How to activate encrypted SNI on an Asus RT-AX88U

prototype658
Hello,

I am having problems activating encrypted SNI on my Asus RT-AX88U router.
Here is what the Cloudflare test gives me.
Note that I must deactivate "Validate unsigned DNSSEC replies", otherwise the "Secure DNS" test on the Cloudflare site fails. I have the latest firmware, 384.14.
Here are the router settings.

Thank you in advance for your help.

Test: www.cloudflare.com/cdn-cgi/trace

sni=plaintext

I don't think it is possible in the router GUI; ESNI is a browser thing and only Firefox supports it at the moment.
But there is a way to work around it in DNSCrypt-proxy (Firefox still needed). Note that DNSCrypt-proxy supports the DoH and DNSCrypt protocols (not DoT like in the router GUI).
Here is the wiki.
And the installer for DNSCrypt-proxy, or via amtm.
 
Thank you for that answer and the links.

If "encrypted SNI" does not activate, are the DNS requests still encrypted or not?

Another question: is "Sinodun" more secure than "Cloudflare" or not?
 
SNI: the desired hostname is not encrypted, so an eavesdropper can see which site/server is being requested, like your ISP, if they really look for it, that is.
The rest is all encrypted with DoT in your case.
I only did some quick tests with Cloudflare and don't know anything about Sinodun.
I use Anonymized DNSCrypt (wiki) ;) But DoT in the router GUI is good!
 
Thank you for this additional information.
I will keep the current DoT configuration.
On the other hand, why does the Cloudflare "Secure DNS" test fail if I activate "Validate unsigned DNSSEC replies"?

 
The Cloudflare test can't handle DNSSEC.
Just ignore the test site and use Cloudflare with DNSSEC if you want.
 
Thank you. So it's not a configuration problem with the Asus router?

Are the following DNS servers correct, or do you have to put another one?

For information, if I don't put a DNS server, the configuration is not saved.

 
On the other hand, I find it strange that the DNS port is always 53 in a Wireshark capture; normally it should be 853?

 
When I tested DoT (it worked fine),
I did a check with tcpdump (installed through Entware):
Code:
tcpdump -i eth0 -p port 853
and
Code:
tcpdump -i eth0 -p port 53
 
Thank you for that answer.

I found another way to see if it's working.

Is DNS over TLS working correctly?

 
Looks like it ;)
 
Great, if it's good :)

Now, is there a trick to activate SNI in Firefox?
 
Hmm, I'm not using Firefox or ESNI.
If you enable ESNI in your Firefox browser it will also set DNS servers in Firefox; it will bypass the router DNS settings.
The trick in the wiki I posted before was having your own server installed (inside dnscrypt-proxy) and configuring Firefox so you get some control back to the router.
Firefox will create a sort of VPN through your connection to bypass the router settings.
And ESNI isn't working very well yet, from what I understand.
I think you should go with a VPN instead and set Accept DNS Configuration = Exclusive (all traffic and DNS through the encrypted tunnel).
 
Thanks for this solution, but I don't have the skills to install dnscrypt-proxy...

With DNS over TLS, are my DNS queries actually still encrypted, or just more difficult to see?

Is that still a good solution?

It is still strange that Wireshark always sees port 53 on a DNS request. But on the Asus router, netstat displays 1.1.1.1:853. Strange... I think it's good?

I'm probably using Wireshark badly...

Is this config screen correct for you?

Config looks good. DNS from the LAN to the router will still be on port 53. DNS from the router to Cloudflare will be on port 853.

Where was this capture done? It seems like the PC.
 
Hello, thank you for this answer. The capture was made from my PC on the LAN, yes.

So it's normal that it shows port 53?

Will my DNS requests be properly encrypted?

Another question: "Enable DNSSEC support" fails the "Secure DNS" Cloudflare test. Is it really a problem to deactivate it permanently so that the test succeeds?
 
So it's normal that it shows port 53?
Yes, standard DNS queries will occur between your LAN devices and the router. In theory, you trust your LAN against snooping, and most consumer devices don't support DNS-over-TLS natively.
Will my DNS requests be properly encrypted?
Yes, from the router to the Internet they will be encrypted.
Another question: "Enable DNSSEC support" fails the "Secure DNS" Cloudflare test. Is it really a problem to deactivate it permanently so that the test succeeds?
You shouldn't sacrifice DNSSEC just to pass an inherently broken test on the Cloudflare site. Ironically, Cloudflare's site uses faulty DNS names that don't pass DNSSEC validation by the router. See the earlier discussion here:
https://community.cloudflare.com/t/is-cf-cloudflareresolve-com-is-not-a-valid-dnssec-zone/64805/3
 
Yeah, I see what you mean. Cloudflare seems to care more about slight performance gains and would sacrifice minor security to achieve that, but there are other aspects it captures, as far as security is concerned, that benefit as well. When one uses Cloudflare there are a lot of trade-offs that should be considered. DNSSEC is just one extra feature that causes smoke-and-mirror reactions. If people only knew how much DNSSEC is actually used or supported, they would ask themselves why they sacrifice the slight performance loss for this function anyway.
 
@dave14305
Many thanks for your analysis and response, which helps me a lot.
So it is preferable to activate "DNSSEC support" with "Validate unsigned DNSSEC replies" even if the Cloudflare test displays this error?
See the screenshot...

@SomeWhereOverTheRainBow
Thank you for the answer. Yes, this is normal according to @dave14305, but external requests are apparently properly encrypted.
