NetworkMeister
just joined
Topic Author
Posts: 13
Joined: Thu Feb 12, 2015 8:59 pm

Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 4:57 pm

Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when the RouterOS device serves as DNS cache/recursive resolver).

https://developers.google.com/speed/pub ... over-https
https://developers.cloudflare.com/1.1.1 ... ver-https/

While an experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and it provides significant benefits in practice.
 
R1CH
Forum Veteran
Posts: 909
Joined: Sun Oct 01, 2006 11:44 pm

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 6:18 pm

DNSCrypt support would also be welcome, to avoid the overhead of wrapping all DNS requests in HTTP / TCP.
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 6:47 pm

There's also DNS over TLS (RFC7858).

But when you look how much attention MikroTik gave to DNS in the past (there's nothing over basic functionality and one could argue that even some basics are missing), I don't see any of this happening anytime soon.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 9:24 pm

Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when the RouterOS device serves as DNS cache/recursive resolver).

https://developers.google.com/speed/pub ... over-https
https://developers.cloudflare.com/1.1.1 ... ver-https/

While an experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and it provides significant benefits in practice.
viewtopic.php?f=2&t=132678
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta68 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
hardtik
just joined
Posts: 7
Joined: Sat Apr 15, 2017 11:00 pm

Re: Add DNS over HTTPS (DoH) support

Wed Feb 13, 2019 11:09 am

+1

Can anybody from MikroTik reply on this thread?
 
dave864
just joined
Posts: 21
Joined: Fri Mar 11, 2016 2:37 pm

Re: Add DNS over HTTPS (DoH) support

Sun Apr 07, 2019 12:32 am

+1
About time DNSCrypt or DNS over TLS was implemented.
 
anav
Forum Guru
Posts: 3146
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Add DNS over HTTPS (DoH) support

Sun Apr 07, 2019 4:45 pm

RPI apparently has the ability to do this and is very inexpensive, now that I have ad block working I might give this a try.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
MtHoodlum
just joined
Posts: 14
Joined: Fri Sep 07, 2012 2:09 am

Re: Add DNS over HTTPS (DoH) support

Sun Jul 07, 2019 8:10 am

also interested in encrypted DNS. +1
 
jplr
just joined
Posts: 1
Joined: Tue Jul 16, 2019 11:09 am

Re: Add DNS over HTTPS (DoH) support

Tue Jul 16, 2019 11:11 am

also interested in encrypted DNS. +1
 
khaverblad
newbie
Posts: 38
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 2:58 pm

@Mikrotik are you considering implementation of DNS over HTTPS or DNSCrypt? Would be great with an update on this topic.
--
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 4:26 pm

This is something that (when you want to have it at all) should be implemented in the client, not in the router.
And of course MikroTik already supports DNS over HTTPS done by the client.
(and you will lose the possibility of controlling access to sites, shaping bandwidth to certain sites, etc. but that is what it is all about)
 
khaverblad
newbie
Posts: 38
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 4:49 pm

And that is my point, if Mikrotik implemented it, it wouldn't break anything as it would if enabled on the client side.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 5:06 pm

But then it also does not bring the advantages that the client side implementers think it will bring!
So they will work around it even when you implement it in the router.
It appears that some implementations allow a switch-off (look up a DNS name which should return NXDOMAIN) but MikroTik DNS does not support static names which return NXDOMAIN, and experience shows that this kind of switch gets removed or made possible to override in no time.
 
khaverblad
newbie
Posts: 38
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 5:12 pm

Well, doesn't necessary have to be the client side who wants to implement it :-)
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 9:16 pm

"Funny" thing is that implementation in browser (as Mozilla is pushing now; or generally per-application) makes the least sense of all. Either I want to protect whole network, so I need it on router. Or I want to protect computer (better for mobile devices, because with them I don't always have control over network) and then I need system-wide solution there. Not only browsers use DNS.

And the idea with canary domain and ability to tell browser this way to not use DoH, it's not hard to predict how it will go, is it? If I'm the bad guy who wants to mess with users' DNS, of course I will use that.
 
davidg
just joined
Posts: 3
Joined: Fri Jul 14, 2017 9:20 am
Location: Transylvania, Ro

Re: Add DNS over HTTPS (DoH) support

Thu Sep 12, 2019 1:10 pm

And the idea with canary domain and ability to tell browser this way to not use DoH, it's not hard to predict how it will go, is it? If I'm the bad guy who wants to mess with users' DNS, of course I will use that.
I'm actually reading this post because I was wondering if routerOS had any way to NXDOMAIN a given address, in order to implement the canary domain as per https://support.mozilla.org/en-US/kb/co ... over-https. I don't want traffic on our (SOHO) network that skips DNS-based filtering or tells google/cloudflare everything.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Thu Sep 12, 2019 4:26 pm

Yes that is why there is some discussion about this.
However, be warned that this "canary domain", as Sob already writes too, is likely to go away in the future once hackers who want to play man-in-the-middle on DNS see this, implement the canary domain, Mozilla finds out about that, and decides to disable that feature (at least by default).

You should prepare for the situation that you get less and less control over what happens on your network!
All wellknown ways of peeking in traffic to implement policies (like website blocking, or QoS implementations that e.g. try to set a lower priority for some traffic) are going to be taken away from you by those browser developers.

It is not only DNS over HTTPS. Firefox will also start to do all web browsing traffic over a "VPN" between the browser and some Cloudflare service, running over HTTPS.
So no way to block sites by IP address anymore! (or to put lower priority on some websites)
You will only see a lot of sessions to a single HTTPS service and no more way to get insight in what is happening over those sessions.
 
Anastasia
newbie
Posts: 37
Joined: Wed Oct 28, 2015 7:12 pm

Re: Add DNS over HTTPS (DoH) support

Tue Nov 19, 2019 4:03 pm

Does the company mikrotik have plans to do DNS over HTTPS?
Where is the official answer about this?
 
sebastia
Forum Guru
Posts: 1796
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Add DNS over HTTPS (DoH) support

Tue Nov 19, 2019 4:15 pm

For the time being, we have to look to other platforms, e.g. dnsmasq
 
normis
MikroTik Support
Posts: 24325
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Add DNS over HTTPS (DoH) support

Wed Nov 20, 2019 3:58 pm

For the sake of argument, can you give some examples of why you need DoH on the router, if you can use it in your browser already?
No answer to your question? How to write posts
 
eworm
Member
Posts: 423
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Add DNS over HTTPS (DoH) support

Wed Nov 20, 2019 5:08 pm

Probably because there is so much more than just browsers...
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Wed Nov 20, 2019 5:37 pm

For me the main need for DoH support is the capability in the local DNS server to add static names that return NXDOMAIN. And while you are at it, also other record types like NS, TXT etc. Some browsers try to resolve use-application-dns.net which on internet DNS would return an IP address. When it returns NXDOMAIN instead, it is assumed the local admin does not want the users to use DoH and this feature is switched off. But in RouterOS it is not possible to arrange that.
(IMHO the browser makers should also accept responses like 127.0.0.1 as indicator, but they don't)
 
Rez
just joined
Posts: 2
Joined: Wed Nov 27, 2019 2:56 pm

Re: Add DNS over HTTPS (DoH) support

Wed Nov 27, 2019 3:47 pm

I'd like to append my request for RoS DoH support as well.
We should not have to trade security for usability when the need arises.

To elaborate:
I am currently intercepting all DNS server requests, redirecting them to the router itself (RB4011), using static DNS at router level to block many social sites as well as redirect some domains to internal servers, while all allowed requests are forwarded to 1.1.1.1 or 8.8.8.8.
If I use DoH at browser level - I get security but I can no longer redirect the domains.
When Windows 10 starts recognizing DoH enabled DNS servers, the manual rules won't apply either.
The only way I see is for RoS to introduce DoH support and transparently resolve using DoH enabled DNS servers.

Default case: DoH is enabled in neither browser or OS.
  • DNS requests are not secure.
  • Router DNS cache is used.
  • Router static DNS entries are honored.
Case 1: No DoH support at router level. Browser uses DoH:
  • Browser DNS requests are secure.
  • OS DNS requests are not secure.
  • Router DNS cache is not used for browser requests.
  • Router static DNS entries are ignored for browser requests.
Case 2: No DoH support at router level. OS supports DoH.
(Windows 10 DNS client is said to support DoH natively for DoH enabled DNS servers in the next major update)
  • Windows uses DoH.
  • All DNS requests are secure.
  • Router DNS cache is not used.
  • Router static DNS entries are ignored.
Ideal case: If Mikrotik adds native DoH support to RoS:
  • Home network (Browser, OS, IOT devices) > DNS req. > RouterOS > DoH req. > Cloudflare / Google
  • All DNS requests are secure.
  • Router DNS cache is used.
  • Router static DNS entries are honored.
  • Devices do not need to support DoH directly to benefit from it.
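The router-side flow Rez lays out (LAN clients speak plain DNS to the router, which answers from cache or static entries and otherwise resolves upstream over DoH), together with the canary-domain NXDOMAIN that pe1chl asked for a few posts up, as an added Python example. This is not code from the thread or from RouterOS. It assumes the RFC 1035 wire format for the client's query and the RFC 8484 GET encoding for the upstream request; the upstream URL `https://doh.example/dns-query` is a placeholder, and the canary name is the one pe1chl quotes. Nothing is sent on the network: the handler returns either the NXDOMAIN answer it would give the client or the DoH request it would issue upstream.

```python
import base64
import struct

# Canary name quoted in the thread; the upstream URL is a placeholder (assumption).
CANARY = "use-application-dns.net"
DOH_UPSTREAM = "https://doh.example/dns-query"


def encode_qname(name):
    """RFC 1035 label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """A plain DNS query (RD set, one question) as a client on the LAN would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(msg, offset):
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_question(msg):
    """Return (txid, qname, qtype) of a single-question DNS message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


def nxdomain_response(query):
    """The static NXDOMAIN answer: same ID, question echoed, flags QR|RD|RA, RCODE=3."""
    txid, _, _ = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + query[12:]


def doh_get_url(query, upstream=DOH_UPSTREAM):
    """RFC 8484 GET form: the raw wire message, ID zeroed, base64url without padding."""
    wire = b"\x00\x00" + query[2:]
    return upstream + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def decode_doh_param(url):
    """Inverse of doh_get_url, i.e. what the upstream DoH server unpacks."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def handle_client_query(query):
    """Router-side decision for one plain-DNS query from a LAN client.

    Returns ("nxdomain", response_bytes) for the canary name, otherwise
    ("forward", url) with the DoH request the router would issue upstream.
    """
    _, name, _ = parse_question(query)
    if name.lower() == CANARY:
        return "nxdomain", nxdomain_response(query)
    return "forward", doh_get_url(query)
```

The thing to notice is that the DoH payload is the unmodified DNS wire message, only carried inside HTTPS, which is why a router can do this on behalf of clients that only speak plain DNS; and because the router is the one answering the client, the canary reply (RCODE 3 with the question echoed back) is honoured before anything is forwarded.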
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Add DNS over HTTPS (DoH) support

Wed Nov 27, 2019 5:48 pm

The only way I see is for RoS to introduce DoH support and transparently resolve using DoH enabled DNS servers.
DoH uses HTTPS as a transport, so transparent redirects are not gonna be possible.

  • DNS requests are not secure.
DoH has nothing to do with security. Really nothing. Some believe it has something to do with confidentiality (which is not the same as security), though this statement is also arguable.

And... Yes, I would also like to ask for a builtin way (like the ability to return NXDOMAIN for a given domain) to tell clients to NOT use DoH.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Wed Nov 27, 2019 7:34 pm

Using a Pi-hole here and have just put a small DoH proxy in front. Works great and I have a TLS 1.3 secure connection.

The router blocks on IP basis the DoH addresses that I know of, so that is cut off. Normal DNS requests are delivered to the Pi-hole by the router. DoT is next as proxy for Pi-hole.

The DNS server of RouterOS is limited and if you want more, get another solution.

Pi-hole is also a development version that tackles the CNAME cloaking of third party tracking and cookies behaving as first party to avoid detection.
 
Rez
just joined
Posts: 2
Joined: Wed Nov 27, 2019 2:56 pm

Re: Add DNS over HTTPS (DoH) support

Wed Nov 27, 2019 8:21 pm

The only way I see is for RoS to introduce DoH support and transparently resolve using DoH enabled DNS servers.
DoH uses HTTPS as a transport, so transparent redirects are not gonna be possible.
It would be transparent to the client devices which are still using vanilla DNS requests - not the router.
Upon client request - the router does the resolve via DOH, caches it and serves it back as a "vanilla" dns response to the client.

  • DNS requests are not secure.
DoH has nothing to do with security. Really nothing. Some believe it has something to do with confidentiality (which is not the same as security), though this statement is also arguable.
What would you call preventing your ISP and all servers in between from sniffing and logging your DNS queries then?
Indeed the term "security" might be a bit much, considering that third party DNS providers are involved but still I'd rather risk with one instead of all of them along the way.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Wed Nov 27, 2019 9:30 pm

  • DNS requests are not secure.
DoH has nothing to do with security. Really nothing. Some believe it has something to do with confidentiality (which is not the same as security), though this statement is also arguable.
What would you call preventing your ISP and all servers in between from sniffing and logging your DNS queries then?
You transfer the possibility for your ISP (a party you selected yourself and probably know well, and who you pay for your internet service) to sniff the DNS traffic to another party who you do not know, you do not know where they are located, and you do not pay them money for the service directly (so they have to earn money from your requests in a different way).

You choose what you prefer.

it is similar to using a VPN (in the newfangled sense of the word). It may prevent your ISP from sniffing, but you transfer that possibility to the VPN company.
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Wed Nov 27, 2019 11:27 pm

It would be up to you what DOH resolver you'd use, it could be something public, some trusted commercial service, your own server somewhere else, anything. So this part is fine, but what you'll achieve is different matter.

If you want to keep DNS queries secret, there's currently no point, because you'll most likely use them to connect to some website and SNI will tell anyone on the way to which one.

It will prevent tampering, so ISP will no longer be able to block something simply by blocking relevant DNS queries. That seems good at first sight. Problem is, they probably don't do that just for fun, but often because they have to. So the result will be that they will have to find some other, much worse method.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Wed Nov 27, 2019 11:43 pm

Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.

SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementations that don't send the SNI extension but do verify the server certificate, this can cause connection failures.

https://wiki.openssl.org/index.php/TLS1.3
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 1:29 am

I'd say you're looking at too low level. SNI is what makes multiple https websites on single IP address possible. It's very common and it's not going away. So even though client may not use SNI, if we're talking about common stuff like web browsers, they all use (and have to use) SNI, because "web wouldn't work" without it. I know there's some work on encrypted SNI, but AFAIK it's not finished yet. When it becomes common, it will solve the information leak problem and then it will also make sense to hide DNS queries. But we're not there yet.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 3:24 pm

That the web would not work without it is partially true if you look at only IPv4. With IPv6 you don't need SNI anymore because you have huge numbers of unique IPv6 addresses available. I read about ESNI and it is badly supported or even not supported.

If you then put your DoH server on an IPv6 address then you could omit the SNI in your "Client Hello" to the DoH server (proxy) when using TLS 1.3.
 
eworm
Member
Posts: 423
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 3:38 pm

If you want to keep DNS queries secret, there's currently no point, because you'll most likely use them to connect to some website and SNI will tell anyone on the way to which one.
So developing ESNI (encrypted SNI) does not make sense because usual DNS leaks the information anyway?

Your argument is nonsense and would stop any technical improvement. Let's start to use/implement DoH now, so ESNI is the last piece of the puzzle still missing.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 4:20 pm

With IPv6 you don't need SNI anymore because you have huge numbers of unique IPv6 address available.
Even with IPv6, SNI is normally used because it often is an extra burden to assign multiple IPv6 addresses to the same webserver for the purpose of serving different domains.
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 4:47 pm

@eworm: No, it's a misunderstanding. Currently we have two leaks, DNS and SNI. If you want privacy (not complete, but much better than what you have now), they both have to be fixed, and we do want that to happen. But since it didn't happen yet, if you as user enable DOH, it will help a little bit, but not much. It's like complaining about cold in house, when you have open both door and window. Closing only one won't save you. And sure, someone has to start, everyone can't wait on everyone else like with IPv6.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 5:13 pm

Of course when these techniques become universally implemented, we need to make a sticky topic for the many users that come here with requests like:

- I need to block some specific website (Youtube/Facebook/whatever)
- I need to allow access to only one specific website (externally hosted company site)
- I need to limit the use of bandwidth by this or that service, e.g. operating system updates

etc. There can be a simple cooked reply stating that these things are no longer possible, and that all recipes those people find that claim to solve it do no longer work.
And also that despite information they have read elsewhere, other manufacturer's equipment cannot do it either.

At first sight it may seem that this privacy is a good thing, but of course it will cause some things to collapse, like free Wifi for visitors and limited-bandwidth wireless internet connectivity with purposely limited usage.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 7:28 pm

With IPv6 you don't need SNI anymore because you have huge numbers of unique IPv6 address available.
Even with IPv6, SNI is normally used because it often is an extra burden to assign multiple IPv6 addresses to the same webserver for the purpose of serving different domains.
Why use a webserver? I don't want DoH to go through a webserver, then a proxy, finally arriving at the DNS server, and then the same way back.

I don't know of a DNS server that offers DoH or DoT; proxies or load balancers are used.

Do away with the "we have to use SNI" and just have a single certificate and one address (IPv6)... leak three IPv6 addresses.

I suggested it earlier with Xs4all (ISP), that you don't need a fixed address to browse on the internet.
So spread traffic from customers over many addresses and only Xs4all knows who has that traffic back. For every visited domain the client gets a different source IP on the border of inner and outer. Needs two gateways and/or VPN so that services can have a fixed address available.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 7:33 pm

With IPv6 you don't need SNI anymore because you have huge numbers of unique IPv6 address available.
Even with IPv6, SNI is normally used because it often is an extra burden to assign multiple IPv6 addresses to the same webserver for the purpose of serving different domains.
Why use a webserver? I don't want DoH to go through a webserver, then a proxy, finally arriving at the DNS server, and then the same way back.
This is not about DoH, this is about SNI. SNI is required when serving websites for multiple domains on a single server (or at least a single address).
You claimed "with IPv6 you don't need SNI anymore" which is technically correct, but in practice it isn't true because those who serve multiple domains on a single webserver are not willing to add IPv6 addresses to that server for each of the domains served.
(especially as that solution is not practical on IPv4 and so there would be two different mechanisms, name-based and address-based virtual hosting, on the same server)
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 7:39 pm

Webservers that also hosts sites, are not needed to provide DoH.

That is born from not having good proxies.
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Thu Nov 28, 2019 9:23 pm

You seem to be mixing two unrelated things together. SNI is what's used when browser (as most common example) talks to a website that user wants to open. It doesn't matter what you used to resolve hostname to IP address, maybe it was completely secure way, using DoH or any other method. But when making https request to target website, browser sends (at this time unencrypted) hostname as part of request and anyone on the way can see it. Whether target webserver actually supports SNI or not is irrelevant, because browser doesn't know that when sending request. And browser has to use SNI, because if server requires it, it won't work correctly without it. If it doesn't need it, it will simply ignore it. The latter is not a problem, but the former is.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Fri Nov 29, 2019 11:24 am

A DoH proxy or load balancers for DNS do not serve websites, so they don't have a requirement to be using SNI.

That webservers crop up each time is because many used a webserver in between the client and the DNS server. This is not needed anymore now that proxies can handle DoH natively.

If later we get ESNI, it makes not much difference if one blocks on the IP addresses of the DoH servers.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Fri Nov 29, 2019 11:39 am

A DoH proxy or load balancers for DNS do not serve websites, so they don't have a requirement to be using SNI.
YOU ARE JUST NOT GETTING IT!!!! The SNI is NOT RELATED to the use of DoH.
The SNI is another "leak of information" that is leaking the same information as a DNS lookup would, thus rendering the use of DoH for "privacy protection" ineffective.
When you just don't understand that, please end the discussion about that.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Fri Nov 29, 2019 12:20 pm

DoH is using SNI after the "Client Hello". Secondly, your ISP can't see which domain you are requesting an IP address for in your DoH traffic. Thirdly, using a VPN, the VPN provider and every device between them and the destination knows where you are going by IP address and then SNI.

SNI is used to run many services behind one IP address. Running only one service behind an IP makes SNI obsolete but makes it easier to block by IP address.

We are in the Adding HTTPS DoH topic after all.
 
normis
MikroTik Support
Posts: 24325
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Add DNS over HTTPS (DoH) support

Fri Nov 29, 2019 12:45 pm

For other people trying to follow this discussion, here is some nice information about ESNI https://blog.cloudflare.com/esni/
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Fri Nov 29, 2019 8:33 pm

@msatter: Let's try once more. You want to visit https://forum.mikrotik.com. There are two steps:

1) resolve forum.mikrotik.com to numeric IP address
2) establish tcp connection to IP address from 1), negotiate encryption with server and send http request

To do 1), you have several choices. You can send traditional DNS query to port 53 and ask ISP's server or some public one (ISP can see both). You can tunnel these queries through VPN (ISP can no longer see them, but now VPN provider can). You can be sneaky, write down the correct IP address and put it in local hosts file, this way there won't be any DNS query leaving your computer and nobody will see it. Or you can use DoH and neither ISP nor VPN provider will see the query, because it will be encrypted. Whoever runs the DoH server will see it, obviously, but you probably trust them.

Now let's focus on DoH. It's DNS over HTTPS, so there's the HTTPS part and HTTPS can use SNI to indicate target hostname. Honestly, I have no idea if DoH client uses SNI or not. But it doesn't matter, because even if it does, it will contain the name of DoH server, perhaps something like dns01.someprovider.tld. So now ISP or VPN provider would know that you're using DoH resolver. But hey, good news, they can't know that you're asking about forum.mikrotik.com.

And now the problematic part. Browser already knows the correct IP address (which forum.mikrotik.com uses). Browser opens tcp connection to this address and port 443. You're still good, nobody knows anything about forum.mikrotik.com (not counting that they may already know that this IP address belongs to it, but the name is not mentioned anywhere). Now browser needs to get certificate from server, in order to verify that it's really the correct one and there's no man-in-the-middle attack going on. And bam, here comes the "bad SNI".

Browser doesn't know what websites are hosted on target address. It can be just forum.mikrotik.com, it can be other MikroTik's websites, or perhaps some employee can also host a personal blog about kittens there, blog.routersandkittens.com. And each of these sites can have different certificate. If you want to visit forum.mikrotik.com, it would be useless if server sends certificate for blog.routersandkittens.com. Technically, there could be one certificate valid for both, but it probably won't be this case. Perhaps server could send both and client could choose. It would work for two hosted websites. But it could also be more than two, thousands, no problem. Server can keep sending thousands of certificates to each client.

And that's what SNI does, as part of negotiation, client (in this case web browser) tells server "hello, I want to visit forum.mikrotik.com, would you please send me correct certificate?" And the problem is, currently used unencrypted SNI sends this greeting in readable plaintext form. So all the effort to get forum.mikrotik.com resolved secretly was for nothing, because now anyone on the way (either ISP or VPN provider) can see that you're visiting forum.mikrotik.com.

You see the problem now, right? :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
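As an added illustration of the point made in this post (example code, not from the thread and not MikroTik's): a small Python script builds a minimal TLS ClientHello and then reads the server_name extension straight back out of the raw bytes, which is exactly what an on-path observer (ISP or VPN provider) can do, no key required. The host names, the zeroed random and the single cipher suite are constructed sample values; dns01.someprovider.tld is the hypothetical DoH server name from the post.

```python
import struct
from typing import List, Optional

# Constructed sample values for the example; real browsers send far more
# cipher suites and extensions, but the framing parsed below is the same.
SNI_EXTENSION_TYPE = 0x0000   # TLS extension "server_name" (RFC 6066)
HANDSHAKE_RECORD = 0x16       # TLS record content type "handshake"
CLIENT_HELLO = 0x01           # HandshakeType client_hello


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record, optionally carrying SNI."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        sni_data = struct.pack("!H", len(name_entry)) + name_entry      # server_name_list
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + bytes(32)                                 # random (zeros: constructed sample)
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite (constructed sample)
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    Everything parsed here is plaintext on the wire: the handshake is not
    encrypted yet when SNI is sent, which is the whole problem described above.
    """
    try:
        if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
            return None                                   # not a TLS handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None                                   # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                              # skip compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            # server_name_list: 2-byte length, then (name_type, 2-byte length, name) entries
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error):
        return None                                       # truncated or malformed hello


def what_the_path_sees(records: List[bytes]) -> List[str]:
    """Simulate an on-path observer: collect every plaintext SNI from captured records."""
    return [n for n in (extract_sni(r) for r in records) if n is not None]


# Constructed capture mirroring the post: first the DoH resolver connection,
# then the site the user wanted to keep private, then a hello without SNI.
CAPTURE = [
    build_client_hello("dns01.someprovider.tld"),
    build_client_hello("forum.mikrotik.com"),
    build_client_hello(None),
]

if __name__ == "__main__":
    for name in what_the_path_sees(CAPTURE):
        print("observer sees:", name)
```

Even though the DNS lookup went over DoH, the second hello hands the observer the very name that DoH was hiding; only the third hello, which carries no SNI at all, tells them nothing.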
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Fri Nov 29, 2019 8:55 pm

I got a little carried away and it's too long, but two more points, just to be sure that there's no misunderstanding:

- Yes, MikroTik should add DoH client to their TODO list, because router is the right place for it.

- Users should not see DoH as magic solution for privacy, because by itself it's not. Widespread use of encrypted SNI will help, but it's something that will happen in future (maybe). But too many servers have unique and static IP addresses and much can still be gathered from that, so if "they" (evil hackers, government, ... take your pick) are trying to get you, they probably will, even with DoH and ESNI.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Fri Nov 29, 2019 9:39 pm

To me DoH is something that belongs in browsers or any client software that could use it. It is there to hide traffic between other encrypted traffic. SNI still gives away where that encrypted traffic is heading, besides the destination IP address. You can't change the destination address but you can change the source address to avoid trace back to the user source address.

DoT should be at home on routers as a replacement for current DNS.

If you make the source IP address variable as with CGNAT, but then every different destination IP address has a different source IP address and different return port. Kind of VPN with double NAT.
Governments won't like it because they can only track it in the CGNAT itself and of course in the devices of the users.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta68 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Sat Nov 30, 2019 1:24 am

It's slightly OT, but you're underestimating governments. They have special powers, they can cheat, they are the ones who make rules for ISPs. Your plan to use random source addresses? It would require cooperation from ISP. Or from VPN provider, but that's just different kind of ISP. If government doesn't like it, they will simply say "no, that's not allowed". There are foreign VPN providers who they can't reach, but what stops government from making a law that would make using them illegal? It would look bad if the country claims to value freedom and such, and it's not really needed (yet). That's it.

The last part is very important. For example, where I live, our enlightened government decided to protect citizens from gambling, or at least that was one story. The actual implementation of that idea is a law that forces ISPs to block access to a few websites. The list currently contains a little over a hundred of them and most are taken by 1xbet1.com to 1xbet110.com, which I'd say tells a lot about the whole thing. And if it wasn't absurd enough already, it's allowed to "block" access only on DNS level and only on own resolvers (or whatever is default config given to clients). Any user is free to set some other resolver like 8.8.8.8 to bypass blocking and ISP is not responsible for that. Anyone with the slightest amount of technical knowledge can immediately see how the whole thing is useless. But government is happy. I don't know, maybe it even works on average idiot who needs to be protected from gambling. But what will be next? Maybe the secret art of resolver changing will become too known and updated law will require to really block "bad" DNS queries, no matter what resolver is used? No problem, there's already DoH. So maybe in next version, ISPs will have to block access to a few well-known DoH resolvers? Block connections to gambling sites based on SNI? There's no limit how far it can go (well, they probably can't outlaw internet completely... at least we can't imagine something like that now). And of course at some point, they will find other things to block, because once you start with something...

And about encrypted SNI, it has one major problem, at least current version of it. It's optional extension and it requires extra work (to put key in DNS). Who will bother with that? It could be enough if some big players like Cloudflare do it. And if it annoys some governments, they can't really block "half of internet" by blocking their whole network, can they? Hooray, the technology will win the fight! Erm... but for some reason my mind still brings up the famous https://xkcd.com/538/.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Sat Nov 30, 2019 11:56 am

I get 1208925819614629174706177 IP addresses from my ISP (1208925819614629174706176 of them are IPv6 and 1 is IPv4) but of course it is completely useless to vary between them because the 1208925819614629174706176 IPv6 addresses are all in a single block that is easily traceable to me.

And as I have already written: using multiple IPv6 addresses to separate websites running on the same server: not going to happen. It would have to be done by EVERY webserver in the world before SNI can be omitted on IPv6 requests, and even then the web browser may not even know if the request is over IPv6.
For example, on our company network the LAN is only IPv4, there is no routing to internet, there is a proxy server for web access, and it has IPv4 and IPv6 externally.
The browsers connect to the proxy using IPv4, they send their "CONNECT www.example.com:443" request to the proxy, which resolves the domain name and connects to it (IPv6 preferred), then the browser starts its TLS handshake over this tunnel. The browser has no way of knowing whether the connection to the website is IPv4 or IPv6, so it can only assume it has to send the SNI. Which could then be picked out by an external observer on the internet (the proxy log of course already contains the requested domain name, it does not require SNI for that).

And as Sob writes, there sometimes are "legitimate" reasons to block some site, either by law (because the visited site performs illegal activities) or by local policy (e.g. because some workplace does not want the employees to spend their time on certain activities, or because parents want to hide some content from their children).

We should understand that the ever progressing move towards privacy on the internet does not have only advantages. There sometimes are reasons to block certain things and there sometimes is a requirement to research some (past) activities that have happened on a network or user, and taking away that possibility will certainly lead to more abuse and crime. Which in turn may lead to more drastic action by frustrated governments.
 
msatter
Forum Guru
Posts: 1337
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Sat Nov 30, 2019 3:43 pm

1208925819614629174706177 is not important; you need only one at your home or firm if you don't offer services.

Example: you connect to example.com and your IPv6 or IPv4 is converted to source address 1.2.3.4 port 1000. At the same time Sob connects out and he receives source address 1.2.3.4 port 1010, and I connect also out and get source address 1.2.3.4 and port 1020. Traffic is separated and the ISP knows which client address belongs to which source address and port.

If you have spare IP addresses then you can also vary with that.

The ISP can still block destination addresses. You can't offer services unless your ISP gives you a virtual IP or dedicated IP on IPv4. On IPv6 you are free to offer any IP in your block.

I would prefer also secure connection proxy in front of many services and SAN (alternative name) allows that with only one certificate. A webserver does only have to do what it is designed for, serving pages.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta68 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Sat Nov 30, 2019 6:58 pm

So in a way, you must like current IPv4 shortage and ISPs who use NAT to hide multiple customers behind common public address. Hundred customers, one address, and evil website tracing users doesn't know who is who (it probably does anyway because of cookies or browser fingerprinting, but not just from IP address). But nosy government is still fine, because it can simply require ISPs to keep records about who was connecting where.

And the proxy, it's what e.g. Cloudflare does. You as client are connecting to their servers and they are forwarding traffic to real servers with content. I do believe that they can make a difference, for a while at least. The local government of random country has no power over them and if you successfully hide DNS queries and they have ESNI, you're safe. Blocking their whole network would be too extreme. But it won't be one annoyed government, it will be many of them. They will eventually come together and figure something out. A global regulation, marketed as a noble cause, some variation of "we can't let criminals be anonymous". It won't be easy, but nobody really believes that they would just give up.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.