
DNS over TLS


Depends whether you desire privacy, anonymity, both, or neither. And yes, I am well aware that there is never any "absolute" privacy or anonymity on the internet. Like all things, it is a matter of degree. If you don't run any VPN, then you have neither. If you desire privacy, then yes, a "personal" VPN can be a good solution, but ONLY for those that are technical enough to create one without leaving (usually very large) holes. If you desire anonymity, then a "public" VPN is pretty much required. Trust is something you need to evaluate in many things. When I go out to eat at a restaurant, I "trust" they won't poison and rob me. Most of us "trust" that ASUS builds us a good router.

That is my point; a public VPN cannot provide that anonymity for anyone willing and persistent enough to know what you are doing. Going to the restaurant to eat and hoping they don't poison me is not a good example, again. You can't eat food prepared from or by someone else and stay incognito, if they don't want you to. ;)


https://www.snbforums.com/threads/openvpn-client-security-enhancement.56328/#post-489449

https://www.snbforums.com/threads/openvpn-client-security-enhancement.56328/#post-489515
 
...a public VPN cannot provide that anonymity for anyone willing and persistent enough to know what you are doing

In the restaurant example, I was only speaking of trust, not anonymity. I assume you eat out occasionally, and have trust in those that prepare your food.

WITHOUT a public VPN, you are 100% exposed/cannot be anonymous. WITH a properly chosen/evaluated public VPN you can have a high level of confidence of being anonymous (unless the CIA/etc. is looking for you). If your opsec is done properly, and you get on the public VPN anonymously (register with a gift card bought in a store without cameras, etc.), it adds additional difficulty for even a government organization to identify you, unless they are highly motivated. In any case, close to 100% of the people in this forum are NOT hiding from government agencies such as the CIA, but some want a reasonable assurance of anonymity for more benign reasons. For them, a carefully chosen/obtained public VPN can achieve that goal at reasonable cost.
 

I can agree with most of what you say. But you are making a lot of assumptions too.

If someone is targeting a specific person, it doesn't matter if they use a public VPN or not. We seem to both agree on that.

The issue for me is your next assumption though. What is a properly chosen public VPN? The only way for me for the 'evaluation' to be complete is after I stop using it at some future time, without ever having been exposed (and not just not told I wasn't, either).

There are many examples of this 'trust' that gets broken many times per year, by many companies large enough to swallow governments. These are the same people, IMO, that VPNs target. The snake oil of today, if you will.

The other side is that anyone on a public VPN is automatically assumed to be hiding something. Because that is what they are selling.

Can someone without a public VPN be anonymous? No, depending on what ISP they're on. Can that same person be anonymous with a public VPN and a possibly warped ISP? No again, because of the traffic matching that is possible today, even for smaller ISPs, and the unknown agreements and contracts they have with similar-minded (dollar-oriented) organizations out there.

Sorry, I don't mean this conversation to become overblown. But the very design of the system is broken, if anonymity is the goal.

The www was never meant to offer that. Quite the opposite, in fact.

https://www.snbforums.com/threads/experimental-wireguard-for-rt-ac86u.46164/page-7#post-489660
 
You are correct that the only way to be 100% anonymous is to go off the grid altogether. But there are few of us willing to do that. So, if you stay on the grid, you can use no public VPN and be 100% guaranteed that you are not anonymous. Or, based on a variety of things (such as history of "no information found" when requests by authorities are made to the VPN, transparency reports, and increasingly by audits, etc.), an intelligent evaluation can be made. ASUS "could" be hiding surveillance chips in their routers, but we choose to trust them. Your argument of "can't trust" could be applied to everything we do, in which case we should go offline and live on a farm. But we make evaluations of trust on things we do every day. Again, a VPN is not a solution without proper opsec. As I stated above, depending on how important your needs are, there are many layers. A public VPN (well chosen) by itself will give some level of protection. Getting it anonymously (gift card, crypto, etc.) brings you another level. Using it on a public wifi brings you more privacy still. And there is much more you can do. But, without a public VPN, you are guaranteed to get what you say a VPN cannot guarantee.

P.S. In the end, I think we are saying pretty much the same thing. For the vast majority of the masses who blindly throw money at a VPN with little knowledge (or worse still, use a free one), EVERYTHING you say is spot on. Even IF you have a good public VPN, without good opsec, your money is wasted. This is a good discussion if it helps inform a few who might otherwise waste their money or take action based on a false sense of protection. This discussion probably belongs in the VPN section, but somehow grew organically here. I'm more than glad to continue this discussion with anyone who wants to delve into more details on this topic over there.
 

I don't understand what you mean by 'proper opsec' above. :)

I do know it doesn't matter how anonymously a public VPN is purchased. Using public WiFi is another crude step (assuming individuals live in the same city for at least a few weeks/months at a time and use the web in pretty much the same way wherever they go). No matter how many steps are taken, each additional step just makes the behavior more worth looking into.

https://www.makeuseof.com/tag/5-ways-vpn-not-secure-think/

https://www.makeuseof.com/tag/3-dangers-logging-public-wi-fi/

https://www.makeuseof.com/tag/product-client-personal-data-economy-explained/

The above articles are just basic and tip-of-the-iceberg introductions to what I've been saying here.

Even if we were to go as far as owning our own ISP, we still wouldn't be anymore anonymous than before. If anything, less so. :)

As for surveillance chips inside equipment I own and can test and keep retesting behind other equipment to see differences or other strange behavior, my confidence level is much, much higher. Including the fact that there are many others doing the same thing with identical hardware too.

Do I know for a fact that my router and therefore my internal network is safe from within my router itself? No. But that probability is very, very low. And can probably go to virtually zero if I'm using equipment from many different vendors inside my private network in a methodical/stacked fashion.

Do I know for a fact that the public VPN is not as private or anonymous as advertised? Yes. All real information points to that. Regardless of what public VPN's push on the people to make them keep paying for one.
 

Yes, I'm sure we are too. :)

I think that all steps short of paying for a public VPN make us blend more and be truly anonymous.

For the less knowledgeable, buying and using a VPN may be a harsh wake-up call if they really believe the marketing blurbs.

Kind of reminds me of the RV owners who bought their first RV and set the cruise control and then promptly went back to make themselves tea. :)

Or, the first 4x4 and/or SUV drivers that promptly slid off the roads (and some flipped their rides too) because the traction when accelerating was so good, they expected the braking and cornering to be the same on those ice roads. :)
 
We agree on everything (very good points in your above posts :)), save for my position that if privacy/anonymity is important or desired, I believe that an educated/informed use of a public VPN will give you greater assurance of same than being naked :oops: with none.
 
Can somebody write a good tutorial on how to set up DoT successfully on Asuswrt?
 
Interesting discussion re VPNs; however, my reason for deploying DoT is simply to be able to continue to protect my network by using a DNS filtering service. A few weeks ago my ISP silently added a DNS sinkhole which, like a black hole, sucks in all port 53 traffic and then returns the address using their own DNS servers rather than the one I choose (it's easy to prove this). Needless to say, the ISP's DNS system is not filtered and it happily returns the IP address of every malware or phishing site available. Using DoT ensures that the port 53 traffic gets removed from the visible traffic as it's within the VPN tunnel and hence doesn't get sucked into my subversive ISP's DNS system.

Setting up DoT was relatively painless for me. (Go to the WAN page on the router, scroll down to WAN DNS Settings, set DNS Privacy Protocol to DoT. Now add in the Preset Servers for IPv4 and IPv6. Finally scroll down and press Apply. Job done.)

The issue for me was proving it was working (I've not a clue how to install tcpdump through Entware, and that only shows the dataflows rather than confirming that the far end is blocking requests). Proving it's working is tricky as each provider has a different way to check this, and it can be further confused by what's in your cached browser data. (For CleanBrowsing only: clear your browser's cache then try to access http://badexample.com/ You should get a message saying the IP address could not be found. If you see a cat falling over then it's not working. For other providers it's a different test which you should find somewhere in the depths of their website.)
 
No need to, RMerlin already has done it. Please see the wiki pages.

https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy
That looks like an excellent guide. Many thanks. I’m away from home and have resisted the temptation to play Russian roulette with a remote upgrade - I rely too much on my permanently-connected OpenVPN server, with Skynet and Diversion for protection. So I’m going off a screenshot I saw the other day, which prompted a question: what should the Connect to DNS Server Automatically now be set to, with DoT enabled? I’d imagine No, but I think in the screenshot it was set to Yes with DoT enabled.

Used to be that, if you specified your DNS servers, you’d have that setting at No, to stop the ISP’s DNS server being contacted.

Quite possibly, if I had upgraded, and played with the settings, the answer would then be obvious.

PS. DNSFiltering is set to Router in global mode.
 
Does not matter. The router will use the DNS settings (whether connect automatically or manually specified) prior to NTP clock sync. Once NTP is set, stubby starts and the DNS settings are ignored in favor of the DNS Privacy settings.
 
The issue for me was proving it was working (I've not a clue how to install tcpdump through Entware and that only shows the dataflows rather than confirming that the far end is blocking

Code:
opkg install tcpdump


 
I tested my configuration of DNS-over-TLS after I installed 384.11 using tcpdump, and was happy to see that all of my DNS traffic was moving through eth0 on port 853. Today, I updated to 384.11_2, and when I execute the same test using tcpdump (tcpdump -i eth0 -p port 853 or 53 -n), I don't see any traffic on either port 53 or 853. If I change the interface to "any", I definitely see traffic, but on both ports. If I run this test on eth1, I don't see any traffic on these ports. I'm confused. It doesn't look like DNS over TLS is working, and I'm not sure what the next steps might be to troubleshoot this.
 
You would still expect to see DNS traffic coming on br0 as port 53 from the LAN to dnsmasq so “any” would just muddy the picture. Only traffic on the WAN interface will show port 853 if Stubby is working. Are you certain you are generating new dns requests that would not be cached by dnsmasq already while you are tcpdumping?
 
Hey Dave14305. No, I'm not certain that requests aren't being cached. What I do know is that this test worked as described by RMerlin on the AsusWRT-Merlin site when I was running 384.11, but that something has changed with the update to 384.11_2. I'm not knowledgeable enough to figure this out without some help. Is there a way I can dump any cached traffic?
 
Is there a way I can dump any cached traffic?

Tell dnsmasq to dump its cache data
Code:
# dnsmasq writes cache statistics to its log on SIGUSR1, and the cache contents too when log-queries is enabled
killall -SIGUSR1 dnsmasq

then list the results...
Code:
# -n so sed prints each matching line once (without it every line is printed twice)
grep cached /opt/var/log/dnsmasq.log | sed -n 's/^.*]://p'

and some stats....
Code:
grep cached /opt/var/log/dnsmasq.log | sed -n 's/^.*cached//p' | sort | uniq -c
 
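A slightly more complete version of the same log check, added here as an example and not code from the posts above or from Asuswrt-Merlin: it parses dnsmasq query logging (constructed sample lines below, in the format dnsmasq writes with log-queries on) and, besides counting cached versus forwarded answers, reports which upstream each forwarded query went to. With DNS Privacy enabled, dnsmasq is expected to forward to Stubby on the loopback listener; the address 127.0.1.1#5453 used below is an assumption, so compare it with the server= line in your router's dnsmasq.conf. A query forwarded straight to a public resolver (shown without a #port, i.e. port 53) did not go through DoT, and cached answers never reach the WAN at all, which is why a tcpdump on the WAN side can look empty.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise dnsmasq query logging:
# how many queries were answered from cache (never touch the WAN) versus
# forwarded, and where the forwarded ones went. Needs log-queries enabled
# in dnsmasq; the sample below is constructed in that log format.

# Assumption: Stubby listens on 127.0.1.1 port 5453 and dnsmasq is configured
# with server=127.0.1.1#5453 (Asuswrt-Merlin DNS Privacy). Adjust to match.
STUBBY_UPSTREAM="127.0.1.1#5453"

# dnsmasq_report <logfile> [expected_upstream]
# Prints "queries N cached N forwarded N" and one "upstream <addr> <count>"
# line per forwarding target. Returns 1 if any query was forwarded somewhere
# other than expected_upstream (default: $STUBBY_UPSTREAM), else 0.
dnsmasq_report() {
    awk -v want="${2:-$STUBBY_UPSTREAM}" '
    / dnsmasq\[[0-9]+\]: query\[/    { queries++ }
    / dnsmasq\[[0-9]+\]: cached /    { cached++ }
    / dnsmasq\[[0-9]+\]: forwarded / {
        forwarded++
        up[$NF]++                      # line is "forwarded <name> to <upstream>"
        if ($NF != want) bad = 1
    }
    END {
        printf "queries %d cached %d forwarded %d\n", queries + 0, cached + 0, forwarded + 0
        for (u in up) printf "upstream %s %d\n", u, up[u]
        exit bad + 0
    }' "$1"
}

# Constructed sample: two clients ask for the same name (second answer comes
# from cache) and one query is forwarded past Stubby to a public resolver.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
May 15 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.50
May 15 10:00:01 dnsmasq[1234]: forwarded example.com to 127.0.1.1#5453
May 15 10:00:01 dnsmasq[1234]: reply example.com is 93.184.216.34
May 15 10:00:05 dnsmasq[1234]: query[A] example.com from 192.168.1.51
May 15 10:00:05 dnsmasq[1234]: cached example.com is 93.184.216.34
May 15 10:00:09 dnsmasq[1234]: query[AAAA] example.net from 192.168.1.52
May 15 10:00:09 dnsmasq[1234]: forwarded example.net to 1.1.1.1
May 15 10:00:09 dnsmasq[1234]: reply example.net is 2606:2800:220:1:248:1893:25c8:1946
EOF

# On the router you would point this at the real log, e.g. /opt/var/log/dnsmasq.log
dnsmasq_report "$SAMPLE_LOG" || echo "some queries were forwarded past Stubby"
```

Run it against your own log after a killall -SIGUSR1 dnsmasq and a few fresh lookups; the upstream lines tell you immediately whether dnsmasq is still talking to Stubby or has fallen back to a plain port-53 resolver.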

Ok, so I did that and got the expected flood of cached data, and ditto the stats.

Before I did that, I decided to check again to see if anything had changed since last night. I'm seeing packets on eth0 going to both ports 53 and 853, with most of the port 53 traffic going to 1.1.1.1. This is a positive change from last night when I wasn't seeing anything much. I noticed in RMerlin's discussion of DNS-over-TLS that there is a problem at Cloudflare with the way these calls are handled, so maybe that's the reason? 1.1.1.1 isn't all the traffic, but a lot of it. I guess at this point I'm not sure what to make of this. Perhaps it's nothing and I should just stop poking at it. :)
 

Do you have DNSFilter enabled in the LAN tab and set to "Router"? That will force everything through port 853. If you do not have that set and have clients hard coded with a DNS server, or you do have that set but have other clients set to bypass "Router" mode, you will see that traffic on port 53.
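Turning the tcpdump advice from the posts above into a repeatable check, as an added example that is not code from the thread or from Asuswrt-Merlin: capture on the WAN interface only (tcpdump -i eth0 -nn -tt 'port 53 or port 853' > /tmp/dns.cap) while generating lookups for names dnsmasq cannot already have cached, then hand the capture file to the function below. Outbound TCP/853 to your chosen DoT servers is what Stubby should produce; any packet leaving the WAN for port 53 is plaintext DNS that bypassed it, and the function names the destinations so a client with a hard-coded resolver (what shows up as port 53 to 1.1.1.1 when DNSFilter is not in Router mode) is easy to spot. Port 53 on br0 is LAN clients talking to dnsmasq and is expected, so do not feed a LAN or "any" capture to this. The DoT server list and the 203.0.113.10 WAN address in the sample capture are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classify DNS packets in a tcpdump
# capture taken on the WAN interface. With DoT working and DNSFilter set to
# Router, every resolver packet leaving the WAN should be TCP/853 to the
# configured DoT servers; anything to port 53 is plaintext DNS that Stubby
# did not handle (bypassing client, hard-coded resolver, filter exemption).
#
# Capture on the router with:  tcpdump -i eth0 -nn -tt 'port 53 or port 853'
# The sample capture below is constructed; 203.0.113.10 stands in for the WAN IP.

DOT_SERVERS="1.1.1.1 1.0.0.1"   # assumption: the servers chosen under DNS Privacy

# dns_leak_report <capture_file>
# Prints "plain <dst> <count>" for outbound port-53 packets, "dot <dst> <count>"
# for TCP/853 to a listed DoT server and "dot-unexpected <dst> <count>" for 853
# to anything else. Returns 1 if any plaintext port-53 packet was seen, else 0.
dns_leak_report() {
    awk -v dot="$DOT_SERVERS" '
    BEGIN { n = split(dot, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($2 == "IP" || $2 == "IP6") && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)          # "1.1.1.1.53:" -> "1.1.1.1.53"
        port = dst; sub(/.*\./, "", port)     # last dotted label is the port
        ip = dst; sub(/\.[0-9]+$/, "", ip)    # strip the port to get the address
        if (port == "53")       { plain[ip]++; leak = 1 }
        else if (port == "853") { if (ip in ok) dotc[ip]++; else stray[ip]++ }
    }
    END {
        for (ip in plain) printf "plain %s %d\n", ip, plain[ip]
        for (ip in dotc)  printf "dot %s %d\n", ip, dotc[ip]
        for (ip in stray) printf "dot-unexpected %s %d\n", ip, stray[ip]
        exit leak + 0
    }' "$1"
}

# Constructed sample: one DoT handshake to 1.1.1.1, plus two plaintext queries
# (one to 1.1.1.1:53, one to 8.8.8.8:53) that a client sent around Stubby.
SAMPLE_CAP=$(mktemp)
cat >"$SAMPLE_CAP" <<'EOF'
1557940000.100000 IP 203.0.113.10.51234 > 1.1.1.1.853: Flags [S], seq 100, win 64240, length 0
1557940000.100500 IP 1.1.1.1.853 > 203.0.113.10.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
1557940000.200000 IP 203.0.113.10.41234 > 1.1.1.1.53: 4660+ A? example.com. (29)
1557940000.200900 IP 1.1.1.1.53 > 203.0.113.10.41234: 4660 1/0/0 A 93.184.216.34 (45)
1557940000.300000 IP 203.0.113.10.41235 > 8.8.8.8.53: 4661+ AAAA? example.net. (29)
EOF

dns_leak_report "$SAMPLE_CAP" || echo "plaintext DNS left the WAN: check DNSFilter and client resolver settings"
```

Only outbound packets are counted (the destination port decides), so replies coming back from port 53 or 853 do not inflate the numbers. A clean result is one or more dot lines, no plain lines, and exit status 0.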
 
