DNS over TLS

After updating fw version to 384.11_0, I have configured DNS over TLS using Cloudflare servers and it seems to work OK.

I also have installed PIA (Private Internet Access) VPN Client Applications to my computers. Should I tweak the DNS Settings of PIA applications as well? There are three DNS options: PIA DNS, Use Existing DNS and Set Custom DNS (See the picture below):

PIA DNS - Copy.png

Which option should I choose?
 
Those options depend of course on your needs. ;)

What do you use PIA for? That will mostly answer the option you should choose.
 
I don't use PIA for anything special, it is pretty much activated all the time while surfing the net. What I tried to ask is if PIA and PIA DNS is active, does it bypass or affect the DoT of my router? How do you use DoT and VPN at the same time in general? I am not an expert and I'm a bit confused.
 
In your case, it seems like DoT and your VPN may do effectively the same thing then?

I'm not an expert at paid-for VPNs either. Others should be able to answer your specific question better. :)
 
Somebody said:
Some folks have asked us that if DNS over TLS encrypts your DNS requests, do you still need a VPN? The short answer is yes. DNS over TLS is one part of the solution in protecting against data leaks, but for truly private browsing you still need to establish a VPN connection to encrypt all the data and traffic you send when browsing.

So, I think I need them both. But this DoT thingy is such a new feature to me that I don't know how to use it properly with VPN.
 
My take on a paid for VPN? Money that I'll never see again for no tangible reason or benefit. ;)

Unless you have full control/ownership of the VPN tunnel, there is no 'protection' at all against the claims they make. Given a large enough player, (governments, countries, etc.), what you do online is never invisible unless you unplug from the internet 100%. ;)

And that is true even if we're assuming you can trust them 100% to not store/keep/forward your data to anyone with the highest bid (or stick). :)
 
I just activated DoT yesterday (Cloudflare servers). So I haven't got long experience of using it. But I have had tiny connection problems at least twice since. For example, just a couple of minutes ago I opened a new browser window (it should open Google) with Firefox but there was a lag and eventually a window opened showing that I have a good connection to my ISP and Cloudflare but the connection is lost between Cloudflare and Google.

This situation lasted for about a minute or two. Refreshing the page didn't help. Some other sites from Firefox tabs refreshed nicely with F5, but some didn't. For example www.snbforums looked like it was down (although it probably wasn't). Then all the connections came back by themselves and I couldn't investigate more.

I was just wondering if this was caused by the DoT?

And this time I was not using PIA.
 
After using DoT...I woke up this morning and my devices could not connect to the internet. After a restart all is working. I'm not using DoT at the moment and went back to my old setup.
 
Out of curiosity, mind posting the output of
Code:
brctl show
:p
Result as follows:
Code:
 brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0c9d92019b20       yes             eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        eth7
                                                        wl0.1
                                                        wl1.1
br1             8000.0c9d92019b20       yes             eth0.v0
 
in a normal condition your interface would say vlan1
 
Is there anything wrong here or...? Does STP have to be on or is it a waste of resources?
 
it's fine, just a semi odd way of doing things. maybe they do that for future advanced configurations like a dedicated iptv ssid or some such.
 
What's weird is that before the 384.11 release (so while I was on the beta) the interface listed by Skynet was "br0"; after the upgrade to 384.11 stable it changed to "br1". I wonder why? o_O
 
conflicts between code possibly.
 
Could have easily happened between merges of code, for example master vs. mainline. Or if code conflicts happen between GPL. Or they simply modified the interface namings.
 
My take on a paid for VPN? Money that I'll never see again for no tangible reason or benefit. ;)

Unless you have full control/ownership of the VPN tunnel, there is no 'protection' at all against the claims they make. Given a large enough player, (governments, countries, etc.), what you do online is never invisible unless you unplug from the internet 100%. ;)

And that is true even if we're assuming you can trust them 100% to not store/keep/forward your data to anyone with the highest bid (or stick). :)

Agree 100%

There have been several instances where well-known VPN companies have turned over user data when requested by law enforcement.

Maybe ok for keeping your ISP from snooping, but I wouldn't trust them if you were doing something less than honorable.

You can read about it here, https://restoreprivacy.com/vpn-logs-lies/ if you believe the source.
 
Maybe the reliability or privacy aspects of different VPN service providers is a bit out of scope here. I mean, you can compare VPN services and choose which one seems to suit best for your purposes. Or you can choose not to use them.

But if you use VPN and DoT together, I would like to know how to do it properly.
 
Well let's examine the possibilities.
- VPN - could support DoT built-in, that means VPN traffics the "encrypted lookups"
- One could do VPN DNS mixed with router DoT - which means lookups are handled in a crazy manner.
- One could do VPN with router's DoT (potential ISP leak)
 
Hi,
Do you replace the custom dns with the router's ip?
L7fAqqj.jpg
No, it is not needed. Those are if you choose to predefine a server for a specific client using the clients list.
 
