DNS over TLS

Hi,
Do you replace the custom DNS with the router's IP?
[attached screenshot: L7fAqqj.jpg]
This is a correct example.
[attached screenshot: upload_2019-5-10_10-22-9.png]
 
My understanding of DNSFilter Global Filter Mode set to "Router"
  • The Custom fields are ignored
  • Clear them to avoid confusion
 
Custom fields are only for if you want to define a specific server to be used for a specific client when the DNS filter is set to Router mode. That is the only way the custom fields can be used in Router mode.

For example, you want all devices on the network to use DoT,
but you have one specific Android device that must use Google.
DNSFilter can be used for you to specify a custom address for Google, so that everyone else gets forced to use Router, while the Android device gets assigned to one of the custom addresses via its MAC address on the client list. This allows the Android device to use Google and the rest of the devices to use DoT.
 
  • The Custom fields are ignored
  • I did not comment on the Client List
 
Yeah, I was just clearing things up on the proper use of them if one has Router mode enabled; otherwise they should stay blank, like you said, if they are not intending to use them via client list additions.
 
My take on a paid for VPN? Money that I'll never see again for no tangible reason or benefit. ;)

Unless you have full control/ownership of the VPN tunnel, there is no 'protection' at all against the claims they make. Given a large enough player, (governments, countries, etc.), what you do online is never invisible unless you unplug from the internet 100%. ;)

And that is true even if we're assuming you can trust them 100% to not store/keep/forward your data to anyone with the highest bid (or stick). :)

I respectfully disagree. While everything you say should be taken into consideration, it's similar to saying that an expert thief can defeat any lock that you install on your house, and that anyway, the locksmith might keep a copy of your keys, so don't install any locks. o_O
 
Ok, I might be a bit dense, but I want to be sure, so in order to use DoT I need to have:
- DNSFilter "ENABLED"
- DNSFilter Global Filter mode in "ROUTER"
- DNS Privacy Protocol "DoT"
- Applied DNS address with DoT support on the DoT Server List

Is specification of port necessary since it's not applied using presets? Anything else?
 
DNSFilter is not required -- it is only important if you want to "FORCE" DoT on all devices.
 
Ports are already set up via the router's built-in setup.
- *optional* DNSFilter can be used to FORCE, via "ROUTER", all devices to use Stubby, and also to specify a device to use a different DNS server. (Forcing DoT on all clients allows no device on the network to modify its DNS address from that device; it also overrides devices that have a hardcoded DNS that would avoid DoT. This will prevent data leaks.)
- *optional* DNSFilter can also be turned on selecting the "NO-Filter mode" as the main feature. This will allow the DoT DNS to pass to devices without forcing it, and users can still specify specific DNS servers for devices that will bypass DoT (for example a child's device that you want to use OpenDNS parental filters on).

Both options above can be used alongside DoT. If anyone wants to use a different DNS than DoT on a specific device, then you would use the client list to specify that for that device.
[attached screenshot: upload_2019-5-10_12-20-51.png]


- The only thing that needs to be done to officially turn on DoT is to enable DoT and specify the servers you want to use on the server list. The DNSFilter features are *optional* choices one could make.
 
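The two DNSFilter modes discussed in this thread (Router mode with client-list exceptions, and No-Filter mode with client-list entries only) come down to a small set of NAT rules. The following is an added illustration, not Asuswrt-Merlin's own code and not from any post here: a POSIX shell function that prints the iptables rules approximating that behaviour so you can read the ordering. The chain name DNSFILTER, the LAN bridge br0, and the exact rule shape are assumptions made for this example; the firmware manages its own rules, so this is for inspection, not for applying on the router.

```shell
#!/bin/sh
# Added illustration (not Asuswrt-Merlin code): print the iptables NAT rules that
# approximate DNSFilter behaviour. The chain name DNSFILTER, the LAN bridge br0
# and the exact rule shape are assumptions; the firmware rebuilds its own rules.
#
# Usage: dnsfilter_rules MODE LAN_IP [MAC=SERVER ...]
#   MODE     router    -> unlisted clients are DNAT'ed to LAN_IP (stubby/DoT)
#            nofilter  -> unlisted clients keep whatever resolver they ask for
#   MAC=SERVER         -> client-list entry: that MAC is sent to SERVER (plain port 53)
dnsfilter_rules() {
    mode=$1
    lan_ip=$2
    shift 2

    echo "iptables -t nat -N DNSFILTER"
    # Divert every resolver lookup (UDP and TCP 53) arriving from the LAN into the chain
    echo "iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNSFILTER"
    echo "iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNSFILTER"

    # Client-list entries go first: a MAC match is taken before the catch-all below,
    # which is why one Android device can be pinned to Google while the rest use DoT
    for entry in "$@"; do
        mac=${entry%%=*}
        server=${entry#*=}
        echo "iptables -t nat -A DNSFILTER -m mac --mac-source $mac -j DNAT --to-destination $server"
    done

    # Router mode: everyone not matched above is redirected to the router itself,
    # so a hardcoded resolver in a client's settings still ends up at stubby.
    # nofilter mode has no catch-all, so unlisted clients bypass the router's DoT.
    if [ "$mode" = router ]; then
        echo "iptables -t nat -A DNSFILTER -j DNAT --to-destination $lan_ip"
    fi
}

# Example: force everything to DoT except one Android phone that must use Google
dnsfilter_rules router 192.168.1.1 "AA:BB:CC:DD:EE:FF=8.8.8.8"
```

Two things the rule listing makes visible: the client-list exception hands that one device's lookups to the custom server as plaintext port-53 traffic, so it sits outside the DoT protection entirely, and the redirect only ever matches port 53. An application that does its own DoH on 443 or its own DoT on 853 is not touched by either DNSFilter mode.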
I don't know what you're disagreeing with?

The example you have given is not the same thing as what is being discussed here.

To make it slightly more applicable, it would be more like a lock company saying that for 'xx' dollars a year more, we 'guarantee' we won't keep a copy of your keys (here, 'keys' meaning privacy). ;)

The issue is not whether we install a lock or not, we all do (with our routers), but rather whether what can be learned about us once we pass beyond the router and go into the www. ;)

Our routers can and do keep our internal networks safe and private. But there is no VPN (that we don't own both ends of), that can offer that kind of privacy/protection once we leave our internal network, ever. Believing otherwise is just wishful thinking. :)
 
I think what you are trying to say, in simple terms, is: all you are doing is reducing risk vs. not reducing risk, but despite that the risk still exists.
 
I can see where you are coming from: your concern is that there is more risk leaning on the side of the VPN provider versus the WWW. On the WWW you are just a target among billions of targets, whereas on a VPN you are telling them "hey, I am yours if you protect me".
 

That’s what I’ve done.
Port spec not required.
 
br1 should not be a WAN interface, unless you have a rather weird configuration (br = bridge).
This is the part I don't understand. I used these settings a long time ago on my AC68U. Back then in QIS (quick internet setup) you would go through configuring your internet connection, and at one time it asked if your ISP had any special requirements; if you clicked it, it took you to the IPTV VLAN setup page asking for VLAN ID and priority. This seems to have been removed from the QIS now, and the only way to access these settings is by accessing the IPTV tab directly. Like before, this works like a charm, but it worked differently a little while back by starting with the WAN interface (makes sense, as it is required for the connection). Asus has likely changed things, but to say the settings are weird is just not very well informed. Strange to you maybe, but not to some of us here. Sorry if I sound snarky, it's not my intention. Keep up the great work.
 
After updating fw version to 384.11_0, I have configured DNS over TLS using Cloudflare servers and it seems to work OK.

I also have installed PIA (Private Internet Access) VPN Client Applications to my computers. Should I tweak the DNS Settings of PIA applications as well? There are three DNS options: PIA DNS, Use Existing DNS and Set Custom DNS (See the picture below):

[attachment 17520: screenshot of the PIA client DNS options]

Which option should I choose?

BTW, I tested quickly all PIA Client Application DNS options and they seem to work as expected with DoT (Cloudflare 1.1.1.1/1.0.0.1).

Results (Tested with https://ipleak.net):

1. DNS option (Default) "PIA DNS":
DNS Addresses - 1 server
IP Address : PIA IP (IP Owner: CachedNet LLC)

2. DNS option "Use Existing DNS"
DNS Addresses - 4 servers
IP Addresses (using https://showip.net etc.): Cloudflare IP (Owner: Cloudflare, Inc)

3. DNS option "Set Custom DNS...", Resulting Name Servers 1.1.1.1/1.0.0.1
DNS Addresses - 31 servers
IP Addresses: IP Owner: Cloudflare Inc.


So, "PIA DNS"-setting gives PIA DNS IPs, and other two options Cloudflare.

And
Code:
tcpdump -i eth0 port 53
shows no traffic no matter which option (of all three) you use.
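The tcpdump check in the post above only shows the negative half of the evidence (nothing on port 53 leaving eth0). A practitioner also wants the positive half: DoT sessions to the configured resolvers on port 853 actually present, and, when a leak does occur, which resolver received it. The following is an added example, not part of the post and not a tool from the firmware: a shell function that summarises `tcpdump -n` output lines on the WAN side, counting outbound plaintext DNS (destination port 53) and DoT (destination port 853) separately, for both IPv4 and IPv6 lines. The capture lines embedded below are constructed samples in tcpdump's format, not a real capture; the interface name eth0 follows the post.

```shell
#!/bin/sh
# Added example (not from the post): summarise a `tcpdump -n` capture on the WAN
# interface so both halves of the check are visible: no plaintext DNS (port 53)
# leaving, and DoT sessions (port 853) actually present. Counts only outbound
# lines (destination port 53 / 853) and lists the resolvers that still receive
# plaintext queries. Handles IPv4 ("IP") and IPv6 ("IP6") lines.
classify_dns_capture() {
    awk '
    /^[0-9:.]+ IP6? / {
        dst = $5                       # e.g. 1.1.1.1.853:  or  2606:4700:4700::1111.853:
        sub(/:$/, "", dst)
        n = split(dst, part, ".")
        port = part[n]                 # tcpdump appends the port after a dot
        host = substr(dst, 1, length(dst) - length(port) - 1)
        if (port == "853") {
            dot++
        } else if (port == "53") {
            plain++
            if (!(host in seen)) { seen[host] = 1; leaks = leaks (leaks ? "," : "") host }
        }
    }
    END {
        printf "dot=%d plain=%d plain_dst=%s\n", dot + 0, plain + 0, (leaks ? leaks : "none")
    }'
}

# Constructed sample lines in tcpdump -n format (not a real capture): two DoT
# handshakes to Cloudflare (one over IPv6), the server's reply (must not count),
# one plaintext query that slipped out to 8.8.8.8, and unrelated HTTPS traffic.
sample_capture() {
    cat <<'EOF'
10:22:01.000001 IP 203.0.113.5.51012 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
10:22:01.000500 IP 1.1.1.1.853 > 203.0.113.5.51012: Flags [S.], seq 2, ack 2, win 65535, length 0
10:22:02.000001 IP6 2001:db8::10.41900 > 2606:4700:4700::1111.853: Flags [S], seq 3, win 64800, length 0
10:22:03.000001 IP 203.0.113.5.60123 > 8.8.8.8.53: 4471+ A? example.com. (29)
10:22:04.000001 IP 203.0.113.5.52000 > 198.51.100.7.443: Flags [P.], seq 1:100, ack 1, win 501, length 99
EOF
}

# Live use on the router: tcpdump -l -n -i eth0 'port 53 or port 853' | classify_dns_capture
sample_capture | classify_dns_capture
```

On the sample this reports two DoT sessions and one plaintext query to 8.8.8.8, which is exactly the kind of hardcoded-resolver leak that DNSFilter's Router mode is meant to catch. What this cannot see is DoH, which rides on port 443 and is indistinguishable from ordinary HTTPS at this level; a client using its own DoH resolver will show up as neither a leak nor a DoT session here.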
 
Depends whether you desire privacy, anonymity, both, or neither. And yes, I am well aware that there is never any "absolute" privacy or anonymity on the internet. Like all things, it is a matter of degree. If you don't run any VPN, then you have neither. If you desire privacy, then yes, a "personal" VPN can be a good solution, but ONLY for those that are technical enough to create one without leaving (usually very large) holes. If you desire anonymity, then a "public" VPN is pretty much required. Trust is something you need to evaluate in many things. When I go out to eat at a restaurant, I "trust" they won't poison and rob me. Most of us "trust" that ASUS builds us a good router.
 
