DNS over TLS Support?
Can anyone confirm if the OpenDNS servers support DNS over TLS queries? If they don't, is there any information available on if they ever will? Unfortunately my router doesn't support DNSCrypt, only DNS over TLS.
Thanks.
-
Cisco’s blog entry of 2022-02-10, https://umbrella.cisco.com/blog/enhancing-support-dns-encryption-with-dns-over-https, announces that their core resolvers now support DoT (DNS over TLS) as well as DoH (DNS over HTTPS), effective 2022-01-28. Since they list the same IP addresses as OpenDNS, and identical DoH resolvers https://dns.opendns.com/dns-query and https://dns.umbrella.com/dns-query, the implication is both dns.opendns.com and dns.umbrella.com should work as DoT resolvers! Verified both DNS addresses work for DoT on an Android 10 phone; ref. https://support.opendns.com/hc/en-us/community/posts/4418984676756-DNS-Over-TLS-Opendns.
-
To my best knowledge, DNS over TLS is not supported yet. Else it would surely be documented and advertised. And if they were to come up with it, it would surely be announced.
See https://support.opendns.com/hc/en-us/articles/360038463251
-
I just came to the same realization. I'm trying to change the DNS settings on my Android 10 device and I very much have two options:
1. Set a global DNS over TLS server for all internet connections (I wonder if this would work even if connected over cell network).
2. Set individual wi-fi connections to use a fixed IP, and then hope I will not run into a duplicate IP in my network as I won't bother to reserve that IP in my router.
Looking around I find several other DNS providers (granted paid services) offer something to OpenDNS with DoH and DoT.
-
Have you looked at this - https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS
-
Sadly, this is probably enough to get me to switch from OpenDNS to Cloudflare Teams.
Not that this is much of a threat to OpenDNS; as a free customer, it's not like I'm taking any "business".
I *could* use an additional proxy to get the local request queued into DoH, but DNS lookups are already stupid slow compared to what they would be running a purely local resolver. If I want to use a local resolver to block more ads than OpenDNS (not to mention saving ISP traffic from any queries blocked locally...), then I have to run something locally. Pi-hole, or, like the OP, unbound; there are other similar choices. I could even run DNSmasq in my router. Whatever method I use, however, requires an extra step. Pi-hole would require an extra step to use DoH *or* DoT, and most of the other choices would be similar:
client -> pi-hole -> DNSCrypt -> OpenDNS
or
client -> pi-hole -> Unbound -> OpenDNS
If I instead run unbound, I can use DoT directly, and unbound runs well on the same hardware as pi-hole, so I can skip a layer:
client -> Unbound -> OpenDNS
...except that OpenDNS, for no good reason, refuses to support DoT.
I would prefer to stick with OpenDNS; I think it's a better product, and with API support for changing your registered external IP address, it solves problems Cloudflare hasn't yet, but I also don't want my ISP to be able to see my DNS traffic.
Unbound *appears* to support DoH upstream, but the config examples seem to indicate that you need the certificate file from the other end in order for unbound to trust it. If anyone has experience with this configuration, I'd love to hear from you, since I can't seem to find anything on Google about it.
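As an added example, not taken from this thread and not OpenDNS's or Cisco's own documentation, here is a minimal unbound configuration that forwards every query upstream over DoT (RFC 7858, TCP port 853). Assumptions not on this page: the OpenDNS anycast addresses 208.67.222.222 and 208.67.220.220, the authentication name dns.opendns.com (the hostname given in the second post), and the Debian/Ubuntu CA-bundle path. On the certificate question in the post above: unbound does not need the remote end's certificate file; it validates the upstream's chain against the system CA bundle named by tls-cert-bundle and checks the name given after '#' in forward-addr.

```conf
# Added example: unbound.conf forwarding all queries to OpenDNS over DNS over TLS.
# Assumptions (not from the thread): upstream IPs 208.67.222.222 / 208.67.220.220,
# TLS authentication name dns.opendns.com, CA bundle at the Debian/Ubuntu path.
server:
    interface: 0.0.0.0
    port: 53
    # Only answer the local network and localhost; adjust the prefix to your LAN.
    access-control: 192.168.0.0/16 allow
    access-control: 127.0.0.0/8 allow
    # Trust store used to validate the upstream resolver's certificate chain.
    # (Builds with OpenSSL default paths can use "tls-system-cert: yes" instead.)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Send every query to the forwarders below over TLS; unbound will not fall
    # back to cleartext port 53 for this zone if the TLS connection fails.
    forward-tls-upstream: yes
    # Syntax is address@port#authname: the name after '#' is sent as SNI and
    # must match the server certificate, otherwise the connection is rejected.
    forward-addr: 208.67.222.222@853#dns.opendns.com
    forward-addr: 208.67.220.220@853#dns.opendns.com
```

Validate the file with `unbound-checkconf` before restarting the service. The useful check afterwards is a packet capture on the resolver host: queries it makes to the upstream should appear only as TLS to port 853, never as UDP or TCP port 53, which is exactly the property the post above wants (the ISP sees a TLS session to the resolver, not the query names). Note that this example is DoT; unbound's upstream forwarding speaks DoT, and the "certificate file" in older examples refers to the CA bundle, not to a per-server certificate.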
-
I heard back from AVM:
"I have forwarded your enhancement request concerning DNScrypt to our product management team. They will decide whether DNScrypt support can be implemented in a future firmware version."
I don't hold out much hope. It seems to me that DNSCrypt is a bit of a niche protocol now that the IETF have ratified DoT. Would be good for OpenDNS to add support for DoT.
14 comments