Setting up DNS over TLS and DNS over HTTPS protocols to support the use of encrypted DNS queries

The 'phonebook of Internet', the DNS (Domain Name System) has a long history and still, by default, relies on the protocol that does not encrypt query data. That means your requests for resolving the web site addresses are transmitted in an open form. DNS traffic is vulnerable to attackers, because there is a possibility to "overhear" the communication channel and then intercept unprotected personal data. Internet service providers can monitor traffic and basically collect everything about which sites you visit, as well.

This behaviour can be changed by using an encrypted channel. Special DNS protocol extensions, DNS over TLS (DNS over TLS, or DoT, RFC7858) and DNS over HTTPS (DNS over HTTPS, or DoH, RFC8484) are developed to ensure the security of DNS traffic. Information on how DoT and DoH specifically work and what exactly is their improvement over prior implementations can be found on the following pages:

There are also lists of public DNS services that support DoT/DoH:


Beginning with the stable release of version 3.1, KeeneticOS is enabled to support DNS over TLS and DNS over HTTPS protocols. Below, we will guide you to encrypt your DNS traffic, as sent over the router, by default.

NOTE: Important! For the following scenario, it is vital that devices in your home environment use automatic IPv4 assignment, or are set up manually to use a router's address as only DNS server. This is to ensure that DNS requests your devices issue are handled by the router itself, and not wired directly to your ISP for instance.

In our example router is set up via the web configurator (while it is still possible to program the same setup using CLI commands).
As a secure publicly available anycast DNS resolver, we take a Cloudflare DNS service, namely 1.1.1.1 and 1.0.0.1 DNS servers, which supports the DoT and DoH protocols and provides easy way to check for proper settings. 

NOTE: Important! When the DoT/DoH protocol is enabled, all incoming DNS queries will be sent to the server address specified during the configuration. The DNS servers that are received from your ISP and/or manually registered DNS servers will not be used, except for the (manually configured) DNS servers that exclusively apply to requests of specific domains and/or via select interfaces.
When AdGuard DNS or SkyDNS Internet filters is enabled, only the DNS queries from devices that are not registered to use the filter profile (that is, from devices which are using a "No filtering" profile) will be sent to specified DoT/DoH servers over an encrypted connection.
Please note below that AdGuard service can automaticaly support secure transfer of the queries.

In order for the DoT/DoH protocol to work, system components: 'DNS-over-TLS proxy' and 'DNS-over-HTTPS proxy' are needed to be installed. Please open 'System components options' menu by clicking on 'Component options' button in the 'Management - System settings' section, and mark the required components for installation.
If you only want to use DNS over TLS, it is sufficient to install the 'DNS-over-HTTPS proxy' component. And otherwise, to only use DNS over HTTPS, you may omit the 'DNS-over-TLS proxy' component.
Please click 'Save' button that appears when modifying component options. You should see the selected components are installed after the system reboots. 

dot-01-en.png

Proceeding then with the setup on the 'Internet safety' page under 'Network rules' menu section.

DNS-over-TLS

dot-02-en.png

Navigate to and click the 'Add DNS-over-TLS server' button. The fields for filling in the server parameters will appear. It is not necessary to specify the port, once the server uses a default port number of 853. Also, use of SPKI fingerprinting is optional, Cloudflare for example did not manifest it as required, so this field can just be left blank.

dot-03-en.png

Let's fill in the Cloudflare DoT server settings. DNS server addresses are 1.1.1.1 and 1.0.0.1, the TLS domain name is the same for each of them, it is the "cloudflare-dns.com", and we leave the default Any setting for a Connection. The latter will allow to use DoT server with every WAN interface that's configured on a router, in case there are many:

dot-04-en.png

Once again, click Save upon entering the values.

Please note, that other services might require a non-standardized port number and/or make use of SPKI Fingerprint. In such cases, please supply the DNS server address in full format, such as "89.234.186.112:443" and paste provided Base64 encoded SPKI pin (RFC7858) into the SPKI Fingerprint field.

DNS-over-HTTPS

dot-05-en.png

Click the 'Add DNS-over-HTTPS server' button. In the fields that appear, it is required to specify the URL of the DNS server, and the request format to use by DNS service for that server - "JSON" (default setting) or "DNS message" (plain DNS request format described in RFC1035). If necessary, define the connection interface that the server will be used for (by default server will be used for any WAN interface). SPKI Fingerprint is optional and not required by Cloudflare as of time of writing.

dot-06-en.png

Cloudflare DNS-over-HTTPS server URL is the same, independent of the format expected in the answer to request - JSON or plain DNS message. It might not be the best practice to concurrently set up both format types for the same resolver, so we'll only use the default value JSON for our example. URL address is "https://cloudflare-dns.com/dns-query". 

dot-07-en.png

Press 'Save' button to confirm configuration changes.

TIP: Note: When there are multiple DNS-over-TLS and/or DNS-over-HTTPS servers specified in the router settings, system resolver will use them in the order of priority that's based on the measured response time.

Checking the settings

The Cloudflare service also supplies verification pages. Let's open a special webpage at address https://www.cloudflare.com/ssl/encrypted-sni/ to check the browser security.

On that page, click the "Check My Browser" button to start the DNS query processing test.

dot-check-01.png

In case above settings are configured correctly, the test should be completed successfully for "Secure DNS", "DNSSEC" and "TLS 1.3".
The Encrypted SNI (ESNI) feature must be enabled in the browser itself to pass the test on that page.

dot-check-02.png

To repeat the test please press "Run the test again" button on page.

Also, connectivity per protocol can be tested on an https://cloudflare-dns.com/help page.

dot-08-en.png

It shows whether or not your system' DNS resolve is handled via Cloudlfare server, and which security protocol is enabled. To repeat the test, just manualy refresh the page in your browser.

If the tests fail, please first make sure that the computer's IP settings are set to "Obtain DNS server address automatically". If you manually configure the DNS server addresses, please check that the only DNS server address set is you router's local address.

TIP: Tip: It is possible to just enable the AdGuard DNS Internet filter if you don't want to manually configure DoT/DoH protocols. In that case, no additional setting is required, you must only install the DNS-over-HTTPS and/or DNS-over-TLS protocol support components. When AdGuard DNS is enabled, and respective DoT/DoH components are installed, DNS encryption will be enabled automatically.
You can check AdGuard for encryption support directly via the command line interface (CLI) of the router by executing the command show adguard-dns availability:

(config)> show adguard-dns availability
available: yes
port: 53
doh-supported: yes
doh-available: yes
dot-supported: yes
dot-available: yes

When AdGuard DNS is enabled with encryption, the service status check on https://adguard.com/en/adguard-dns/overview.html and https://adguard.com/en/test.html might not pass.
This is normal and due to when Internet filters are enabled, it is set is to block the transit DoT/DoH by default to avoid DNS query leaks. 

 

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.