP) or my cellular network (also Rogers), the DoT profile works fine.

So it must be some incompatibility between the DoT profile (not DoT itself) and Bell. Very strange. Not sure how to troubleshoot further.
 
