Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when RouterOS device serves as DNS cache/recursive resolver).
While an experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and provides significant benefits in practice.
But when you look how much attention MikroTik gave to DNS in the past (there’s nothing over basic functionality and one could argue that even some basics are missing), I don’t see any of this happening anytime soon.
This is something that (when you want to have it at all) should be implemented in the client, not in the router.
And of course MikroTik already supports DNS over HTTPS done by the client.
(and you will lose the possibility of controlling access to sites, shaping bandwidth to certain sites, etc. but that is what it is all about)
But then it also does not bring the advantages that the client side implementers think it will bring!
So they will work around it even when you implement it in the router.
It appears that some implementations allow a switch-off (look up a DNS name which should return NXDOMAIN) but MikroTik DNS does not support static names which return NXDOMAIN, and experience shows that this kind of switch is removed or made possible to override in no time.
“Funny” thing is that implementation in browser (as Mozilla is pushing now; or generally per-application) makes the least sense of all. Either I want to protect whole network, so I need it on router. Or I want to protect computer (better for mobile devices, because with them I don’t always have control over network) and then I need system-wide solution there. Not only browsers use DNS.
And the idea with canary domain and ability to tell browser this way to not use DoH, it’s not hard to predict how it will go, is it? If I’m the bad guy who wants to mess with users’ DNS, of course I will use that.
I’m actually reading this post because I was wondering if RouterOS had any way to NXDOMAIN a given address, in order to implement the canary domain as per https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https. I don’t want traffic on our (SOHO) network that skips DNS-based filtering or tells google/cloudflare everything.
Yes that is why there is some discussion about this.
However, be warned that this “canary domain”, as Sob already writes too, is likely to go away in the future once hackers who want to play man-in-the-middle on DNS see this, implement the canary domain, Mozilla finds out about that, and decides to disable that feature (at least by default).
You should prepare for the situation that you get less and less control over what happens on your network!
All well-known ways of peeking in traffic to implement policies (like website blocking, or QoS implementations that e.g. try to set a lower priority for some traffic) are going to be taken away from you by those browser developers.
It is not only DNS over HTTPS. Firefox will also start to do all web browsing traffic over a “VPN” between the browser and some Cloudflare service, running over HTTPS.
So no way to block sites by IP address anymore! (or to put lower priority on some websites)
You will only see a lot of sessions to a single HTTPS service and no more way to get insight in what is happening over those sessions.
For me the main need for DoH support is the capability in the local DNS server to add static names that return NXDOMAIN. And while you are at it, also other record types like NS, TXT etc. Some browsers try to resolve use-application-dns.net which on internet DNS would return an IP address. When it returns NXDOMAIN instead, it is assumed the local admin does not want the users to use DoH and this feature is switched off. But in RouterOS it is not possible to arrange that.
(IMHO the browser makers should also accept responses like 127.0.0.1 as indicator, but they don’t)
I’d like to append my request for RoS DoH support as well.
We should not have to trade security for usability when the need arises.
To elaborate:
I am currently intercepting all DNS server requests, redirecting them to the router itself (RB4011), using static DNS at router level to block many social sites as well as redirect some domains to internal servers, while all allowed requests are forwarded to 1.1.1.1 or 8.8.8.8.
If I use DoH at browser level - I get security but I can no longer redirect the domains.
When Windows 10 starts recognizing DoH enabled DNS servers, the manual rules won’t apply either.
The only way I see is for RoS to introduce DoH support and transparently resolve using DoH enabled DNS servers.
Default case: DoH is enabled in neither browser nor OS.
DNS requests are not secure.
Router DNS cache is used.
Router static DNS entries are honored.
Case 1: No DoH support at router level. Browser uses DoH:
Browser DNS requests are secure.
OS DNS requests are not secure.
Router DNS cache is not used for browser requests.
Router static DNS entries are ignored for browser requests.
Case 2: No DoH support at router level. OS supports DoH.
(Windows 10 DNS client is said to support DoH natively for DoH enabled DNS servers in the next major update)
Windows uses DoH.
All DNS requests are secure.
Router DNS cache is not used.
Router static DNS entries are ignored.
Ideal case: If Mikrotik adds native DoH support to RoS:
Home network (Browser, OS, IOT devices) > DNS req. > RouterOS > DoH req. > Cloudflare / Google
All DNS requests are secure.
Router DNS cache is used.
Router static DNS entries are honored.
Devices do not need to support DoH directly to benefit from it.
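To make concrete what the two posts above are asking the local resolver to do (answer the use-application-dns.net canary with NXDOMAIN so browsers turn application-level DoH off, keep honoring local static entries, and forward the rest), here is an added example written for this thread. It is not RouterOS code and not anything MikroTik ships; it is a plain-Python sketch of the policy logic on top of hand-built DNS wire messages. The canary name comes from the Mozilla page linked earlier; the static record and the "upstream" table are constructed stand-ins so the script runs offline (a real resolver would forward to 1.1.1.1 / 8.8.8.8, over DoH or not, instead of consulting UPSTREAM_STUB).

```python
import ipaddress
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080

# Canary name mentioned in the thread: an NXDOMAIN answer tells Firefox that
# the local network does not want application-level DoH.
CANARY_DOMAINS = {"use-application-dns.net"}

# Constructed sample data (not from the thread): a local override the admin
# wants honored, and a stand-in for what the upstream forwarder would return.
STATIC_RECORDS = {"intranet.example": "192.168.88.10"}
UPSTREAM_STUB = {"example.com": "203.0.113.7"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name; returns (name, offset after terminator)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a standard recursive A query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def handle_query(query: bytes) -> bytes:
    """Apply the local policy to one query and return the wire response."""
    qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    qname, offset = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]
    key = qname.lower()
    base = FLAG_QR | FLAG_RA | (flags & FLAG_RD)

    # 1. Canary: authoritative NXDOMAIN, no answer section.
    if key in CANARY_DOMAINS:
        hdr = struct.pack("!HHHHHH", qid, base | FLAG_AA | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return hdr + question

    # 2. Local static entries win over anything upstream would say.
    address = STATIC_RECORDS.get(key)
    authoritative = FLAG_AA if address else 0
    # 3. Otherwise "forward" (offline stand-in for the real upstream lookup).
    if address is None:
        address = UPSTREAM_STUB.get(key)
    if address is None or qtype != QTYPE_A:
        hdr = struct.pack("!HHHHHH", qid, base | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return hdr + question

    # Answer RR: owner name as a pointer to the question name (0xC00C).
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
    rr += ipaddress.IPv4Address(address).packed
    hdr = struct.pack("!HHHHHH", qid, base | authoritative | RCODE_NOERROR, 1, 1, 0, 0)
    return hdr + question + rr


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def first_a_record(response: bytes):
    """Return the address of the first A answer, or None if there is none."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if ancount == 0:
        return None
    _, offset = decode_name(response, 12)
    offset += 4 + 2  # skip qtype/qclass, then the 2-byte owner-name pointer
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
    offset += 10
    if rtype != QTYPE_A:
        return None
    return str(ipaddress.IPv4Address(response[offset:offset + rdlen]))


def resolve(name: str):
    """Convenience wrapper: (rcode, address-or-None) for an A lookup."""
    resp = handle_query(build_query(name))
    return rcode(resp), first_a_record(resp)


if __name__ == "__main__":
    for n in ("use-application-dns.net", "intranet.example", "example.com", "nope.example"):
        print(n, "->", resolve(n))
```

Running the script shows the canary coming back as RCODE 3 (NXDOMAIN) while the static and forwarded names answer normally, which is exactly the combination the thread says RouterOS static DNS cannot express today: it can map a name to an address, but it has no way to return NXDOMAIN for a chosen name.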
DoH uses HTTPS as a transport, so transparent redirects are not gonna be possible.
DoH has nothing to do with security. Really nothing. Some believe it has something to do with confidentiality (which is not the same as security), though this statement is also arguable.
And… Yes, I would also like to ask for a builtin way (like the ability to return NXDOMAIN for a given domain) to tell clients to NOT use DoH.