Community discussions

 
ibeeby
newbie
Topic Author
Posts: 45
Joined: Tue Dec 12, 2006 8:49 am
Location: Matlock, England
Contact:

Feature request - DNSCrypt support...

Mon Jan 30, 2012 7:55 am

I'd be grateful if Mikrotik could consider adding DNSCrypt _urgently_ to the current and future versions of ROS.

DNSCrypt has been released by DYNDNS.org as open-source code and allows users to effectively wrap DNS requests to DYNDNS servers in an SSL layer. This significantly improves security for users in public networks but should also add security for businesses against eavesdropping and man-in-the-middle attacks.

Currently the only client support for DNSCrypt is an OS-X release from DYNDNS.org but as they have published the source code, it _must_ be straightforward for Mikrotik to add this as a package option.

All of my WAN facing Mikrotik routers use DYNDNS.org as their DNS servers as this allows free and effective filtering to avoid phishing sites and illegal content (which is flexibly adjustable by the user/manager).

Best Regards

Ian Beeby
 
User avatar
vetusa2
Member Candidate
Member Candidate
Posts: 122
Joined: Sat Jun 18, 2011 8:24 pm

Re: Feature request - DNSCrypt support...

Sun Feb 26, 2012 6:07 pm

i add my request too
 
dmitrik
just joined
Posts: 3
Joined: Sun Jan 06, 2013 1:37 pm

Re: Feature request - DNSCrypt support...

Sun Jul 14, 2013 7:28 am

I vote for DNSCrypt.
OpenDNS supports DNSCrypt. I use Mikrotik as DNS proxy to OpenDNS.
 
Shnatsel
just joined
Posts: 2
Joined: Tue Jan 21, 2014 5:43 pm

Re: Feature request - DNSCrypt support...

Tue Jan 21, 2014 5:48 pm

I'd also love RouterOS to support DNSCrypt!
Right now I have to run it locally on every machine on the network and reconfigure the network settings on every machine for every connection - which tedious and it's easy to miss a connection or a machine and then DNS goes in the clear again... EWWW.

If I could just get it on the router as a package all that hassle wouldn't be necessary!
 
Shnatsel
just joined
Posts: 2
Joined: Tue Jan 21, 2014 5:43 pm

Re: Feature request - DNSCrypt support...

Tue Jan 21, 2014 5:50 pm

I'd also love RouterOS to support DNSCrypt!
Right now I have to run it locally on every machine on the network and reconfigure the network settings on every machine for every connection - which tedious and it's easy to miss a connection or a machine and then DNS goes in the clear again... EWWW.

If I could just get it on the router as a package I could get rid of all that hassle with manually editing every single connection on every single machine!
 
chrismfz
just joined
Posts: 14
Joined: Sat Apr 07, 2007 6:27 am
Contact:

Re: Feature request - DNSCrypt support...

Sat Feb 22, 2014 3:29 pm

That's old but hey.. never give up!

It should be great. Selecting already existing DNSes like cloudns or dnscrypt.eu or opendns
(or adding ours) would be great too. :D
spending power and $ to have always-on an old hardware server only for dns or running the dnscrypt-proxy anywhere when we got mikrotik it's a torture.

(Especially when there are devices that can't support it like cellphones, or in points which you offer wifi / internet and you want all dns traffic forced to dnscrypt)
 
nosovk
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Wed Jan 25, 2012 11:25 am
Location: Ukraine
Contact:

Re: Feature request - DNSCrypt support...

Sat Mar 01, 2014 9:23 pm

it would be nice option :)
Аренда Програмного обеспечения
https://www.CloudZZ.com
Микротики на Украине оптом
mikrotik.kharkov.ua
 
pdf
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Sun Feb 12, 2006 11:56 pm

Re: Feature request - DNSCrypt support...

Wed Mar 26, 2014 1:59 pm

I agree it would be nice to have it somewhere in the future
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Feature request - DNSCrypt support...

Thu May 22, 2014 10:25 pm

Add me to the list. Right now I keep a little 1U Atom box just for running things like DNSCrypt. I'd love to move that to my CCR1016
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
tweetyspn
just joined
Posts: 14
Joined: Wed Jul 13, 2011 10:48 pm

Re: Feature request - DNSCrypt support...

Sat Jun 28, 2014 1:41 pm

Totally agree, nice feature!
 
andryan
newbie
Posts: 33
Joined: Fri Nov 30, 2007 10:33 pm
Location: Jakarta, Indonesia
Contact:

Re: Feature request - DNSCrypt support...

Thu Oct 09, 2014 9:49 am

+1

Would be really useful to bypass DNS-based censorship
 
kurlais
just joined
Posts: 1
Joined: Thu Oct 09, 2014 10:52 am

Re: Feature request - DNSCrypt support...

Thu Oct 09, 2014 10:56 am

be fine, if version 7 will support ikev2 vpn.

that is to use blackberry z10
 
alexkuzko
just joined
Posts: 3
Joined: Wed Oct 29, 2014 1:35 pm

Re: Feature request - DNSCrypt support...

Sun Dec 07, 2014 11:43 pm

Vote for this as well! Currently there is no proper method and using metarouter is too complex/heavy.
 
Solaris
Member Candidate
Member Candidate
Posts: 100
Joined: Thu Apr 29, 2010 5:05 pm

Re: Feature request - DNSCrypt support...

Sun Apr 12, 2015 1:10 am

+1 for dnscrypt!
 
bloodroses
just joined
Posts: 2
Joined: Sun May 17, 2015 11:37 am

Re: Feature request - DNSCrypt support...

Sun May 17, 2015 11:38 am

+i it should have, security at first position !
 
shaneau
just joined
Posts: 12
Joined: Sun Jul 04, 2010 6:31 am

Re: Feature request - DNSCrypt support...

Fri Jun 19, 2015 10:26 am

Would be a welcome addition to routeros.
 
nemke
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Jul 31, 2014 2:52 am

Re: Feature request - DNSCrypt support...

Mon Jun 22, 2015 1:35 am

+1 for dnscrypt!
 
etm7469
just joined
Posts: 6
Joined: Wed Apr 22, 2015 10:28 pm
Location: Poland

Re: Feature request - DNSCrypt support...

Sat Aug 08, 2015 9:55 pm

+1 for dnscrypt!
 
jo2jo
Forum Veteran
Forum Veteran
Posts: 958
Joined: Fri May 26, 2006 1:25 am

Re: Feature request - DNSCrypt support...

Fri Aug 14, 2015 6:13 pm

this would be Amazing if ROS supported DNSCrypt. would really open up alot of potentail buyers to ROS just for this one feature in a home router that doesnt require alot of linux+setup.

tks
:beep :beep :beep
 
nemke
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Jul 31, 2014 2:52 am

Re: Feature request - DNSCrypt support...

Sat Aug 15, 2015 7:17 pm

+1 for DNSCrypt support...
 
bhorrock
just joined
Posts: 3
Joined: Sun Jun 10, 2012 6:47 pm

Re: Feature request - DNSCrypt support...

Fri Aug 21, 2015 3:53 pm

+1 for DNSCrypt !!
 
minjun
just joined
Posts: 3
Joined: Tue Jul 07, 2015 9:17 am

Re: Feature request - DNSCrypt support...

Fri Sep 04, 2015 9:59 am

+1 for DNSCrypt.
 
User avatar
michaeln416
just joined
Posts: 14
Joined: Mon Dec 01, 2014 5:03 am
Location: Ontario, Canada

Fri Sep 04, 2015 2:48 pm

+1 for DNSCrypt !!

Sent from my Nexus 5 using Tapatalk
 
Zorro
Long time Member
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature request - DNSCrypt support...

Tue Sep 08, 2015 4:23 pm

do its better than DNSCurve ?
or just another, proprietary implementation/port of ?
 
MikroTikFan
Member Candidate
Member Candidate
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature request - DNSCrypt support...

Mon Nov 09, 2015 12:56 pm

+1 for DNSCrypt.

When ?
 
pidybi
just joined
Posts: 2
Joined: Wed Nov 25, 2015 11:02 pm

Re: Feature request - DNSCrypt support...

Wed Nov 25, 2015 11:10 pm

+1 for DNSCrypt
+1 ;)

currently I'm using dnscrypt-proxy by Cisco on Tomato and my log is:
Nov 24 00:03:12 | daemon.notice dnscrypt-proxy[1099]: Starting dnscrypt-proxy 1.4.1
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1099]: Initializing libsodium for optimal performance
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1099]: Generating a new key pair
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Server certificate #143xxx4751 received
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: This certificate looks valid
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Chosen certificate #143xxx4751 is valid from [2015-07-03] to [2016-07-02]
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Server key fingerprint is xxx9:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:Fxxx
Nov 24 00:03:12 | daemon.notice dnscrypt-proxy[1097]: Proxying from 127.0.0.1:40 to 208.67.220.220:443
:)
pd
 
Zorro
Long time Member
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature request - DNSCrypt support...

Mon Dec 28, 2015 8:42 pm

+1 for DNSCrypt
)
i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Feature request - DNSCrypt support...

Tue Dec 29, 2015 9:05 am

i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.
No one said anything about tunnels or VPN. He said that he was using DNSCrypt-Proxy on tomato for his DNS. Just as many of us are. The whole point of DNSCrypt is to send the DNS through an encrypted tunnel.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
Zorro
Long time Member
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature request - DNSCrypt support...

Tue Dec 29, 2015 10:05 pm

i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.
No one said anything about tunnels or VPN. He said that he was using DNSCrypt-Proxy on tomato for his DNS. Just as many of us are. The whole point of DNSCrypt is to send the DNS through an encrypted tunnel.
yes, but low-overhead "embedded" implementation. similarly - nobody would call SSH "tunnel" instead of serious VPN's or atleast IPIP, EOIP, despite similarity.
 
MikroTikFan
Member Candidate
Member Candidate
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature request - DNSCrypt support...

Thu Jan 07, 2016 12:37 am

Please consider that DSNCrypt can use a lot of resolvers in different part of the World without establishing payed commercial VPN.

https://github.com/jedisct1/dnscrypt-pr ... olvers.csv

Please keep in mind also that for some solutions with big traffic you don't need to use VPN which is quite heavy traffic for you router instead of this using just only DNSCrypt.

I think that this feature will be very usefull and rest of routers solutions support DNSCrypt ;-)
 
Zorro
Long time Member
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature request - DNSCrypt support...

Tue Jan 12, 2016 2:55 am

I think that this feature will be very usefull and rest of routers solutions support DNSCrypt
i think too.
aswell as "next-gen" things in that area, that already emerged and ought to replace DNSCrypt. aside mentioned above DNSCurve - there some other code, but somewhat unstable, yet in 1/3 of.
but what i don't think its this features - shouldn't be part of "default config" of DNS services(either MT implement it as part of Main DNS service or separate package).
 
prd0000
just joined
Posts: 6
Joined: Tue Apr 02, 2013 6:53 am

Re: Feature request - DNSCrypt support...

Tue Feb 02, 2016 9:31 pm

+1 this.
I would like DNS crypt too. Right now we maintain VPN connection to our headquarter across the globe just to get our DNS addresses securely. other option is to install a "heavy" 128MB RAM 8GB linux built solely for DnsCrypt. I would like to cut that and maintain our own secure DNS resolver, but spending unnecessary resource for that tiny function seems beyond logic.
 
User avatar
колбаскин
newbie
Posts: 37
Joined: Tue Mar 29, 2016 6:36 pm
Location: Ukraine Zaporozhye
Contact:

Re: Feature request - DNSCrypt support...

Wed Mar 30, 2016 4:09 pm

+1 please add DNSCrypt support :)
Кое что для Mikrotik | hd.zp.ua - Запорожье ITшное.
 
arxont
just joined
Posts: 9
Joined: Fri Nov 02, 2012 11:45 am

Re: Feature request - DNSCrypt support...

Mon Apr 04, 2016 5:17 am

+1 vote to DNSCrypt
 
Micat
newbie
Posts: 30
Joined: Fri Jun 12, 2015 11:01 am

Re: Feature request - DNSCrypt support...

Fri May 20, 2016 1:31 pm

I vote for DNSCrypt
 
Dok
just joined
Posts: 4
Joined: Thu Jun 04, 2015 12:00 pm

Re: Feature request - DNSCrypt support...

Thu May 26, 2016 1:42 pm

+1 for DNSCrypt
 
thevoidnn
just joined
Posts: 1
Joined: Thu May 26, 2016 4:27 am

Re: Feature request - DNSCrypt support...

Wed Jun 01, 2016 10:00 am

+1 for DNSCrypt
 
flexus
just joined
Posts: 22
Joined: Wed Feb 16, 2011 11:35 pm
Location: Ukraine

Re: Feature request - DNSCrypt support...

Sat Jun 18, 2016 11:18 pm

+1, vote for dnscrypt.

This already supports Tomato and OpenWRT! Need it in RoS :)

https://dnscrypt.org/#dnscrypt-routers
 
irghost
Member Candidate
Member Candidate
Posts: 281
Joined: Sun Feb 21, 2016 1:49 pm

Re: Feature request - DNSCrypt support...

Sun Jun 19, 2016 12:53 am

+1, vote for dnscrypt.
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: Feature request - DNSCrypt support...

Mon Jul 11, 2016 12:11 am

Wow, this thread was started years ago and still mikrotik hasnt implemented this. +1 for this feature to overcome ISP DNS hijacking as this has been an issue for me. Please implemented as soon as possible, the implementation is already available from github so all that remains is for mikrotik to adapt it to routerOS.

I know mikrotik is focused on being a good router but DNScript is a network related feature that is very beneficial so please add this. Im not expecting an all in one router from mikrotik but i want all in one when it comes to network features, i want snort and an antivirus on routerOS as well.
 
ChangzhouC
just joined
Posts: 3
Joined: Sat Jul 16, 2016 6:29 pm

Re: Feature request - DNSCrypt support...

Sat Jul 16, 2016 6:31 pm

+1 for DNSCrypt
 
wirSeefahrer
just joined
Posts: 12
Joined: Tue Jul 26, 2016 12:52 pm

Re: Feature request - DNSCrypt support...

Tue Jul 26, 2016 12:59 pm

+1 for DNSCrypt

That would be a really great feature to have even in countries like Sweden. :-)
 
Jacquesvw
just joined
Posts: 7
Joined: Fri Jun 03, 2011 5:21 pm

Re: Feature request - DNSCrypt support...

Thu Aug 18, 2016 6:53 am

+1 for DNScrypt
 
User avatar
chebedewel
just joined
Posts: 5
Joined: Tue Feb 02, 2016 6:41 am
Location: Noumea
Contact:

Re: Feature request - DNSCrypt support...

Wed Sep 21, 2016 1:03 am

A nice feature indeed, it could be added along with DNSSec support
Bertrand Cherrier
MTCNA - MTCTCE
_______________________________________________________
MikroTik Consultant & Distributor for New Caledonia
 
chrisk8er
just joined
Posts: 1
Joined: Sun Nov 13, 2016 3:08 pm

Re: Feature request - DNSCrypt support...

Sun Nov 13, 2016 3:11 pm

+1 for DNScrypt 8)
 
User avatar
agix
just joined
Posts: 2
Joined: Mon Aug 17, 2015 2:46 am
Location: Indonesia

Re: Feature request - DNSCrypt support...

Sun Nov 13, 2016 3:41 pm

Vote for DNSCrypt yeaa...!!!
 
SaeedYa
just joined
Posts: 17
Joined: Fri Jan 14, 2011 9:01 am

Re: Feature request - DNSCrypt support...

Thu Nov 24, 2016 10:45 am

+1 for Dns crypt
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24264
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Nov 24, 2016 10:48 am

Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC
No answer to your question? How to write posts
 
majestic
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Mon Dec 05, 2016 11:19 am

Re: Feature request - DNSCrypt support...

Sun Dec 18, 2016 11:05 pm

Thanks, this is the first time ive seen this RFC being mentioned. Thank you.

I was about to say +1 for adding this feature but to also to allow for custom dnscrypt installs (i.e support custom provider-key, provider-name and providor address) as a lot of us don't use OpenDNS or any other open public server(s). Some of us run our own dns inferstructure which we also have dnscrypt support.

However now that I know they are working on something, I will start investigating when bind/unbound etc will get this support (out of the box). Hopefully soon, meanwhile I would say that dnscrypt support would really help many of us to add to your existing products as a lot of customers use this and with the new laws recently announced, more and more will be jumping onto the boat to use encryption everywhere.

FYI: https://github.com/jedisct1/dnscrypt-proxy is the source(s) you need.

This is all you need (client wise), so if mikrotik had this support as in binary/package, it would solve our issues or we are forced to run additional hardware to support this in our networks i.e. rpi, nas etc assuming soho user here.

Thanks for the heads up btw.

Regards.
 
User avatar
mtivi
Trainer
Trainer
Posts: 7
Joined: Mon Oct 03, 2016 5:54 pm
Location: Russia, Perm
Contact:

Re: Feature request - DNSCrypt support...

Sat Jan 07, 2017 11:49 pm

+1
Would be very usefull in Russia, for example
Network engineer in big ISP. GNU/Linux user. MikroTik TRAINER
 
strn
just joined
Posts: 10
Joined: Tue Jan 17, 2017 11:19 pm

Re: Feature request - DNSCrypt support...

Tue Jan 17, 2017 11:32 pm

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for alle my internal clients and I dont have to use a dnscrypt proxy on every mashine. If anyone is interested in configuring it (especially as their are some compatibility tricks you have to be aware of) I can provide you a the required steps to make it work :)
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: Feature request - DNSCrypt support...

Tue Feb 14, 2017 5:31 pm

Not many would use a raspberry pi to supplement what their routers cant do. Even i run cups and xsane on raspberry pi as well.

This feature is an absolute must because of the DNS proxy/hijacking done by ISPs and is a big problem for me and other people as my DDNS domain is blacklisted by many ISPs only because of the domain it is under which makes it harder for me.

Plenty of other reasons such as for businesses that want to implement their own domain system and to use DNScrypt as routerOS cannot first form a tunnel to the DNS server without a static IP so which not only resolves the issue of ISPs handling your DNS by force but also to secure your DNS so that it does not get attacked by hackers and such.
 
ab0tj
just joined
Posts: 9
Joined: Thu Jun 14, 2007 1:05 am

Re: Feature request - DNSCrypt support...

Tue Mar 07, 2017 8:33 pm

I would also like to add my vote for DNScrypt support! I currently run a separate server for this.
 
majestic
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Mon Dec 05, 2016 11:19 am

Re: Feature request - DNSCrypt support...

Tue Mar 07, 2017 8:36 pm

I would also like to add my vote for DNScrypt support! I currently run a separate server for this.
likewise.
 
MikroTikFan
Member Candidate
Member Candidate
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature request - DNSCrypt support...

Mon Mar 20, 2017 1:25 am

+1 for DNSCrypt - again, again and again ...

Mikrotik developers how long we should wait ?

Customer feedback is this days something important for You ?
 
td32
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Fri Nov 18, 2016 5:55 am

Re: Feature request - DNSCrypt support...

Mon Mar 20, 2017 2:10 am

its 2017 and this must be a priority feature.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 904
Joined: Sun Oct 01, 2006 11:44 pm

Re: Feature request - DNSCrypt support...

Wed Mar 29, 2017 1:23 am

With the US pushing an agenda that erodes privacy, DNSCrypt support is going to become essential to prevent ISPs from being able to monitor and monetize your browsing habits. Hope to see this in a release sooner rather than later.

https://www.washingtonpost.com/news/the ... otections/
 
teodorch
just joined
Posts: 13
Joined: Sun Jun 07, 2015 9:24 am

Re: Feature request - DNSCrypt support...

Mon Apr 03, 2017 1:20 am

+1

Sent from my Nexus 5 using Tapatalk
 
teodorch
just joined
Posts: 13
Joined: Sun Jun 07, 2015 9:24 am

Re: Feature request - DNSCrypt support...

Mon Apr 03, 2017 1:21 am

+1

Sent from my Nexus 5 using Tapatalk
 
teodorch
just joined
Posts: 13
Joined: Sun Jun 07, 2015 9:24 am

Re: Feature request - DNSCrypt support...

Mon Apr 03, 2017 1:21 am

+1

Sent from my Nexus 5 using Tapatalk
 
ryz
just joined
Posts: 13
Joined: Sun May 27, 2007 5:10 pm

Re: Feature request - DNSCrypt support...

Mon Apr 03, 2017 3:11 pm

+1

Wysłane z mojego GT-I9195 przy użyciu Tapatalka
 
actck
just joined
Posts: 1
Joined: Sun Apr 16, 2017 10:13 am

Re: Feature request - DNSCrypt support...

Sun Apr 16, 2017 10:20 am

+1 is very helpful with dns poisoning.

We need this feature and request another feature: custom the dns server port in "IP -> DNS Settings"
 
vaah
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Sun Mar 11, 2012 7:34 pm
Location: Surabaya

Re: Feature request - DNSCrypt support...

Mon Apr 17, 2017 2:24 pm

+1
I'd like to see DNScrypt be implemented into RouterOS, I currently use tomato router to get the DNScrypt working.
 
User avatar
GreySer
just joined
Posts: 19
Joined: Thu Apr 21, 2016 9:38 am
Location: Cheboksary

Re: Feature request - DNSCrypt support...

Mon Apr 17, 2017 2:45 pm

+1
Now using openwrt under vmware.
 
mdove
just joined
Posts: 1
Joined: Sat Apr 22, 2017 12:19 am

Re: Feature request - DNSCrypt support...

Sat Apr 22, 2017 12:22 am

+1 please.

Thanks,
Mike
 
Florian
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: Feature request - DNSCrypt support...

Sat Apr 22, 2017 2:03 pm

+1.
- Sorry for my english -
 
User avatar
yngndrw
just joined
Posts: 17
Joined: Sun Oct 27, 2013 12:26 am

Re: Feature request - DNSCrypt support...

Mon May 08, 2017 6:57 pm

+1, would love to see this implemented.
 
Neddy
just joined
Posts: 1
Joined: Tue May 23, 2017 7:53 am

Re: Feature request - DNSCrypt support...

Tue May 23, 2017 7:56 am

I register to post this request.

Please add support for DNScrypt on RouterOS, it protects our users privacy. I highly appreciate.
 
majestic
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Mon Dec 05, 2016 11:19 am

Re: Feature request - DNSCrypt support...

Thu May 25, 2017 5:09 pm

Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC
If you could add support for this, it would be great for everyone or even DNSCrypt which a lot of people use and is more common/known to them. Either would be acceptable. I kinda expect that RFC7858 would be easier to add as the support for unbound has been out quite a long time now if I recall even tho the RFC is quite young as you pointed out.

My only solution right now is to install say Softether onto the resolvers themselfs, then getting the MTK to connect to it and use it as its DNS server. Not a great solution due to if the VPN drops/dies, the DNS for the network would also fold as they would be pointed to the private IP's.
 
platitude
just joined
Posts: 2
Joined: Sat Jun 03, 2017 10:15 am

Re: Feature request - DNSCrypt support...

Sat Jun 03, 2017 10:18 am

+1 for this feature. It is highly important to implement it, especially for users and admins from countries with internet censorship (like me). Hope to see it soon. Thanks!
 
Yekver
just joined
Posts: 17
Joined: Fri Jan 31, 2014 9:47 pm

Re: Feature request - DNSCrypt support...

Sun Jun 25, 2017 9:56 pm

+100!!!!
 
User avatar
WildCat
just joined
Posts: 5
Joined: Sat Nov 30, 2013 8:45 pm
Location: RU

Re: Feature request - DNSCrypt support...

Tue Jun 27, 2017 8:38 am

+1
It's a necessity for users from Russia and other countries with a barbarous attitude to the Internet.
 
Diamond
newbie
Posts: 26
Joined: Tue Mar 19, 2013 7:11 pm
Location: RU

Re: Feature request - DNSCrypt support...

Tue Jun 27, 2017 11:15 am

+1
Necessary today feature
 
Rader
just joined
Posts: 1
Joined: Sat Jul 01, 2017 1:47 pm
Location: Saint-Petersbug, Russia

Re: Feature request - DNSCrypt support...

Sat Jul 01, 2017 1:53 pm

+1 for DNSCrypt
It is very necessary today!
 
netbus
newbie
Posts: 45
Joined: Mon Sep 04, 2017 12:42 pm

Re: Feature request - DNSCrypt support...

Fri Oct 13, 2017 9:41 am

+1
I need this
 
User avatar
Joni
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 8:55 am

Since it is not mentioned yet... "However, just enabling "DNS over TLS" feature would not prevent your ISP to know what websites you visit. Server Name Indication (SNI) — an extension of the TLS protocol — also indicates ISPs that which hostname is being contacted by the browser at the beginning of the 'handshake' process." https://thehackernews.com/2017/10/andro ... r-tls.html
 
netbus
newbie
Posts: 45
Joined: Mon Sep 04, 2017 12:42 pm

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 9:55 am

Since it is not mentioned yet...
We are talking about DNSCrypt not DNS over TLS
 
User avatar
Joni
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 10:58 am

Excellent point, DNSCrypt vs DNS over TLS

However doesn't it have the same "issue"? (being a different protocol, HTTP(S) vs DNS)
AFAIK, overly simplified the only difference being "Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider."

btw. You intend to reference the official site https://dnscrypt.org instead of the commercial Cisco OpenDNS @ https://www.opendns.com/about/innovations/dnscrypt/
 
netbus
newbie
Posts: 45
Joined: Mon Sep 04, 2017 12:42 pm

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 11:35 am

With this two methods, DNS Requests/Responses are encrypted. It's not fully anonymity but a step to exacerbate life for some snooper.
Only when visiting https websites "(SNI)" Problem is present.
 
User avatar
Joni
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 12:19 pm

Well this isn't about websites, considering the current "HTTPS everywhere" movement this sounds a bit more than "only", as SNI is a TLS extension, not HTTP.

(just to elaborate how the implementation of DNSCrypt or DNS over TLS (DNSS) itself isn't much of an advancement, especially in relation to a service at the same IP and port being just as available without the hostname, unless using SNI, which is still visible. Not saying it's better than nothing but just emphasizing that it doesn't do all that much)
 
User avatar
yngndrw
just joined
Posts: 17
Joined: Sun Oct 27, 2013 12:26 am

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 2:43 pm

DNSCrypt is not intended to provide privacy, it's intended to help prevent DNS spoofing.
 
User avatar
Joni
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 7:45 pm

Just emphasizing as many presume one with the other.
Could you reference the intention? It's not a authentication protocol but an encryption protocol... hence the name... not that it could fix SNI but since you specified intentions...
 
User avatar
yngndrw
just joined
Posts: 17
Joined: Sun Oct 27, 2013 12:26 am

Re: Feature request - DNSCrypt support...

Tue Oct 24, 2017 8:25 pm

The best reference for the intentions would be the first paragraph of the DNSCrypt website:
DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.
There is no mention of privacy and you wouldn't expect it due to the SNI issue that you mentioned earlier.

The term "security" is quite a broad one and the security referenced in those security vs privacy articles are referring to national security and the need for surveillance, rather that security in the sense of authentication and verification. You can most certainly have security (The authentication kind) without privacy being a fundamental requirement, which is how public-private key cryptography works. (I.e. The public key is, as the name suggests, public - But knowledge of the public key does not allow a third party to impersonate the private key holder)

Unless I'm misunderstanding the scope of DNSCrypt, the primary usage of a pinned key-pair provides signing (Hence authentication of the server) rather than encryption - Encryption is just a side-effect of using SSL.
 
deathmagicmedia
just joined
Posts: 4
Joined: Fri Jul 22, 2016 5:14 pm
Location: Cape Town, South Africa
Contact:

Re: Feature request - DNSCrypt support...

Wed Oct 25, 2017 10:49 am

+1 please.
MikroTik Certified Network Associate (MTCNA)
Ubiquiti Broadband Wireless Specialist (UBWS)
Ubiquiti Broadband Wireless Admin (UBWAv2)
 
timonlio
just joined
Posts: 6
Joined: Thu Mar 09, 2017 2:35 pm

Re: Feature request - DNSCrypt support...

Thu Nov 02, 2017 3:03 pm

+1 for DNSCrypt, very useful feature
 
User avatar
Xtreme512
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY
Contact:

Re: Feature request - DNSCrypt support...

Sun Nov 05, 2017 7:13 pm

hope to see it in new routeros version.
I Walk Alone
 
lapki
just joined
Posts: 1
Joined: Sat Nov 25, 2017 8:38 am

Re: Feature request - DNSCrypt support...

Sat Nov 25, 2017 8:43 am

DNScrypt ready? I would like to install it on my device :)
 
User avatar
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi
Contact:

Re: Feature request - DNSCrypt support...

Mon Dec 04, 2017 10:58 pm

+1 DNSCRYPT-PROXY support! Thank you!
  • MTCNA 99% '17
    MTCRE 89% '17
    MTCTCE 89% '18
 
sergeykoch
just joined
Posts: 1
Joined: Wed Nov 01, 2017 7:25 pm

Re: Feature request - DNSCrypt support...

Wed Dec 13, 2017 5:35 pm

+1 for dnscrypt support
 
m3763
just joined
Posts: 1
Joined: Fri Dec 15, 2017 11:06 pm

Re: Feature request - DNSCrypt support...

Fri Dec 15, 2017 11:08 pm

Just registered to add my +1 for support
 
User avatar
netravnen
just joined
Posts: 8
Joined: Sun Dec 31, 2017 2:48 am
Location: Capital Region, DK
Contact:

Re: Feature request - DNSCrypt support...

Sun Dec 31, 2017 3:10 am

+1

dnscrypt-proxy added as a separate npk package ?

So initially not a full-blown server. Just a forwarder.

--
have you enabled IPv6 on something today...?

Cheers,
Netravnen
 
User avatar
Joni
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: Feature request - DNSCrypt support...

Mon Jan 08, 2018 1:05 pm

Well that problem got resolved... funny how things turn out in completely unexcpected ways... wait, no... https://www.reddit.com/r/linux/comments ... abandoned/
 
badass
just joined
Posts: 1
Joined: Thu Feb 01, 2018 12:53 pm

Re: Feature request - DNSCrypt support...

Sat Feb 17, 2018 12:13 pm

my +1 for support
 
Lion
just joined
Posts: 1
Joined: Tue Apr 03, 2018 12:07 pm

Re: Feature request - DNSCrypt support...

Tue Apr 03, 2018 12:12 pm

+1
где DNS-over-TLS и DNS-over-HTTPS ?
 
anav
Forum Guru
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature request - DNSCrypt support...

Sat Apr 14, 2018 9:54 pm

Well that problem got resolved... funny how things turn out in completely unexcpected ways... wait, no... https://www.reddit.com/r/linux/comments ... abandoned/
Don't look so sad there Mr Coyote......... In any case one has to follow standards, the RFC bouncing ball. :-)
By the way, I could use your sign every time I open WINBOX. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
BioDranik
just joined
Posts: 3
Joined: Sat Apr 21, 2018 7:30 pm

Re: Feature request - DNSCrypt support...

Sat Apr 21, 2018 7:33 pm

+1 for DNSCrypt, HTTPS-DNS or TLS-DNS
 
blackzero
just joined
Posts: 21
Joined: Tue Aug 09, 2011 3:40 pm

Re: Feature request - DNSCrypt support...

Sun Apr 22, 2018 2:04 am

Please do this. Anything man, DNSCrypt or DNS over TLS. I can do with either. Just do it don't be lazy.
 
BigDT
just joined
Posts: 1
Joined: Sat May 12, 2018 12:49 am

Re: Feature request - DNSCrypt support...

Sat May 12, 2018 12:53 am

+1 For DNScrypt support. also DNS over TLS or DNS over HTTPS

Its very useful for country like Indonesia.
ISP here use Transparent DNS and cannot use the standard 53 dns port
 
xkubus
just joined
Posts: 4
Joined: Sun Dec 11, 2011 7:49 pm

Re: Feature request - DNSCrypt support...

Tue Jun 26, 2018 1:04 pm

+1, we are waiting for years to implement. Developers, please pay attention to the number of applicants.
 
msatter
Forum Guru
Forum Guru
Posts: 1285
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature request - DNSCrypt support...

Tue Jun 26, 2018 1:27 pm

In the time being you can use Unbound on RaspberryPI to have the current DNS securities.

https://unbound.net/
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
cREoz
just joined
Posts: 10
Joined: Wed Sep 04, 2013 9:51 pm

Re: Feature request - DNSCrypt support...

Sun Jul 08, 2018 8:37 pm

+1 for DNSCrypt support
 
mlenhart
Frequent Visitor
Frequent Visitor
Posts: 83
Joined: Mon Oct 30, 2017 11:30 pm

Re: Feature request - DNSCrypt support...

Sun Jul 08, 2018 10:36 pm

+1 for DNSSec/DNSCrypt
 
cavok
just joined
Posts: 9
Joined: Tue Feb 12, 2013 9:14 am

Re: Feature request - DNSCrypt support...

Mon Jul 09, 2018 2:00 am

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for alle my internal clients and I dont have to use a dnscrypt proxy on every mashine. If anyone is interested in configuring it (especially as their are some compatibility tricks you have to be aware of) I can provide you a the required steps to make it work :)
Would love to get this info, please.
 
vladvalmont
just joined
Posts: 1
Joined: Tue Jul 10, 2018 6:17 pm
Location: Saint Petersburg, Russia

Re: Feature request - DNSCrypt support...

Tue Jul 10, 2018 6:23 pm

+1 for DNSCrypt support
 
foxxiu7
just joined
Posts: 5
Joined: Sun Aug 25, 2013 3:30 am

Re: Feature request - DNSCrypt support...

Wed Jul 11, 2018 2:35 am

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for alle my internal clients and I dont have to use a dnscrypt proxy on every mashine. If anyone is interested in configuring it (especially as their are some compatibility tricks you have to be aware of) I can provide you a the required steps to make it work :)
Would love to get this info, please.
I'm also interested how to add DNSCrypt support on the RPi as currently I'm using two MikroTiks and RaspberryPi with pi-hole and OpenDNS.
 
User avatar
Anastasia
newbie
Posts: 33
Joined: Wed Oct 28, 2015 7:12 pm

Re: Feature request - DNSCrypt support...

Sat Sep 15, 2018 8:41 pm

+1 for DNSCrypt support
 
MikroRouter
just joined
Posts: 12
Joined: Wed Nov 02, 2011 11:00 am

Re: Feature request - DNSCrypt support...

Thu Oct 04, 2018 11:40 am

Hope this can be implemented soon...
 
thief
just joined
Posts: 2
Joined: Mon Oct 08, 2012 10:13 am

Re: Feature request - DNSCrypt support...

Mon Oct 08, 2018 7:47 am

+1 for DNSSec/DNSCrypt
 
User avatar
Kamaz
newbie
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

Re: Feature request - DNSCrypt support...

Tue Oct 09, 2018 8:39 pm

+1 for DNSSec/DNSCrypt
 
Azure
just joined
Posts: 4
Joined: Fri Dec 23, 2016 10:49 pm

Re: Feature request - DNSCrypt support...

Wed Oct 10, 2018 2:31 pm

Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC
Yes! This!
DNScrypt is great and all... But I'd like to see DNS-TLS as Quad9 supports it.
In the end, either is better than neither!

https://www.quad9.net/faq/#Does_Quad9_s ... S_over_TLS
 
skiif
just joined
Posts: 1
Joined: Thu Oct 25, 2018 9:17 am

Re: Feature request - DNSCrypt support...

Thu Oct 25, 2018 9:23 am

+1 for DNS-over-TLS as it's an IETF approved standard, but of course DNScrypt and DNS-HTTPs also will be very appreciated.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature request - DNSCrypt support...

Thu Oct 25, 2018 11:55 am

DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Joni
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: Feature request - DNSCrypt support...

Thu Oct 25, 2018 12:54 pm

DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that's a no-no.
https://www.theregister.co.uk/2018/10/2 ... _standard/
 
nimbo78
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature request - DNSCrypt support...

Sun Oct 28, 2018 2:00 pm

DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)
+1
 
estas
just joined
Posts: 22
Joined: Sat Nov 03, 2018 8:34 pm

Re: Feature request - DNSCrypt support...

Wed Nov 28, 2018 4:21 pm

+1 for DNS-over-TLS and DNSCrypt!
and also waiting UDP Proxy...
 
xkubus
just joined
Posts: 4
Joined: Sun Dec 11, 2011 7:49 pm

Re: Feature request - DNSCrypt support...

Mon Jan 07, 2019 10:38 am

+1 Please!
 
EvgeniyV
just joined
Posts: 5
Joined: Sun Oct 28, 2018 5:49 pm

Re: Feature request - DNSCrypt support...

Tue Jan 08, 2019 1:19 am

+1
interesting, how many people still have to write "+1" that this gave the result? :-?
 
User avatar
Kamaz
newbie
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 11:30 am

Google provides DNS-over-TLS https://developers.google.com/speed/pub ... s-over-tls from January 2019,
also it provides DNS-over-HTTPS https://developers.google.com/speed/pub ... over-https from September 2018.
 
User avatar
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi
Contact:

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 12:04 pm

+1
interesting, how many people still have to write "+1" that this gave the result? :-?
Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
  • MTCNA 99% '17
    MTCRE 89% '17
    MTCTCE 89% '18
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 1:59 pm

Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone withing few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...
 
User avatar
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi
Contact:

Re: Feature request - DNSCrypt support...

Mon Jan 14, 2019 9:39 pm

Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone withing few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...
ovpn UDP support may be too "enormous waste of time"?
  • MTCNA 99% '17
    MTCRE 89% '17
    MTCTCE 89% '18
 
poizzon
Member Candidate
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 2:36 am

+10
--
poi
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 8:28 am

+10
+10 to "enormous waste of time"? :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24264
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 8:45 am

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
No answer to your question? How to write posts
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 1:43 pm

HTTPS gives you more security
Huh?..
inability to catch this traffic as an administrator
Well, as it was earlier - by IP address :)

But generally yes - it's harder for your ISP to block/redirect DoH than DoT as it uses shared port number (443).
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24264
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 2:24 pm

Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).
No answer to your question? How to write posts
 
User avatar
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi
Contact:

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:20 pm

Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).
When will the DoH appear 😚? Когда же?
  • MTCNA 99% '17
    MTCRE 89% '17
    MTCTCE 89% '18
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:21 pm

What about SNI? :) ESNI is not on stage currently
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi
Contact:

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:26 pm

At home i'm mangling DNS fwd+out connections and redirect to EU OVPN (CHR VPS), but DoH = peer-to-peer encryption & we all need it (=
  • MTCNA 99% '17
    MTCRE 89% '17
    MTCTCE 89% '18
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24264
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 3:29 pm

No answer to your question? How to write posts
 
User avatar
ErfanDL
Member Candidate
Member Candidate
Posts: 280
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN
Contact:

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 4:36 pm

add DNSSEC features

Sent from my C6833 using Tapatalk

 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24264
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 4:43 pm

add DNSSEC features

Sent from my C6833 using Tapatalk
What does it mean?
No answer to your question? How to write posts
 
User avatar
ErfanDL
Member Candidate
Member Candidate
Posts: 280
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN
Contact:

Re: Feature request - DNSCrypt support...

Thu Jan 17, 2019 6:35 pm

add DNSSEC features

Sent from my C6833 using Tapatalk
What does it mean?
https://en.m.wikipedia.org/wiki/Domain_ ... Extensions

Sent from my C6833 using Tapatalk

 
User avatar
anthonws
just joined
Posts: 22
Joined: Sat Jan 09, 2016 6:46 pm

Re: Feature request - DNSCrypt support...

Mon Jan 21, 2019 10:15 pm

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Both would be the ideal scenario :) Naturally that I understand that there's budget/resources constrains and prioritization of features, and therefore that is not viable.

Using Mikrotik mainly as Home gear, my natural choice would be to go with DoH. But, since your main target is Enterprise then it makes sense to invest on the DoT first. I'm sure that the Home users/clients like me will be able to still use DoT.

Ultimately, one or the other will provide the additional security (with more or less controls) that the majority of your customers are looking for :)

What about SNI? :) ESNI is not on stage currently
Isn't that at the Browser level only?
 
anav
Forum Guru
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature request - DNSCrypt support...

Tue Jan 22, 2019 4:31 pm

At a minimum, from a practical point of view, wouldn't it matter more that juniper, cisco, fortigate, zyxel etc......... started implementing such technologies.
Further if mikrotik saw a decrease in sales and an erosion in the current base to such vendors due to technology available elsewhere, then they would be forced to move.
However, that would be too late so it is a matter of timing besides the other usual suspects, money, human resources, code stability, hardware limitations.......

.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
R1CH
Forum Veteran
Forum Veteran
Posts: 904
Joined: Sun Oct 01, 2006 11:44 pm

Re: Feature request - DNSCrypt support...

Wed Feb 13, 2019 12:41 pm

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Why not both? Although DNS over HTTPS seems to be the way forward, very few providers are actually deploying DNS over TLS. As long as you maintain a persistent connection to the resolver, latency should be minimal.
 
User avatar
eworm
Member
Member
Posts: 402
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Feature request - DNSCrypt support...

Wed Feb 13, 2019 11:30 pm

At FOSDEM 2019 Daniel Stenberg (the maintainer of curl) had a talk about DNS over HTTPS - the good, the bad and the ugly. Very interesting topic and he scheds some light on DoT, DNScrypt, DNSsec & Co as well.

IMHO DoH is the way to go.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
pothi
just joined
Posts: 9
Joined: Fri Sep 14, 2018 7:48 pm
Location: Srivilliputhur, Tamil Nadu, India
Contact:

Re: Feature request - DNSCrypt support...

Sun Mar 03, 2019 9:57 am

As an administrator, I'd like to have some (or full) control over the traffic, thus favoring DNS over TLS.

As a user, I don't want any control over my internet connection, thus supporting DNS over HTTPS.

Both are better than plain text DNS query.
Love breaking things and start over!
 
kenyloveg
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Tue Jul 14, 2009 3:25 pm

Re: Feature request - DNSCrypt support...

Thu Mar 14, 2019 3:50 pm

Can we just holding back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution(intercept plain text like google from udp 53 port then return 127.0.0.1) is very easy way for a ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
 
mutinsa
just joined
Posts: 21
Joined: Tue Feb 06, 2018 4:55 am
Location: Moscow, Russia
Contact:

Re: Feature request - DNSCrypt support...

Sun Apr 07, 2019 10:37 pm

+1.
Sergey Mutin
Certified Mikrotik Consultant
MikroTik: MTCNA, MTCRE, MTCIPv6E, MTCTCE, MTCUME, MTCINE, MTCWE | Cisco: CCNA R&S | Juniper: JNCIA-Junos | Zabbix: ZCU | Asterisk: dCAA | IPv6 Forum Certified Network Engineer (Silver) | HE.net IPv6: Sage
 
anav
Forum Guru
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature request - DNSCrypt support...

Mon Apr 08, 2019 12:14 am

Can we just holding back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution(intercept plain text like google from udp 53 port then return 127.0.0.1) is very easy way for a ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
Why limit the destination address to one pubic DNS server. Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
anthonws
just joined
Posts: 22
Joined: Sat Jan 09, 2016 6:46 pm

Re: Feature request - DNSCrypt support...

Wed Apr 10, 2019 12:46 am

DoH is no longer a "waste of time" and it's now massively used by the industry (there's even Android Apps to turn on that nowadays with CloudFare for example).

So, questions:

1. Is there an intention from Mikrotik to implement this?
2. Is there a sharable roadmap for the feature to be implemented?
3. If #1 = negative, why and what's the alternative for your users to be able to make use of such technologies?

Thanks,
anthonws.
 
kenyloveg
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Tue Jul 14, 2009 3:25 pm

Re: Feature request - DNSCrypt support...

Mon Apr 15, 2019 7:39 am

Can we just holding back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution(intercept plain text like google from udp 53 port then return 127.0.0.1) is very easy way for a ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
Why limit the destination address to one pubic DNS server. Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.
Tested this works with opendns, but failed with cloudflare or some other public dns. (assume ISP rules to intercept opendns is not created for now)
 
obesbash
just joined
Posts: 1
Joined: Mon Apr 29, 2019 12:54 pm

Re: Feature request - DNSCrypt support...

Tue Apr 30, 2019 6:00 pm

+1 for DNSSec/DNSCrypt
 
darkmanlv
newbie
Posts: 26
Joined: Thu Mar 26, 2015 3:19 pm
Location: Riga, Latvia
Contact:

Re: Feature request - DNSCrypt support...

Wed Jun 12, 2019 3:04 pm

+1 DNSCrypt, when?
 
febhost32
just joined
Posts: 2
Joined: Sat Mar 30, 2019 4:56 am

Re: Feature request - DNSCrypt support...

Sun Jun 16, 2019 7:24 am

+1 for DNSCrypt
 
User avatar
karo84
Member Candidate
Member Candidate
Posts: 194
Joined: Fri Aug 17, 2007 9:06 am

Re: Feature request - DNSCrypt support...

Fri Jun 21, 2019 4:07 pm

+10000 for DNSSec/DNSCrypt . It is a big need today to use DNSCrypt. Thanks!
 
mutinsa
just joined
Posts: 21
Joined: Tue Feb 06, 2018 4:55 am
Location: Moscow, Russia
Contact:

Re: Feature request - DNSCrypt support...

Fri Jun 28, 2019 3:26 pm

up
+1.
Sergey Mutin
Certified Mikrotik Consultant
MikroTik: MTCNA, MTCRE, MTCIPv6E, MTCTCE, MTCUME, MTCINE, MTCWE | Cisco: CCNA R&S | Juniper: JNCIA-Junos | Zabbix: ZCU | Asterisk: dCAA | IPv6 Forum Certified Network Engineer (Silver) | HE.net IPv6: Sage
 
kathampy
just joined
Posts: 3
Joined: Tue Apr 05, 2016 7:59 am

Re: Feature request - DNSCrypt support...

Wed Jul 31, 2019 8:07 pm

I would also like to see DNS over HTTPS support so I can use Cloudflare's service. Since the RouterOS DNS service is only a forwarder, DNSSEC can only be done by the upstream iterative resolver. To prevent tampering between RouterOS and the upstream resolver, DNS over HTTPS is required.
 
User avatar
ErfanDL
Member Candidate
Member Candidate
Posts: 280
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN
Contact:

Re: Feature request - DNSCrypt support...

Wed Jul 31, 2019 8:18 pm

+1M

Sent from my SM-A705FN using Tapatalk

 
konigman
just joined
Posts: 3
Joined: Mon Dec 04, 2017 10:46 pm

Re: Feature request - DNSCrypt support...

Sat Aug 03, 2019 12:16 am

Mikrotik is a business, so we have to treat this feature request as such. Not on ideological (privacy of user) or technical (DoT vs DoH) grounds.

That said, the question Mikrotik is asking themselves is obvious. Is this feature "worth it"?

Our approach should be to not only say "yes" with a sea of +1s (by the way, can there not be some annual feature request poll, annual feedback survey or something like that), but provide arguments that support this conclusion.

For example;

Which major DNS providers now offer DoT/DoH?
Which competing network hardware manufacturers provide DoT/DoH or are planning to?
Which consumer devices support DoT/DoH? The point here is that if consumers start using DoT/DoH, then they will expect to see it in the network gear in their homes, workplace, ISPs.

Now, did you expect me to provide answers to the above? Too bad. I'm Friday-lazy, but consider this me trying to get the ball rolling. :D

Ok, fine. Here's a list of DNS providers https://en.wikipedia.org/wiki/Public_re ... ame_server so it's evident Cloudflare, Google and Quad9 are leading the way.
Also, about consumer devices, we have "Private DNS" in Android 9.0, which accepts DoT.
Regarding competing firms, someone in the know could chime in.
 
WojtusW5
Frequent Visitor
Frequent Visitor
Posts: 64
Joined: Mon Oct 02, 2017 1:25 pm

Re: Feature request - DNSCrypt support...

Sat Aug 03, 2019 12:32 pm

+1 a very good idea that encrypted DNS support will be implemented in RouterOS
I invite you to visit my blog
https://mikrotikon.pl/
 
User avatar
anthonws
just joined
Posts: 22
Joined: Sat Jan 09, 2016 6:46 pm

Re: Feature request - DNSCrypt support...

Sat Aug 03, 2019 2:26 pm

Mikrotik is a business, so we have to treat this feature request as such. Not on ideological (privacy of user) or technical (DoT vs DoH) grounds.

That said, the question Mikrotik is asking themselves is obvious. Is this feature "worth it"?

Our approach should be to not only say "yes" with a sea of +1s (by the way, can there not be some annual feature request poll, annual feedback survey or something like that), but provide arguments that support this conclusion.

For example;

Which major DNS providers now offer DoT/DoH?
Which competing network hardware manufacturers provide DoT/DoH or are planning to?
Which consumer devices support DoT/DoH? The point here is that if consumers start using DoT/DoH, then they will expect to see it in the network gear in their homes, workplace, ISPs.

Now, did you expect me to provide answers to the above? Too bad. I'm Friday-lazy, but consider this me trying to get the ball rolling. :D

Ok, fine. Here's a list of DNS providers https://en.wikipedia.org/wiki/Public_re ... ame_server so it's evident Cloudflare, Google and Quad9 are leading the way.
Also, about consumer devices, we have "Private DNS" in Android 9.0, which accepts DoT.
Regarding competing firms, someone in the know could chime in.
All good points that have been indefinitely mentioned throughout the forum in numerous threads.

Just forget it. It's not going to happen.

There's no objective Customer Care/Success Unit strategy from Mikrotik, let alone someone or some Business Unit looking into these forums, other than support.

Honestly (and I'm not the only one saying this), take you're money elsewhere for your next network equipment acquisition.
 
drdedus
just joined
Posts: 14
Joined: Thu Mar 17, 2016 6:24 pm

Re: Feature request - DNSCrypt support...

Wed Sep 11, 2019 12:47 am

+1 for DNSSec/DNSCrypt
 
3dfx
just joined
Posts: 15
Joined: Sun Sep 15, 2013 6:57 pm
Location: Bulgaria

Re: Feature request - DNSCrypt support...

Thu Sep 26, 2019 12:53 am

Any updates on the topic?
 
kenyloveg
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Tue Jul 14, 2009 3:25 pm

Re: Feature request - DNSCrypt support...

Mon Oct 14, 2019 7:02 am

Never tried V7 beta, something new in the DNS section?
 
Sob
Forum Guru
Forum Guru
Posts: 4794
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature request - DNSCrypt support...

Mon Oct 14, 2019 6:42 pm

Nothing I can see. But it's early beta and the main goal is to have new kernel, not so much new features, even though there are some (not for DNS).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
kenyloveg
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Tue Jul 14, 2009 3:25 pm

Re: Feature request - DNSCrypt support...

Thu Oct 17, 2019 5:20 am

Nothing I can see. But it's early beta and the main goal is to have new kernel, not so much new features, even though there are some (not for DNS).
Thank you.

Who is online

Users browsing this forum: MSN [Bot] and 120 guests