DNS Filtering parameters w/ DoT?

JT Strickland

Very Senior Member
RT-AC86U 384.16, RT-AC68U Aimesh node w/ 384.16, Diversion, UiDivstats, Skynet, AiProtection, Scribe, UiScribe, Conmon, SpdMerlin, scMerlin, Nsrum, OpenVPN.

Can someone verify if I have this set correctly? I tried following a cookbook recipe, but may have been reading the wrong page. I've had DoT enabled for a while, but enabled DNS filtering yesterday, and now I have a different message on that router GUI page. Should the DNS filtering switch even be on? Thanks in advance.

[Two screenshots were attached to the original post (2020-04-16): the RT-AC86U "DNS-based Filtering" page and the "Internet Connection" page.]
 
If you want Unbound (recursive) to be installed, then you need to toggle DNS Filter on and set it to Router; otherwise, if there is no Unbound, there is no need for DNS Filter.
Second, your primary DNS is wrong; check the Quad9 public DNS server IPs and you're good to go for DoT. Stubby is part of Merlin by default, so nothing to worry about.
 
It looks right if you want to force all DNS traffic to be encrypted to Quad9. Since you have chosen Quad9 EDNS-enabled 9.9.9.11 for WAN DNS, why not use the same for DoT? Instead of choosing Quad9 from the dropdown, add the IPs and dns.quad9.net manually in the DoT Server List.
 
Sounds good to me. I was just trying to follow instructions, hence the EDNS servers. Should I use the same ones for the DoT servers also, or the plain-Jane 9.9.9.9? Should I be forcing all DNS traffic through the Quad9 EDNS servers? I am green here, just playing follow the leader, and that's sometimes difficult to determine. I love this stuff, though; it is interesting. I'll follow your lead.
edit: It's done. I'm kinda dense but sometimes I figure it out. Thanks for the help, guys.
 
Thanks, I've been itching to try unbound, but I have resisted so far because I don't know enough about it. I understand the base concept of DNS, but there is a lot more there than that, and I've got a whole lot to learn about it.
 
Just to be clear, DNSFilter is not a feature exclusive to Unbound; it is for forcing clients to strictly use a specific DNS. In your case, you set it to globally force clients to use DoT. If Unbound is installed and pointed at the router, you would be telling all clients to use Unbound.
 
Are there any adverse effects to forcing all clients to use DoT with Quad9? I may not need to have DNSFilter turned on. I was trying to follow proper procedure.
Thanks,
jts
 
Quad9 (9.9.9.9) filters "malicious domains" by default. But their criteria are unclear and result in a lot of false-positive blockings. I used Quad9 for just a few days and decided to switch to Unbound. The alternatives to Quad9 are Cloudflare (1.1.1.1) and Google (8.8.8.8). Both do not filter, but Cloudflare has had some performance problems during the last 10 days, while Google is the well-known "Big Brother" :)
 
Despite how I worded my earlier reply, you are not really forcing all clients to use DoT with Quad9. You are forcing all clients to use the router for DNS, and the router happens to be using DoT with Quad9 at this time. If you don't want users on your LAN to have a choice in DNS, then DNSFilter is the best solution (although browser-based DoH can circumvent DNSFilter). If you want to merely suggest LAN clients benefit from DoT with Quad9, you can disable DNSFilter, and DoT with Quad9 will be the default for every client that doesn't want to override their DNS settings locally.
 
I think that may be the best then. I have my firestick, android box, and wife's fire tv going through OpenVPN at the router level, and it might cause conflicts with that.
In light of that I will turn DNSFilter back off. I may switch to Unbound in the near future also. I don't know who to trust anymore with my little bit of internet. Google is out for sure. Doesn't sound like any of them are winning any awards at the DNS level. Thanks again, jts
 
I would like to have DoT applied both to the servers on the WAN page as well as to the servers specified in the DNSFilter page for specific devices, but my impression is that DoT is not used for device-specific DNS server settings on the DNSFilter page. Is this correct, and if yes, doesn't this seem like an either-or situation in the context of having secure DNS or attempting to control content that my kids see?
 
Anyone have any knowledge on whether the DoT setup is applied to per-device DNS servers setup in the DNSFilter settings?
 
It is not. DoT is only used by the router. If the chosen DNSFilter service also supports DoT, the firewall allows DoT requests from the client to be sent to the DoT-equivalent destination, but would require a DoT client on the client device.
 
Not exactly true.
With DNSFilter set to Router, any DNS queries from clients on port 53 (the standard DNS port) will be "captured" by the router and sent to dnsmasq to resolve. If DoT is enabled on the router, dnsmasq will route the queries to Stubby and thus encrypted to the upstream resolver. Clients set to anything other than No Filtering in DNSFilter will bypass the router DNS resolver (dnsmasq).
If clients use onboard DoH (port 443) or DoT (port 853), the DNS queries will flow through the router without being filtered. This is one area of concern for browsing security in a family or corporate environment. It is almost impossible to enforce family or malware filtering when users use DoH or onboard DoT. IMHO there should be IP-based filtering available for home routers, but it would likely be too much for most router processors to cope with.
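The point in the post above (only port 53 is captured; DoT on 853 and DoH on 443 sail through untouched) is something you can verify on the router itself rather than take on faith, because the connection tracking table records both the original destination and the NAT-rewritten reply tuple. The script below is an added example, not code from the post or from Asuswrt-Merlin: it reads conntrack-style records, tells apart queries that went to the router, queries DNAT'd back to it, queries that reached an outside resolver unfiltered, DoT sessions, and HTTPS sessions to resolvers known for DoH. The router LAN address (192.168.1.1), the DoH resolver IP list and the sample flow lines are all constructed assumptions for illustration.

```python
"""Spot LAN clients whose DNS resolution slips past a port-53 redirect.

DNSFilter captures only classic DNS on UDP/TCP 53.  DoT (TCP 853) and DoH
(TCP 443) are not touched, so the only way to know they are in use is to
look at the flows themselves.  When a port-53 flow has been DNAT'd, the
reply tuple conntrack records has the router as its source; when it has
not, the reply comes from the outside resolver.  Everything below is a
constructed sample, not real logs.
"""
import re
from collections import defaultdict

ROUTER_LAN_IP = "192.168.1.1"   # assumed LAN address of the router

# Assumed, illustrative set of public resolvers that also speak DoH on 443.
DOH_RESOLVER_IPS = {
    "9.9.9.9", "9.9.9.11", "149.112.112.112",
    "1.1.1.1", "1.0.0.1", "1.1.1.2", "1.0.0.2",
    "8.8.8.8", "8.8.4.4",
}

# Constructed `conntrack -L`-style records: original tuple, then reply tuple.
SAMPLE_FLOWS = """\
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=40123 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=40123 mark=0 use=1
udp      17 29 src=192.168.1.21 dst=8.8.8.8 sport=40124 dport=53 src=192.168.1.1 dst=192.168.1.21 sport=53 dport=40124 mark=0 use=1
udp      17 29 src=192.168.1.24 dst=8.8.8.8 sport=40125 dport=53 src=8.8.8.8 dst=203.0.113.7 sport=53 dport=40125 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.22 dst=9.9.9.9 sport=51234 dport=853 src=9.9.9.9 dst=203.0.113.7 sport=853 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.23 dst=1.1.1.1 sport=51235 dport=443 src=1.1.1.1 dst=203.0.113.7 sport=443 dport=51235 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.23 dst=198.51.100.10 sport=51236 dport=443 src=198.51.100.10 dst=203.0.113.7 sport=443 dport=51236 [ASSURED] mark=0 use=1
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_flow(line):
    """Return (proto, orig, reply); each tuple is (src, dst, sport, dport)."""
    proto = line.split()[0]
    tuples = FLOW_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError(f"unexpected conntrack record: {line!r}")
    orig = (tuples[0][0], tuples[0][1], int(tuples[0][2]), int(tuples[0][3]))
    reply = (tuples[1][0], tuples[1][1], int(tuples[1][2]), int(tuples[1][3]))
    return proto, orig, reply


def classify_flow(line, router_ip=ROUTER_LAN_IP):
    """Say how one flow relates to the router's DNS handling."""
    proto, (_src, dst, _sport, dport), (reply_src, _, _, _) = parse_flow(line)
    if dport == 53 and proto in ("udp", "tcp"):
        if dst == router_ip:
            return "router_dns"       # client already points at the router
        if reply_src == router_ip:
            return "captured"         # DNAT pulled it back to dnsmasq
        return "unfiltered_dns"       # reached an outside resolver untouched
    if proto == "tcp" and dport == 853:
        return "dot_bypass"           # DoT: cannot be redirected, filter is blind
    if proto == "tcp" and dport == 443 and dst in DOH_RESOLVER_IPS:
        return "doh_suspect"          # HTTPS to a resolver known to serve DoH
    return "other"


def find_bypassing_clients(conntrack_text, router_ip=ROUTER_LAN_IP):
    """Map each LAN client to the set of ways its DNS evades the router."""
    evasions = defaultdict(set)
    for line in conntrack_text.splitlines():
        if not line.strip():
            continue
        verdict = classify_flow(line, router_ip)
        if verdict in ("dot_bypass", "doh_suspect", "unfiltered_dns"):
            evasions[parse_flow(line)[1][0]].add(verdict)
    return dict(evasions)


if __name__ == "__main__":
    for client, how in sorted(find_bypassing_clients(SAMPLE_FLOWS).items()):
        print(f"{client}: {', '.join(sorted(how))}")
```

On a live router you would feed it the output of `conntrack -L` (or `cat /proc/net/nf_conntrack`, whose field layout differs slightly) instead of the sample. The "doh_suspect" verdict is only a heuristic: port 443 to a resolver's address is very likely DoH, but the same address may also serve ordinary web pages, and DoH to an unknown endpoint is invisible here, which is exactly the enforcement gap the post describes.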
 
I would like to have DoT applied both to the servers on the WAN page as well as to the servers specified in the DNSFilter page for specific devices, but my impression is that DoT is not used for device-specific DNS server settings on the DNSFilter page. Is this correct, and if yes, doesn't this seem like an either-or-situation in the the context of having secure DNS or attempting to control content that my kids see?
One way to accomplish filtering for your kids while leaving other devices on your LAN to use the router settings is to set up Pi-Hole. A Raspberry Pi 3B+ is relatively inexpensive and can run Pi-Hole combined with Stubby to get what you want. I use Cloudflare 1.1.1.2 & 1.0.0.2 on Stubby to do malware filtering but you could use any resolver to do family filtering. Then in Asus, LAN/DHCP Server/Manually Assigned IP around the DHCP list assign the kids devices an IP address and a DNS server which would be the Pi-Hole. Then assign the Pi-Hole to the kids devices in DNSFilter just in case they figure out how to change their DNS Server, which they will figure out! I have plenty of stories about kids and other people at our church surfing to inappropriate sites. Even had a pastor who was fixing up a Mercury Cougar and went surfing for "cougar" and got blocked by our filtering firewall (there is another meaning for cougar and it is not a large feline).
 
Thanks. Kind of a bummer that when DoT is enabled, it is not used for all aspects of DNS handling by the router. Bit of a Catch-22. I'll consider the Pi-Hole option, but I'm curious if there is any impediment besides coding effort to get the router to use DoT for DNSFilter-based DNS server assignments.
 
Sorry to resurrect this, but I too am curious about whether there might be a case for developing an option for DNS Filter such that DoT can be selected for Global Filtering Mode and/or specific client filters?
For those who do not use a VPN, this at least would offer filtering without losing the capability to encrypt all DNS notwithstanding the various DNS permutations.
For those who do use a VPN, the benefit is perhaps less clear since if like me you have everything at the router go through the VPN using: 'Force internet traffic through tunnel: Yes', then all DNS queries are presumably already encrypted anyway.
 
Sorry to resurrect this, but I too am curious about whether there might be a case for developing an option for DNS Filter such that DoT can be selected for Global Filtering Mode and/or specific client filters?
That's not possible. DNSFilter works by hijacking a DNS connection and redirecting it to a different server. DoT is specifically designed to avoid that kind of hijacking, by using TLS. Redirecting DNS queries from a regular DNS to a TLS-based server would fail to connect.
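The reply above gives the reason in one sentence; the following added example (mine, not code from the post or from Asuswrt-Merlin or Stubby) shows the mechanism that makes a redirect fail. A strict-profile DoT client is configured with the name it expects in the server certificate, so if the firewall rewrote the destination of TCP 853 to a different resolver, the certificate that resolver presents would not carry the expected name and the handshake would be aborted before any query is sent. The certificate SAN lists below are constructed stand-ins for illustration, not copied from the real Quad9 or Cloudflare certificates.

```python
"""Why a DNAT cannot silently swap one DoT server for another.

A strict-profile DoT client (RFC 8310) knows which name must appear in the
server certificate (Stubby's tls_auth_name).  After a port-853 DNAT it
still checks that name against whatever certificate the rewritten
destination presents, so a mismatch ends the session.  The SAN lists are
constructed for illustration; only the names matter, not real keys.
"""


class DotHandshakeError(Exception):
    """Raised when the presented certificate does not name the expected server."""


def dnsname_match(pattern, hostname):
    """Match a certificate dNSName (possibly wildcarded) against a hostname.

    Rules follow RFC 6125 section 6.4.3: comparison is case-insensitive,
    a wildcard is honoured only as the entire left-most label, it matches
    exactly one label, and (a conservative choice in this example) at least
    two labels must follow it so that '*.net' never matches anything.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(p_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # partial wildcards such as d*s.example are rejected
    return p_labels == h_labels


def verify_dot_server(expected_name, presented_sans):
    """The authentication step a strict-profile DoT client performs."""
    if not any(dnsname_match(san, expected_name) for san in presented_sans):
        raise DotHandshakeError(
            f"certificate names {presented_sans} do not include {expected_name}")
    return True


# Constructed SAN lists keyed by resolver IP (illustrative, not real certs).
RESOLVER_CERT_SANS = {
    "9.9.9.9": ["dns.quad9.net", "*.dns.quad9.net"],
    "1.1.1.1": ["cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"],
}


def dot_after_redirect(expected_name, actual_server_ip):
    """Outcome of a DoT handshake once the firewall has DNAT'd TCP 853.

    The client was configured for expected_name; the packets actually land
    on actual_server_ip, which offers its own certificate.
    """
    try:
        verify_dot_server(expected_name, RESOLVER_CERT_SANS[actual_server_ip])
        return "handshake_ok"
    except DotHandshakeError:
        return "handshake_failed"


if __name__ == "__main__":
    # Stubby configured for dns.quad9.net, traffic really reaching Quad9: fine.
    print(dot_after_redirect("dns.quad9.net", "9.9.9.9"))
    # Same client, port 853 quietly DNAT'd to Cloudflare: the client aborts.
    print(dot_after_redirect("dns.quad9.net", "1.1.1.1"))
```

The same check is what protects the router's own Stubby session from an upstream on-path redirect, which is the whole point of DoT. Note the caveat: only the strict profile behaves this way; a client running the opportunistic profile of RFC 8310 would accept any certificate and so would happily follow the DNAT, but it would also get no protection from anyone else doing the redirecting.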
 
Thanks. Kind of a bummer that when DoT is enabled, it is not used for all aspects of DNS handling by the router. Bit of a Catch-22. I'll consider the Pi-Hole option, but I'm curious if there is any impediment besides coding effort to get the router to use DoT for DNSFilter-based DNS server assignments.
DNS Filter will work as global, but you have to have DoT set up on your router and the global mode set to Router in DNS Filter. This only works for one DoT instance. All devices will get forced to use your router address as the global solution, so LAN DHCP must point to your router.
 
