Help with DNS encryption configuration


GoldenSW

New Around Here
Hello, I'm trying to set up the DNS encryption on my RT-AX86U using Cloudflare. However, I just can't get 1.1.1.1/help to recognize that I'm connected to 1.1.1.1 or that I'm using either DoT or DoH (DoH when active in Mozilla). I also want my browser to always use Cloudflare's DoH, meaning it needs to overwrite the router.
I've posted the WAN configuration below. LAN section DNS servers are blank. Should I change that as well?

[image: dns.png]

eibgrad

Very Senior Member
"Prevent client auto DoH" should be Yes. Browsers (at least so far) have agreed to check this setting in DNSMasq, and if enabled, NOT use DoH within the browser and bypass your settings in DNSMasq. Not unless you've already disabled DoH in the browser itself.
 
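The "Prevent client auto DoH" switch works through a canary domain: before turning on DNS over HTTPS by itself, Firefox resolves use-application-dns.net through the system resolver, and if that lookup comes back NXDOMAIN, SERVFAIL, or NOERROR with no A/AAAA records, it treats the network as having opted out and keeps using the router. The router option makes dnsmasq return exactly that kind of answer. The script below is an added example, not part of this thread or of the router firmware: it builds the canary query, parses the reply, and reports the verdict. It runs offline against two constructed replies (labelled as such in the code); the resolver address passed to query_live() is whatever LAN IP your router uses and is only an assumption here.

```python
"""Check what a resolver answers for Firefox's DoH canary domain.

Firefox resolves use-application-dns.net before enabling DoH on its own.
NXDOMAIN, SERVFAIL, or NOERROR without A/AAAA records means "opt out":
Firefox then keeps using the network's resolver. A router's
"Prevent client auto DoH" setting makes dnsmasq give that answer.

Added example for this thread; it is not the router firmware's own code.
"""
import socket
import struct

CANARY = "use-application-dns.net"
TYPE_A = 1
CLASS_IN = 1
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Build a standard recursion-desired DNS query for `name` (one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_reply(msg: bytes) -> dict:
    """Return txid, rcode, answer count and number of A records in a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(msg, off) + 4       # name + QTYPE + QCLASS
    a_records = 0
    for _ in range(an):                      # walk the answer section
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_A:
            a_records += 1
    return {"txid": txid, "rcode": rcode, "answers": an, "a_records": a_records}


def canary_verdict(reply: bytes) -> str:
    """'doh-blocked' if the answer signals opt-out, otherwise 'doh-allowed'."""
    info = parse_reply(reply)
    if info["rcode"] in (RCODE_NXDOMAIN, RCODE_SERVFAIL):
        return "doh-blocked"
    if info["rcode"] == RCODE_NOERROR and info["a_records"] == 0:
        return "doh-blocked"                 # NODATA counts as opt-out too
    return "doh-allowed"


def query_live(resolver_ip: str, timeout: float = 2.0) -> str:
    """Ask a real resolver (assumed: your router's LAN IP) about the canary."""
    q = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch, reply not for our query")
    return canary_verdict(data)


# Constructed replies for offline use (not captured from any real resolver).
_QUESTION = build_query(CANARY)[12:]
# 1) NXDOMAIN: flags 0x8183 = QR, RD, RA, rcode 3. What a blocking dnsmasq sends.
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
# 2) NOERROR with one A record (192.0.2.1): what an unfiltered upstream sends.
NOERROR_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                 + b"\xc0\x0c"                          # pointer to the question name
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                 + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print("blocking-style reply:", canary_verdict(NXDOMAIN_REPLY))
    print("open-style reply    :", canary_verdict(NOERROR_REPLY))
    # To test a real router: print(query_live("192.168.1.1"))  # assumed LAN IP
```

Running query_live() against the router with the option on should print doh-blocked; against 1.1.1.1 directly it should print doh-allowed, which is also why the canary only influences Firefox's automatic enrollment and not a DoH server you configure by hand in the browser.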

dave14305

Part of the Furniture
The Cloudflare help page doesn’t work when DNSSEC is enabled. Test again with DNSSEC disabled.
 

GoldenSW

New Around Here
"Prevent client auto DoH" should be Yes. Browsers (at least so far) have agreed to check this setting in DNSMasq, and if enabled, NOT use DoH within the browser and bypass your settings in DNSMasq. Not unless you've already disabled DoH in the browser itself.
I want my browser to take priority though. I want TLS used everywhere else except the browser.

The Cloudflare help page doesn’t work when DNSSEC is enabled. Test again with DNSSEC disabled.
It does seem to change the results. Even so, this page seems very unreliable... If I run the test a few times with no changes on my part, sometimes it says I'm connected to 1.1.1.1, other times it says I'm not lol
So basically there's nothing wrong with my initial config but just the test not working as it should?
 

dave14305

Part of the Furniture
So basically there's nothing wrong with my initial config but just the test not working as it should?
Looks good to me. Do you have DNSFilter enabled at all?
 

GoldenSW

New Around Here
Looks good to me. Do you have DNSFilter enabled at all?
I don't. I've been doing some reading on this topic and from what I understood letting the router handle all the DNS queries can be beneficial for performance since it can cache relevant information, as opposed to letting Firefox use DoH which I assume has to contact the server for every request?
 

heysoundude

Very Senior Member
I am unclear on what your end goal is in encrypting DNS. You trust yourself and your users, I'm assuming, and you likely trust that the internet will work. Great. Set up your own little black book, use the phone book of the internet to fill it with, and let big data and your ISP pound salt:
If you're looking to avoid big data monitoring your DNS lookups, using your own recursive caching DNS server is the way to go.
Thankfully, the kind people here have made it VERY simple: they've built/modified a script called unbound.
What that does is build your network's own DNS server, and for new/unknown/uncached queries it goes to the internet's authoritative servers, bypassing Google or Cloudflare or whomever is evaluating/observing what it is you're looking up. You basically become a peer to Google and Cloudflare in that regard... but most notably, your DNS pings are notably shorter and faster, because clients on your network only have to look as far as the router for DNS, and if it's not found, the router goes to the same source as Google and Cloudflare or your ISP (they have their own DNS server, built from tracking all their subscribers' actions).
No encryption required. The majority of my network lookups are in the 0-1 usec range. I believe non-cached lookups are averaging in the 20ms range... the average is likely in the 10-12ms neighbourhood, or faster. What's your ping time to Cloudflare?

[image: ping comparison.jpg]
^ That's raw dog pings to Cloudflare, Google and my router from my desktop. No encryption.

So, do the math: if caching DNS addys on my local network saves me 7.5ms each (or more!), AND affords me the privacy I've come to appreciate, wouldn't you agree that messing with DoH/DoT is inefficient?

unbound - This Is The Way
 
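The two designs in the post above, a fully recursive resolver versus a caching forwarder, differ by a single block of unbound configuration. The fragment below is an added illustration and is not the SNBForums unbound script; the LAN subnet, router address and file paths are assumptions, and the Cloudflare DoT addresses are Cloudflare's published ones.

```conf
# unbound.conf fragment (added illustration; not the forum's unbound script)
server:
    interface: 192.168.1.1                  # assumed router LAN address
    access-control: 192.168.1.0/24 allow    # assumed LAN subnet
    access-control: 0.0.0.0/0 refuse        # never serve the WAN side
    do-not-query-localhost: no

    # Validate answers locally instead of trusting the upstream's AD bit
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Recursive mode: with no forward-zone, unbound walks from the root hints
    root-hints: "/var/lib/unbound/root.hints"             # assumed path
    qname-minimisation: yes   # send each upstream only the labels it needs

    # Cache behaviour behind the latency numbers quoted above
    prefetch: yes             # refresh popular names before their TTL runs out
    cache-min-ttl: 0          # honour the zone's TTL; do not over-cache

    # Needed only for the forwarding variant below
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # assumed path

# Forwarding variant: keep the local cache but send misses to Cloudflare
# over DoT. Leave this commented out for the fully recursive design.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
#    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

One caveat worth weighing before choosing: recursion removes Cloudflare or Google from the picture, but the queries unbound sends to root, TLD and authoritative servers go out in plaintext, so anyone on the path (your ISP included) can still observe them. Query-name minimisation limits what each server sees to the labels it needs, and DNSSEC validation protects integrity, but neither hides the traffic. DoT to a forwarder hides it from the path and shows it to the forwarder; recursion hides it from the forwarder and shows fragments to the path.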

bbunge

Part of the Furniture
Here are some settings for CloudFlare Secure:
 

[attachment: B5B9D231-611C-48B6-9F75-6312DA32F278.jpeg]

GoldenSW

New Around Here
This is interesting and I see your point, privacy wise it's probably the best way to go then. I'll have to test it and see if it's really worth the hassle over a simple on/off GUI interface.
 
