DNSSEC / DNS over HTTPS/TLS

Adiqq
Level 7
Hi,

I have suggestion that would benefit users that require enhanced security.
Currently the original Asus firmware supports manual configuration of the DNS server, so we can point it to e.g. Cloudflare DNS instead of the ISP DNS that can be monitored and censored. However, I'm not sure that pointing it to e.g. Cloudflare DNS will use DNS over HTTPS to provide additional security, and there's also no support for DNS over TLS. It would be great to allow the user to select the allowed connection modes, e.g. disable DNS over UDP on port 53.

https://developers.cloudflare.com/1.1.1.1/dns-over-https/
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

Adiqq
Level 7
Any update for this? Using https://www.cloudflare.com/ssl/encrypted-sni/ I can confirm that Asus router does not use secure connection for DNS.

You are not using secure transport for your DNS
We detected you’re using 1.1.1.1 (a secure DNS resolver) but not over a secure connection.
Anybody listening on the wire can see the DNS queries you make when using the Internet.
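What the Cloudflare test page is reporting above can be shown at the protocol level. The following is an added example, not code from the original thread or from ASUS: it builds a DNS query in wire format, shows the name that a passive observer of plain UDP port 53 can read straight off the packet, and then shows the two encrypted encapsulations the thread asks for, the DoH GET form of RFC 8484 and the 2-byte length framing that DoT (RFC 7858) uses inside the TLS session. The hostname and resolver address are constructed sample values; no network traffic is sent.

```python
import base64
import struct

# Constructed sample values: the name a LAN client looks up and the resolver it is pointed at.
QNAME = "www.example.com"
RESOLVER = "1.1.1.1"


def build_query(name: str, txid: int = 0) -> bytes:
    """Build a minimal DNS A/IN query in RFC 1035 wire format.

    txid defaults to 0 only so the output matches the RFC 8484 worked example;
    a real stub resolver randomises the ID (RFC 5452).
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def visible_name(packet: bytes) -> str:
    """Decode the QNAME exactly as anyone on the wire can when the query is plain UDP/53."""
    pos = 12  # question section starts right after the 12-byte header
    parts = []
    while True:
        length = packet[pos]
        if length == 0:
            break
        pos += 1
        parts.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(parts)


def doh_get_url(packet: bytes, resolver: str = RESOLVER) -> str:
    """RFC 8484 GET form: the wire message, base64url without padding, in the dns= parameter.

    The whole URL, including the query name, travels inside TLS; an observer sees only
    an HTTPS connection to the resolver.
    """
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"


def dot_frame(packet: bytes) -> bytes:
    """RFC 7858 DoT reuses the DNS-over-TCP framing: a 2-byte big-endian length prefix.

    This frame is what gets written into the TLS session on port 853.
    """
    return struct.pack("!H", len(packet)) + packet


if __name__ == "__main__":
    query = build_query(QNAME)
    print("plain UDP/53 leaks:", visible_name(query))
    print("DoH GET:", doh_get_url(query))
    print("DoT frame:", dot_frame(query).hex())
```

With txid 0 and www.example.com the DoH URL carries the same base64url string that RFC 8484 section 4.1.1 uses as its example, which is a convenient way to check an encoder against the standard.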

Adiqq wrote:
Any update for this? Using https://www.cloudflare.com/ssl/encrypted-sni/ I can confirm that Asus router does not use secure connection for DNS.


This post is more than a year old, and sadly, ASUS still doesn't support this functionality yet on the firmware. The only way to get "DNS over HTTPS (DoH)" is to hardcode 1.1.1.1 in your LAN DHCP settings, which essentially bypasses the ASUS firmware's DNS caching service, which is incapable of doing DNS/HTTPS. I have had it working that way for a while. The good thing is, it adds the caching service as secondary DNS in the DHCP offer, so in case Cloudflare is down you will fall back to the ASUS caching DNS.

devnulldump wrote:
This post is more than a year old, and sadly, ASUS still doesn't support this functionality yet on the firmware. The only way to get "DNS over HTTPS (DoH)" is to hardcode 1.1.1.1 in your LAN DHCP settings, which essentially bypasses the ASUS firmware's DNS caching service, which is incapable of doing DNS/HTTPS. I have had it working that way for a while. The good thing is, it adds the caching service as secondary DNS in the DHCP offer, so in case Cloudflare is down you will fall back to the ASUS caching DNS.

If you want to use Cloudflare DNS, do remember to clear the DNS cache to make sure it works properly.
killall -HUP dnsmasq

And I also recommend AdGuard DNS: https://adguard.com/

wilsondenq wrote:
If you want to use Cloudflare DNS, do remember to clear the DNS cache to make sure it works properly.
killall -HUP dnsmasq

And I also recommend AdGuard DNS: https://adguard.com/


It has nothing to do with the DNS cache. As I stated above (and as stated in the OP's note), the local DNS caching service from the ASUS firmware is incapable of doing DNS over HTTPS. ASUS needs to fix the caching server in order for it to work. Until then (probably never, since ASUS is not keen on fixing this or many other issues posted here), I added Cloudflare 1.1.1.1 to the "LAN - DHCP Server" options and it works just fine... no need to restart anything.
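The workaround described in the two posts above hands 1.1.1.1 to clients through the DHCP offer, with the router's own caching resolver listed second. An easy way to verify what clients are actually being told is to decode option 6 (Domain Name Server, RFC 2132) from a captured offer. The following is an added example, not code from the thread or from ASUS; the offer bytes are a constructed sample and the 192.168.1.1 router address is an assumption. One caveat a practitioner should keep in mind: the DHCP list only names the servers, it says nothing about transport. A client that receives 1.1.1.1 this way still sends plain port-53 queries unless the client itself speaks DoH or DoT, which is exactly what the Cloudflare test page earlier in the thread reported.

```python
import ipaddress

# RFC 2131: the option area begins after this cookie in a BOOTP/DHCP message.
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"

OPT_MESSAGE_TYPE = 53
OPT_DNS_SERVERS = 6
OPT_END = 255
OPT_PAD = 0


def parse_dhcp_options(option_area: bytes) -> dict:
    """Parse the TLV option area that follows the magic cookie (RFC 2132).

    Pad (0) and End (255) are single-byte options without a length field;
    everything else is code, length, value. Later duplicates win, which is
    fine for a sanity check and keeps the parser small.
    """
    opts = {}
    pos = 0
    while pos < len(option_area):
        code = option_area[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 1 >= len(option_area):
            raise ValueError("truncated option header")
        length = option_area[pos + 1]
        value = option_area[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        pos += 2 + length
    return opts


def advertised_dns_servers(option_area: bytes) -> list:
    """Return the option-6 resolver list in the order the client will use them."""
    raw = parse_dhcp_options(option_area).get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def is_message_type(option_area: bytes, expected: int) -> bool:
    """True if option 53 carries the expected DHCP message type (2 = DHCPOFFER)."""
    return parse_dhcp_options(option_area).get(OPT_MESSAGE_TYPE) == bytes([expected])


# Constructed sample: the option area of a DHCPOFFER listing 1.1.1.1 first and an
# assumed router/caching-resolver address second, followed by End.
SAMPLE_OFFER_OPTIONS = (
    bytes([OPT_MESSAGE_TYPE, 1, 2])
    + bytes([OPT_DNS_SERVERS, 8])
    + ipaddress.IPv4Address("1.1.1.1").packed
    + ipaddress.IPv4Address("192.168.1.1").packed
    + bytes([OPT_END])
)


if __name__ == "__main__":
    print("offer:", is_message_type(SAMPLE_OFFER_OPTIONS, 2))
    print("DNS servers in order:", advertised_dns_servers(SAMPLE_OFFER_OPTIONS))
```

To run it against real traffic, feed in the bytes that follow the magic cookie of a captured offer; the order of the returned list is the order the clients will try the resolvers in.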

dnmoqf
Level 7
also interested in this functionality...

max0x7ba
Level 7
I vote for the DNS over HTTPS feature too. This is security basics these days.

DNS over TLS (DoT) is supported if you can use AsusWRT-Merlin Firmware. I use this with my RT-AC87U.

https://www.asuswrt-merlin.net/
https://sourceforge.net/projects/asuswrt-merlin/files/

RedSector73 wrote:
DNS over TLS (DoT) is supported if you can use AsusWRT-Merlin Firmware. I use this with my RT-AC87U.


That firmware doesn't support AX11000, unfortunately.

And it is essential functionality that should work out of the box with the original firmware, IMO.

I also have an AX11000 and would like the possibility of enabling DNSSEC and DNS over TLS to be integrated in the out-of-the-box firmware. In fact, these two complementary technologies are the de facto standard for DNS query security. Since the AX11000 is the top model, the most expensive and with support for the latest technologies (Wi-Fi 6 and WPA3), it should not fall short in the security area, as unfortunately many products do.