
DNS Filter (DNS over TLS, port 853)


Intrepid2007

Regular Contributor
Hello,

When DNSFilter is enabled in Merlin, will only DNS requests over port 53 be re-directed if necessary?

What about port 853 (DNS over TLS)?

I am reading this post in Discord, it's coming from a channel of a VPN provider:

[screenshot of the Discord post]


The poster in this article states that both 'normal' DNS requests (53) and 'DNS over TLS' requests (853) should be re-directed to a predefined DNS server for this particular use-case (Netflix). In this case it's the DNS server of the VPN provider.

I am not sure if this could work.

I know you can connect to the Asus router with a terminal program, but I am not sure which parameters I need to specify for the 'iptables' command for a specific VPN client. I am curious to test it; does anyone know how to specify the 'iptables' command for port 853?
 
I don’t see how you can redirect a TLS connection and expect the certificate handshake to succeed.

But to answer your question about DNSFilter, it will block DoT over port 853 unless the chosen filter mode is known to support DoT.
 
> I don’t see how you can redirect a TLS connection and expect the certificate handshake to succeed.
>
> But to answer your question about DNSFilter, it will block DoT over port 853 unless the chosen filter mode is known to support DoT.
So if you enable DNSfilter and choose Quad9, those queries will still be dns-over-tls? [Right now I have DNSfilter disabled as I mistakenly(?) believed that DNSfilter didn’t allow for dns-over-tls…] #DNSoverMyHead
 
> So if you enable DNSfilter and choose Quad9, those queries will still be dns-over-tls? [Right now I have DNSfilter disabled as I mistakenly(?) believed that DNSfilter didn’t allow for dns-over-tls…] #DNSoverMyHead

DNS Filter redirects your DNS requests from devices on your LAN to particular exit points, so to speak. So if you have DNS Filter on and set Global Filtering Mode to Router, it forces all DNS requests to go to your host, then if DoT is enabled then your router will make the actual request to the server specified on your DoT settings.

If you point a particular device to Quad9 under DNS Filter, then that device will use Quad9 over regular plaintext, bypassing your DoT settings altogether.
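The two replies above describe the effect of DNS Filter in words: port-53 queries are DNATed either to the router (which then speaks DoT upstream) or straight to the chosen plaintext resolver, and port 853 is rejected unless the filter mode allows it. The script below is an added example, not code from the thread or from Asuswrt-Merlin, that audits those rules from an `iptables-save` dump so you can check what a given client actually gets. The chain names `DNSFILTER` (nat) and `DNSFILTER_DOT` (filter), the MAC-based matching, and the sample dump are all assumptions constructed for the example; on a real router compare them against your own `iptables-save` output before trusting the result.

```shell
#!/bin/sh
# Audit DNS Filter behaviour for one LAN client from an iptables-save dump.
# Both functions read the dump on stdin and take a client MAC as $1.

# dns53_target MAC: print where the client's plain-DNS (port 53) queries are DNATed.
# Per-MAC DNAT rules win; otherwise the chain's catch-all DNAT applies.
dns53_target() {
  awk -v mac="$1" '
    $1 == "-A" && $2 == "DNSFILTER" {
      has_mac = 0; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--mac-source")     { has_mac = 1; m = $(i + 1) }
        if ($i == "--to-destination") { dst = $(i + 1) }
      }
      if (has_mac && toupper(m) == toupper(mac)) { print dst; found = 1; exit }
      if (!has_mac) { deflt = dst }            # catch-all rule for everyone else
    }
    END { if (!found) print (deflt == "" ? "none" : deflt) }'
}

# dot853_policy MAC: print "blocked" if the client's DoT (tcp/853) is rejected,
# "allowed" if a per-MAC RETURN exempts it or no catch-all REJECT exists.
dot853_policy() {
  awk -v mac="$1" '
    $1 == "-A" && $2 == "DNSFILTER_DOT" {
      has_mac = 0; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--mac-source") { has_mac = 1; m = $(i + 1) }
        if ($i == "-j")           { target = $(i + 1) }
      }
      if (has_mac && toupper(m) == toupper(mac)) {
        print (target == "REJECT" ? "blocked" : "allowed"); found = 1; exit
      }
      if (!has_mac) { deflt = target }
    }
    END { if (!found) print (deflt == "REJECT" ? "blocked" : "allowed") }'
}

# Constructed sample dump (assumed shape, not copied from a router):
#  - client ...:01 is pinned to Quad9 (9.9.9.9) in plaintext, DoT blocked
#  - client ...:02 is exempted from the DoT block
#  - everyone else is sent to the router (192.168.1.1), DoT blocked
SAMPLE='*nat
:DNSFILTER - [0:0]
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source AA:BB:CC:00:00:01 -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j DNAT --to-destination 192.168.1.1
COMMIT
*filter
:DNSFILTER_DOT - [0:0]
-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A DNSFILTER_DOT -m mac --mac-source AA:BB:CC:00:00:02 -j RETURN
-A DNSFILTER_DOT -j REJECT --reject-with tcp-reset
COMMIT'

for client in AA:BB:CC:00:00:01 AA:BB:CC:00:00:02 AA:BB:CC:00:00:99; do
  echo "$client: port 53 -> $(printf '%s\n' "$SAMPLE" | dns53_target "$client"), \
port 853 $(printf '%s\n' "$SAMPLE" | dot853_policy "$client")"
done
```

On the router itself you would feed live rules instead of the sample, e.g. `iptables-save | dns53_target aa:bb:cc:00:00:01`. Note what the output makes visible: a client pinned to Quad9 under DNS Filter gets a DNAT to 9.9.9.9 on port 53, i.e. plaintext, while the router's own DoT settings only matter for clients whose port-53 traffic is sent to 192.168.1.1.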
 
> I don’t see how you can redirect a TLS connection and expect the certificate handshake to succeed.
>
> But to answer your question about DNSFilter, it will block DoT over port 853 unless the chosen filter mode is known to support DoT.
Noted for future
 
