DNS-OVER-TLS AND VPN — 3.0.0.4.386.45956


JTnola

Regular Contributor
Now that asuswrt-official [RT-AC86U] supports DNS-over-TLS … well, actually, do we care?

What I mean to say is: If I already use a VPN (PIA)—currently only on individual clients since I’m using the ASUS stock firmware again—whereby DNS lookups are encrypted (by the VPN, to the VPN DNS) … (1) is there any reason to enable DNS-over-TLS on the router? (2) And wouldn’t enabling DNS-over-TLS on the router potentially invite DNS leak issues?
 
Depends on your definition of a DNS leak. If you define a DNS leak as any access of DNS over the WAN, even if encrypted, then yes. But *I* don't consider encrypted DNS over the WAN a DNS leak since the ISP can't see what domains I'm accessing, nor mess w/ my DNS queries. And if the only reason you're using a VPN is for DNS protection, you could save yourself some money and eliminate the VPN in favor of DoT.
 
Depends on your definition of a DNS leak. If you define a DNS leak as any access of DNS over the WAN, even if encrypted, then yes. But *I* don't consider encrypted DNS over the WAN a DNS leak since the ISP can't see what domains I'm accessing, nor mess w/ my DNS queries. And if the only reason you're using a VPN is for DNS protection, you could save yourself some money and eliminate the VPN in favor of DoT.
All I wanna know: is there any reason that I’d want to enable DoT on the router if I already use a (PIA) VPN on my clients (…and that VPN provides DNS as part of its service)?

THANKS
 
But *I* don't consider encrypted DNS over the WAN a DNS leak since the ISP can't see what domains I'm accessing

They don't need to see your DNS queries. They see what IPs you are connecting to. Your browsing history can be reversed easily. I had a project in this direction and found what we came up with is a fraction of what ISPs can do. It's not even a resource-hungry process. DoT/DoH is good MITM prevention, but unrelated to what ISPs can see or log. In some countries ISPs are required to keep browsing history and they do.

I already use a VPN (PIA)

PIA is a company registered in the USA, one of the Five Eyes countries. You can rely on best-effort protection only. You can enable whatever you want, but if you commit something considered a crime online in the USA, a court order is usually enough. If you encrypt your DNS queries only, no matter how, your ISP has your browsing history. If your entire traffic goes through PIA, they have your browsing history. Read the first sentence again.
 
All I wanna know: is there any reason that I’d want to enable DoT on the router if I already use a (PIA) VPN on my clients (…and that VPN provides DNS as part of its service)?

THANKS
No. But VPN providers do not always use filtered DNS. So you may be at greater risk of malware and phishing.
 
PIA is a company registered in the USA, one of the Five Eyes countries. You can rely on best-effort protection only. You can enable whatever you want, but if you commit something considered a crime online in the USA, a court order is usually enough. If you encrypt your DNS queries only, no matter how, your ISP has your browsing history. If your entire traffic goes through PIA, they have your browsing history. Read the first sentence again.

No tin foil hat here. And am under no illusion about privacy — nor do I care about “my privacy.” I let alllll hang out. If you can’t own your actions, then you shouldn’t be doin’ ‘em.

My question is purely about BEST PRACTICES for settings on my router, with an eye on maintaining a secure network and protecting devices attached to it. This may include privacy in terms of—my passwords are private, various users’ medical records are private, etc. But that’s all.

*note — I removed my own snarky commentary that i originally had used in ending this reply*
 
My question is purely about BEST PRACTICES for settings on my router, with an eye on maintaining a secure network and protecting devices attached to it. This may include privacy in terms of—my passwords are private, various users’ medical records are private, etc. But that’s all.

Your VPN is unrelated. Many folks use DoT to trusted public DNS services to prevent eventual MITM attacks or ISP-redirected lookups, if that's an issue. There are many to choose from, with or without filtering. Cloudflare, Quad9, CleanBrowsing, AdGuard, OpenDNS (no DoT for now) are popular choices. Not sure if on-router VPN bypasses the router's AiProtection. On-device VPN goes straight through. You may have less protection when using a VPN.
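To make concrete what "DoT to a trusted public DNS service" actually does on the wire, here is an added example (not code from the thread or from ASUS firmware) of a minimal DNS-over-TLS client in Python: it builds a plain DNS query, frames it with the two-byte length prefix that DNS-over-TCP and DoT share, and sends it inside a TLS session whose certificate and hostname are verified, which is the part that stops an on-path ISP or MITM from answering in the resolver's place. The resolver IP and hostname are assumptions (Cloudflare's public resolver); the response bytes used for the offline parse are constructed.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: a DNS query wrapped in TLS on port 853.
Added example, not from the forum thread. Resolver address and hostname are
assumptions (Cloudflare's public resolver); SAMPLE_RESPONSE below is constructed."""
import socket
import ssl
import struct

# Assumed defaults: a public DoT resolver and the hostname its certificate carries.
DOT_RESOLVER_IP = "1.1.1.1"
DOT_RESOLVER_NAME = "cloudflare-dns.com"
DOT_PORT = 853


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a standard recursive A query. Header: id, flags (RD=1), qd=1, an/ns/ar=0."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def frame_tcp(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length precedes the message."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes, expected_id: int):
    """Return the IPv4 addresses in the answer section; raise if the ID does not match."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch (misrouted or forged reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_dot(name: str, qid: int = 0x1234) -> list:
    """Send the query over a verified TLS session and return the A records (needs network)."""
    ctx = ssl.create_default_context()          # verifies the chain and the hostname
    with socket.create_connection((DOT_RESOLVER_IP, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_RESOLVER_NAME) as tls:
            tls.sendall(frame_tcp(build_query(name, qid)))
            (length,) = struct.unpack("!H", tls.recv(2))
            msg = b""
            while len(msg) < length:
                chunk = tls.recv(length - len(msg))
                if not chunk:
                    raise ConnectionError("resolver closed the connection early")
                msg += chunk
    return parse_a_records(msg, qid)


# Constructed reply to build_query("example.com", 0x1234): one A record, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print("offline parse:", parse_a_records(SAMPLE_RESPONSE, 0x1234))
    try:
        print("live DoT lookup:", query_dot("example.com"))
    except OSError as exc:            # no network, or TLS verification failed
        print("live lookup skipped:", exc)
```

The security-relevant line is `ssl.create_default_context()` together with `server_hostname=`: without certificate and hostname verification, DoT only hides the query from a passive observer and gives no protection against a redirected or substituted resolver, which is exactly the MITM case the reply above is talking about. The transaction-ID check in `parse_a_records` is the same sanity check a plain UDP stub resolver does; over an authenticated TLS session it mostly catches misrouted replies.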
 
Your VPN is unrelated. Many folks use DoT to trusted public DNS services to prevent eventual MITM attacks or ISP-redirected lookups, if that's an issue. There are many to choose from, with or without filtering. Cloudflare, Quad9, CleanBrowsing, AdGuard, OpenDNS (no DoT for now) are popular choices. Not sure if on-router VPN bypasses the router's AiProtection. On-device VPN goes straight through. You may have less protection when using a VPN.
Thank you!!
That was legit VERY HELPFUL and much appreciated!! Thank you!!
 
