
 
NetworkMeister
just joined
Topic Author
Posts: 13
Joined: Thu Feb 12, 2015 8:59 pm

Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 4:57 pm

Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when a RouterOS device serves as DNS cache/recursive resolver).

https://developers.google.com/speed/pub ... over-https
https://developers.cloudflare.com/1.1.1 ... ver-https/

While an experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and provides significant benefits in practice.
 
R1CH
Forum Veteran
Posts: 883
Joined: Sun Oct 01, 2006 11:44 pm

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 6:18 pm

DNSCrypt support would also be welcome, to avoid the overhead of wrapping all DNS requests in HTTP / TCP.
 
Sob
Forum Guru
Posts: 4527
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 6:47 pm

There's also DNS over TLS (RFC7858).

But when you look at how much attention MikroTik gave to DNS in the past (there's nothing over basic functionality and one could argue that even some basics are missing), I don't see any of this happening anytime soon.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
msatter
Forum Guru
Posts: 1198
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Add DNS over HTTPS (DoH) support

Mon Apr 02, 2018 9:24 pm

Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when a RouterOS device serves as DNS cache/recursive resolver).

https://developers.google.com/speed/pub ... over-https
https://developers.cloudflare.com/1.1.1 ... ver-https/

While an experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and provides significant benefits in practice.
viewtopic.php?f=2&t=132678
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.3.2
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
hardtik
just joined
Posts: 7
Joined: Sat Apr 15, 2017 11:00 pm

Re: Add DNS over HTTPS (DoH) support

Wed Feb 13, 2019 11:09 am

+1

Can anybody from MikroTik reply on this thread?
 
dave864
just joined
Posts: 21
Joined: Fri Mar 11, 2016 2:37 pm

Re: Add DNS over HTTPS (DoH) support

Sun Apr 07, 2019 12:32 am

+1
About time DNSCrypt or DNS over TLS was implemented.
 
anav
Forum Guru
Posts: 2936
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Add DNS over HTTPS (DoH) support

Sun Apr 07, 2019 4:45 pm

RPI apparently has the ability to do this and is very inexpensive. Now that I have ad block working, I might give this a try.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
MtHoodlum
just joined
Posts: 12
Joined: Fri Sep 07, 2012 2:09 am

Re: Add DNS over HTTPS (DoH) support

Sun Jul 07, 2019 8:10 am

Also interested in encrypted DNS. +1
 
jplr
just joined
Posts: 1
Joined: Tue Jul 16, 2019 11:09 am

Re: Add DNS over HTTPS (DoH) support

Tue Jul 16, 2019 11:11 am

Also interested in encrypted DNS. +1
 
khaverblad
newbie
Posts: 37
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 2:58 pm

@Mikrotik are you considering implementation of DNS over HTTPS or DNSCrypt? Would be great with an update on this topic.
--
Member of Mikrotik Sweden Telegram Group
 
pe1chl
Forum Guru
Posts: 5700
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 4:26 pm

This is something that (when you want to have it at all) should be implemented in the client, not in the router.
And of course MikroTik already supports DNS over HTTPS done by the client.
(and you will lose the possibility of controlling access to sites, shaping bandwidth to certain sites, etc. but that is what it is all about)
 
khaverblad
newbie
Posts: 37
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 4:49 pm

And that is my point, if Mikrotik implemented it, it wouldn't break anything as it would if enabled on the client side.
 
pe1chl
Forum Guru
Posts: 5700
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 5:06 pm

But then it also does not bring the advantages that the client side implementers think it will bring!
So they will work around it even when you implement it in the router.
It appears that some implementations allow a switch-off (look up a DNS name which should return NXDOMAIN), but MikroTik DNS does not support static names which return NXDOMAIN, and experience shows that these kinds of switches are removed or made possible to override in no time.
 
khaverblad
newbie
Posts: 37
Joined: Sat Mar 08, 2014 12:32 am
Location: Sweden

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 5:12 pm

Well, it doesn't necessarily have to be the client side who wants to implement it :-)
 
Sob
Forum Guru
Posts: 4527
Joined: Mon Apr 20, 2009 9:11 pm

Re: Add DNS over HTTPS (DoH) support

Mon Sep 09, 2019 9:16 pm

"Funny" thing is that implementation in the browser (as Mozilla is pushing now; or generally per-application) makes the least sense of all. Either I want to protect the whole network, so I need it on the router. Or I want to protect the computer (better for mobile devices, because with them I don't always have control over the network) and then I need a system-wide solution there. Not only browsers use DNS.

And the idea with the canary domain and the ability to tell the browser this way to not use DoH, it's not hard to predict how it will go, is it? If I'm the bad guy who wants to mess with users' DNS, of course I will use that.
 
davidg
just joined
Posts: 3
Joined: Fri Jul 14, 2017 9:20 am
Location: Transylvania, Ro

Re: Add DNS over HTTPS (DoH) support

Thu Sep 12, 2019 1:10 pm

And the idea with the canary domain and the ability to tell the browser this way to not use DoH, it's not hard to predict how it will go, is it? If I'm the bad guy who wants to mess with users' DNS, of course I will use that.
I'm actually reading this post because I was wondering if RouterOS had any way to NXDOMAIN a given address, in order to implement the canary domain as per https://support.mozilla.org/en-US/kb/co ... over-https. I don't want traffic on our (SOHO) network that skips DNS-based filtering or tells Google/Cloudflare everything.
 
pe1chl
Forum Guru
Posts: 5700
Joined: Mon Jun 08, 2015 12:09 pm

Re: Add DNS over HTTPS (DoH) support

Thu Sep 12, 2019 4:26 pm

Yes that is why there is some discussion about this.
However, be warned that this "canary domain", as Sob already writes too, is likely to go away in the future once hackers who want to play man-in-the-middle on DNS see this, implement the canary domain, Mozilla finds out about that, and decides to disable that feature (at least by default).

You should prepare for the situation that you get less and less control over what happens on your network!
All well-known ways of peeking in traffic to implement policies (like website blocking, or QoS implementations that e.g. try to set a lower priority for some traffic) are going to be taken away from you by those browser developers.

It is not only DNS over HTTPS. Firefox will also start to do all web browsing traffic over a "VPN" between the browser and some Cloudflare service, running over HTTPS.
So no way to block sites by IP address anymore! (or to put lower priority on some websites)
You will only see a lot of sessions to a single HTTPS service and no more way to get insight into what is happening over those sessions.
