Secure my DNS requests

There are a number of DNS techniques that can hide my queries from the ISP along the path: DNSCrypt, DNS over HTTPS, DNS over TLS, etc. Please add support for any (or some) of these to ROS, due to the fact that this is a more and more popular demand nowadays in too many countries.

You can definitely recall the Russian and Chinese government state-scale site blacklists, which push ISPs to return fake replies for sites that are blacklisted for political reasons.

I want to hide my activity too, so it would be great to have functionality like DNS over HTTPS, DNS over TLS.

Another +1 for some form of encrypted DNS support out of the box.

This is quite topical with the recently announced DNS resolver partnership between Cloudflare and APNIC promoting its use: https://1.1.1.1/

Then hopefully your activity doesn’t include anything with http. Plain old http is fully readable, and https does protect content, but still leaks target hostname because of SNI.

One more request related to this one: http://forum.mikrotik.com/t/feature-request-dnscrypt-support/53792/1
Hope we will get an answer from the dev or support team.

Any updates?

It may be in RouterOS 7 or not.

Because governments are getting more and more curious about what civilians are interested in on the Internet, it is better to also put the DNS requests into a private network together with the rest of your internet traffic.

Let’s hope that Mikrotik is going to develop better support in the router for OpenVPN and IKE2 as a client.

And Wireguard which trounces both of them for security, throughput, and latency.

Looks very impressive, and let’s hope it will be adopted widely soon.

Yet this “impressive” VPN cannot be used on Windows, so it seems to be of no use out there in the wild. So far Windows PCs are a huge part of the user base, so not supporting them is something risky.

There are some VPN technologies like Wireguard, tinc, and some others; all (seem to) be good, but no router should support all of them. Even SSTP looks like overkill. Let’s do a few protocols but do them very well (not like the semi-done ovpn now).

From their homepage:

> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We’re working toward a stable 1.0 release, but that time has not yet come.

So one day it may become great and if it does, I hope to see it in RouterOS too. But until then, improvements for good old OpenVPN would be enough to make many people happy.

I just set up Pi-hole in a VM.

Pi-hole connects to DNS via TLS.

DHCP hands out Pi-hole as the DNS server.
DHCP hands out the router as the secondary DNS server to handle local DNS requests based on static entries applied via DHCP handouts.

Agreed. Just something to be aware of, because by the time they get around to OpenVPN improvements, Wireguard may be mainstream … :)

+1 for secure DNS feature.

+1 for secure DNS feature.

Support for
DNS over HTTPS, DNS over TLS