DNS over TLS Support?

Comments

12 comments

  • rotblitz (Edited)

    To my best knowledge, DNS over TLS is not supported yet. Else it would surely be documented and advertised. And if they come up with it, it will surely be announced.

    See https://support.opendns.com/hc/en-us/articles/360038463251

  • kage1

    If past threads are any indication OpenDNS, now owned by Cisco, does not plan on supporting DNS over TLS even though it's getting pretty close to being the industry standard.

  • adkw.co

    I just came to the same realization. I'm trying to change the DNS settings on my Android 10 device and I very much have two options:

    1. Set a global DNS over TLS server for all internet connections (I wonder if this would work even if connected over cell network).

    2. Set individual wi-fi connections to use a fixed IP, and then hope I will not run into a duplicate IP in my network as I won't bother to reserve that IP in my router.

    Looking around I find several other DNS providers (granted paid services) offer something to OpenDNS with DoH and DoT.

  • rotblitz

    OpenDNS offer DoH and DNSCrypt.

  • adkw.co

    Unfortunately Android 9 and later seem to only accept DNS over TLS (DoT). I tried the DoH address for OpenDNS, but got an error saying it "couldn't connect".

  • rotblitz

    As I understand this, DoH needs to be configured in the browser, not in the OS.

  • wiyadi

    Please, OpenDNS, add DNS over TLS; I wish I could use it on my pfSense (unbound) and my Android 10 mobile phone.

  • rotblitz

    Yes, this is what I linked to above already.

  • mupi

    Sadly, this is probably enough to get me to switch from OpenDNS to Cloudflare Teams.


    Not that this is much threat to OpenDNS; as a free customer, it's not like I'm taking any "business".

    I *could* use an additional proxy to get the local request queued into DoH, but DNS lookups are already stupid slow compared to what they would be running a purely local resolver. If I want to use a local resolver to block more ads than OpenDNS (not to mention saving ISP traffic from any queries blocked locally...), then I have to run something locally. Pi-hole, or as the OP, unbound; there are other similar choices. I could even run dnsmasq in my router. Whatever method I use, however, requires an extra step. Pi-hole would require an extra step to use DoH *or* DoT, and most of the other choices would be similar:

    client -> pi-hole -> DNSCrypt -> OpenDNS

    or

    client -> pi-hole -> Unbound -> OpenDNS

    If I instead run unbound, I can use DoT directly, and unbound runs well on the same hardware as pi-hole, so I can skip a layer:

    client -> Unbound -> OpenDNS

    ...except that OpenDNS, for no good reason, refuses to support DoT.


    I would prefer to stick with OpenDNS, I think it's a better product, and with API support for changing your registered external IP address, it solves problems Cloudflare hasn't yet, but I also don't want my ISP to be able to see my DNS traffic.


    Unbound *appears* to support DoH upstream, but the config examples seem to indicate that you need the certificate file from the other end in order for unbound to trust it. If anyone has experience with this configuration, I'd love to hear from you, since I can't seem to find anything on Google about it.

  • filbert42 (Edited)
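As an added illustration (not from this thread, and not OpenDNS or unbound project material), this is what an unbound forwarding configuration over DoT looks like; the upstream IP, hostname and file paths are placeholders, since the thread itself notes that OpenDNS has no DoT endpoint. It addresses the certificate question raised above: unbound does not need a copy of the far end's certificate, it needs a CA bundle to validate the server certificate and the expected hostname to check it against.

```conf
# unbound.conf fragment: forward every query to a DNS-over-TLS upstream.
# The upstream IP and hostname are PLACEHOLDERS (assumption); substitute
# the DoT endpoint published by your provider. Paths are typical Linux
# locations and are also assumptions.
server:
    # Trust store used to validate the upstream's certificate chain.
    # This is what makes copying the remote certificate unnecessary:
    # any certificate chaining to a CA in this bundle, whose name
    # matches the one given after '#' below, is accepted.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Independent of transport security: validate DNSSEC signatures on
    # the answers the forwarder returns, so a misbehaving upstream
    # cannot hand back forged records for signed zones.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    name: "."
    # Use TLS to every forwarder in this zone; port 853, not 53.
    forward-tls-upstream: yes
    # IP@port#authname: the name after '#' is verified against the
    # server certificate, so an interposed resolver with a certificate
    # for a different name fails the TLS handshake.
    forward-addr: 192.0.2.53@853#dot.example.net
```

Run `unbound-checkconf` before reloading, and confirm the change with a capture on the WAN side: the forwarder should only ever see TCP/853 from the resolver, never UDP/53.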

    I have a Fritzbox router that only seems to support DoT. I'll raise a query with AVM (the makers) to see what they say about adding DNSCrypt.

  • filbert42

    I heard back from AVM:

    "I have forwarded your enhancement request concerning DNSCrypt to our product management team.
    They will decide whether DNSCrypt support can be implemented in a future firmware version."

    I don't hold out much hope. It seems to me that DNSCrypt is a bit of a niche protocol now that the IETF have ratified DoT. Would be good for OpenDNS to add support for DoT.
