Question about DNS-Over-TLS in TO5

Hi All,

I was trying to understand whether in TO5 DNS-over-TLS is configured and active by default when e.g. Cloudflare is selected as forwarder. I'm asking because I've tried to use this site (Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy.) to check if TLS is enabled and it seems not, but I'm not sure if the test is reliable.

Thanks for any help/suggestion

Thanks
Astrakan

I can’t see how a web test could tell you this, at least not reliably.

By default, recent OS versions on Omnia and MOX will serve DNS-over-TLS (port 853 on the router's IP addresses used for DNS). That default is with an "untrustworthy" certificate, so we could call that opportunistic security, working only against passive attackers.

Then, independently of that, there's the segment from the router towards the internet. There's no TLS there by default. In the DNS tab of (re)Foris you can select forwarding over TLS to some provider, a few predefined ones or any custom one. There the certificate will be checked (unless you explicitly disable that).

Thank you vcunat for the clarification, so the test is somewhat unreliable and my configuration is in fact as I want it to be.

Thanks again
Astrakan

Some (cloud) DNS providers offer web tests telling you if you're using their DNS and perhaps even some parameters of that connection (on the last segment before their servers). That can be done reliably.

Once you have properly configured "forwarding" to one of the DoT-supporting DNS servers, such as Google DNS or Cloudflare DNS, you can verify it by capturing outgoing packets on the WAN interface:

tcpdump -v -n -i eth2 dst port 853

Also, to cross-check whether something still goes out in plain text:

tcpdump -v -n -i eth2 dst port 53

Btw, I have a question: why does Knot Resolver listen on 853 as well, is there any use case?
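To make concrete what the tcpdump checks above are looking at, here is an added example (not code from the thread, from Turris OS or from Knot Resolver) of what a DNS-over-TLS query looks like on the wire: per RFC 7858 it is the ordinary DNS wire format, prefixed with the 2-byte length used for DNS over TCP, carried inside TLS to port 853. The block builds a query, frames it, parses a constructed response (the sample bytes are made up, not captured from a real resolver), and, when run directly with network access, sends the query to a resolver with certificate and hostname verification enabled, which is the same check vcunat says (re)Foris performs unless you disable it. The resolver address and hostname in the usage comment are assumptions for illustration.

```python
"""DNS-over-TLS (RFC 7858) query builder, framer, response parser and verifying client.

Added example, not part of the original forum thread or of any Turris/Knot Resolver code.
"""
import socket
import ssl
import struct

DOT_PORT = 853  # DNS-over-TLS port (RFC 7858); plain DNS would be 53


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query (RD=1, one question) for `name`; type A by default."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_tcp(msg: bytes) -> bytes:
    """Prefix with a 2-byte big-endian length: the framing used over TLS/853 and TCP/53."""
    return struct.pack(">H", len(msg)) + msg


def parse_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after the name field)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_a_answers(resp: bytes) -> list:
    """Return (name, ttl, ipv4) tuples for the A records in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):              # skip the question section
        _, off = parse_name(resp, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = parse_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            out.append((name, ttl, ".".join(str(b) for b in rdata)))
    return out


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from resolver")
        buf += chunk
    return buf


def dot_query(server: str, name: str, server_hostname: str = None, timeout: float = 5.0) -> list:
    """Send one A query over TLS to port 853, verifying the server certificate and hostname."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or server) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            length = struct.unpack(">H", recv_exact(tls, 2))[0]
            return parse_a_answers(recv_exact(tls, length))


# Constructed sample (not a real capture): reply to build_query("example.test") carrying
# one A record 192.0.2.1 with TTL 300, using a compression pointer to the question name.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_a_answers(SAMPLE_RESPONSE))
    # Live check (needs network; address and hostname are assumptions for illustration):
    # print(dot_query("1.1.1.1", "example.com", server_hostname="cloudflare-dns.com"))
```

Run it with the live line uncommented while the tcpdump filter for port 853 is active and you will see exactly one TLS session to the forwarder and nothing on port 53; if the certificate does not match the hostname you pass, `ssl` raises instead of silently querying, which is the difference between the verified forwarding segment and the opportunistic LAN-side listener described earlier in the thread.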

Androids use it, even by default.

Maybe others as well, but from my point of view it's more about there being no reason not to serve DoT.
