
 
NetworkMeister
just joined
Topic Author
Posts: 13
Joined: Thu Feb 12, 2015 8:59 pm

Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 4:57 pm

Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when RouterOS device serves as DNS cache/recursive resolver).

https://developers.google.com/speed/pub ... over-https
https://developers.cloudflare.com/1.1.1 ... ver-https/

While an experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and provides significant benefits in practice.
 
R1CH
Forum Veteran
Posts: 905
Joined: Sun Oct 01, 2006 11:44 pm

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 6:18 pm

DNSCrypt support would also be welcome, to avoid the overhead of wrapping all DNS requests in HTTP / TCP.
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 6:47 pm

There's also DNS over TLS (RFC7858).

But when you look at how much attention MikroTik gave to DNS in the past (there's nothing over basic functionality and one could argue that even some basics are missing), I don't see any of this happening anytime soon.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
msatter
Forum Guru
Posts: 1308
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 9:24 pm

Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when RouterOS device serves as DNS cache/recursive resolver).

https://developers.google.com/speed/pub ... over-https
https://developers.cloudflare.com/1.1.1 ... ver-https/

While an experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and provides significant benefits in practice.
viewtopic.php?f=2&t=132678
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
hardtik
just joined
Posts: 7
Joined: Sat Apr 15, 2017 11:00 pm

Re: Add DNS over HTTPS (DoH) support

Wed Feb 13, 2019 11:09 am

+1

Can anybody from MikroTik reply on this thread?
 
dave864
just joined
Posts: 21
Joined: Fri Mar 11, 2016 2:37 pm

Re: Add DNS over HTTPS (DoH) support

Sun Apr 07, 2019 12:32 am

+1
About time DNSCrypt or DNS over TLS was implemented.
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Add DNS over HTTPS (DoH) support

Sun Apr 07, 2019 4:45 pm

RPI apparently has the ability to do this and is very inexpensive, now that I have ad block working I might give this a try.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
MtHoodlum
just joined
Posts: 14
Joined: Fri Sep 07, 2012 2:09 am

Re: Add DNS over HTTPS (DoH) support

Sun Jul 07, 2019 8:10 am

also interested in encrypted DNS. +1
 
jplr
just joined
Posts: 1
Joined: Tue Jul 16, 2019 11:09 am

Re: Add DNS over HTTPS (DoH) support

Tue Jul 16, 2019 11:11 am

also interested in encrypted DNS. +1
 
khaverblad
newbie
Posts: 38
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 2:58 pm

@Mikrotik are you considering implementation of DNS over HTTPS or DNSCrypt? Would be great with an update on this topic.
--
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 4:26 pm

This is something that (when you want to have it at all) should be implemented in the client, not in the router.
And of course MikroTik already supports DNS over HTTPS done by the client.
(and you will lose the possibility of controlling access to sites, shaping bandwidth to certain sites, etc. but that is what it is all about)
 
khaverblad
newbie
Posts: 38
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 4:49 pm

And that is my point, if MikroTik implemented it, it wouldn't break anything as it would if enabled on the client side.
--
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 5:06 pm

But then it also does not bring the advantages that the client side implementers think it will bring!
So they will work around it even when you implement it in the router.
It appears that some implementations allow a switch-off (look up a DNS name which should return NXDOMAIN) but MikroTik DNS does not support static names which return NXDOMAIN, and experience shows that this kind of switch is removed or made possible to override in no time.
 
khaverblad
newbie
Posts: 38
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 5:12 pm

Well, it doesn't necessarily have to be the client side who wants to implement it :-)
--
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 9:16 pm

"Funny" thing is that implementation in browser (as Mozilla is pushing now; or generally per-application) makes the least sense of all. Either I want to protect whole network, so I need it on router. Or I want to protect computer (better for mobile devices, because with them I don't always have control over network) and then I need system-wide solution there. Not only browsers use DNS.

And the idea with canary domain and ability to tell browser this way to not use DoH, it's not hard to predict how it will go, is it? If I'm the bad guy who wants to mess with users' DNS, of course I will use that.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
davidg
just joined
Posts: 3
Joined: Fri Jul 14, 2017 9:20 am
Location: Transylvania, Ro

Re: Add DNS over HTTPS (DoH) support

Thu Sep 12, 2019 1:10 pm

And the idea with canary domain and ability to tell browser this way to not use DoH, it's not hard to predict how it will go, is it? If I'm the bad guy who wants to mess with users' DNS, of course I will use that.
I'm actually reading this post because I was wondering if RouterOS had any way to NXDOMAIN a given address, in order to implement the canary domain as per https://support.mozilla.org/en-US/kb/co ... over-https. I don't want traffic on our (SOHO) network that skips DNS-based filtering or tells Google/Cloudflare everything.
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Thu Sep 12, 2019 4:26 pm

Yes that is why there is some discussion about this.
However, be warned that this "canary domain", as Sob already writes too, is likely to go away in the future once hackers who want to play man-in-the-middle on DNS see this, implement the canary domain, Mozilla finds out about that, and decides to disable that feature (at least by default).

You should prepare for the situation that you get less and less control over what happens on your network!
All well-known ways of peeking into traffic to implement policies (like website blocking, or QoS implementations that e.g. try to set a lower priority for some traffic) are going to be taken away from you by those browser developers.

It is not only DNS over HTTPS. Firefox will also start to do all web browsing traffic over a "VPN" between the browser and some Cloudflare service, running over HTTPS.
So no way to block sites by IP address anymore! (or to put lower priority on some websites)
You will only see a lot of sessions to a single HTTPS service and no more way to get insight into what is happening over those sessions.
 
Anastasia
newbie
Posts: 37
Joined: Wed Oct 28, 2015 7:12 pm

Re: Add DNS over HTTPS (DoH) support

Tue Nov 19, 2019 4:03 pm

Does the company MikroTik have plans to do DNS over HTTPS?
Where is the official answer about this?
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Add DNS over HTTPS (DoH) support

Tue Nov 19, 2019 4:15 pm

For the time being, we have to look to other platforms, e.g. dnsmasq
 
normis
MikroTik Support
Posts: 24277
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Add DNS over HTTPS (DoH) support

Wed Nov 20, 2019 3:58 pm

For the sake of argument, can you give some examples of why you need DoH on the router, if you can use it in your browser already?
No answer to your question? How to write posts
 
eworm
Member
Posts: 407
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Add DNS over HTTPS (DoH) support

Wed Nov 20, 2019 5:08 pm

Probably because there is so much more than just browsers...
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Wed Nov 20, 2019 5:37 pm

For me the main need for DoH support is the capability in the local DNS server to add static names that return NXDOMAIN. And while you are at it, also other record types like NS, TXT etc. Some browsers try to resolve use-application-dns.net which on internet DNS would return an IP address. When it returns NXDOMAIN instead, it is assumed the local admin does not want the users to use DoH and this feature is switched off. But in RouterOS it is not possible to arrange that.
(IMHO the browser makers should also accept responses like 127.0.0.1 as indicator, but they don't)
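
Added example, not part of the post above and not MikroTik code: a check an administrator could run to see which answer the local resolver gives for the canary name discussed in this thread. The function names and the sample replies are constructed for illustration; `ask()` is the only part that needs network access, and it takes the resolver address you pass it.

```python
import socket
import struct

CANARY = "use-application-dns.net"   # canary name quoted in the post above
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a recursive (RD=1) DNS query with one A/IN question."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_canary(response):
    """Return (rcode name, answer count, verdict) for a reply to the canary query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode == 3:
        verdict = "signal present: resolver answers NXDOMAIN"
    elif rcode == 0 and ancount > 0:
        # Per the post, an address such as 127.0.0.1 is not taken as a signal.
        verdict = "no signal: name resolves to a record"
    else:
        verdict = "inconclusive: neither NXDOMAIN nor an answer"
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount, verdict

def sample_response(query, rcode, address=None):
    """Constructed sample reply: echo the question, set QR/RD/RA and the rcode."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if address else 0, 0, 0)
    body = query[12:]
    if address:  # one A record, name given as a compression pointer to offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(address)
    return header + body

def ask(server, timeout=3.0):
    """Send the canary query to a resolver over UDP/53 and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY), (server, 53))
        return classify_canary(sock.recvfrom(512)[0])

if __name__ == "__main__":
    q = build_query(CANARY)
    for label, reply in [("static NXDOMAIN", sample_response(q, 3)),
                         ("static 127.0.0.1", sample_response(q, 0, "127.0.0.1"))]:
        print(label, "->", classify_canary(reply))
```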
