Why DNS over TLS is so important, and if you are not using it you should be

rexbinary

Occasional Visitor
Do you trust the person that runs the relay not to keep logs?

Like I said, there's no valid reason to run DNSCrypt when DoT is present.

If one is going down the dark web, it's a good way to get attention, and like I mentioned, even with a proxy, DNSCrypt is easily detected and defeated. Same goes with Tor...
I do trust Quad9. I don't believe DoT is any more "battle-tested" than DNSCrypt, and DoT can be blocked just as easily. While DNSCrypt is my preference and recommendation, I'd rather someone run DoT or DoH than nothing.

Zastoff

Very Senior Member
What you believe has little bearing on reality...

It's your network, do what you want - I'd rather run my network on facts rather than faith in a non-standard implementation of DNS security
Still awaiting the actual facts on a comparison for the available encrypted DNS protocols?
What is known is that DoH and DoT provide more information than needed to the server about the device used than regular dns/dnscrypt.
Session tickets/tracking are also needed for DoH/DoT; they are reused over a period of time to speed things up, as it takes some time/CPU power to create new tickets/sessions (this also fingerprints devices).
The encrypted dns protocols try to protect from mitm/eavesdropping and so on. Tools seem to be available to extract information even from TLS 1.3 sessions for those that may know how to.
When I searched on the subject I found no evidence/tests that say one protocol is better than the other.
We have them all available, so I see no right or wrong alternative, until we see some real facts or actual tests by impartial security experts.
Another option is unbound manager and being your own dns server (not encrypted) instead, and avoiding public dns servers.

Treadler

Very Senior Member
The authoritative dns servers are ‘public’ too though, if you think about it?:oops:
A matter of who you’re going to trust I guess…….

Zastoff

Very Senior Member
The authoritative dns servers are ‘public’ too though, if you think about it?:oops:
A matter of who you’re going to trust I guess…….
Indeed the authoritative/root servers used by unbound are sort of public also, I guess, but the advantage in that case is that unbound only uses them rarely, from what I understand.
(Hope someone corrects me if I am wrong on how unbound works/behaves, as my knowledge is limited.)
None of the dns solutions are perfect regarding security/privacy, and the trust part is for every user to decide,
or ignore it and use isp/regular dns servers. Some browsers override dns by default, and some manufacturers hardcode dns into your devices.

Lost Dog

Regular Contributor
I recommend using unbound and configure it to do DoT with Quad9.
For what reason? This is from the Unbound thread:

Q. Does unbound support DoT
A.
@dave14305 replied: "unbound does not use any encrypted traffic as a 'recursive resolver'. It can’t make 'recursive queries' using encryption. You can reconfigure unbound to become a forwarder (like dnsmasq and Stubby) and use DoT, but what’s the value of unbound then as just another forwarder? when dnsmasq+Stubby already do that well enough."

It seems that having unbound configured with DoT negates the value of using unbound.

Zastoff

Very Senior Member
For what reason? This is from the Unbound thread:

It seems that having unbound configured with DoT negates the value of using unbound.
I have read the same (my knowledge with unbound is limited), but doesn't unbound manager include an ad-block and some kind of dns-firewall? Maybe that's why he likes and recommends it.

Mogsy

Regular Contributor
Running nextdns DoT + Diversion was not a good experience for me. These big names don't like DoT, do they?

[screenshot not included]

I was trying DNS Filter for some IoT devices with Quad9 and Cleanbrowsing and got "threat intelligence feeds" hits. This is Cleanbrowsing's cdn/dns, right? And it didn't forward local queries to upstream dns.

[screenshot not included]

Wan connection was broken. Had to swap to the ISP (CGNAT) router to restore the connection. Once I get my iptables sorted, I'll pick another DoT provider or maybe try dnscrypt.

Mogsy

Regular Contributor
What ISP?

cgnat shouldn't change anything
Not sure. Nothing odd in the logs. Just that the wan connection was broken. Rebooted, waited, nothing happened. Switched it off, still the same. Had to plug it into the ISP router, then the connection was back within seconds.
Btw this is not my ISP, I just brought my router here to troubleshoot/experiment with some things. Will post findings/help request in my old thread. Currently trying AdGuard TLS. Didn't know I have a Beta acc. Oh, the ISP is Hyperoptic UK. Their ZTE router lan dns suffix was mynet with WPAD.

Ubimo

Senior Member
For what reason? This is from the Unbound thread:

It seems that having unbound configured with DoT negates the value of using unbound.
Do I understand this in the right manner?
If you use Unbound with DoT, unbound gets the requests encrypted from e.g. Quad9 instead of unencrypted from the authoritative servers. However, Unbound still caches my DNS queries and my queries are answered by the router on which Unbound is running.
So I have the advantage that my DNS requests are encrypted and Unbound still caches my DNS requests. (~1ms response time)

If I wouldn't use unbound, my DNS queries would be forwarded every time to my DNS server. (~20ms response time)

Treadler

Very Senior Member
Do I understand this in the right manner?
If you use Unbound with DoT, unbound gets the requests encrypted from e.g. Quad9 instead of unencrypted from the authoritative servers. However, Unbound still caches my DNS queries and my queries are answered by the router on which Unbound is running.
So I have the advantage that my DNS requests are encrypted and Unbound still caches my DNS requests. (~1ms response time)

If I wouldn't use unbound, my DNS queries would be forwarded every time to my DNS server. (~20ms response time)
Without Unbound, the router's inbuilt dnsmasq does the caching/forwarding.

Unbound used as a caching/forwarder, using DoT to a recursive resolver (Quad9 say), is just replacing the job already done by dnsmasq. Redundant really.

However, Unbound used as a caching/recursive resolver removes the public resolver from the equation, no DoT, unencrypted to the authoritatives. A different scenario.

You makes your choice……..:)

Ubimo

Senior Member
Aha, thanks, I did not know that dnsmasq is also caching my DNS requests.
Can I also see somewhere the cache hits and misses of dnsmasq?

Treadler

Very Senior Member
Aha, thanks, I did not know that dnsmasq is also caching my DNS requests.
Can I also see somewhere the cache hits and misses of dnsmasq?
I think it's possible; someone with more knowledge than me may show the way.

dave14305

Part of the Furniture
Can I also see somewhere the cache hits and misses of dnsmasq?
Close enough:
Bash:
kill -SIGUSR1 $(pidof dnsmasq); grep answered /tmp/syslog.log

dave14305

Part of the Furniture
Thanks, but this command does not work on my side:

Code:
[email protected]:/tmp/home/root# kill -SIGUSR1 $(3413); grep answered /tmp/syslog.log
-sh: 3413: not found
kill: you need to specify whom to kill
[email protected]:/tmp/home/root#
3413 is the pid of dnsmasq --log-async
Replace $(pidof dnsmasq) with just the pid. The command was written to find the pid for you.
Code:
kill -SIGUSR1 3413; grep answered /tmp/syslog.log

Ubimo

Senior Member
OK, thanks. When I entered this command, nothing happened. Nothing showed up in syslog. htop shows that dnsmasq is still running.
What should happen when this is executed?

dave14305

Part of the Furniture
OK, thanks. When I entered this command, nothing happened. Nothing showed up in syslog. htop shows that dnsmasq is still running.
What should happen when this is executed?
Code:
Jun 19 09:50:21 dnsmasq[29241]: queries forwarded 3711, queries answered locally 397
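To turn that syslog line into a cache hit ratio, here is an added example script (not from the thread or from dnsmasq itself) that parses the "queries forwarded N, queries answered locally M" counters dnsmasq logs on SIGUSR1; it assumes the busybox sh/awk found on Asuswrt-Merlin routers and, in live mode, the /tmp/syslog.log path used above.

```shell
#!/bin/sh
# Added example: report dnsmasq cache effectiveness from its SIGUSR1 stats line.
# dnsmasq answers "locally" from its cache (and hosts files); "forwarded" means
# the query went upstream (e.g. to Stubby/DoT), so locally/(forwarded+locally)
# is the cache hit ratio. Integer arithmetic only, since busybox sh lacks floats.

# Read syslog text on stdin, take the LAST stats line, print:
#   "<forwarded> <answered_locally> <hit_percent>"
dnsmasq_cache_stats() {
    grep 'queries forwarded' | tail -n 1 | awk '{
        for (i = 1; i <= NF; i++) {
            # awk converts "3711," to 3711, so the trailing comma is harmless
            if ($i == "forwarded") fwd = $(i + 1) + 0
            if ($i == "locally")   loc = $(i + 1) + 0
        }
        total = fwd + loc
        pct = (total > 0) ? int(100 * loc / total) : 0
        print fwd, loc, pct
    }'
}

# Offline check against the exact line quoted in the thread (embedded here so
# the script runs without a router): 397 / (3711 + 397) -> 9% cache hits.
SAMPLE_LOG='Jun 19 09:50:21 dnsmasq[29241]: queries forwarded 3711, queries answered locally 397'

sample_stats() {
    printf '%s\n' "$SAMPLE_LOG" | dnsmasq_cache_stats
}

# Live mode on the router: ask dnsmasq to dump its counters, then parse them.
# Only runs when invoked as "./script --live" so the offline check stays safe.
if [ "${1:-}" = "--live" ]; then
    kill -SIGUSR1 "$(pidof dnsmasq)"   # dnsmasq logs its stats on SIGUSR1
    sleep 1                             # give the log writer a moment
    dnsmasq_cache_stats < /tmp/syslog.log
else
    sample_stats
fi
```

A low hit percentage like the 9% in the quoted line usually just means the cache size or the upstream TTLs are small, not that caching is broken.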