new to dns over tls

Seems I also need to turn off: Validate unsigned DNSSEC replies

https://1.1.1.1/help - showing not connected to 1.1.1.1 & no DoT
https://surfshark.com/dns-leak-test - shows "Your DNS requests are exposed!"


Asus RT-AC3100 w/ 386.1 beta 3

1) It's a glitch with the Cloudflare site. When you're done testing, turn DNSSEC on again. :)

2) Different issue. A DNS leak does not equal a DNS encryption fault.
 
Having recently reviewed as much of the seemingly endless discussions as I could find, I ended up with the following configuration, which I'm sharing in case it might be of assistance to OP or anyone else. I make no warranties that my choices are the best choices and welcome suggestions.

  1. In the webui go to WAN / Internet Connection / WAN DNS Setting
  2. Set Connect to DNS Server automatically to No. (When using DoT this setting governs what happens in case your selected DoT DNS server doesn't load correctly. Setting it to Yes means that your router will start off with your ISP's DNS server before the router loads your selected DoT server. Setting it to No means that your router will start off with whatever fallback DNS server you select.)
  3. At DNS Server1, enter 1.1.1.1. (As most will recognize, this is for Cloudflare. I chose it because I personally choose to assiduously avoid using my ISP's DNS server for any purpose, even the time check at router startup.)
  4. At DNS Server2, enter 1.0.0.1. (This is Cloudflare's secondary address.)
  5. Set Forward local domain queries to upstream DNS to No. (Whether it's your ISP's DNS server, Cloudflare or whatever, the upstream DNS doesn't know your local network map.)
  6. Set Enable DNS Rebind protection to Yes. (Doing so helps to defend against possible cross-scripting attacks.)
  7. Set Enable DNSSEC support to Yes. (@RMerlin recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
  8. Set Validate unsigned DNSSEC replies to Yes. (@RMerlin also recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
  9. Set Prevent client auto DoH to Auto.
  10. At DNS Privacy Protocol, select DNS-over-TLS (DoT).
  11. At DNS-over-TLS Profile, select Strict.
  12. At Preset servers, select your preferred DNS service. I went with Quad9's 9.9.9.9 and 149.112.112.112 because I prefer Quad9 and like its filtering of malicious websites. (If you choose 2 different services, such as Quad9 and Cloudflare, the router will alternate between the two, rather than using one as primary and another as backup).
  13. Hit Apply.
Thanks to @themiron and @RMerlin for implementing DoT. Thanks to all for alpha and beta testing this feature and for your earlier comments on configuration options.

Once again, this is just what I've chosen based on my judgments of what I've read on this forum. Exercise your own judgment. Good luck!

[1/24/20 edit] Added thanks to @themiron, who developed DoT in Merlin almost entirely himself.
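The steps above are all set through the web UI, so there is no way on the page to confirm what they actually produce. The script below is an added example (not code from the post above or from Asuswrt-Merlin): it audits dnsmasq and stubby configuration fragments for the outcome of steps 6, 7, 8 and 11. It assumes, and these are assumptions rather than anything the post states, that Merlin writes the router's dnsmasq options to /etc/dnsmasq.conf and stubby's to /etc/stubby/stubby.yml, that stubby listens on 127.0.1.1:53 so dnsmasq needs a `server=127.0.1.1` line, and that the "Strict" profile corresponds to stubby's `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` (the "Opportunistic" profile to `GETDNS_AUTHENTICATION_NONE`). The sample config files it writes are constructed for the demonstration, not captured from a router; the file paths are arguments so you can point the same functions at the real files over SSH.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Asuswrt-Merlin.
# Audits dnsmasq and stubby config fragments for the settings the post
# recommends. Assumptions (not stated on the page): Merlin emits dnsmasq
# directives to /etc/dnsmasq.conf and stubby's to /etc/stubby/stubby.yml,
# stubby listens on 127.0.1.1:53, and the "Strict" DoT profile maps to
# tls_authentication: GETDNS_AUTHENTICATION_REQUIRED in stubby.yml.

# DoT profile implied by a stubby.yml: strict, opportunistic or unknown.
stubby_profile() {
    if grep -q 'GETDNS_AUTHENTICATION_REQUIRED' "$1"; then echo strict
    elif grep -q 'GETDNS_AUTHENTICATION_NONE' "$1"; then echo opportunistic
    else echo unknown
    fi
}

# Space-separated list of expected dnsmasq directives absent from the file.
# server=127.0.1.1 : every lookup is handed to stubby, nothing goes out on
#                    plaintext port 53 (a trailing "#53" port suffix is accepted)
# dnssec, dnssec-check-unsigned : steps 7 and 8
# stop-dns-rebind : step 6
# Empty output means the file has all of them.
dnsmasq_missing() {
    missing=""
    for opt in 'server=127.0.1.1' dnssec dnssec-check-unsigned stop-dns-rebind; do
        grep -qE "^${opt}(#[0-9]+)?\$" "$1" || missing="$missing $opt"
    done
    echo "${missing# }"
}

# Overall verdict: "ok" only when DoT is strict and no directive is missing.
dns_privacy_verdict() {
    prof=$(stubby_profile "$2")
    miss=$(dnsmasq_missing "$1")
    if [ "$prof" = strict ] && [ -z "$miss" ]; then echo ok
    else echo "weak: profile=$prof missing=[$miss]"
    fi
}

# Constructed sample configs (not captured from a router), written into $1.
# weak.*   : opportunistic DoT, DNSSEC off, dnsmasq still talking plaintext to 1.1.1.1
# strong.* : the configuration the post's steps are meant to produce
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server=1.1.1.1
stop-dns-rebind
EOF
    cat > "$1/weak.yml" <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
  - 127.0.1.1@53
EOF
    cat > "$1/strong.conf" <<'EOF'
server=127.0.1.1
dnssec
dnssec-check-unsigned
stop-dns-rebind
EOF
    cat > "$1/strong.yml" <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.1.1@53
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "weak:   $(dns_privacy_verdict "$SAMPLES/weak.conf" "$SAMPLES/weak.yml")"
echo "strong: $(dns_privacy_verdict "$SAMPLES/strong.conf" "$SAMPLES/strong.yml")"
```

On a router you would run `dns_privacy_verdict /etc/dnsmasq.conf /etc/stubby/stubby.yml` after hitting Apply; the verdict line names the exact directive or profile that is off, which is more useful than a browser test page that only reports "exposed" or "not connected".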
Great advice and write-up! Thank you for taking the time to write this up. I'm going to integrate it with the AdGuard DNS.