Implement DNS using TLS in a router setup: Secure DNS communication via TLS protocol on network devices

#1 jjsoini (Posting Freak, 809) on 09-29-2020, 05:41 AM
Hi everyone, I moved to Cloudflare some time ago and recently discovered that DNS requests aren't automatically encrypted. I checked my Asus RT-AC87U router, which doesn’t support encrypted DNS out of the box. However, I found that Merlin offers DNS over TLS, but it appears the version available for my router is outdated compared to the latest updates from Asus. I’m unsure whether it’s better to stick with the official software for security or switch to Merlin for TLS support. The firmware updates from Asus last addressed a security flaw and a DoS issue—though I’m not sure if those are enough reasons to change.

Regarding your question, if DNS over TLS is enabled on the router, it means all DNS traffic passes through it, which would encrypt those requests. But since I’m using Merlin, I wonder if each device handles its own DNS independently, making the router’s settings irrelevant.

#2 SivTheGreat (Member, 209) on 09-29-2020, 08:03 AM
Sometimes certain apps, like Android, can skip your router's DNS settings. On pfSense I set up a rule to block all unencrypted DNS traffic and send it back through the router. However, if a device uses DNS over TLS/HTTPS directly, redirecting it becomes difficult because the certificate won't match. This security feature actually lets specific programs set their own DNS server and bypass your local one. The key advantage is preventing your ISP from tracking your DNS queries.

#3 Rizzex (Member, 54) on 09-30-2020, 09:25 PM
I removed support for the RT-AC87 a few years back, so it’s out of the question if you need DNS over TLS. This device also reached its end-of-life at Asus a long time ago. https://www.asus.com/event/network/EOL-product/ Using Asuswrt-Merlin, DNS over TLS requests are handled by the router, and usually your LAN clients rely on it as their DNS provider—then they’ll also use DoT. Some devices come with pre-set DNS servers (for example, the Netflix Android app). The solution with Asuswrt-Merlin is to turn on DNSFilter and make sure all clients connect through the router for standard DNS queries. You might also disable the automatic DoH promotion that newer Windows and Firefox clients support; anything that picks DoH on its own won’t be blocked by the router. But keep in mind, this approach needs a more recent router model.
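The port-53 redirect that posts #2 and #3 describe (a pfSense rule, or DNSFilter on Asuswrt-Merlin, forcing plain DNS back through the router so only the router's DoT link leaves the LAN), written out as an added iptables script. This is example code, not code from this thread or from Asuswrt-Merlin; the LAN bridge name br0, the router address 192.168.1.1 and the exempt client address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from this thread or from Asuswrt-Merlin: force plain
# DNS (port 53) from LAN clients back to the router's resolver, the same effect
# DNSFilter / the pfSense rule in the thread produce. The router then forwards
# upstream over DoT. Placeholders (assumed): LAN bridge br0, router 192.168.1.1.
LAN_IF="${LAN_IF:-br0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
EXEMPT_CLIENTS="${EXEMPT_CLIENTS:-}"   # space-separated LAN IPs allowed their own resolver

# Emit the rule set as iptables command lines, one per line, without running them.
dns_redirect_rules() {
    # Exempt clients are matched first so the later catch-all rules skip them.
    for ip in $EXEMPT_CLIENTS; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $ip -p $proto --dport 53 -j ACCEPT"
            echo "iptables -A FORWARD -i $LAN_IF -s $ip -p $proto --dport 53 -j ACCEPT"
        done
    done
    # Rewrite every other plain DNS query from the LAN to the router's own
    # resolver; queries already addressed to the router are left alone.
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 ! -d $ROUTER_IP -j DNAT --to-destination $ROUTER_IP"
    done
    # Anything that still tries to leave the LAN on port 53 is rejected, so no
    # unencrypted query reaches the ISP. Port 853 (DoT) is deliberately left
    # alone: a client doing its own DoT cannot be redirected (certificate
    # mismatch, as noted above), so decide per device whether to exempt or block it.
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j REJECT"
    done
}

# Number of rules in the plan; a quick sanity check before applying.
dns_redirect_rule_count() {
    dns_redirect_rules | wc -l | tr -d ' '
}

# Run the plan. With DRY_RUN set, the commands are printed instead of executed.
# Note: -A appends, so on a live router run this early (before the firmware's
# own rules) or switch to -I.
apply_dns_redirect() {
    dns_redirect_rules | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Usage (dry run): DRY_RUN=1 sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then apply_dns_redirect; fi
```

Clients that speak DoT/DoH directly (the Android case in post #2) are not caught by these rules at all; they need the DoH-promotion setting disabled on the client or a separate per-device decision.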

#4 Letrix122 (Junior Member, 2) on 10-01-2020, 02:25 AM
Sure, I've managed my own DNS server for a while now. The cost is almost nothing, and it's also a solid method to block unwanted software and apps. I even identified an ISP redirecting BIND requests, contacted tech support by email, and the redirection stopped without any response—remember, being cautious doesn't mean they're targeting your data.