Double NAT issue?

DD-WRT Forum Index -> Advanced Networking
blonde
DD-WRT Novice


Joined: 06 Sep 2019
Posts: 24

Posted: Wed Oct 16, 2019 11:52    Post subject: Double NAT issue?
Hiya,


I have an ISP modem+router and a DD-WRT router. I'm wondering, as I see the local network IP (192.168.1.x) that the ISP modem assigned to the DD-WRT router, and in the DD-WRT router I see the WAN IP as the same 192.168.1.x, while my DD-WRT router's web UI is accessible at 192.168.y.1. I run a first LAN cable out of the ISP's modem+router to the WAN port of the DD-WRT router, and I'm connecting my laptop to the LAN ports of the DD-WRT router. But I also have internet on the LAN ports of the ISP's modem+router. Under these circumstances I believe I'm on double NAT:
1) What's wrong with having a double NAT?
2) Does my speed decrease if I have double NAT?
3) If I remove the double NAT, what will I gain?
4) Shall I remove the double NAT and enable remote access in the management section of DD-WRT to be able to access the DD-WRT web UI, or any other method of remote access? And while I'm on double NAT, I can't access my DD-WRT router remotely? (In case I need to restart it if the VPN glitches?)
5) I changed the 'connection type' in the ISP's modem+router from DHCP to PPP and clicked 'Apply', but still, when I restart the DD-WRT router, I don't get a public IP as my WAN IP. Also, if I turn the ISP's modem+router off and on again, this connection-type setting reverts back to DHCP. Am I doing something wrong that I don't get the results?
6) Shall I remove this double NAT or not, as I believe I have double NAT? What are the pros/cons of this double NAT?
7) As I think the ISP has admin access to the modem+router they provided, I want to replace it. What do you think about the TP-Link TD-W9960 or TP-Link TD-W9970? Anything better, more secure and privacy-minded?

Tnx and best of luck
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4832
Location: Texas

Posted: Wed Oct 16, 2019 12:15
Double NAT is not really a bad thing.
However iffin it twas me I would put the ISP modem in 'Bridge mode' and let the DD-WRT router do everything.
I think most ISP modems are able to be put in 'Bridge mode' but maybe not all.
Just have to google your modem + bridge mode and see what you can find.

others may have better advice -- I'm just passing thru
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 489

Posted: Fri Oct 18, 2019 2:26
1. Depends on your use case
2. Possibly. In theory it should, because you have two systems doing NAT traversal processing, but say your internet speed is 50 Mbps and each of your routers has a NAT throughput of 100 Mbps: you will not see a difference... the biggest change would be a slight delay increase (because of the extra hop/processing)
3. Not having double NAT: in theory your second NAT is even more secure/filtered than machines behind the first NAT, because NAT is a "firewall"
4. Remote management is never very secure, but you can always port forward into the second NAT router. I.e. for the first NAT router remote could be 80, and then the second NAT router could be on 8080
5. I do not know enough about the ISP modem+router to actually answer
6. This is similar to the above; be careful that both routers do not use the same private IP addresses, such as both on 192.168.1.0/24, as this causes IP address collision
7. This depends on your ISP: do you have a separate modem, or is the modem+router all you need? Is your ISP setting any tags or VLANs or things like that? Privacy is different: are you using your ISP's DNS? Are you using HTTPS to connect to sites? Is your DNS encrypted? Are you using a VPN or Tor or a proxy?
blonde
DD-WRT Novice


Joined: 06 Sep 2019
Posts: 24

Posted: Sat Oct 19, 2019 13:11
mrjcd wrote:
Double NAT is not really a bad thing.
However iffin it twas me I would put the ISP modem in 'Bridge mode' and let the DD-WRT router do everything.
I think most ISP modems are able to be put in 'Bridge mode' but maybe not all.
Just have to google your modem + bridge mode and see what you can find.

others may have better advice -- I'm just passing thru


Hiya,


Thanks. Regarding:
'However iffin it twas me I would put the ISP modem in 'Bridge mode' and let the DD-WRT router do everything.' If I do this, as I have a VPN on the router, how can I access feds websites that can't be opened with a VPN, like banks, libraries, ...?

'I think most ISP modems are able to be put in 'Bridge mode' but maybe not all.' > My ISP's modem is on a fibre-over-copper-like connection (copper from the street to my house), I think it's called VDSL/VDSL2, and the modem the ISP provided is a 'Sagemcom Fast 5364'. It has two modes, DHCP or PPP; I'm assuming PPP is bridge mode in this modem? But the issue is, after I 'apply' the setting and restart the modem, the connection-type setting reverts back to DHCP. I don't know how to fix this. Thus I decided to get a Motorola MD1600, as I think this brand is reputable and secure?

Tnx and best of luck
blonde
DD-WRT Novice


Joined: 06 Sep 2019
Posts: 24

Posted: Sat Oct 19, 2019 16:16    Post subject: update
Wildlion wrote:
1. Depends on your use case
2. Possibly. In theory it should, because you have two systems doing NAT traversal processing, but say your internet speed is 50 Mbps and each of your routers has a NAT throughput of 100 Mbps: you will not see a difference... the biggest change would be a slight delay increase (because of the extra hop/processing)
3. Not having double NAT: in theory your second NAT is even more secure/filtered than machines behind the first NAT, because NAT is a "firewall"
4. Remote management is never very secure, but you can always port forward into the second NAT router. I.e. for the first NAT router remote could be 80, and then the second NAT router could be on 8080
5. I do not know enough about the ISP modem+router to actually answer
6. This is similar to the above; be careful that both routers do not use the same private IP addresses, such as both on 192.168.1.0/24, as this causes IP address collision
7. This depends on your ISP: do you have a separate modem, or is the modem+router all you need? Is your ISP setting any tags or VLANs or things like that? Privacy is different: are you using your ISP's DNS? Are you using HTTPS to connect to sites? Is your DNS encrypted? Are you using a VPN or Tor or a proxy?




Hiya,


Thanks. Regarding 'Remote management is never very secure, but you can always port forward into the second NAT router. I.e. for the first NAT router remote could be 80, and then the second NAT router could be on 8080', I don't know how to do it; do you have any guide? My router is an Asus RT-AC87U.

Do you know how I can change the LAN MAC address, as there is no option for it in the web UI? I tried the commands below, but as soon as I restarted the router it hung, and it took so long to find a way to re-flash it:
---//{x replace with the actual characters of the MAC address}---
# nvram needs the 'set' subcommand before the variable=value pair
nvram set eth0macaddr=xx:xx:xx:xx:xx:xx
nvram commit
--------------------------------------------------------------
Is the above code correct for my router, the Asus RT-AC87U? Also, is it true that even if your laptop's and router's MAC addresses are changed, still in the first transfer the router or the network adapter in the laptop would send the original MAC address, hidden, to the receiver or to hidden feds intelligence agencies?

Regarding '7. This depends on your ISP: do you have a separate modem, or is the modem+router all you need? Is your ISP setting any tags or VLANs or things like that? Privacy is different: are you using your ISP's DNS? Are you using HTTPS to connect to sites? Is your DNS encrypted? Are you using a VPN or Tor or a proxy?': I have fibre with a VDSL/VDSL2 modem, I think, as the fibre doesn't come with a fibre cable to the house, so from the street to my flat it's copper lines. I have the ISP modem+router in DHCP and from its Ethernet I take one cable to my router, an Asus RT-AC87U. I think there is a 'VLAN' ID on the connection-type page of the ISP modem+router. I'm using a private DNS in the ISP's modem+router, encrypted DNS on the laptop and encrypted DNS on the router. Regarding 'HTTPS', are you referring to the browser add-on that always opens websites over HTTPS? I have that on Tor, but I don't have it always on in the typical web browser. I'm using a general high-speed VPN for watching movies+anime, and a couple of commercial VPNs (I installed one of them on the router, OpenVPN), and for entering passwords I'm using the web applet of the other commercial VPN provider to increase security. Sometimes, if speed doesn't decrease, I like to connect to the second VPN provider (not the one on the router) on the laptop, in SSTP (it's an MS protocol, thus I don't like it as much as OpenVPN) / OpenVPN protocols. Also, I'm still working on my highly encrypted VPS, on which I'm running my own OpenVPN configuration with the highest possible encryption algorithm that OpenVPN and my router can handle without significant delay, as I prefer to replace the router's VPN with my own OpenVPN on the VPS to increase security.
I bought the two commercial VPNs and my VPS with crypto and tried to use an untraceable network, but I'm not sure how successful I was in keeping my purchase untraceable. I need advice on how to securely pay with crypto so the network cannot be traced back to my IP. Do you know?

Also, in the encrypted DNS settings on my Asus RT-AC87U, the drop-down menu for selecting the encrypted DNS service provider has disappeared. But I checked my DNS in the web browser and it looks like it's on encrypted DNS. As I installed encrypted DNS on my laptop too, I'm using the laptop's encrypted DNS as the first DNS and the router's encrypted DNS as the fallback DNS. Thus I believe I should be on encrypted DNS?

I was thinking of setting up a private encrypted DNS on another VPS package, other than the one on which I'm setting up my OpenVPN server. But I'm not sure whether having a private encrypted DNS server on a VPS makes me more vulnerable to feds hackers' attacks and the deep-packet-filtering techniques that feds hackers can apply to my network, or whether I can be safer with a private encrypted DNS server?

Also, I was thinking about purchasing satellite internet (send+receive) by dish, but as I live in the UK, I couldn't find a single satellite internet provider serving the UK geographic area that accepts crypto payment. There are some in America, but there isn't any satellite internet provider that accepts crypto payment in the UK. I'm not sure whether, when I'm on satellite internet, my data will cross the feds' radar (searching internet keywords by the feds, I mean) or not. Because if the data crosses the feds' radar, what's the point of spending huge fees on satellite service, while I can encrypt the data with a VPN, encrypt the DNS and use the normal fibre internet? Do you know how to find out about this? And what is most secure and privacy-minded?

It's Saturday and I'm celebrating my weekend with vodka; if my sentences' grammar is incorrect, it's because of the vodka lol

Tnx and best of luck


Last edited by blonde on Mon Oct 21, 2019 10:44; edited 1 time in total
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 489

Posted: Sat Oct 19, 2019 21:01
Lol... happy Saturday!!

So for the port forwarding: it sounded like your ISP router/modem is first, so in those pages does it have port forwarding? Look for that. In DD-WRT it is NAT/QoS -> Port Forwarding. If you are on stock it is Advanced Settings -> WAN -> Virtual Server/Port Forwarding; in the Port Range field you would put 8080 (or whatever port you want) and then on the local side put the router IP and, say, port 80.

I have never needed to change the LAN-side MAC address; I am not sure what you are doing this for on the router's switch side. Do you mean to change the WAN-side MAC address? If so, it is Setup -> MAC Address Clone (on DD-WRT).

If you have the settings saved, when the system comes up it should always use the MAC address you selected; not even the first packet would be different. MAC addresses are used only for "local" network traffic, meaning the systems are connected single hop; after that first hop the MAC address does not matter. Trying to explain more clearly: your computer and the LAN side of the router would communicate via MAC address, but the WAN side of your router does not know the MAC address of your computer.

So on #7, you should probably google "(your ISP) using your own router". Some ISPs have special configs that need to be used, which is why I am asking.

The rest of my answer on #7 was checking to see if you are using/encrypting your traffic past your ISP. If you are using encrypted DNS and HTTPS for websites, SSH, or VPN, then unless your ISP has given you their certificate instead, the ISP cannot decrypt the traffic without either the keys or brute forcing it. They would still have a record of what IP address, as in the numbers, but they may not know what you did or exactly what site. So for instance if you are using a VPN, all your ISP sees is traffic to and from the VPN, but not what is inside or anywhere else it goes. A possible leak would be if DNS was unencrypted or going to your ISP; then they could watch those packets.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2972
Location: UK, London, just across the river..

Posted: Sat Oct 19, 2019 21:05
Just typing in this forum, the feds are on you already; they already know where you are and the fact that you want to hide badly, now you are a target....!
Have you ever heard of deep packet inspection, geo targeting, word filtering?
I'm not joking!!!
Crypto is highly traceable too!
There is no way to hide in the UK.....
By the way, Hyperoptic have a decent, proper fibre to the home, with a decent price for gigabit speed...
Also, that many DNS running is just more opportunity to hack; clever ppl use 1 with a few resolvers....
Old DNSCrypt was cracked and they abandoned the project; now dnscrypt-proxy v2 is on the market.
Make sure your VPN doesn't leak too 🤣

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ----DD-WRT 41379 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----DD-WRT 41517 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
2x Netgear R7800 -------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,VLAN's,Firewall,Local DNS,DNSCrypt-proxy v2 x2)
Broadcom
Netgear R7000 -------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 443
Location: Appalachian mountains, USA

Posted: Sat Oct 19, 2019 21:14
Alozaros wrote:
old dnscrypt was cracked and they abandoned the project

I was aware that they abandoned the old implementation and moved on (to a fancier dnscrypt-proxy that can do DoH as well), but I hadn't heard about the protocol being cracked or the code being hacked. Can you say more or provide a link?

_________________
Six of the Linksys WRT1900ACSv2 on r38159, r39144, r40009, and r40784. On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (old=NordVPN, new=AirVPN).
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2972
Location: UK, London, just across the river..

Posted: Sat Oct 19, 2019 23:17
Hmm... now this is a bit lame... as I don't remember clearly, maybe in one of the DEF CONs...

The guy was talking about weakness in key exchange mechanisms, as well as some other issues: some of the servers did not encrypt well, some random replies arrived in plain text, but only a few were under the radar; most of those you know and use were OK...
They even talked about a specific tool that cracks the keys in real time.... and then mimics the public keys to hijack the session...

I believe that this was one of the main reasons they abandoned it... v2 is much better and has tons of very useful settings, easy to access and control, ... sadly very few v2 public servers are available... and many v1.95 ones that are still decent too.

Sadly I can't make it work on MIPS (my 1043v2); what I haven't tried is to use only DoH, as maybe DNSCrypt is a bottleneck for such a slow CPU...

SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 443
Location: Appalachian mountains, USA

Posted: Sun Oct 20, 2019 15:34
Alozaros wrote:
The guy was talking about weakness in key exchange mechanisms, as well as some other issues: some of the servers did not encrypt well, some random replies arrived in plain text, but only a few were under the radar; most of those you know and use were OK...
They even talked about a specific tool that cracks the keys in real time.... and then mimics the public keys to hijack the session...

I believe that this was one of the main reasons they abandoned it... v2 is much better and has tons of very useful settings, easy to access and control, ... sadly very few v2 public servers are available... and many v1.95 ones that are still decent too.

Sadly I can't make it work on MIPS (my 1043v2); what I haven't tried is to use only DoH, as maybe DNSCrypt is a bottleneck for such a slow CPU...

And I'm sticking with old v1 DNSCrypt just because I don't want to get into entware/jffs but prefer sticking with a config that starts totally fresh on every boot.

A tool that cracks keys in real time is a disturbing thought, but that shouldn't be an issue if the point is just to foil ISPs and DNS providers' plans to sell browsing histories.

Certainly the DNSCrypt servers listed in the menu and file on our routers by default contain mostly minor players or even DNS hobbyists, as well as some big guys (OpenDNS?) that will sell your info in a flash. To find a provider I could feel comfortable with, I had to leave that list behind and dig into what was posted online about v2 providers. (See the DNSCrypt link in my sig.) I only pursued it far enough to get Quad9 DNS working, but the approach should work for others in the much larger v2 list.

A lot of people are excited about DNS-over-HTTPS as a newer alternative to DNSCrypt, but I've seen recent news items quoting DNS gurus who claim that it is far from secure, that it transmits key encrypted info in parallel in the clear. They recommend DNS-over-TLS as the more secure alternative.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2972
Location: UK, London, just across the river..

Posted: Sun Oct 20, 2019 17:19
SurprisedItWorks wrote:
And I'm sticking with old v1 DNSCrypt just because I don't want to get into entware/jffs but prefer sticking with a config that starts totally fresh on every boot.


You don't need JFFS, all works via /opt... either Stubby or DNSCrypt...

DNSCrypt v1.95 works out of the box and is a good option for DD-WRT... I used to start mine from the startup script, and used only DNSSEC-compatible servers with no filter, but it lacks settings and so on, so I moved to v2....

SurprisedItWorks wrote:
Certainly the DNSCrypt servers listed in the menu and file on our routers by default contain mostly minor players or even DNS hobbyists, as well as some big guys (OpenDNS?) that will sell your info in a flash. To find a provider I could feel comfortable with, I had to leave that list behind and dig into what was posted online about v2 providers. (See the DNSCrypt link in my sig.) I only pursued it far enough to get Quad9 DNS working, but the approach should work for others in the much larger v2 list.


Well, if you use a very old build they might need an update... on the last Kong build I used to call it via the startup script and it was OK... to use the one I prefer... I also like 9.9.9.9, until they block something I use and I'm pissed, and change it to something else...
Otherwise Quad9 PCH is a great way to prevent malware spreading and I find it the most secure DNS ever...
Yep, you can use it via Stubby TLS or DNSCrypt v1.95 via script... sadly it's not compatible with v2, or you can use it at browser level in FFx.

SurprisedItWorks wrote:
A lot of people are excited about DNS-over-HTTPS as a newer alternative to DNSCrypt, but I've seen recent news items quoting DNS gurus who claim that it is far from secure, that it transmits key encrypted info in parallel in the clear. They recommend DNS-over-TLS as the more secure alternative.


Actually FFx DoH is great and does not do parallel hits/answers, you can specify it not to...
The settings need reading/understanding... I also use Quad9 there and it works out of the box with DoH...

SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 443
Location: Appalachian mountains, USA

Posted: Sun Oct 20, 2019 23:56
Alozaros wrote:
Actually FFx DoH is great and does not do parallel hits/answers, you can specify it not to...
The settings need reading/understanding... I also use Quad9 there and it works out of the box with DoH...

This is the recent article I was remembering that expressed skepticism about DoH:

DNS-over-HTTPS causes more problems than it solves, experts say
https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2972
Location: UK, London, just across the river..

Posted: Mon Oct 21, 2019 1:28
SurprisedItWorks wrote:
Alozaros wrote:
Actually FFx DoH is great and does not do parallel hits/answers, you can specify it not to...
The settings need reading/understanding... I also use Quad9 there and it works out of the box with DoH...

This is the recent article I was remembering that expressed scepticism about DoH:

DNS-over-HTTPS causes more problems than it solves, experts say
https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/


This article is bollocks!! A lot of bias in it....
Do you think plain text DNS is better..?
So far, DNSCrypt holds the win for best DNS solution, at least if you use a decent server....
Then DoH & DoT are coming as a backup, low class kind of, but still useful..
Those DNS encryptions are not to hide, but more likely to go around ISP filters, or a slight increase of security, kind of...
The only way to hide is VPN...

Yep, my ISP hates me... or at least they are not happy with my stuff..!!

SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 443
Location: Appalachian mountains, USA

Posted: Mon Oct 21, 2019 16:12
Alozaros wrote:
SurprisedItWorks wrote:
This is the recent article I was remembering that expressed scepticism about DoH:

DNS-over-HTTPS causes more problems than it solves, experts say
https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/

This article is bollocks!! A lot of bias in it....
Perhaps this is what was meant by the article's critiques of DoH in browsers as any kind of private-browsing solution: "By design, the TLS protocol, as used in HTTPS and HTTP/2, leaks websites host names in plain text, so DNSCrypt is not enough to hide this information." (From https://www.dnscrypt.org/) This is something new to me. I assumed, apparently incorrectly, that only the IP address is made visible by the browser once DNS resolution is complete. If this quote is correct, then DNSCrypt and DoH are equally affected, as it's a flaw in the design of HTTPS.
Quote:
Do you think plain text DNS is bett..?
Certainly I don't, but again, I posted it here to get input from those who know more about it than I do.
Quote:
So far, DNSCrypt holds the win for best DNS solution, at least if you use a decent server....
DNSCrypt v1 is also the simplest to implement in dd-wrt, as there is no requirement for root certificates or adding packages to dd-wrt. Do share if you know of a link to a current (BS) dd-wrt v2 setup how-to suitable for DNS and package noobs. The forum discussions I've found on DNSCrypt v2, DoH, and DoT -- I have a collection of them -- assume a fair bit of background.
Quote:
Than DoH & DoT are coming as a back up low class kind off but still useful..
Those DNS encryptions are not to hide, but more likely to go around ISP filters or slight increase of security kind of...
I see it as a way to bypass ISP logging/selling one's DNS history and to mitigate one particular type (probably quite rare) of MITM attack.
Quote:
The only way to hide is VPN ...
Personally I use VPN and DNSCrypt both. I don't depend on the vpn provider's DNS resolvers because I don't have a way to know that my access to it doesn't bypass the vpn, because I don't know how it is secured, and because I want Quad9's malware filtering. My vpn provider (NordVPN) offers some kind of filter solution (IPSec), but their website says too little about its particulars for me to rely on it. I can't even tell for sure that it uses a DNS-filtering approach, because their website is oriented so strongly to nontechies.
Quote:
Yep my ISP hates me... or at least they are not happy with my stuff..!!
Yeah, I keep seeing articles about how ISPs say DoH is going to ruin the internet, meaning ruin their sales of our browsing histories!

(Starting to feel guilty about hijacking this thread though... I guess we should wrap up soon or move the discussion.)
