DNS-OVER-TLS AND VPN — 3.0.0.4.386.45956

JTnola

New Around Here
Now that asuswrt-official [RT-AC86U] supports DNS-over-TLS …. well, actually, do we care?

What I mean to say is: If I already use a VPN (PIA)—currently only on individual clients since I’m using the ASUS stock firmware again—whereby DNS lookups are encrypted, (by the VPN—to the VPN DNS), … (1) is there any reason to enable DNS-over-TLS on the router? (2) And wouldn’t enabling DNS-over-TLS on the router potentially invite DNS leak issues?
 

eibgrad

Part of the Furniture
Depends on your definition of a DNS leak. If you define a DNS leak as any access of DNS over the WAN, even if encrypted, then yes. But *I* don't consider encrypted DNS over the WAN a DNS leak since the ISP can't see what domains I'm accessing, nor mess w/ my DNS queries. And if the only reason you're using a VPN is for DNS protection, you could save yourself some money and eliminate the VPN in favor of DoT.
 

JTnola

New Around Here
Depends on your definition of a DNS leak. If you define a DNS leak as any access of DNS over the WAN, even if encrypted, then yes. But *I* don't consider encrypted DNS over the WAN a DNS leak since the ISP can't see what domains I'm accessing, nor mess w/ my DNS queries. And if the only reason you're using a VPN is for DNS protection, you could save yourself some money and eliminate the VPN in favor of DoT.
All I wanna know: is there any reason that I’d want to enable DoT on the router if I already use a (PIA) VPN on my clients (…and that VPN provides DNS as part of its service)?

THANKS
 

Tech9

Part of the Furniture
But *I* don't consider encrypted DNS over the WAN a DNS leak since the ISP can't see what domains I'm accessing

They don't need to see your DNS queries. They see what IPs you are connecting to. Your browsing history can be reversed easily. I had a project in this direction and found that what we came up with is a fraction of what ISPs can do. It's not even a resource-hungry process. DoT/DoH is good MITM prevention, but unrelated to what ISPs can see or log. In some countries ISPs are required to keep browsing history, and they do.

I already use a VPN (PIA)

PIA is a company registered in the USA, one of the Five Eyes countries. You can rely on best-effort protection only. You can enable whatever you want, but if you commit something considered a crime online in the USA, a court order is usually enough. If you encrypt your DNS queries only, no matter how, your ISP has your browsing history. If your entire traffic goes through PIA, they have your browsing history. Read the first sentence again.
 

bbunge

Part of the Furniture
All I wanna know: is there any reason that I’d want to enable DoT on the router if I already use a (PIA) VPN on my clients (…and that VPN provides DNS as part of its service)?

THANKS
No. But VPN providers do not always use filtered DNS. So you may be at greater risk of malware and phishing.
 

JTnola

New Around Here
PIA is a company registered in the USA, one of the Five Eyes countries. You can rely on best-effort protection only. You can enable whatever you want, but if you commit something considered a crime online in the USA, a court order is usually enough. If you encrypt your DNS queries only, no matter how, your ISP has your browsing history. If your entire traffic goes through PIA, they have your browsing history. Read the first sentence again.

No tin foil hat here. And am under no illusion about privacy — nor do I care about “my privacy.” I let alllll hang out. If you can’t own your actions, then you shouldn’t be doin’ ‘em.

My question is purely about BEST PRACTICES for settings on my router, with an eye on maintaining a secure network and protecting devices attached to it. This may include privacy in terms of—my passwords are private, various users’ medical records are private, etc. But that’s all.

*note: I removed my own snarky commentary that I originally had used in ending this reply*
 

Tech9

Part of the Furniture
My question is purely about BEST PRACTICES for settings on my router, with an eye on maintaining a secure network and protecting devices attached to it. This may include privacy in terms of—my passwords are private, various users’ medical records are private, etc. But that’s all.

Your VPN is unrelated. Many folks use DoT to trusted public DNS services to prevent possible MITM attacks or ISP-redirected lookups, if that's an issue. There are many to choose from, with or without filtering. Cloudflare, Quad9, CleanBrowsing, AdGuard, OpenDNS (no DoT for now) are popular choices. Not sure if on-router VPN bypasses the router's AiProtection. On-device VPN goes straight through. You may have less protection when using VPN.
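The two points the thread keeps circling (what counts as a "DNS leak" once DoT is on the router, and what the ISP can still reconstruct from destination IPs even when DNS is encrypted) are easiest to see on actual flow records. The script below is an added example written for this page, not code from the thread, ASUS or any VPN provider. It assumes a VPN endpoint address, a LAN range, a passive-DNS/reverse table and a handful of outbound flows, all constructed for illustration; only Cloudflare's 1.1.1.1 as a DoT resolver comes from the discussion above. It parses the query name out of plaintext DNS on port 53, treats port 853 as DoT only when the first bytes look like a TLS handshake record, and then summarises what a WAN-side observer learns from each class of traffic.

```python
"""
Added example (not from the thread): classify a router's outbound flows to see
which DNS traffic the ISP could read, and what it can still infer from
destination IPs alone.  VPN endpoint, ports, passive-DNS table and sample
flows are all constructed; this is a stand-in for a WAN-side packet capture.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions (not from the page): the client-side VPN terminates at this
# endpoint, and the LAN is the usual ASUS default range.
VPN_ENDPOINT = ip_address("203.0.113.10")   # TEST-NET-3 placeholder for a VPN server
LAN = ip_network("192.168.1.0/24")
PLAIN_DNS_PORT, DOT_PORT = 53, 853
TLS_HANDSHAKE = b"\x16\x03"                 # TLS record type 0x16, version 3.x


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp" or "tcp"
    dport: int
    payload: bytes = b""  # first bytes of the first packet (constructed)


def build_query(name, qtype=1):
    """Construct a minimal DNS query (ID 0x1234, RD set, one question) for the samples."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"


def qname_from_query(payload):
    """Parse the first question name from a plaintext DNS query; None if malformed."""
    if len(payload) < 12 or int.from_bytes(payload[4:6], "big") < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                    # truncated before the terminating zero label
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            return None                    # compression pointers are not valid in a question
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length


def classify(flow):
    """Return what a WAN-side observer (the ISP) can see for this flow."""
    if ip_address(flow.dst) == VPN_ENDPOINT:
        return "tunnel"               # opaque; only the VPN endpoint IP is visible
    if flow.dport == PLAIN_DNS_PORT:
        return "plaintext-dns"        # query name readable and forgeable on the wire
    if flow.dport == DOT_PORT and flow.proto == "tcp":
        # Port 853 alone proves nothing; require a TLS handshake record to call it DoT.
        return "dot" if flow.payload.startswith(TLS_HANDSHAKE) else "dot-port-unverified"
    return "other"


def isp_view(flows, passive_dns):
    """
    Summarise what the ISP learns: names from plaintext DNS, resolver IPs from DoT,
    tunnel endpoints, and names inferred from destination IPs of other flows via a
    passive-DNS/reverse table (the "browsing history from IPs" point).
    """
    view = {"plaintext_names": [], "dot_resolvers": [],
            "tunnel_endpoints": [], "inferred_names": []}
    for f in flows:
        kind = classify(f)
        if kind == "plaintext-dns":
            view["plaintext_names"].append(qname_from_query(f.payload) or "<unparsed>")
        elif kind == "dot":
            view["dot_resolvers"].append(f.dst)
        elif kind == "tunnel":
            view["tunnel_endpoints"].append(f.dst)
        else:
            view["inferred_names"].append(passive_dns.get(f.dst, f"<{f.dst}>"))
    return {k: sorted(set(v)) for k, v in view.items()}


# Constructed reverse table: what a passive-DNS feed would map these IPs to.
PASSIVE_DNS = {"198.51.100.7": "example-bank.test", "198.51.100.9": "forum.example"}

# Constructed sample: a VPN client, the router's DoT forwarder, an IoT device that
# still sends plaintext DNS to the ISP resolver, and an HTTPS flow from a non-VPN client.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "203.0.113.10", "udp", 1194),
    Flow("192.168.1.1", "1.1.1.1", "tcp", 853, b"\x16\x03\x01\x00\xc8\x01"),
    Flow("192.168.1.30", "203.0.113.53", "udp", 53, build_query("iot-vendor.example")),
    Flow("192.168.1.1", "198.51.100.7", "tcp", 443),
]

if __name__ == "__main__":
    for k, v in isp_view(SAMPLE_FLOWS, PASSIVE_DNS).items():
        print(f"{k:17s} {v}")
```

Run against the constructed flows, the only query name the ISP can read directly comes from the device that bypassed the router's DoT forwarder; the DoT flow yields just the resolver IP, the tunnel yields just the VPN endpoint, and the HTTPS flow is still attributable to a site through the reverse table, which is why encrypting DNS alone does not hide a browsing history. To use this on a real router, replace the sample list with flows pulled from a WAN-side capture and treat every "plaintext-dns" hit as a leak to chase down.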
 

JTnola

New Around Here
Your VPN is unrelated. Many folks use DoT to trusted public DNS services to prevent possible MITM attacks or ISP-redirected lookups, if that's an issue. There are many to choose from, with or without filtering. Cloudflare, Quad9, CleanBrowsing, AdGuard, OpenDNS (no DoT for now) are popular choices. Not sure if on-router VPN bypasses the router's AiProtection. On-device VPN goes straight through. You may have less protection when using VPN.
Thank you!!
That was legit VERY HELPFUL and much appreciated!! Thank you!!
 
