cancel
Showing results for 
Search instead for 
Did you mean: 

DNSSEC / DNS over HTTPS/TLS

Adiqq
Level 7
Hi,

I have suggestion that would benefit users that require enhanced security.
Currently original Asus firmware supports manual configuration of DNS server, so we can point it to e.g. Cloudflare DNS instead ISP DNS that can be monitored and censored. However, I'm not sure that that pointing it to e.g. Cloudflare DNS will use DNS over HTTPS to provide additional security, there's also no support for DNS over TLS. It would be great to allow user to select allowed connection modes, e.g. disable DNS over UDP on port 53.

https://developers.cloudflare.com/1.1.1.1/dns-over-https/
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
27,484 Views
9 REPLIES 9

Adiqq
Level 7
Any update for this? Using https://www.cloudflare.com/ssl/encrypted-sni/ I can confirm that Asus router does not use secure connection for DNS.

You are not using secure transport for your DNS
We detected you’re using 1.1.1.1 (a secure DNS resolver) but not over a secure connection.
Anybody listening on the wire can see the DNS queries you make when using the Internet.

Adiqq wrote:
Any update for this? Using https://www.cloudflare.com/ssl/encrypted-sni/ I can confirm that Asus router does not use secure connection for DNS.


This post is more than a year old, and sadly, ASUS still doesn't support this functionality yet on the firmware. The only way to get "DNS over HTTPS (DoH)" is to hardcode 1.1.1.1 on your LAN DHCP settings which essentially bypasses the ASUS firmware's DNS caching service which is incapable of doing dns/https. I have it working that way for a while. Good thing is, it adds the caching service as secondary DNS on the DHCP offer so in case cloudflare is down you will fallback to ASUS caching DNS.

devnulldump wrote:
This post is more than a year old, and sadly, ASUS still doesn't support this functionality yet on the firmware. The only way to get "DNS over HTTPS (DoH)" is to hardcode 1.1.1.1 on your LAN DHCP settings which essentially bypasses the ASUS firmware's DNS caching service which is incapable of doing dns/https. I have it working that way for a while. Good thing is, it adds the caching service as secondary DNS on the DHCP offer so in case cloudflare is down you will fallback to ASUS caching DNS.




If you want to use cloudflare dns, do remember to clean dns cache to make sure it works properly.
killall -HUP dnsmasq

And I also recommend adguard dns.https://adguard.com/

wilsondenq wrote:
If you want to use cloudflare dns, do remember to clean dns cache to make sure it works properly.
killall -HUP dnsmasq

And I also recommend adguard dns.https://adguard.com/


It is nothing to do w/ dns cache. As I stated above (also as stated by the OP's note), the local DNS caching service from the ASUS firmware is incapable of doing DNS over HTTPS. ASUS needs to make the caching server fix in order for it to work. Until then (probably never since ASUS is not keen on fixing this or many other issues posted here), I added cloudflare 1.1.1.1 to "LAN - DHCP Server" options and it works just fine... no need to restart anything.

dnmoqf
Level 7
also interested in this functionality...

max0x7ba
Level 7
I vote for DNS over HTTPS feature to. This is security basics these days.

DNS over TLS (DoT) is supported if you can use AsusWRT-Merlin Firmware. I use this with my RT-AC87U.

https://www.asuswrt-merlin.net/
https://sourceforge.net/projects/asuswrt-merlin/files/

RedSector73 wrote:
DNS over TLS (DoT) is supported if you can use AsusWRT-Merlin Firmware. I use this with my RT-AC87U.


That firmware doesn't support AX11000, unfortunately.

And it is essential functionality that should work out of the box with the original firmware, IMO.

I also have an AX11000 and would like the possibility of enabling DNSSEC and DNS over TLS to be integrated in the out-of-the-box firmware. In fact, these two complementary technologies are the de facto standard for DNS query security. Since AX11000 is the top model, the most expensive and with support for the latest technologies (Wi-Fi 6 and WPA3), it should not fall on the security area, as unfortunately many products do.