Why DNS over TLS is so important, and if you are not using it you should be

[HappyJuicy]

I highly recommand ControlD owned by windscribe https://controld.com/free-dns/ or Mullvad DNS

 

[anotherengineer]

Interesting stuff

I'm guessing CIRA does not have DNS over TLS?

Free DNS Servers | CIRA

Canadian Shield is a free DNS firewall service provided by CIRA that protects your devices from malware, phishing, and other cyber threats. Learn how Canadian Shield can help keep you safe online and get started today.

www.cira.ca

DNSSEC: Securing the domain name system – CIRA

 

[Treadler]

Interesting stuff

I'm guessing CIRA does not have DNS over TLS?

Free DNS Servers | CIRA

Canadian Shield is a free DNS firewall service provided by CIRA that protects your devices from malware, phishing, and other cyber threats. Learn how Canadian Shield can help keep you safe online and get started today.

www.cira.ca

DNSSEC: Securing the domain name system – CIRA

It certainly does.

 

[drinkingbird]

What's the word for when you're so worried about a fairly insignificant thing but completely ignoring the much bigger threats?

 

[Swistheater]

My stubby.postconf to change roundrobin and enable DNSSEC in Stubby:

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" $CONFIG
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

Note: if you enable DNSSEC this way in Stubby do not enable it in the GUI.

Correct, If you do enable dnssec in the GUI and in stubby, do not enable validate unsigned replies because this will create a DNS problem where dnsmasq tries to validate the already validated replies. DNSmasq will create a query loop where it will keep tripping on the same request refusing to resolve any other request until the loop is broken. If you want DNSMASQ to cache the validated replies all you need to do is enable dnssec, but leave validate unsigned replies unchecked!. Another method is to use proxy-dnssec using dnsmasq.conf.add or dnsmasq.postconf. however this type of response will not be cached like using dnssec with validate unsigned replies unchecked!.

 

[Treadler]

I hear you.
I will experiment, Quad9 DoT, only selecting one server. Round robin out of the equation then?

No improvement seen, just specifying one resolver with Quad9.
Reverted to DoT using Cleanbrowsing Security. All good now…..

 

[learning_curve]

What's the word for when you're so worried about a fairly insignificant thing but completely ignoring the much bigger threats?

It's a phrase: "...being overly concerned about the ambience of the deck chair layout in 1st Class, whilst ignoring the Iceberg, that's dead ahead..." Titanic 15/4/1912

 

[Paliv]

I highly recommand ControlD owned by windscribe https://controld.com/free-dns/ or Mullvad DNS

ControlD is good if you pay for it and can whitelist things. Their free adblocking DNS breaks a lot of services.

 

[bbunge]

No improvement seen, just specifying one resolver with Quad9.
Reverted to DoT using Cleanbrowsing Security. All good now…..

My problems with Quad9 were caused by my ISP. Via anycast they routed Quad9 to servers 1000 miles away while Cloudflare servers are 100 miles away. And Quad9 also has servers in the same center as Cloudflare!
For now I am using Cloudflare Security over DoT with DNSSEC.

 

[heysoundude]

This is *exactly* why you would want to configure a whole-home VPN and route all your local traffic through it... using Quad9 or whatever DoH/DoT services you need to, to keep your queries safe from prying ISP eyes. Keep whatever is going over your WAN traffic to an absolute minimum. Ever since the FCC changed the rules here in the US, I have done my part in preventing our ISPs from intercepting our traffic for their particular purposes. Shameless plug for VPNMON-R2, which even takes it a step beyond and keeps them guessing through massive randomization of endpoints within your country or multiple countries. You've definitely hit my hot button with this one.

I'm liking what @ZebMcKayhan is doing with WireGuard and @Martineau has done by bringing us unbound.
unbound just inside WireGuard and in front of NPT (I would LOOOOOVE to see NPT replace NAT) would be my ideal, or closest to it
scanning the QR code to connect to wifi also launches the WG connection between your device and the "home server" of your router...
it's coming...and the people around here who code may beat the Asus team to the punch (and show them the way)

 

[anotherengineer]

P

What's the word for when you're so worried about a fairly insignificant thing but completely ignoring the much bigger threats?

Paranoia or tunnel vision? Lol

i personally don’t have any add ons. Stock merlin and stock settings and basic open dns in the wan.

always trying to learn more and get the best bang for effort though as I am not an expert in routers or cyber security.

 

[ZebMcKayhan]

unbound just inside WireGuard and in front of NPT (I would LOOOOOVE to see NPT replace NAT) would be my ideal, or closest to it

While NPT is a really brilliant thing it does not provide any privacy. Besides it is not compatible with conntrack, would you trade your stateful firewall for NPT?

But its a shame and I agree that I would want NPT as well but we will have to settle for NETMAP (if/when it gets included in firmware), which is not quite as lean and neat but much easier to use.

Most Wireguard providers are still handing out single ips though so one could only hope in a distant future maybe.

 

[HappyJuicy]

ControlD is good if you pay for it and can whitelist things. Their free adblocking DNS breaks a lot of services.

You can use there DNS with no blacklist

 

[Morris]

Sorry to hear that, @Morris... it's just that in the years I've been using DoT, I haven't had a single issue. It's only as stable as the DoT servers you select.

And that's probably the issue. In my case it AdGuard DNS. The servers stayed up yet would stop answering my DNS queries when using DoT. Very strange as they would answer from another device.

 

[Paliv]

You can use there DNS with no blacklist

And it’s the slowest one I’ve ever tried. Not worth the hit if it’s not doing anything. Probably just my location/ISP routing.

 

[SomeWhereOverTheRainBow]

While NPT is a really brilliant thing it does not provide any privacy. Besides it is not compatible with conntrack, would you trade your stateful firewall for NPT?

But its a shame and I agree that I would want NPT as well but we will have to settle for NETMAP (if/when it gets included in firmware), which is not quite as lean and neat but much easier to use.

Most Wireguard providers are still handing out single ips though so one could only hope in a distant future maybe.

I wish they could just go crazy and upgrade all kernels and run nftables.

 

[Smokey613]

DoT on Asus routers has not been reliable for me. I use the NextDNS client and it works great.

 

[SomeWhereOverTheRainBow]

DoT on Asus routers has not been reliable for me. I use the NextDNS client and it works great.

Nothing against nextdns because they are providing a great service for those with limited means to do such, but I have yet to find a reason to switch to something I can do myself for free (with troubleshooting not required). However, I think they are doing a great job with how far they have come for the subset they service.

 

[Morris]

DoT on Asus routers has not been reliable for me. I use the NextDNS client and it works great.

Thank you for coming forward. I'm not alone. Do you recall the DNS servers you were using when you had the issues?

 

[SomeWhereOverTheRainBow]

Thank you for coming forward. I'm not alone. Do you recall the DNS servers you were using when you had the issues?

IIRC he was trying to use NextDNS on the routers DoT platform. However, He soon discovered a brick wall. i.e. Nextdns secondary DNS servers are not friendly to round robin queries done by Stubby. You have to completely disable round robin queries with stubby in order to use NextDNS, otherwise queries to the secondary DNS servers will quickly reach ratelimits. NextDNS developers designed NextDNS to "promote" the DoH concept which is what their client uses. however they do provide subpar DoT servers.