DoT


umrico

Occasional Visitor
I would like to use DoT with Cloudflare for Families. Are these settings correct?
[attached screenshot: Screenshot_20210215-210310_Chrome.jpg]
 

dave14305

Part of the Furniture
leave the DNS server1 and DNS server2 fields blank
That’s not a good idea, and I don’t think the UI lets you do that. Why do you suggest that?
 

Mutzli

Very Senior Member
With the above settings you'll have devices that ignore the router's DNS settings, but you can force them to use the router's DNS.
Use these settings:
[settings screenshot attached]


Next set your DNSFilter in the LAN settings to router:
[DNSFilter screenshot attached]


Now all of your traffic should go through 1.0.0.2. You can check this by tracking the outgoing traffic. Connect to the router by SSH console and enter the following command:

Code:
tcpdump -ni eth0 -p port 53 or port 853

When you follow the log, you'll see the DNS requests, which should all now go through 1.0.0.2 or 1.1.1.2. You can also track the connections to see whether they are secure on port 853 or insecure on port 53.
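As an added example (not from the thread), a small Python script that reads the output of the tcpdump command above and tallies outbound DNS by port and destination, so a plaintext port-53 query or a resolver other than Cloudflare for Families stands out. The capture lines and the 203.0.113.10 / 198.51.100.53 addresses are constructed for the example.

```python
import re
from collections import Counter

# Cloudflare for Families resolver addresses named in the thread.
CLOUDFLARE_FAMILIES = {"1.1.1.2", "1.0.0.2", "1.1.1.3", "1.0.0.3"}

# tcpdump -n prints "IP <src>.<sport> > <dst>.<dport>: ..." ("IP6" for v6).
FLOW_RE = re.compile(r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+):")

def classify(line):
    """Return ("dot" | "plain" | None, destination) for one tcpdump line.
    Only outbound packets count: the destination port must be 853 (DoT)
    or 53 (plaintext). Replies arrive on an ephemeral port and are ignored."""
    m = FLOW_RE.search(line)
    if not m:
        return None, None
    _src, _sport, dst, dport = m.groups()
    if dport == "853":
        return "dot", dst
    if dport == "53":
        return "plain", dst
    return None, None

def summarize(capture):
    """Count outbound DoT and plaintext DNS packets per destination and
    list any destination that is not a Cloudflare for Families resolver."""
    dot, plain = Counter(), Counter()
    for line in capture.splitlines():
        kind, dst = classify(line)
        if kind == "dot":
            dot[dst] += 1
        elif kind == "plain":
            plain[dst] += 1
    unexpected = sorted((set(dot) | set(plain)) - CLOUDFLARE_FAMILIES)
    return {"dot": dot, "plain": plain, "unexpected": unexpected}

# Constructed sample in tcpdump -n format. 203.0.113.10 stands in for the
# router's WAN address; 198.51.100.53 is a made-up third-party resolver.
SAMPLE = """\
21:03:10.100001 IP 203.0.113.10.52311 > 1.0.0.2.853: Flags [S], seq 1, win 64240, length 0
21:03:10.100250 IP 1.0.0.2.853 > 203.0.113.10.52311: Flags [S.], seq 2, ack 2, win 65535, length 0
21:03:10.200001 IP 203.0.113.10.52311 > 1.0.0.2.853: Flags [P.], seq 1:200, ack 1, length 199
21:03:11.000001 IP 203.0.113.10.41022 > 1.1.1.2.53: 31337+ A? pool.ntp.org. (30)
21:03:11.000900 IP 1.1.1.2.53 > 203.0.113.10.41022: 31337 1/0/0 A 203.0.113.50 (46)
21:03:12.000001 IP 203.0.113.10.40110 > 198.51.100.53.53: 7+ A? example.com. (29)
"""

if __name__ == "__main__":
    r = summarize(SAMPLE)
    print("DoT:", dict(r["dot"]), "plain:", dict(r["plain"]), "unexpected:", r["unexpected"])
```

The single plaintext query to 1.1.1.2 is the boot-time lookup the thread discusses later; the query to the third-party resolver is the kind of bypass DNSFilter is meant to prevent.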
 

umrico

Occasional Visitor
With the above settings you'll have devices that ignore the router's DNS settings, but you can force them to use the router's DNS.
Use these settings:
[attachment 30808]

Next set your DNSFilter in the LAN settings to router:
[attachment 30809]

Now all of your traffic should go through 1.0.0.2. You can check this by tracking the outgoing traffic. Connect to the router by SSH console and enter the following command:

Code:
tcpdump -ni eth0 -p port 53 or port 853

When you follow the log, you'll see the DNS requests, which should all now go through 1.0.0.2 or 1.1.1.2. You can also track the connections to see whether they are secure on port 853 or insecure on port 53.
Thank you so much!!!!!!
 

RAH-66

Regular Contributor
When you follow the log, you'll see the DNS requests, which should all now go through 1.0.0.2 or 1.1.1.2. You can also track the connections to see whether they are secure on port 853 or insecure on port 53.
Check it yourself and see the difference.
 

Mutzli

Very Senior Member
To only use DoT (TLS port 853): those fields use port 53
Those DNS servers on port 53 are only in use at boot-up, when the router hasn't yet started the DNSSEC service. So instead of using your ISP's DNS service it would use the DNS servers defined here.
I checked my connection and it does what it's supposed to do and routes everything through port 853. 0 requests on port 53.
 

JJohnson1988

Occasional Visitor
The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?
 

Mutzli

Very Senior Member
The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?
They are DoT ready, at least for the last 3-4 months.
 

dave14305

Part of the Furniture
Using DNS Rebind Protection with a filtering service like Cloudflare for Families changes the response you receive. Instead of 0.0.0.0, you get an empty response due to the rebind protection, and you get a syslog message about the potential rebind attack.
Code:
Feb 15 22:47:02 dnsmasq[7522]: possible DNS-rebind attack detected: playboy.com
Ultimately, the domain is still prevented from being resolved, but not in the way the service intended.
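To see why the filtering answer trips rebind protection, here is an added example (not dnsmasq's code) that models the stop-dns-rebind check in Python; the address ranges are assumed from dnsmasq's private_net() and the sample upstream answers are constructed. Both the 0.0.0.0 sinkhole answer and a genuine LAN-address rebind are dropped with the same log message, which is the behaviour described above.

```python
import ipaddress

# Ranges that dnsmasq's stop-dns-rebind treats as "internal" (modelled on
# dnsmasq's private_net(); an assumption, check your build's source).
# 0.0.0.0/8 is on the list, which is why a filtering upstream's 0.0.0.0
# sinkhole answer is caught exactly like a real rebind attempt.
REBIND_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def is_rebind_suspect(addr, rebind_localhost_ok=False):
    """True if an upstream A record would trip rebind protection."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:            # exempt when rebind-localhost-ok is set
        return not rebind_localhost_ok
    return any(ip in net for net in REBIND_NETS)

def filter_answer(name, answers, rebind_domain_ok=(), rebind_localhost_ok=False):
    """Model dnsmasq's stop-dns-rebind on one upstream answer.

    Returns (records, log_message). One suspect record discards the whole
    answer (the "empty response" seen in the thread) and logs the domain;
    names under a rebind-domain-ok suffix are passed through untouched.
    """
    if any(name == d or name.endswith("." + d) for d in rebind_domain_ok):
        return list(answers), None
    if any(is_rebind_suspect(a, rebind_localhost_ok) for a in answers):
        return [], f"possible DNS-rebind attack detected: {name}"
    return list(answers), None

# Constructed upstream answers: a filtering resolver sinkholes a blocked
# name to 0.0.0.0; a rebind attempt points a public name at a LAN address;
# a normal name resolves to a public address; a local name is whitelisted.
UPSTREAM = {
    "blocked.example": ["0.0.0.0"],
    "rebind.example": ["192.168.1.1"],
    "www.example.com": ["203.0.113.7"],
    "nas.home.arpa": ["192.168.1.20"],
}

if __name__ == "__main__":
    for name, recs in UPSTREAM.items():
        print(name, filter_answer(name, recs, rebind_domain_ok=("home.arpa",)))
```

Run as-is, the blocked and rebind names both come back as an empty record list plus the log line, while the public and whitelisted names resolve normally.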
 

Mutzli

Very Senior Member
Using DNS Rebind Protection with a filtering service like Cloudflare for Families changes the response you receive. Instead of 0.0.0.0, you get an empty response due to the rebind protection, and you get a syslog message about the potential rebind attack.
Code:
Feb 15 22:47:02 dnsmasq[7522]: possible DNS-rebind attack detected: playboy.com
Ultimately, the domain is still prevented from being resolved, but not in the way the service intended.
What's the use case for rebind protection if it's not necessary when using a filtering service?
 

RAH-66

Regular Contributor
Those DNS servers on port 53 are only in use at boot-up, when the router hasn't yet started the DNSSEC service. So instead of using your ISP's DNS service it would use the DNS servers defined here.
I checked my connection and it does what it's supposed to do and routes everything through port 853. 0 requests on port 53.
A logical question: why fill in these fields if they are ignored?
 

szl

New Around Here
The Cloudflare team never announced it, but I believe they have DoT over 1.1.1.2 as well as 1.1.1.3. However, it was my understanding that the TLS hostname is now security.cloudflare-dns.com due to the standard hostname being cumbersome (e.g. 1dot1dot1dot1.cloudflare-dns.com). Maybe someone can confirm?

security.cloudflare-dns.com -> 1.1.1.2, 1.0.0.2, 2606:4700:4700::1112, 2606:4700:4700::1002

family.cloudflare-dns.com -> 1.1.1.3, 1.0.0.3, 2606:4700:4700::1113, 2606:4700:4700::1003

source here
 

JPotter

New Around Here
In case DNSSec fails.
And if you want routing to fail if DNSSec and DoT fails? Leave them blank? That is my intent. Or does it simply just send the DNS to my ISP if it fails? I don't want that to happen.

I am entirely trying to resolve DNS through DoT and do not want my ISP to ever see my queries.
 

RMerlin

Asuswrt-Merlin dev
To only use DoT (TLS port 853): those fields use port 53
Your router needs to talk to an NTP server to set its clock before encryption can be used. So, no DoT without a working regular DNS to set that clock first.
 
