DNS over TLS in router

DamirB

Hi all,

I switched to Cloudflare quite a while ago and learned recently that those DNS requests are not encrypted by default. I checked my router, which is an Asus RT-AC87U, and it has no support for encrypted DNS. I saw however that the Merlin software does support DNS over TLS. Unfortunately it seems that Merlin for my router sees no active development and is one version behind the last update Asus provided. That last update was a security patch and I cannot decide if it is worth it to stay on the official software to keep those security patches, or to go to Merlin and have DNS over TLS support.

These are the fixes in the last Asus firmware:

1. Fixed the FragAttack vulnerability.
2. Fixed DoS vulnerability. Thanks to Tsinghua University NISL for their contribution.

Something else that makes me hesitant is that I am not sure how devices connected to the router behave: if I have DNS over TLS enabled on the router, does that mean that the DNS requests for all the devices go through the router and are therefore encrypted, or do some devices handle DNS completely by themselves, therefore making the router settings useless?

27 minutes ago, DamirB said:

Something else that makes me hesitant is that I am not sure how devices connected to the router behave: if I have DNS over TLS enabled on the router, does that mean that the DNS requests for all the devices go through the router and are therefore encrypted, or do some devices handle DNS completely by themselves, therefore making the router settings useless?

The latter; it's always possible for specific software (e.g. Android) to bypass your router's DNS.

On pfSense I have a rule to catch all attempts to the unencrypted DNS port on the Internet and redirect them back to the router, but if a device decides to use DNS over TLS/HTTPS directly there would be no way to redirect that as the certificate wouldn't match.

Basically the very thing that makes it secure also allows specific software to hard-code its own DNS server and bypass your local one.

The main benefit to it is to stop your ISP from being able to log your DNS lookups.

Router: Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160MHz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80MHz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

On 5/17/2022 at 7:05 AM, DamirB said:

That last update was a security patch and I cannot decide if it is worth it to stay on the official software to keep those security patches, or to go to Merlin and have DNS over TLS support.

I dropped RT-AC87 support a few years ago, so that's not an option if you want DNS over TLS support. That router has also been EOL'd by Asus for quite some time now.

https://www.asus.com/event/network/EOL-product/

On 5/17/2022 at 7:05 AM, DamirB said:

if I have DNS over TLS enabled on the router, does that mean that the DNS requests for all the devices go through the router and are therefore encrypted, or do some devices handle DNS completely by themselves, therefore making the router settings useless?

With Asuswrt-Merlin, the DNS over TLS queries are done by the router, and in a typical setup, your LAN clients will use the router as their DNS server (which will in turn use DoT).

Some clients have hardcoded DNS servers (like the Netflix Android app for instance). The workaround with Asuswrt-Merlin is to enable DNSFilter, and force all clients to use the router as their DNS server when they use regular DNS queries. You can also have the router disable the automatic DoH promotion that is supported by newer Windows and Firefox clients; however, anything that arbitrarily decides to use DoH will not be intercepted by the router.

All of this however will require a newer supported router.
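The two replies above draw the same line: plain port-53 queries that skip the router can be redirected back to it (the pfSense rule, or DNSFilter on Asuswrt-Merlin), while DoT on port 853 and DoH on port 443 cannot be, because the TLS certificate would not match. This added example, not code from either poster or from Asuswrt-Merlin, sorts a constructed connection log by which of those cases each LAN client falls into, so you can see which devices the router setting actually covers. The log format, the router LAN address and the short list of resolver IPs treated as DoH endpoints are all assumptions made for the example.

```python
"""Classify outbound DNS-like flows from LAN clients by how a router can treat them.

Constructed example (not from the forum thread). Input is a simplified,
constructed connection log: "client_ip proto dst_ip dst_port" per line.
"""
from collections import defaultdict
import ipaddress

ROUTER_LAN_IP = "192.168.1.1"  # assumption: the router's LAN address

# Assumption for the example: public resolvers that also serve DoH on 443.
# A real deployment would load a maintained list rather than hardcode one.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
192.168.1.20 udp 192.168.1.1 53
192.168.1.20 udp 8.8.8.8 53
192.168.1.31 tcp 1.1.1.1 853
192.168.1.42 tcp 1.1.1.1 443
192.168.1.42 tcp 104.16.0.1 443
192.168.1.50 tcp 9.9.9.9 53
"""

def classify(proto, dst_ip, dst_port):
    """Return how the router can treat one flow, or None if it is not DNS-like."""
    if dst_ip == ROUTER_LAN_IP and dst_port == 53:
        return "router-dns"           # uses the router, which does DoT upstream
    if dst_port == 53:
        return "plain-dns-bypass"     # redirectable with a port-53 NAT rule
    if dst_port == 853:
        return "dot-bypass"           # TLS to a hardcoded resolver: not redirectable
    if dst_port == 443 and dst_ip in KNOWN_DOH_RESOLVERS:
        return "probable-doh-bypass"  # indistinguishable from HTTPS except by IP
    return None

def summarize(log_text):
    """Map each client to the set of DNS categories observed for it."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, proto, dst_ip, port = line.split()
        ipaddress.ip_address(dst_ip)  # validate the address; raises on garbage
        category = classify(proto, dst_ip, int(port))
        if category:
            per_client[client].add(category)
    return dict(per_client)

if __name__ == "__main__":
    for client, cats in sorted(summarize(SAMPLE_LOG).items()):
        print(client, sorted(cats))
```

Clients that only show "router-dns" are covered by the router's DoT; "dot-bypass" and "probable-doh-bypass" are the cases neither the pfSense redirect nor DNSFilter can catch.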

On 5/17/2022 at 12:33 PM, Alex Atkin UK said:

The main benefit to it is to stop your ISP from being able to log your DNS lookups.

Yep, I've run my own DNS server for years, the overhead is negligible, it's also a good way to route out "misbehaving" software and apps.

I even caught one ISP redirecting BIND's outgoing requests, queried it via email to tech support, and the redirect went away without reply; remember just because you are paranoid doesn't mean they aren't out to get you(r data)!
