I want that too, but it’s not compatible with RouterOS, just like the advanced OpenVPN setup. Needless to say, I’m using an ad-blocking DNS (Adguard DNS) that blocks malware sites as well. 1.1.1.1 DNS seems really good (need to see how its malware results compare to other alternatives); I hope they also implement an ad-blocking feature.
I see no claims at all about filtering malware or ads. It is just a DNS resolver.
Why would you trust your metadata to a third party other than the one you send your internet traffic through!?
In some cases the ISP DNS resolver has “additional features” that some people may not like, including returning false IP addresses for certain domains or returning a false IP address for every lookup of a nonexisting domain.
Using an independent resolver may fix that.
It will help with filtering, at least for now. It won’t do that much for privacy, because everything is moving to HTTPS, and SNI is happy to tell anyone along the way what domain you are accessing.
The part about filtering that worries me is that current DNS filtering is great. When someone wants to censor something (governments just love that), DNS filtering is the first thing they try. In the simplest case, when it’s done on the ISP’s resolvers, it sort of works, at least for a regular user who uses the network config provided by the ISP. And surprisingly, censors are often satisfied with that. For the ISP, it’s not hard to set up either. And every user who doesn’t like it simply uses different resolvers. In the end, everyone is happy. But the more these “uncensorable” ways are used, the sooner the censors will want to do something about it. It’s not really an argument against these new secure ways, because the idea that “if we want to censor something, it should actually work” will come to them sooner or later anyway…
It’s not hope or knowing more, it’s a cruel joke. You have heard about ROS v7 before, right?
On topic, DNS over TLS has a head start; it’s already an RFC. On the other hand, it uses the “unusual” port 853 by default, and that’s going to be a problem in some places. If I had to guess, DNS over HTTPS has the better chance. Not that I’d be too excited by this “make everything on the internet HTTPS” movement.
Why is everyone suddenly looking for this?
The performance will be dreadful compared to normal DNS, won’t it?
You would probably only want this when there is really no other way of having unfiltered DNS.
In most cases the use of a VPN to some unfiltered site is way more practical.
I guess that’s desperate folks trying to access some content where the internet is not as free as elsewhere, and cross-border VPNs are blocked as well. These days HTTP over SSL is allowed almost everywhere while many other encrypted protocols are not, so everybody got the idea to piggy-back other protocols on top of HTTPS.
And maybe not everyone wants to, or has the resources to, redirect ALL their traffic outside of a country to accommodate what, 0.4% of their requests? Or they don’t want the performance penalty?
The explanation is simple. People are suddenly looking into this because they’ve seen news about Cloudflare’s new public resolvers. It might have opened their eyes about how DNS works and motivated them to want more privacy. Or they just wanted to check if RouterOS supported it, in case they would need it one day. VPN is good too, but VPNs don’t grow on trees. Technically, neither do DNS resolvers, but in terms of accessibility it’s as if they did: they are free for everyone, unlike VPNs.
You should understand that encrypting your DNS for the sole purpose of “websurfing” does not yield any privacy because the ISP can still look into the https session startups and see the SNI (which was added to allow https on shared hosting). So when you really want privacy, you need to tunnel all your traffic to an external VPN.
(this of course only gives you privacy against the ISP and your local government, now the VPN provider can see everything you do)
Securing only DNS and not the actual traffic brings very little. It could be a workaround against polluted DNS (some answers modified, maybe a default answer instead of “not found”), but is only required when the ISP does some dst-nat to capture all standard DNS traffic (so you can’t simply use 1.1.1.1 or 8.8.8.8 instead of your ISP’s DNS forwarders), even on nonstandard ports like 5353 which are provided to work around such things.
When you still want DNS over TLS, a better solution would be to set up an SSTP or OpenVPN connection to some service that allows you to send DNS queries (in UDP) over such a VPN to their resolvers. The DNS queries go over that VPN, the other traffic is sent directly. This will be way more efficient than DNS over TLS, as setting up a TLS connection has a lot of overhead. (The connection could be kept alive for multiple queries, but apparently nobody does that.)
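Two of the replies above (the one saying SNI "is happy to tell anyone on the way what domain you access" and the one saying the ISP "can still look into the https session startups and see the SNI") make the same point. The following is an added example written for this page, not code posted by anyone in the thread: it constructs a TLS ClientHello carrying a server_name extension (the bytes are built here, not captured from a real browser) and then parses it the way a passive on-path box would, recovering the hostname from the cleartext SNI field. The function names `build_client_hello` and `extract_sni` are this example's own.

```python
"""Added example: what an on-path observer learns from an HTTPS connection
even when the DNS lookup itself was encrypted. The ClientHello is constructed
here (all-zero random, one cipher suite); it is not a captured packet."""
import struct


def build_client_hello(hostname=None):
    """Construct a TLS record carrying a ClientHello. With hostname=None the
    ClientHello has no extensions block at all, which is legal and SNI-free."""
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + bytes(32)                           # random: all zeros (constructed)
        + b"\x00"                             # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"                         # compression_methods: null only
    )
    if hostname is not None:
        sni_name = hostname.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, the name
        entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
        sni_list = struct.pack("!H", len(entry)) + entry
        # extension type 0x0000 is server_name
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        # an unrelated extension (supported_versions, 0x002b) placed first so
        # the parser has to walk the list rather than assume SNI comes first
        other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
        exts = other_ext + sni_ext
        body += struct.pack("!H", len(exts)) + exts
    # HandshakeType client_hello(1) followed by a 3-byte length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # ContentType handshake(22), record version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.
    This is the passive observer's view: nothing here needs any key."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                    # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    end = 4 + hs_len
    p = 4 + 2 + 32                                  # skip version and random
    sid_len = hs[p]
    p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + cs_len
    cm_len = hs[p]
    p += 1 + cm_len
    if p + 2 > end:
        return None                                 # no extensions block
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ext_end = p + ext_len
    while p + 4 <= ext_end:
        ext_type, ext_size = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + ext_size]
        p += ext_size
        if ext_type != 0x0000:
            continue
        q = 2                                       # skip server_name_list length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            if name_type == 0:
                return name.decode("ascii", "replace")
            q += 3 + name_len
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))
    print(extract_sni(build_client_hello()))
```

The parser deliberately ignores everything it does not need (it never touches the cipher suites or the random), which is exactly why SNI-based filtering is cheap for an ISP: a few fixed-offset reads on the first packet of each connection. Encrypted DNS does nothing about this field; only tunnelling the whole session, as the reply above says, hides it from the access network.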
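The last reply says the TLS handshake overhead could be amortised by keeping the connection alive for multiple queries, and an earlier one mentions resolvers that hand out "a default answer instead of not found". Both are easy to show on the wire. The block below is an added example for this page, not code from the thread or from any resolver software: it builds DNS queries in the RFC 1035 wire format, applies the 2-byte length prefix that DNS over TCP and DNS over TLS (RFC 7858) share, sends two queries back to back as they would go down one persistent connection, and parses a constructed stream of two responses coming back. No socket or TLS is opened; the "server" side is a byte string built by `build_response`, and the addresses 192.0.2.10 and 10.0.0.1 plus the name `xq7k2p9-does-not-exist.example` are made up for the example. The function and constant names are this example's own.

```python
"""Added example: DNS-over-TLS framing with several queries on one
connection, plus the NXDOMAIN-rewrite check. Everything is constructed
offline; nothing is sent to a real resolver."""
import random
import struct

QTYPE_A = 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Turn 'a.b.c' into length-prefixed labels ending with a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Standard query header (RD set), one question, no other sections."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(msg):
    """RFC 1035 4.2.2 / RFC 7858 3.3: 2-byte big-endian length, then message."""
    return struct.pack("!H", len(msg)) + msg


def deframe(stream):
    """Split a stream of framed messages; return (messages, unconsumed tail).
    A persistent connection delivers replies back to back, and a read may
    end mid-message, so the tail must be kept for the next read."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def parse_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, next offset)."""
    labels = []
    while True:
        l = msg[off]
        if l == 0:
            return ".".join(labels), off + 1
        if l & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + l].decode("ascii"))
        off += 1 + l


def parse_response(msg):
    """Return txid, rcode, question name and the A records in the answer."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    off += 4                                       # qtype, qclass
    answers = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "qname": qname, "rcode": flags & 0x000F, "answers": answers}


def build_response(query, rcode=0, addresses=()):
    """Simulated resolver: echo the question, set QR/RD/RA, add A records
    whose owner name is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = parse_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes(int(x) for x in a.split("."))
        for a in addresses)
    return header + question + rrs


def looks_hijacked(response_for_random_name):
    """A resolver answering a random, nonexistent name with an address
    instead of NXDOMAIN is rewriting 'not found' (the case described above)."""
    r = response_for_random_name
    return r["rcode"] != RCODE_NXDOMAIN and bool(r["answers"])


def pipelined_exchange():
    """Two queries on one connection, and the constructed replies, parsed."""
    q1 = build_query("www.example.com", txid=0x1234)
    q2 = build_query("xq7k2p9-does-not-exist.example", txid=0x1235)
    wire_out = frame(q1) + frame(q2)               # what goes down the TLS session
    # constructed replies: honest for q1, a rewritten NXDOMAIN for q2
    wire_in = frame(build_response(q1, addresses=("192.0.2.10",))) + \
              frame(build_response(q2, addresses=("10.0.0.1",)))
    msgs, tail = deframe(wire_in)
    return [parse_response(m) for m in msgs], len(wire_out), tail
```

Because replies on a reused connection are matched to queries by transaction ID rather than by arrival order, `parse_response` returns the txid and a real client would key its pending table on it. The hijack check is the one-query version of the test people run against ISP resolvers: ask for a random label you know does not exist and see whether you get RCODE 3 or an address.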