
How to activate encrypted SNI on an Asus RT-AX88U

Discussion in 'Asuswrt-Merlin' started by prototype658, Jan 23, 2020.

  1. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Hello,

    I am having problems activating encrypted SNI on my router, an Asus RT-AX88U.
    Here is what the Cloudflare test gives me.
    Note that I must deactivate "Validate unsigned DNSSEC replies", otherwise the "Secure DNS" test on the Cloudflare site fails. I have the latest firmware, 384.14.
    Here are the router settings.

    Thank you in advance for your help.

    Test: www.cloudflare.com/cdn-cgi/trace

    sni=plaintext

    [​IMG]

    [​IMG]
     
    Last edited: Jan 23, 2020
  2. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    414
    Don't think it is possible in the router GUI; ESNI is a browser thing and only Firefox supports it atm.
    But there is a way to work around it in DNSCrypt-proxy (Firefox still needed). But DNSCrypt-proxy supports the DoH and DNSCrypt protocols (not DoT like in the router GUI).
    Here is the wiki.
    And the installer for DNSCrypt-proxy, or via amtm.
     
  3. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Thank you for that answer and the links.

    If "encrypted SNI" does not activate, are the DNS requests still encrypted or not?

    Another question: is "Sinodun" more secure than "Cloudflare" or not?
     
  4. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    414
    SNI = the desired hostname is not encrypted, so an eavesdropper can see which site/server is being requested, like your ISP, if they really look for it, that is.
    The rest is all encrypted with DoT in your case.
    Only did some quick tests with Cloudflare, and don't know anything about Sinodun.
    I use Anonymized DNSCrypt (wiki) ;) But DoT in the router GUI is good!
     
  5. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Thank you for this additional information.
    I will keep the current "DoT" configuration.
    On the other hand, why does the Cloudflare "Secure DNS" test fail if I activate "Validate unsigned DNSSEC replies"?

    [​IMG]

    [​IMG]
     
  6. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    414
    The Cloudflare test can't handle DNSSEC.
    Just ignore the test site and use Cloudflare with DNSSEC if you want.
     
    L&LD likes this.
  7. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Thank you. So it's not a configuration problem with the Asus router?

    Are the following DNS servers correct, or do you have to put another one?

    For information, if I don't put a DNS server, the configuration is not saved.

    [​IMG]
     
    dave14305 likes this.
  8. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    On the other hand, I find it strange that the DNS port is always 53 in a Wireshark capture; normally it should be 853?

    [​IMG]
     
  9. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    414
    When I tested DoT (it worked fine), I did a check with tcpdump (installed through Entware):
    Code:
    tcpdump -i eth0 -p port 853
    and
    Code:
    tcpdump -i eth0 -p port 53
     
    Last edited: Jan 23, 2020
  10. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Thank you for that answer.

    I found another way to see if it's working.

    Is DNS over TLS working correctly?

    [​IMG]
     
  11. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    414
    Looks like it ;)
     
  12. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Great, if it's good :)

    Now, is there a trick to activate SNI in Firefox?
     
    Last edited: Jan 23, 2020
  13. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    414
    Hmm, I'm not using Firefox or ESNI.
    If you enable ESNI in your Firefox browser it will also set DNS servers in Firefox; it will bypass the router DNS settings.
    The trick in the wiki I posted before was having your own server installed (inside dnscrypt-proxy) and configuring Firefox so you get sort of control back to the router.
    Firefox will create a sort of VPN through your connection to bypass the router settings.
    And ESNI isn't working very well yet, from what I understand.
    Think you should go with a VPN instead and set Accept DNS Configuration = Exclusive (all traffic and DNS through the encrypted tunnel).
     
  14. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Thanks for this solution, but I don't have the skills to install dnscrypt-proxy...

    With DNS over TLS, are my DNS queries actually still encrypted, or just more difficult to view?

    Is that still a good solution?

    It is still strange that Wireshark always sees port 53 on a DNS request. But on the Asus router, netstat displays 1.1.1.1:853, strange... I think it's good?

    I'm probably using Wireshark badly...

    Is this config screen correct for you?

    [​IMG]

    [​IMG]
     
    Last edited: Jan 23, 2020
    Butterfly Bones and dave14305 like this.
  15. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,143
    Location:
    USA
    Config looks good. DNS from LAN to Router will still be port 53. DNS from router to Cloudflare will be port 853.

    Where was this capture done? Seems like the PC.
     
  16. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    Hello, thank you for this answer. The capture was made from my PC on the LAN, yes.

    So it's normal that it is marked as port 53?

    Will my DNS requests be properly encrypted?

    Another question: "Enable DNSSEC support" fails the "Secure DNS" Cloudflare test; is it really annoying to deactivate it permanently for the test to succeed?
     
  17. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,143
    Location:
    USA
    Yes, standard DNS queries will occur between your LAN devices and the router. In theory, you trust your LAN from snooping, and most consumer devices don't support DNS-over-TLS natively.
    Yes, from the router to the Internet they will be encrypted.
    You shouldn't sacrifice DNSSEC just to pass an inherently broken test on the Cloudflare site. Ironically, Cloudflare's site uses faulty DNS names that don't pass DNSSEC validation by the router. See the earlier discussion here:
    https://community.cloudflare.com/t/is-cf-cloudflareresolve-com-is-not-a-valid-dnssec-zone/64805/3
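    To make dave14305's two-leg picture concrete, here is an added example (it is not code from this thread, from Asuswrt-Merlin or from Cloudflare). It builds a DNS query in wire format the way a stub resolver would, frames it with the 2-byte length prefix that DNS over TLS (RFC 7858) borrows from DNS over TCP, decodes the header flags that matter for the DNSSEC question (the DO request bit and the AD "validated" bit in replies), and classifies capture flows so that "LAN client -> router on 53" and "router -> 1.1.1.1 on 853" are both reported as expected while a router-originated query on port 53 stands out. The LAN addresses, the 198.51.100.53 upstream and the sample flows are constructed; `cloudflare-dns.com` as the TLS server name for 1.1.1.1:853 is an assumption of this example, and the only function that touches the network (`dot_query`) is not needed for the offline checks.

```python
# Added example, not from the thread: DNS wire format, DoT framing, header
# flags and a classifier for the capture flows discussed above.
import ipaddress
import socket
import ssl
import struct

# Constructed addresses for the example; adjust to your own LAN.
ROUTER_IP = "192.168.1.1"
LAN_NET = "192.168.1.0/24"
DOT_SERVER = ("1.1.1.1", 853)            # the upstream seen in the router's netstat
DOT_SERVER_NAME = "cloudflare-dns.com"   # assumed TLS name for that resolver


def build_dns_query(name, qtype=1, txid=0x1234, dnssec_ok=False):
    """Return a wire-format DNS query (RFC 1035); with dnssec_ok an EDNS0
    OPT record carrying the DO bit asks the resolver for DNSSEC data."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL field holds DO
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return msg


def dot_frame(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    """Decode the 12-byte header; AD=1 means the resolver validated DNSSEC."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def dot_query(name, server=DOT_SERVER, server_name=DOT_SERVER_NAME):
    """Send one query over TLS to port 853 and return the parsed reply header.
    Needs network access; not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection(server, timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(build_dns_query(name, dnssec_ok=True)))
            (length,) = struct.unpack("!H", tls.recv(2))
            data = b""
            while len(data) < length:
                chunk = tls.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("TLS stream closed mid-message")
                data += chunk
    return parse_header(data)


def classify_flow(src, sport, dst, dport, proto, router_ip=ROUTER_IP, lan_net=LAN_NET):
    """Label one DNS flow (src, sport, dst, dport, proto) from a capture summary."""
    lan = ipaddress.ip_network(lan_net)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in lan and src != router_ip and dst == router_ip and dport == 53:
        return "lan-to-router-plaintext"       # expected: router's local resolver
    if src == router_ip and dst_ip not in lan and dport == 853 and proto == "tcp":
        return "router-to-upstream-dot"        # expected: the DoT leg
    if src == router_ip and dst_ip not in lan and dport == 53:
        return "router-to-upstream-plaintext"  # unexpected once DoT is enforced
    return "other"


def find_plaintext_upstream(flows, router_ip=ROUTER_IP, lan_net=LAN_NET):
    """Return the flows that leave the router unencrypted on port 53."""
    return [f for f in flows
            if classify_flow(*f, router_ip=router_ip, lan_net=lan_net)
            == "router-to-upstream-plaintext"]


# Constructed sample flows (not a real capture): what a PC-side Wireshark
# sees (first line) versus what tcpdump on the router's WAN side would see.
SAMPLE_FLOWS = [
    ("192.168.1.10", 50112, "192.168.1.1", 53, "udp"),
    ("192.168.1.1", 41832, "1.1.1.1", 853, "tcp"),
    ("192.168.1.1", 41900, "198.51.100.53", 53, "udp"),
]

if __name__ == "__main__":
    q = build_dns_query("www.cloudflare.com", dnssec_ok=True)
    print(len(q), "byte query; TLS length prefix", dot_frame(q)[:2].hex())
    for f in SAMPLE_FLOWS:
        print(f"{f[0]}:{f[1]} -> {f[2]}:{f[3]}/{f[4]}: {classify_flow(*f)}")
```

    Run from a LAN PC, a capture will only ever show the first kind of flow, which is why Wireshark on the PC reports port 53; the 853 leg is only visible on the router itself, where `tcpdump -i eth0 -p port 853` was suggested earlier in the thread. A reply whose header has AD set is the router-independent sign that the upstream resolver validated DNSSEC for that name.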
     
  18. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    646
    This is the router's "local traffic" running on 53, not your clients'.
     
  19. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    646
    Yeah, I see what you mean. Cloudflare seems to care more about slight performance gains and would sacrifice minor security to achieve that, but there are other aspects it captures as far as security is concerned that benefit as well. When one uses Cloudflare there are a lot of trade-offs that should be considered. DNSSEC is just one extra feature that causes smoke-and-mirrors reactions. If people only knew how much DNSSEC is actually used or supported, they would ask themselves why they sacrifice the slight performance loss for this function anyway.
     
  20. prototype658

    prototype658 Occasional Visitor

    Joined:
    Jan 23, 2020
    Messages:
    12
    @dave14305
    Many thanks for your analysis and response, which helps me a lot.
    Is it therefore preferable to activate "DNSSEC support" with "Validate unsigned DNSSEC replies" even if the Cloudflare test displays this error?
    Look at the screenshot...

    @SomeWhereOverTheRainBow
    Thank you for the answer. Yes, this is normal according to @dave14305, but external requests are apparently properly encrypted.


    [​IMG]

    [​IMG]
    [​IMG]

    [​IMG]