cREoz
just joined
Posts: 10
Joined: Wed Sep 04, 2013 9:51 pm

Re: Feature request - DNSCrypt support...

Sun Jul 08, 2018 8:37 pm

+1 for DNSCrypt support
 
mlenhart
Frequent Visitor
Posts: 83
Joined: Mon Oct 30, 2017 11:30 pm

Re: Feature request - DNSCrypt support...

Sun Jul 08, 2018 10:36 pm

+1 for DNSSec/DNSCrypt
 
cavok
just joined
Posts: 9
Joined: Tue Feb 12, 2013 9:14 am

Re: Feature request - DNSCrypt support...

Mon Jul 09, 2018 2:00 am

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for all my internal clients and I don't have to use a dnscrypt proxy on every machine. If anyone is interested in configuring it (especially as there are some compatibility tricks you have to be aware of) I can provide you the required steps to make it work :)
Would love to get this info, please.
 
vladvalmont
just joined
Posts: 1
Joined: Tue Jul 10, 2018 6:17 pm
Location: Saint Petersburg, Russia

Re: Feature request - DNSCrypt support...

Tue Jul 10, 2018 6:23 pm

+1 for DNSCrypt support
 
foxxiu7
just joined
Posts: 5
Joined: Sun Aug 25, 2013 3:30 am

Re: Feature request - DNSCrypt support...

Wed Jul 11, 2018 2:35 am

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for all my internal clients and I don't have to use a dnscrypt proxy on every machine. If anyone is interested in configuring it (especially as there are some compatibility tricks you have to be aware of) I can provide you the required steps to make it work :)
Would love to get this info, please.
I'm also interested how to add DNSCrypt support on the RPi as currently I'm using two MikroTiks and RaspberryPi with pi-hole and OpenDNS.
 
Anastasia
newbie
Posts: 32
Joined: Wed Oct 28, 2015 7:12 pm

Re: Feature request - DNSCrypt support...

Sat Sep 15, 2018 8:41 pm

+1 for DNSCrypt support
 
MikroRouter
just joined
Posts: 12
Joined: Wed Nov 02, 2011 11:00 am

Re: Feature request - DNSCrypt support...

Thu Oct 04, 2018 11:40 am

Hope this can be implemented soon...
 
thief
just joined
Posts: 2
Joined: Mon Oct 08, 2012 10:13 am

Re: Feature request - DNSCrypt support...

Mon Oct 08, 2018 7:47 am

+1 for DNSSec/DNSCrypt
 
Kamaz
newbie
Posts: 26
Joined: Sun Apr 30, 2017 9:35 am

Re: Feature request - DNSCrypt support...

Tue Oct 09, 2018 8:39 pm

+1 for DNSSec/DNSCrypt
 
Azure
just joined
Posts: 4
Joined: Fri Dec 23, 2016 10:49 pm

Re: Feature request - DNSCrypt support...

Wed Oct 10, 2018 2:31 pm

Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC
Yes! This!
DNScrypt is great and all... But I'd like to see DNS-TLS as Quad9 supports it.
In the end, either is better than neither!

https://www.quad9.net/faq/#Does_Quad9_s ... S_over_TLS
 
skiif
just joined
Posts: 1
Joined: Thu Oct 25, 2018 9:17 am

Re: Feature request - DNSCrypt support...

Thu Oct 25, 2018 9:23 am

+1 for DNS-over-TLS as it's an IETF approved standard, but of course DNScrypt and DNS-HTTPs also will be very appreciated.
 
Chupaka
Forum Guru
Posts: 8251
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature request - DNSCrypt support...

Thu Oct 25, 2018 11:55 am

DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Joni
Frequent Visitor
Posts: 70
Joined: Fri Mar 20, 2015 2:46 pm

Re: Feature request - DNSCrypt support...

Thu Oct 25, 2018 12:54 pm

DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that's a no-no.
https://www.theregister.co.uk/2018/10/2 ... _standard/
 
nimbo78
Frequent Visitor
Posts: 63
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature request - DNSCrypt support...

Sun Oct 28, 2018 2:00 pm

DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)
+1
 
estas
just joined
Posts: 18
Joined: Sat Nov 03, 2018 8:34 pm

Re: Feature request - DNSCrypt support...

Wed Nov 28, 2018 4:21 pm

+1 for DNS-over-TLS and DNSCrypt!
and also waiting UDP Proxy...
 
xkubus
just joined
Posts: 4
Joined: Sun Dec 11, 2011 7:49 pm

Re: Feature request - DNSCrypt support...

Mon Jan 07, 2019 10:38 am

+1 Please!
 
EvgeniyV
just joined
Posts: 4
Joined: Sun Oct 28, 2018 5:49 pm

Re: Feature request - DNSCrypt support...

Tue Jan 08, 2019 1:19 am

+1
interesting, how many people still have to write "+1" that this gave the result? :-?
 
Kamaz
newbie
Posts: 26
Joined: Sun Apr 30, 2017 9:35 am

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 11:30 am

Google provides DNS-over-TLS https://developers.google.com/speed/pub ... s-over-tls from January 2019,
also it provides DNS-over-HTTPS https://developers.google.com/speed/pub ... over-https from September 2018.
 
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 12:04 pm

+1
interesting, how many people still have to write "+1" that this gave the result? :-?
Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
  • MTCNA 99% '17
    MTCRE 89% '17
    MTCTCE 89% '18
 
vecernik87
Long time Member
Posts: 634
Joined: Fri Nov 10, 2017 8:19 am

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 1:59 pm

Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone within a few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be an enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...
 
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 9:39 pm

Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone within a few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be an enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...
ovpn UDP support may be too "enormous waste of time"?
 
poizzon
Member Candidate
Posts: 112
Joined: Fri Jun 21, 2013 12:53 pm

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 2:36 am

+10
--
poi
 
Chupaka
Forum Guru
Posts: 8251
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 8:28 am

+10
+10 to "enormous waste of time"? :)
 
normis
MikroTik Support
Posts: 23946
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 8:45 am

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
No answer to your question? How to write posts
 
Chupaka
Forum Guru
Posts: 8251
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 1:43 pm

HTTPS gives you more security
Huh?..
inability to catch this traffic as an administrator
Well, as it was earlier - by IP address :)

But generally yes - it's harder for your ISP to block/redirect DoH than DoT as it uses shared port number (443).
 
normis
MikroTik Support
Posts: 23946
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 2:24 pm

Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).
 
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:20 pm

Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).
When will the DoH appear 😚? So when?
 
Chupaka
Forum Guru
Posts: 8251
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:21 pm

What about SNI? :) ESNI is not on stage currently
 
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:26 pm

At home I'm mangling DNS fwd+out connections and redirect to EU OVPN (CHR VPS), but DoH = peer-to-peer encryption & we all need it (=
 
normis
MikroTik Support
Posts: 23946
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:29 pm

No answer to your question? How to write posts
 
ErfanDL
Member Candidate
Posts: 264
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 4:36 pm

add DNSSEC features

Sent from my C6833 using Tapatalk

 
normis
MikroTik Support
Posts: 23946
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 4:43 pm

add DNSSEC features

Sent from my C6833 using Tapatalk
What does it mean?
 
ErfanDL
Member Candidate
Posts: 264
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 6:35 pm

add DNSSEC features

Sent from my C6833 using Tapatalk
What does it mean?
https://en.m.wikipedia.org/wiki/Domain_ ... Extensions
 
anthonws
just joined
Posts: 19
Joined: Sat Jan 09, 2016 6:46 pm

Re: Feature request - DNSCrypt support...

Mon Jan 21, 2019 10:15 pm

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Both would be the ideal scenario :) Naturally, I understand that there are budget/resource constraints and prioritization of features, and therefore that is not viable.

Using Mikrotik mainly as Home gear, my natural choice would be to go with DoH. But, since your main target is Enterprise then it makes sense to invest on the DoT first. I'm sure that the Home users/clients like me will be able to still use DoT.

Ultimately, one or the other will provide the additional security (with more or less controls) that the majority of your customers are looking for :)

What about SNI? :) ESNI is not on stage currently
Isn't that at the Browser level only?
 
anav
Forum Guru
Posts: 2724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature request - DNSCrypt support...

Tue Jan 22, 2019 4:31 pm

At a minimum, from a practical point of view, wouldn't it matter more that juniper, cisco, fortigate, zyxel etc......... started implementing such technologies.
Further if mikrotik saw a decrease in sales and an erosion in the current base to such vendors due to technology available elsewhere, then they would be forced to move.
However, that would be too late so it is a matter of timing besides the other usual suspects, money, human resources, code stability, hardware limitations.......

.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
R1CH
Forum Veteran
Posts: 861
Joined: Sun Oct 01, 2006 11:44 pm

Re: Feature request - DNSCrypt support...

Wed Feb 13, 2019 12:41 pm

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Why not both? Although DNS over HTTPS seems to be the way forward, very few providers are actually deploying DNS over TLS. As long as you maintain a persistent connection to the resolver, latency should be minimal.
 
eworm
Member
Posts: 304
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Feature request - DNSCrypt support...

Wed Feb 13, 2019 11:30 pm

At FOSDEM 2019 Daniel Stenberg (the maintainer of curl) had a talk about DNS over HTTPS - the good, the bad and the ugly. Very interesting topic and he sheds some light on DoT, DNScrypt, DNSsec & Co as well.

IMHO DoH is the way to go.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
pothi
just joined
Posts: 8
Joined: Fri Sep 14, 2018 7:48 pm
Location: Srivilliputhur, Tamil Nadu, India

Re: Feature request - DNSCrypt support...

Sun Mar 03, 2019 9:57 am

As an administrator, I'd like to have some (or full) control over the traffic, thus favoring DNS over TLS.

As a user, I don't want any control over my internet connection, thus supporting DNS over HTTPS.

Both are better than plain text DNS query.
Love breaking things and start over!
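
The administrator's view debated in the posts above (DoT identifiable by its own port, DoH only by destination address), as an added example that is not part of any post: a flow classifier run over constructed connection records. It assumes TCP port 853 for DoT (RFC 7858) and a hypothetical short resolver list built from the addresses named in the thread.

```python
from collections import Counter
from ipaddress import ip_address

# Resolver addresses named in the thread. Assumption: a real list is far longer,
# and a DoH resolver missing from it cannot be told apart from other HTTPS.
KNOWN_RESOLVERS = {ip_address(a) for a in
                   ("1.1.1.1", "8.8.8.8", "208.67.220.220", "208.67.222.222")}

# What a gateway can do with each class using only L3/L4 header fields.
CONTROL = {
    "plain-dns": "match by port; can inspect, redirect or NAT",
    "dot": "match by port 853; can allow or block, not inspect",
    "doh-candidate": "match by destination address only",
    "resolver-alt-port": "match by destination address only",
    "https-opaque": "no DNS-specific handle",
    "other": "not DNS related",
}

def classify(proto, dst_ip, dst_port):
    """Label one flow from its protocol, destination address and port."""
    known = ip_address(dst_ip) in KNOWN_RESOLVERS
    if dst_port == 53 and proto in ("udp", "tcp"):
        return "plain-dns"
    if dst_port == 853 and proto == "tcp":
        return "dot"
    if dst_port == 443 and proto == "tcp":
        return "doh-candidate" if known else "https-opaque"
    if known:
        # e.g. the udp/5353 redirect to OpenDNS quoted earlier in the thread
        return "resolver-alt-port"
    return "other"

def tally(flows):
    """Count flows per label."""
    return dict(Counter(classify(*f) for f in flows))

# Constructed sample flows (protocol, destination, port); not captured traffic.
FLOWS = [
    ("udp", "8.8.8.8", 53),
    ("tcp", "192.0.2.53", 53),
    ("tcp", "1.1.1.1", 853),
    ("tcp", "1.1.1.1", 443),
    ("tcp", "203.0.113.7", 443),       # unlisted DoH would look like this
    ("udp", "208.67.220.220", 5353),
    ("tcp", "198.51.100.20", 22),
]

if __name__ == "__main__":
    for flow in FLOWS:
        label = classify(*flow)
        print(flow, label, "->", CONTROL[label])
```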
 
kenyloveg
Frequent Visitor
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

Re: Feature request - DNSCrypt support...

Thu Mar 14, 2019 3:50 pm

Can we just hold back these advanced fancy DNS standards, but support setting up a non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution (intercept plain text like google from udp 53 port then return 127.0.0.1) is a very easy thing for an ISP to do if a mikrotik device (and most common soho devices) only supports udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
 
mutinsa
just joined
Posts: 17
Joined: Tue Feb 06, 2018 4:55 am
Location: Moscow, Russia

Re: Feature request - DNSCrypt support...

Sun Apr 07, 2019 10:37 pm

+1.
Sergey Mutin
Certified Mikrotik Consultant
MikroTik: MTCNA, MTCRE, MTCIPv6E, MTCTCE, MTCUME, MTCINE, MTCWE | Cisco: CCNA R&S | Juniper: JNCIA-Junos | Zabbix: ZCU | Asterisk: dCAA | HE.net IPv6: Sage
 
anav
Forum Guru
Posts: 2724
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature request - DNSCrypt support...

Mon Apr 08, 2019 12:14 am

Can we just hold back these advanced fancy DNS standards, but support setting up a non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution (intercept plain text like google from udp 53 port then return 127.0.0.1) is a very easy thing for an ISP to do if a mikrotik device (and most common soho devices) only supports udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
Why limit the destination address to one public DNS server? Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.
 
anthonws
just joined
Posts: 19
Joined: Sat Jan 09, 2016 6:46 pm

Re: Feature request - DNSCrypt support...

Wed Apr 10, 2019 12:46 am

DoH is no longer a "waste of time" and it's now massively used by the industry (there are even Android Apps to turn that on nowadays with Cloudflare for example).

So, questions:

1. Is there an intention from Mikrotik to implement this?
2. Is there a sharable roadmap for the feature to be implemented?
3. If #1 = negative, why and what's the alternative for your users to be able to make use of such technologies?

Thanks,
anthonws.
 
kenyloveg
Frequent Visitor
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

Re: Feature request - DNSCrypt support...

Mon Apr 15, 2019 7:39 am

Can we just hold back these advanced fancy DNS standards, but support setting up a non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution (intercept plain text like google from udp 53 port then return 127.0.0.1) is a very easy thing for an ISP to do if a mikrotik device (and most common soho devices) only supports udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
Why limit the destination address to one public DNS server? Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.
Tested this works with opendns, but failed with cloudflare or some other public dns. (assume ISP rules to intercept opendns is not created for now)
 
obesbash
just joined
Posts: 1
Joined: Mon Apr 29, 2019 12:54 pm

Re: Feature request - DNSCrypt support...

Tue Apr 30, 2019 6:00 pm

+1 for DNSSec/DNSCrypt
 
darkmanlv
just joined
Posts: 24
Joined: Thu Mar 26, 2015 3:19 pm
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Wed Jun 12, 2019 3:04 pm

+1 DNSCrypt, when?
 
febhost32
just joined
Posts: 2
Joined: Sat Mar 30, 2019 4:56 am

Re: Feature request - DNSCrypt support...

Sun Jun 16, 2019 7:24 am

+1 for DNSCrypt
