"DNS over TLS" or "DNS over HTTPS"

Handyone
DD-WRT User


Joined: 18 Sep 2014
Posts: 154

Posted: Sun Apr 15, 2018 5:21    Post subject: "DNS over TLS" or "DNS over HTTPS"
Is it possible to use either DNS over TLS or DNS over HTTPS, which are supported by the new Cloudflare DNS service?
If so, how to set up DD-WRT for it?

I found this guide on how to set up "DNS-Over-TLS" for LEDE:
https://blog.cloudflare.com/dns-over-tls-for-openwrt
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Sun Apr 15, 2018 7:08
Well... I guess in DD-WRT if you remove DNSmasq it will be a mess..

Honestly, I do want to know the same thing: how to take advantage of the 1.1.1.1 TLS or HTTPS options on a DD-WRT router..
So far on the high grade DD-WRT routers I do have DNScrypt, but on lower grade routers there is nothing like...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Handyone
DD-WRT User


Joined: 18 Sep 2014
Posts: 154

Posted: Sun Apr 15, 2018 8:07
Alozaros wrote:
Well... I guess in DD-WRT if you remove DNSmasq it will be a mess..

Honestly, I do want to know the same thing: how to take advantage of the 1.1.1.1 TLS or HTTPS options on a DD-WRT router..
So far on the high grade DD-WRT routers I do have DNScrypt, but on lower grade routers there is nothing like...


Cloudflare DNS is the fastest DNS service available right now and it doesn't support DNSCrypt, only DNS over TLS and DNS over HTTPS.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Sun Apr 15, 2018 10:18
Naah, DNScrypt is a different DNS resolving technique than DoT or DoH, where DNS requests are encrypted from the router side to the DNScrypt resolver... and the returned answer is encrypted too..
DNScrypt resolvers have an encryption key exchange with the router side, and the one I use has DNSSEC support too, which is a kind of secure verification too...
I do not use ISP DNS services and I prefer DNScrypt resolvers... if possible...
1.1.1.1 is not the fastest DNS resolver everywhere, but yes, it has some speed; they also keep some data for statistical use only too...
I also use 9.9.9.9 or 1.1.1.1 on my lower flash RAM routers ;)



Last edited by Alozaros on Thu Sep 05, 2019 16:59; edited 1 time in total
Handyone
DD-WRT User


Joined: 18 Sep 2014
Posts: 154

Posted: Sun Apr 15, 2018 11:50
Alozaros wrote:
Naah, DNScrypt is a different DNS resolving technique, where DNS requests are encrypted from the router side to the DNScrypt resolver..

DNScrypt resolvers have an encryption key, and the one I choose has DNSSEC support too, which is a kind of encryption too...
I do not use ISP DNS services and I prefer DNScrypt resolvers... if possible
1.1.1.1 is not the fastest DNS resolver everywhere, but yes, it has some speed; they also keep some data too...
I also use 9.9.9.9 or 1.1.1.1 on my lower flash RAM routers ;)


I didn't say they are the same, just that it's not supported by CloudFlare.



In addition, the maintainer of DNSCrypt stopped supporting it, closed the repository on GitHub and put the domain on sale.
The repository has already been cloned and is now maintained by Dyne and they do not plan to add any new features, so DNSCrypt is abandoned in favor of the "DNS over TLS" standard.
Unlike DNSCrypt, "DNS over TLS" has an RFC standard and this is actually a serious advantage. With standardization, operating system manufacturers can provide implementations in every platform, and in fact, it's already in progress on Android.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Sun Apr 15, 2018 22:19
I guess DNSCrypt is still supported, but by a different developer

https://dnscrypt.info
https://github.com/jedisct1/dnscrypt-proxy/releases

2.0.9 came out 5 days ago...

rawd
DD-WRT User


Joined: 06 Jan 2014
Posts: 173

Posted: Tue Apr 17, 2018 2:23
I picked up a Raspberry Pi, installed Pi-hole and followed this guide to configure Cloudflare DNS over HTTPS. Working great and a snap to set up.

https://bendews.com/posts/implement-dns-over-https/

_________________
R7800 AP WDS - OpenWrt SNAPSHOT r16941
R7800 Client WDS - OpenWrt SNAPSHOT r16941
R7000 CB - r46949 std
PiHole v5.3.1 - dnscrypt-proxy 2.0.45 - RPi 3 B+
Synology DS220+ - DSM 7 RC
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Tue Apr 17, 2018 21:50
Well, if UNBOUND was working it would be easy to run DNS via TLS...
The other option is Stubby https://getdnsapi.net/blog/dns-privacy-daemon-stubby/
or via DNSmasq

It would be great if DNS over TLS were implemented as an easy-to-configure feature via the DD-WRT GUI

more to read
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients

some DNS via HTTPS
https://github.com/aarond10/https_dns_proxy

eturk
DD-WRT Novice


Joined: 02 Mar 2018
Posts: 9

Posted: Wed Oct 31, 2018 20:48
any progress on DNS-over-TLS?
would like to use it with 1.1.1.1 Cloudflare DNS
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Thu Nov 01, 2018 12:34
eturk wrote:
any progress on DNS-over-TLS?
would like to use it with 1.1.1.1 Cloudflare DNS


Yep, it will be cool to see it on router level...
So far I have DNSCrypt & DNSSEC on my high grade DD-WRT routers only.
On my low grade routers I just use the 9.9.9.9 or 1.1.1.1 DNS resolvers, and in my Advanced DNSmasq:

domain-needed
bogus-priv
no-resolv
server=9.9.9.9
server=149.112.112.9
no-negcache

and use Firefox settings to use DNS over HTTPS from here
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/

Also I use this Ffx resolver https://dns9.quad9.net/dns-query
as I use 9.9.9.9 in my DNSmasq and it supports DoH ;)

Sigals
DD-WRT Novice


Joined: 09 Nov 2018
Posts: 12

Posted: Fri Nov 09, 2018 20:59
I've been trying to get stubby working through opkg with not much luck so far.

I created an issue on their GitHub.

https://github.com/getdnsapi/getdns/issues/409
dareino
DD-WRT User


Joined: 06 Apr 2018
Posts: 70

Posted: Fri Nov 09, 2018 23:34
I'm running Firefox w/built-in DNS over HTTPS. They are working in conjunction with Cloudflare!....
I lost interest in FF years ago but now it rocks!.. it's my main browser. There are links to set up FF w/DoH, just google it. Right now it's basically in testing phase but it's working fine!
d
dareino
DD-WRT User


Joined: 06 Apr 2018
Posts: 70

Posted: Sat Nov 10, 2018 0:11
d0ug wrote:
Alozaros wrote:
Naah, DNScrypt is a different DNS resolving technique, where DNS requests are encrypted from the router side to the DNScrypt resolver..

DNScrypt resolvers have an encryption key, and the one I choose has DNSSEC support too, which is a kind of encryption too...
I do not use ISP DNS services and I prefer DNScrypt resolvers... if possible
1.1.1.1 is not the fastest DNS resolver everywhere, but yes, it has some speed; they also keep some data too...
I also use 9.9.9.9 or 1.1.1.1 on my lower flash RAM routers ;)


I wouldn't trust cloudflare at all. There has to be some catch to them providing those services for free for the most part. They are in the perfect position to be able to MITM all traffic "protected" by their cloudflare services. They are either harvesting data to sell off to the highest bidder to pay for these services, or are being funded by if not a front of some of the 3 letter govt agencies to get access to MITM traffic.


The service is free for users but they charge corporations for their services. They also have an auditor that confirms all queries are deleted after 24hrs. Ya, you can take that with a grain of salt but you have to trust someone...cough..google...cough

d
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Sat Nov 10, 2018 0:20
Among 8.8.8.8, 1.1.1.1 and 9.9.9.9 I choose Quad9; I Wiresharked all of them,
but yep, you have to choose who to trust and I don't trust GGl at all, especially Chrome.
Otherwise on my high grade routers I use DNScrypt instead

Sigals
DD-WRT Novice


Joined: 09 Nov 2018
Posts: 12

Posted: Sat Nov 10, 2018 16:09
I managed to get this working using unbound from opkg and pointing dnsmasq at it to handle the queries.
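
A sketch of the unbound-plus-dnsmasq arrangement mentioned above, added here as an example; it is not Sigals' configuration and not part of the original thread. dnsmasq keeps answering the LAN and forwards every query to a local unbound, which sends it upstream over TLS on port 853. Assumed: Entware-style /opt paths, the local port 5335, the secondary address 1.0.0.1, and an unbound build recent enough to support tls-cert-bundle.

```conf
# ---- /opt/etc/unbound/unbound.conf (path assumed for an opkg install) ----
server:
    # Listen on loopback only; dnsmasq is the sole client.
    interface: 127.0.0.1
    port: 5335                          # arbitrary local port chosen for this example
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to validate the upstream certificate. Without it unbound
    # still encrypts, but the names after '#' below are not checked, so the
    # resolver is not authenticated and an on-path host could impersonate it.
    tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"   # path assumed
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes           # DNS over TLS for every forward-addr
    # Format: <ip>@<port>#<name expected in the TLS certificate>
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Quad9 equivalent: 9.9.9.9@853#dns.quad9.net

# ---- dnsmasq options (the field Alozaros calls "Advanced DNSmasq") ----
# Plain-DNS form from the earlier post, readable on the WAN link:
#   server=9.9.9.9
#   server=149.112.112.9
# Forwarding form: hand every query to the local unbound instead.
domain-needed
bogus-priv
no-resolv
server=127.0.0.1#5335
```

To check the result, query unbound directly with `dig @127.0.0.1 -p 5335 example.com` and capture on the WAN interface: DNS should leave only as TLS to port 853, with nothing on port 53.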
