DNS over TLS router.

dbeato

@travisdh1 said in DNS over TLS router.:

@dbeato said in DNS over TLS router.:

@travisdh1 said in DNS over TLS router.:

I've never heard of this company, but the fact that a router is available with DNS over TLS built in is an encouraging sign.

https://blog.cloudflare.com/dns-over-tls-built-in/

But internally the Device is not secure.

If you have bad actors inside your network, you probably have bigger issues than them sniffing DNS traffic.

Very few client devices or operating systems support any type of encrypted DNS lookup. This is just one small step in the journey.

Oh I know, but that's where you should start, check internally and the go externally. I am just saying it because anyone that would like to claim their site to be secure and then just have clear text internally is kidding themselves.

scottalanmiller

@dbeato said in DNS over TLS router.:

@travisdh1 said in DNS over TLS router.:

@dbeato said in DNS over TLS router.:

@travisdh1 said in DNS over TLS router.:

I've never heard of this company, but the fact that a router is available with DNS over TLS built in is an encouraging sign.

https://blog.cloudflare.com/dns-over-tls-built-in/

But internally the Device is not secure.

If you have bad actors inside your network, you probably have bigger issues than them sniffing DNS traffic.

Very few client devices or operating systems support any type of encrypted DNS lookup. This is just one small step in the journey.

Oh I know, but that's where you should start, check internally and the go externally. I am just saying it because anyone that would like to claim their site to be secure and then just have clear text internally is kidding themselves.

Except the thing you are protecting against here is specifically external.

JaredBusch

I still want to know how much of a threat DNS snooping actually is.

I'm all for the Lets Encrypt goal of encrypt everything.

But almost no where will this be useful.

Most of your devices will use the DHCP assigned DNS server. So the external DNS traffic that is being encrypted is not able to be traced to the device behind the NAT in the first place.

The linked article paints a horrible picture of IoT devices not using DHCP assigned DNS information.

Block port 53 out and move on.

travisdh1

@jaredbusch yes, yes, and yes. I honestly wouldn't care if I didn't have so much free time at the moment.

scottalanmiller

@jaredbusch said in DNS over TLS router.:

I still want to know how much of a threat DNS snooping actually is.

I'm in the same boat. I get wanting to hide this from the government in some limited cases. But in general, I just don't care at all.

scottalanmiller

@jaredbusch said in DNS over TLS router.:

The linked article paints a horrible picture of IoT devices not using DHCP assigned DNS information.

Which is a totally different problem that can't be fixed by DNS over TLS.

JaredBusch

@scottalanmiller said in DNS over TLS router.:

@jaredbusch said in DNS over TLS router.:

The linked article paints a horrible picture of IoT devices not using DHCP assigned DNS information.

Which is a totally different problem that can't be fixed by DNS over TLS.

Also, I wonder how many of these devices actually do this. There was a link to an article for specific items that the author obviously says do this. But how many really do?

I have few IoT class devices at home yet.

wrx7m

@scottalanmiller - How different is this from Chrome and now Firefox using their own DNS settings and bypassing the internal/DHCP assigned DNS server addresses?

scottalanmiller

@wrx7m said in DNS over TLS router.:

@scottalanmiller - How different is this from Chrome and now Firefox using their own DNS settings and bypassing the internal/DHCP assigned DNS server addresses?

Same, and all SO TERRIBLE - if it is hard coded and not at the end users discretion. If it is end user managed, then it is the same as accepting DHCP.

scottalanmiller

@jaredbusch said in DNS over TLS router.:

@scottalanmiller said in DNS over TLS router.:

@jaredbusch said in DNS over TLS router.:

The linked article paints a horrible picture of IoT devices not using DHCP assigned DNS information.

Which is a totally different problem that can't be fixed by DNS over TLS.

Also, I wonder how many of these devices actually do this. There was a link to an article for specific items that the author obviously says do this. But how many really do?

I have few IoT class devices at home yet.

I would guess very few, as they would break and be the vendor's fault very often.

wrx7m

@scottalanmiller - Yeah... I don't want my browser overriding the DNS server settings that are on my network for a reason.

scottalanmiller

@wrx7m said in DNS over TLS router.:

@scottalanmiller - Yeah... I don't want my browser overriding the DNS server settings that are on my network for a reason.

Not by the browsers choice instead of mine, definitely not.

JaredBusch

@scottalanmiller said in DNS over TLS router.:

@jaredbusch said in DNS over TLS router.:

@scottalanmiller said in DNS over TLS router.:

@jaredbusch said in DNS over TLS router.:

The linked article paints a horrible picture of IoT devices not using DHCP assigned DNS information.

Which is a totally different problem that can't be fixed by DNS over TLS.

Also, I wonder how many of these devices actually do this. There was a link to an article for specific items that the author obviously says do this. But how many really do?

I have few IoT class devices at home yet.

I would guess very few, as they would break and be the vendor's fault very often.

Added rule to my ERL. let's find out.. THe only allwoed IP right now is my internal PiHole.
0_1531776576104_caa77da0-52e0-482e-9508-452ece3ec368-image.png

My DHCP is set to give out the PiHole and then the rotuer in case I shut down the VM.
0_1531776837062_60cba6fa-dc33-45ce-849c-20b6a2712705-image.png

JaredBusch

Well, there is a hit already.

Jul 16 16:29:35 jared kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=24:a4:3c:b3:53:85:a4:da:22:2d:b5:0d:08:00 SRC=10.254.103.67 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=36373 DF PROTO=UDP SPT=60926 DPT=53 LEN=45 
Jul 16 16:29:35 jared kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=24:a4:3c:b3:53:85:a4:da:22:2d:b5:0d:08:00 SRC=10.254.103.67 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=36373 DF PROTO=UDP SPT=35969 DPT=53 LEN=45 
Jul 16 16:29:40 jared kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=24:a4:3c:b3:53:85:a4:da:22:2d:b5:0d:08:00 SRC=10.254.103.67 DST=8.8.4.4 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=36874 DF PROTO=UDP SPT=53557 DPT=53 LEN=45 
Jul 16 16:29:40 jared kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=24:a4:3c:b3:53:85:a4:da:22:2d:b5:0d:08:00 SRC=10.254.103.67 DST=8.8.4.4 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=36874 DF PROTO=UDP SPT=40114 DPT=53 LEN=45

That IP 10.254.103.67 is one of the WyzeCams I have. It is trying to hit Google DNS.

JaredBusch

But that IP is consistently using my PiHole also.
0_1531777171552_2aeadadb-4e87-4dce-82fe-5145d1cb71dc-image.png

wrx7m

@jaredbusch Built in fail over?

black3dynamite

In Firefox, is network.dns.disablePrefetch controls what DNS Firefox will use?

wrx7m

@black3dynamite said in DNS over TLS router.:

In Firefox, is network.dns.disablePrefetch controls what DNS Firefox will use?

I don't think that is what overrides DNS to their own configured servers. I recently saw the Cloudflare announcement after upgrading to the latest version of FF.

Here is an article about it:
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

wrx7m

The settings are
network.trr, network.trr.mode and network.trr.uri