Feature request - DNSCrypt support...

ibeeby · Mon Jan 30, 2012 7:55 am

I'd be grateful if Mikrotik could consider adding DNSCrypt _urgently_ to the current and future versions of ROS.

DNSCrypt has been released by DYNDNS.org as open-source code and allows users to effectively wrap DNS requests to DYNDNS servers in an SSL layer. This significantly improves security for users in public networks but should also add security for businesses against eavesdropping and man-in-the-middle attacks.

Currently the only client support for DNSCrypt is an OS-X release from DYNDNS.org but as they have published the source code, it _must_ be straightforward for Mikrotik to add this as a package option.

All of my WAN facing Mikrotik routers use DYNDNS.org as their DNS servers as this allows free and effective filtering to avoid phishing sites and illegal content (which is flexibly adjustable by the user/manager).

Best Regards

Ian Beeby

vetusa2 · Sun Feb 26, 2012 6:07 pm

i add my request too

dmitrik · Sun Jul 14, 2013 7:28 am

I vote for DNSCrypt.
OpenDNS supports DNSCrypt. I use Mikrotik as DNS proxy to OpenDNS.

Shnatsel · Tue Jan 21, 2014 5:48 pm

I'd also love RouterOS to support DNSCrypt!
Right now I have to run it locally on every machine on the network and reconfigure the network settings on every machine for every connection - which tedious and it's easy to miss a connection or a machine and then DNS goes in the clear again... EWWW.

If I could just get it on the router as a package all that hassle wouldn't be necessary!

Shnatsel · Tue Jan 21, 2014 5:50 pm

I'd also love RouterOS to support DNSCrypt!
Right now I have to run it locally on every machine on the network and reconfigure the network settings on every machine for every connection - which tedious and it's easy to miss a connection or a machine and then DNS goes in the clear again... EWWW.

If I could just get it on the router as a package I could get rid of all that hassle with manually editing every single connection on every single machine!

chrismfz · Sat Feb 22, 2014 3:29 pm

That's old but hey.. never give up!

It should be great. Selecting already existing DNSes like cloudns or dnscrypt.eu or opendns
(or adding ours) would be great too.

spending power and $ to have always-on an old hardware server only for dns or running the dnscrypt-proxy anywhere when we got mikrotik it's a torture.

(Especially when there are devices that can't support it like cellphones, or in points which you offer wifi / internet and you want all dns traffic forced to dnscrypt)

nosovk · Sat Mar 01, 2014 9:23 pm

it would be nice option

pdf · Wed Mar 26, 2014 1:59 pm

I agree it would be nice to have it somewhere in the future

IntrusDave · Thu May 22, 2014 10:25 pm

Add me to the list. Right now I keep a little 1U Atom box just for running things like DNSCrypt. I'd love to move that to my CCR1016

tweetyspn · Sat Jun 28, 2014 1:41 pm

Totally agree, nice feature!

andryan · Thu Oct 09, 2014 9:49 am

+1

Would be really useful to bypass DNS-based censorship

kurlais · Thu Oct 09, 2014 10:56 am

be fine, if version 7 will support ikev2 vpn.

that is to use blackberry z10

alexkuzko · Sun Dec 07, 2014 11:43 pm

Vote for this as well! Currently there is no proper method and using metarouter is too complex/heavy.

Solaris · Sun Apr 12, 2015 1:10 am

+1 for dnscrypt!

bloodroses · Sun May 17, 2015 11:38 am

+i it should have, security at first position !

shaneau · Fri Jun 19, 2015 10:26 am

Would be a welcome addition to routeros.

nemke · Mon Jun 22, 2015 1:35 am

+1 for dnscrypt!

etm7469 · Sat Aug 08, 2015 9:55 pm

+1 for dnscrypt!

jo2jo · Fri Aug 14, 2015 6:13 pm

this would be Amazing if ROS supported DNSCrypt. would really open up alot of potentail buyers to ROS just for this one feature in a home router that doesnt require alot of linux+setup.

tks

nemke · Sat Aug 15, 2015 7:17 pm

+1 for DNSCrypt support...

bhorrock · Fri Aug 21, 2015 3:53 pm

+1 for DNSCrypt !!

minjun · Fri Sep 04, 2015 9:59 am

+1 for DNSCrypt.

michaeln416 · Fri Sep 04, 2015 2:48 pm

+1 for DNSCrypt !!

Sent from my Nexus 5 using Tapatalk

Zorro · Tue Sep 08, 2015 4:23 pm

do its better than DNSCurve ?
or just another, proprietary implementation/port of ?

MikroTikFan · Mon Nov 09, 2015 12:56 pm

+1 for DNSCrypt.

When ?

pidybi · Wed Nov 25, 2015 11:10 pm

+1 for DNSCrypt

+1 ;)

currently I'm using dnscrypt-proxy by Cisco on Tomato and my log is:

Nov 24 00:03:12 | daemon.notice dnscrypt-proxy[1099]: Starting dnscrypt-proxy 1.4.1
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1099]: Initializing libsodium for optimal performance
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1099]: Generating a new key pair
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Server certificate #143xxx4751 received
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: This certificate looks valid
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Chosen certificate #143xxx4751 is valid from [2015-07-03] to [2016-07-02]
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Server key fingerprint is xxx9:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:Fxxx
Nov 24 00:03:12 | daemon.notice dnscrypt-proxy[1097]: Proxying from 127.0.0.1:40 to 208.67.220.220:443

:)

Zorro · Mon Dec 28, 2015 8:42 pm

+1 for DNSCrypt
)

i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.

IntrusDave · Tue Dec 29, 2015 9:05 am

i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.

No one said anything about tunnels or VPN. He said that he was using DNSCrypt-Proxy on tomato for his DNS. Just as many of us are. The whole point of DNSCrypt is to send the DNS through an encrypted tunnel.

Zorro · Tue Dec 29, 2015 10:05 pm

i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.
No one said anything about tunnels or VPN. He said that he was using DNSCrypt-Proxy on tomato for his DNS. Just as many of us are. The whole point of DNSCrypt is to send the DNS through an encrypted tunnel.

yes, but low-overhead "embedded" implementation. similarly - nobody would call SSH "tunnel" instead of serious VPN's or atleast IPIP, EOIP, despite similarity.

MikroTikFan · Thu Jan 07, 2016 12:37 am

Please consider that DSNCrypt can use a lot of resolvers in different part of the World without establishing payed commercial VPN.

https://github.com/jedisct1/dnscrypt-pr ... olvers.csv

Please keep in mind also that for some solutions with big traffic you don't need to use VPN which is quite heavy traffic for you router instead of this using just only DNSCrypt.

I think that this feature will be very usefull and rest of routers solutions support DNSCrypt

Zorro · Tue Jan 12, 2016 2:55 am

I think that this feature will be very usefull and rest of routers solutions support DNSCrypt

i think too.
aswell as "next-gen" things in that area, that already emerged and ought to replace DNSCrypt. aside mentioned above DNSCurve - there some other code, but somewhat unstable, yet in 1/3 of.
but what i don't think its this features - shouldn't be part of "default config" of DNS services(either MT implement it as part of Main DNS service or separate package).

prd0000 · Tue Feb 02, 2016 9:31 pm

+1 this.
I would like DNS crypt too. Right now we maintain VPN connection to our headquarter across the globe just to get our DNS addresses securely. other option is to install a "heavy" 128MB RAM 8GB linux built solely for DnsCrypt. I would like to cut that and maintain our own secure DNS resolver, but spending unnecessary resource for that tiny function seems beyond logic.

колбаскин · Wed Mar 30, 2016 4:09 pm

+1 please add DNSCrypt support

arxont · Mon Apr 04, 2016 5:17 am

+1 vote to DNSCrypt

Micat · Fri May 20, 2016 1:31 pm

I vote for DNSCrypt

Dok · Thu May 26, 2016 1:42 pm

+1 for DNSCrypt

thevoidnn · Wed Jun 01, 2016 10:00 am

+1 for DNSCrypt

flexus · Sat Jun 18, 2016 11:18 pm

+1, vote for dnscrypt.

This already supports Tomato and OpenWRT! Need it in RoS

https://dnscrypt.org/#dnscrypt-routers

irghost · Sun Jun 19, 2016 12:53 am

+1, vote for dnscrypt.

SystemErrorMessage · Mon Jul 11, 2016 12:11 am

Wow, this thread was started years ago and still mikrotik hasnt implemented this. +1 for this feature to overcome ISP DNS hijacking as this has been an issue for me. Please implemented as soon as possible, the implementation is already available from github so all that remains is for mikrotik to adapt it to routerOS.

I know mikrotik is focused on being a good router but DNScript is a network related feature that is very beneficial so please add this. Im not expecting an all in one router from mikrotik but i want all in one when it comes to network features, i want snort and an antivirus on routerOS as well.

ChangzhouC · Sat Jul 16, 2016 6:31 pm

+1 for DNSCrypt

wirSeefahrer · Tue Jul 26, 2016 12:59 pm

+1 for DNSCrypt

That would be a really great feature to have even in countries like Sweden.

Jacquesvw · Thu Aug 18, 2016 6:53 am

+1 for DNScrypt

chebedewel · Wed Sep 21, 2016 1:03 am

A nice feature indeed, it could be added along with DNSSec support

chrisk8er · Sun Nov 13, 2016 3:11 pm

+1 for DNScrypt

agix · Sun Nov 13, 2016 3:41 pm

Vote for DNSCrypt yeaa...!!!

SaeedYa · Thu Nov 24, 2016 10:45 am

+1 for Dns crypt

Thu Nov 24, 2016 10:48 am

Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC

majestic · Sun Dec 18, 2016 11:05 pm

Thanks, this is the first time ive seen this RFC being mentioned. Thank you.

I was about to say +1 for adding this feature but to also to allow for custom dnscrypt installs (i.e support custom provider-key, provider-name and providor address) as a lot of us don't use OpenDNS or any other open public server(s). Some of us run our own dns inferstructure which we also have dnscrypt support.

However now that I know they are working on something, I will start investigating when bind/unbound etc will get this support (out of the box). Hopefully soon, meanwhile I would say that dnscrypt support would really help many of us to add to your existing products as a lot of customers use this and with the new laws recently announced, more and more will be jumping onto the boat to use encryption everywhere.

FYI: https://github.com/jedisct1/dnscrypt-proxy is the source(s) you need.

This is all you need (client wise), so if mikrotik had this support as in binary/package, it would solve our issues or we are forced to run additional hardware to support this in our networks i.e. rpi, nas etc assuming soho user here.

Thanks for the heads up btw.

Regards.

mtivi · Sat Jan 07, 2017 11:49 pm

+1
Would be very usefull in Russia, for example

strn · Tue Jan 17, 2017 11:32 pm

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for alle my internal clients and I dont have to use a dnscrypt proxy on every mashine. If anyone is interested in configuring it (especially as their are some compatibility tricks you have to be aware of) I can provide you a the required steps to make it work

SystemErrorMessage · Tue Feb 14, 2017 5:31 pm

Not many would use a raspberry pi to supplement what their routers cant do. Even i run cups and xsane on raspberry pi as well.

This feature is an absolute must because of the DNS proxy/hijacking done by ISPs and is a big problem for me and other people as my DDNS domain is blacklisted by many ISPs only because of the domain it is under which makes it harder for me.

Plenty of other reasons such as for businesses that want to implement their own domain system and to use DNScrypt as routerOS cannot first form a tunnel to the DNS server without a static IP so which not only resolves the issue of ISPs handling your DNS by force but also to secure your DNS so that it does not get attacked by hackers and such.

ab0tj · Tue Mar 07, 2017 8:33 pm

I would also like to add my vote for DNScrypt support! I currently run a separate server for this.

majestic · Tue Mar 07, 2017 8:36 pm

I would also like to add my vote for DNScrypt support! I currently run a separate server for this.

likewise.

MikroTikFan · Mon Mar 20, 2017 1:25 am

+1 for DNSCrypt - again, again and again ...

Mikrotik developers how long we should wait ?

Customer feedback is this days something important for You ?

td32 · Mon Mar 20, 2017 2:10 am

its 2017 and this must be a priority feature.

R1CH · Wed Mar 29, 2017 1:23 am

With the US pushing an agenda that erodes privacy, DNSCrypt support is going to become essential to prevent ISPs from being able to monitor and monetize your browsing habits. Hope to see this in a release sooner rather than later.

https://www.washingtonpost.com/news/the ... otections/

teodorch · Mon Apr 03, 2017 1:20 am

+1

Sent from my Nexus 5 using Tapatalk

teodorch · Mon Apr 03, 2017 1:21 am

+1

Sent from my Nexus 5 using Tapatalk

teodorch · Mon Apr 03, 2017 1:21 am

+1

Sent from my Nexus 5 using Tapatalk

ryz · Mon Apr 03, 2017 3:11 pm

+1

Wysłane z mojego GT-I9195 przy użyciu Tapatalka

actck · Sun Apr 16, 2017 10:20 am

+1 is very helpful with dns poisoning.

We need this feature and request another feature: custom the dns server port in "IP -> DNS Settings"

vaah · Mon Apr 17, 2017 2:24 pm

+1
I'd like to see DNScrypt be implemented into RouterOS, I currently use tomato router to get the DNScrypt working.

GreySer · Mon Apr 17, 2017 2:45 pm

+1
Now using openwrt under vmware.

mdove · Sat Apr 22, 2017 12:22 am

+1 please.

Thanks,
Mike

Florian · Sat Apr 22, 2017 2:03 pm

yngndrw · Mon May 08, 2017 6:57 pm

+1, would love to see this implemented.

Neddy · Tue May 23, 2017 7:56 am

I register to post this request.

Please add support for DNScrypt on RouterOS, it protects our users privacy. I highly appreciate.

majestic · Thu May 25, 2017 5:09 pm

Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC

If you could add support for this, it would be great for everyone or even DNSCrypt which a lot of people use and is more common/known to them. Either would be acceptable. I kinda expect that RFC7858 would be easier to add as the support for unbound has been out quite a long time now if I recall even tho the RFC is quite young as you pointed out.

My only solution right now is to install say Softether onto the resolvers themselfs, then getting the MTK to connect to it and use it as its DNS server. Not a great solution due to if the VPN drops/dies, the DNS for the network would also fold as they would be pointed to the private IP's.

platitude · Sat Jun 03, 2017 10:18 am

+1 for this feature. It is highly important to implement it, especially for users and admins from countries with internet censorship (like me). Hope to see it soon. Thanks!

Yekver · Sun Jun 25, 2017 9:56 pm

+100!!!!

WildCat · Tue Jun 27, 2017 8:38 am

+1
It's a necessity for users from Russia and other countries with a barbarous attitude to the Internet.

Diamond · Tue Jun 27, 2017 11:15 am

+1
Necessary today feature

Rader · Sat Jul 01, 2017 1:53 pm

+1 for DNSCrypt
It is very necessary today!

netbus · Fri Oct 13, 2017 9:41 am

+1
I need this

Joni · Tue Oct 24, 2017 8:55 am

Since it is not mentioned yet... "However, just enabling "DNS over TLS" feature would not prevent your ISP to know what websites you visit. Server Name Indication (SNI) — an extension of the TLS protocol — also indicates ISPs that which hostname is being contacted by the browser at the beginning of the 'handshake' process." https://thehackernews.com/2017/10/andro ... r-tls.html

netbus · Tue Oct 24, 2017 9:55 am

Since it is not mentioned yet...

We are talking about DNSCrypt not DNS over TLS

Joni · Tue Oct 24, 2017 10:58 am

Excellent point, DNSCrypt vs DNS over TLS

However doesn't it have the same "issue"? (being a different protocol, HTTP(S) vs DNS)
AFAIK, overly simplified the only difference being "Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider."

btw. You intend to reference the official site https://dnscrypt.org instead of the commercial Cisco OpenDNS @ https://www.opendns.com/about/innovations/dnscrypt/

netbus · Tue Oct 24, 2017 11:35 am

With this two methods, DNS Requests/Responses are encrypted. It's not fully anonymity but a step to exacerbate life for some snooper.
Only when visiting https websites "(SNI)" Problem is present.

Joni · Tue Oct 24, 2017 12:19 pm

Well this isn't about websites, considering the current "HTTPS everywhere" movement this sounds a bit more than "only", as SNI is a TLS extension, not HTTP.

(just to elaborate how the implementation of DNSCrypt or DNS over TLS (DNSS) itself isn't much of an advancement, especially in relation to a service at the same IP and port being just as available without the hostname, unless using SNI, which is still visible. Not saying it's better than nothing but just emphasizing that it doesn't do all that much)

yngndrw · Tue Oct 24, 2017 2:43 pm

DNSCrypt is not intended to provide privacy, it's intended to help prevent DNS spoofing.

Joni · Tue Oct 24, 2017 7:45 pm

Just emphasizing as many presume one with the other.
Could you reference the intention? It's not a authentication protocol but an encryption protocol... hence the name... not that it could fix SNI but since you specified intentions...

yngndrw · Tue Oct 24, 2017 8:25 pm

The best reference for the intentions would be the first paragraph of the DNSCrypt website:

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

There is no mention of privacy and you wouldn't expect it due to the SNI issue that you mentioned earlier.

The term "security" is quite a broad one and the security referenced in those security vs privacy articles are referring to national security and the need for surveillance, rather that security in the sense of authentication and verification. You can most certainly have security (The authentication kind) without privacy being a fundamental requirement, which is how public-private key cryptography works. (I.e. The public key is, as the name suggests, public - But knowledge of the public key does not allow a third party to impersonate the private key holder)

Unless I'm misunderstanding the scope of DNSCrypt, the primary usage of a pinned key-pair provides signing (Hence authentication of the server) rather than encryption - Encryption is just a side-effect of using SSL.

deathmagicmedia · Wed Oct 25, 2017 10:49 am

+1 please.

timonlio · Thu Nov 02, 2017 3:03 pm

+1 for DNSCrypt, very useful feature

Xtreme512 · Sun Nov 05, 2017 7:13 pm

hope to see it in new routeros version.

lapki · Sat Nov 25, 2017 8:43 am

DNScrypt ready? I would like to install it on my device

cgood · Mon Dec 04, 2017 10:58 pm

+1 DNSCRYPT-PROXY support! Thank you!

sergeykoch · Wed Dec 13, 2017 5:35 pm

+1 for dnscrypt support

m3763 · Fri Dec 15, 2017 11:08 pm

Just registered to add my +1 for support

netravnen · Sun Dec 31, 2017 3:10 am

+1

dnscrypt-proxy added as a separate npk package ?

So initially not a full-blown server. Just a forwarder.

Joni · Mon Jan 08, 2018 1:05 pm

Well that problem got resolved... funny how things turn out in completely unexcpected ways... wait, no... https://www.reddit.com/r/linux/comments ... abandoned/

badass · Sat Feb 17, 2018 12:13 pm

my +1 for support

Lion · Tue Apr 03, 2018 12:12 pm

+1
где DNS-over-TLS и DNS-over-HTTPS ?

anav · Sat Apr 14, 2018 9:54 pm

Well that problem got resolved... funny how things turn out in completely unexcpected ways... wait, no... https://www.reddit.com/r/linux/comments ... abandoned/

Don't look so sad there Mr Coyote......... In any case one has to follow standards, the RFC bouncing ball.

By the way, I could use your sign every time I open WINBOX.

BioDranik · Sat Apr 21, 2018 7:33 pm

+1 for DNSCrypt, HTTPS-DNS or TLS-DNS

blackzero · Sun Apr 22, 2018 2:04 am

Please do this. Anything man, DNSCrypt or DNS over TLS. I can do with either. Just do it don't be lazy.

BigDT · Sat May 12, 2018 12:53 am

+1 For DNScrypt support. also DNS over TLS or DNS over HTTPS

Its very useful for country like Indonesia.
ISP here use Transparent DNS and cannot use the standard 53 dns port

xkubus · Tue Jun 26, 2018 1:04 pm

+1, we are waiting for years to implement. Developers, please pay attention to the number of applicants.

msatter · Tue Jun 26, 2018 1:27 pm

In the time being you can use Unbound on RaspberryPI to have the current DNS securities.

https://unbound.net/

cREoz · Sun Jul 08, 2018 8:37 pm

+1 for DNSCrypt support

mlenhart · Sun Jul 08, 2018 10:36 pm

+1 for DNSSec/DNSCrypt

cavok · Mon Jul 09, 2018 2:00 am

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for alle my internal clients and I dont have to use a dnscrypt proxy on every mashine. If anyone is interested in configuring it (especially as their are some compatibility tricks you have to be aware of) I can provide you a the required steps to make it work

Would love to get this info, please.

vladvalmont · Tue Jul 10, 2018 6:23 pm

+1 for DNSCrypt support

foxxiu7 · Wed Jul 11, 2018 2:35 am

I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for alle my internal clients and I dont have to use a dnscrypt proxy on every mashine. If anyone is interested in configuring it (especially as their are some compatibility tricks you have to be aware of) I can provide you a the required steps to make it work
Would love to get this info, please.

I'm also interested how to add DNSCrypt support on the RPi as currently I'm using two MikroTiks and RaspberryPi with pi-hole and OpenDNS.

Anastasia · Sat Sep 15, 2018 8:41 pm

+1 for DNSCrypt support

MikroRouter · Thu Oct 04, 2018 11:40 am

Hope this can be implemented soon...

thief · Mon Oct 08, 2018 7:47 am

+1 for DNSSec/DNSCrypt

Kamaz · Tue Oct 09, 2018 8:39 pm

+1 for DNSSec/DNSCrypt

Azure · Wed Oct 10, 2018 2:31 pm

Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC

Yes! This!
DNScrypt is great and all... But I'd like to see DNS-TLS as Quad9 supports it.
In the end, either is better than neither!

https://www.quad9.net/faq/#Does_Quad9_s ... S_over_TLS

skiif · Thu Oct 25, 2018 9:23 am

+1 for DNS-over-TLS as it's an IETF approved standard, but of course DNScrypt and DNS-HTTPs also will be very appreciated.

Chupaka · Thu Oct 25, 2018 11:55 am

DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)

Joni · Thu Oct 25, 2018 12:54 pm

DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that's a no-no.

https://www.theregister.co.uk/2018/10/2 ... _standard/

nimbo78 · Sun Oct 28, 2018 2:00 pm

DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)

+1

estas · Wed Nov 28, 2018 4:21 pm

+1 for DNS-over-TLS and DNSCrypt!
and also waiting UDP Proxy...

xkubus · Mon Jan 07, 2019 10:38 am

+1 Please!

EvgeniyV · Tue Jan 08, 2019 1:19 am

+1
interesting, how many people still have to write "+1" that this gave the result?

Kamaz · Mon Jan 14, 2019 11:30 am

Google provides DNS-over-TLS https://developers.google.com/speed/pub ... s-over-tls from January 2019,
also it provides DNS-over-HTTPS https://developers.google.com/speed/pub ... over-https from September 2018.

cgood · Mon Jan 14, 2019 12:04 pm

+1
interesting, how many people still have to write "+1" that this gave the result?

Topic started at 30 Jan 2012 09:55 ... we wait for a miracle

vecernik87 · Mon Jan 14, 2019 1:59 pm

Topic started at 30 Jan 2012 09:55 ... we wait for a miracle

No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone withing few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...

cgood · Mon Jan 14, 2019 9:39 pm

Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone withing few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...

ovpn UDP support may be too "enormous waste of time"?

poizzon · Thu Jan 17, 2019 2:36 am

Chupaka · Thu Jan 17, 2019 8:28 am

+10

+10 to "enormous waste of time"?

Thu Jan 17, 2019 8:45 am

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?

Chupaka · Thu Jan 17, 2019 1:43 pm

HTTPS gives you more security

Huh?..

inability to catch this traffic as an administrator

Well, as it was earlier - by IP address

But generally yes - it's harder for your ISP to block/redirect DoH than DoT as it uses shared port number (443).

Thu Jan 17, 2019 2:24 pm

Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).

cgood · Thu Jan 17, 2019 3:20 pm

Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).

When will the DoH appear

? Когда же?

Chupaka · Thu Jan 17, 2019 3:21 pm

What about SNI?

ESNI is not on stage currently

cgood · Thu Jan 17, 2019 3:26 pm

At home i'm mangling DNS fwd+out connections and redirect to EU OVPN (CHR VPS), but DoH = peer-to-peer encryption & we all need it (=

Thu Jan 17, 2019 3:29 pm

? https://blog.cloudflare.com/esni/

ErfanDL · Thu Jan 17, 2019 4:36 pm

add DNSSEC features

Sent from my C6833 using Tapatalk

Thu Jan 17, 2019 4:43 pm

add DNSSEC features

Sent from my C6833 using Tapatalk

What does it mean?

ErfanDL · Thu Jan 17, 2019 6:35 pm

add DNSSEC features

Sent from my C6833 using Tapatalk
What does it mean?

https://en.m.wikipedia.org/wiki/Domain_ ... Extensions

Sent from my C6833 using Tapatalk

anthonws · Mon Jan 21, 2019 10:15 pm

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?

Both would be the ideal scenario

Naturally that I understand that there's budget/resources constrains and prioritization of features, and therefore that is not viable.

Using Mikrotik mainly as Home gear, my natural choice would be to go with DoH. But, since your main target is Enterprise then it makes sense to invest on the DoT first. I'm sure that the Home users/clients like me will be able to still use DoT.

Ultimately, one or the other will provide the additional security (with more or less controls) that the majority of your customers are looking for

What about SNI? ESNI is not on stage currently

Isn't that at the Browser level only?

anav · Tue Jan 22, 2019 4:31 pm

At a minimum, from a practical point of view, wouldn't it matter more that juniper, cisco, fortigate, zyxel etc......... started implementing such technologies.
Further if mikrotik saw a decrease in sales and an erosion in the current base to such vendors due to technology available elsewhere, then they would be forced to move.
However, that would be too late so it is a matter of timing besides the other usual suspects, money, human resources, code stability, hardware limitations.......

.

R1CH · Wed Feb 13, 2019 12:41 pm

Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?

Why not both? Although DNS over HTTPS seems to be the way forward, very few providers are actually deploying DNS over TLS. As long as you maintain a persistent connection to the resolver, latency should be minimal.

eworm · Wed Feb 13, 2019 11:30 pm

At FOSDEM 2019 Daniel Stenberg (the maintainer of curl) had a talk about DNS over HTTPS - the good, the bad and the ugly. Very interesting topic and he scheds some light on DoT, DNScrypt, DNSsec & Co as well.

IMHO DoH is the way to go.

pothi · Sun Mar 03, 2019 9:57 am

As an administrator, I'd like to have some (or full) control over the traffic, thus favoring DNS over TLS.

As a user, I don't want any control over my internet connection, thus supporting DNS over HTTPS.

Both are better than plain text DNS query.

kenyloveg · Thu Mar 14, 2019 3:50 pm

Can we just holding back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution(intercept plain text like google from udp 53 port then return 127.0.0.1) is very easy way for a ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.

add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353

mutinsa · Sun Apr 07, 2019 10:37 pm

anav · Mon Apr 08, 2019 12:14 am

Can we just holding back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution(intercept plain text like google from udp 53 port then return 127.0.0.1) is very easy way for a ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
Code: Select all
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353

Why limit the destination address to one pubic DNS server. Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.

anthonws · Wed Apr 10, 2019 12:46 am

DoH is no longer a "waste of time" and it's now massively used by the industry (there's even Android Apps to turn on that nowadays with CloudFare for example).

So, questions:

1. Is there an intention from Mikrotik to implement this?
2. Is there a sharable roadmap for the feature to be implemented?
3. If #1 = negative, why and what's the alternative for your users to be able to make use of such technologies?

Thanks,
anthonws.

kenyloveg · Mon Apr 15, 2019 7:39 am

Can we just holding back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution(intercept plain text like google from udp 53 port then return 127.0.0.1) is very easy way for a ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
Code: Select all
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
Why limit the destination address to one pubic DNS server. Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.

Tested this works with opendns, but failed with cloudflare or some other public dns. (assume ISP rules to intercept opendns is not created for now)

obesbash · Tue Apr 30, 2019 6:00 pm

+1 for DNSSec/DNSCrypt

darkmanlv · Wed Jun 12, 2019 3:04 pm

+1 DNSCrypt, when?

febhost32 · Sun Jun 16, 2019 7:24 am

+1 for DNSCrypt

karo84 · Fri Jun 21, 2019 4:07 pm

+10000 for DNSSec/DNSCrypt . It is a big need today to use DNSCrypt. Thanks!

mutinsa · Fri Jun 28, 2019 3:26 pm

up

+1.

kathampy · Wed Jul 31, 2019 8:07 pm

I would also like to see DNS over HTTPS support so I can use Cloudflare's service. Since the RouterOS DNS service is only a forwarder, DNSSEC can only be done by the upstream iterative resolver. To prevent tampering between RouterOS and the upstream resolver, DNS over HTTPS is required.

ErfanDL · Wed Jul 31, 2019 8:18 pm

+1M

Sent from my SM-A705FN using Tapatalk

konigman · Sat Aug 03, 2019 12:16 am

Mikrotik is a business, so we have to treat this feature request as such. Not on ideological (privacy of user) or technical (DoT vs DoH) grounds.

That said, the question Mikrotik is asking themselves is obvious. Is this feature "worth it"?

Our approach should be to not only say "yes" with a sea of +1s (by the way, can there not be some annual feature request poll, annual feedback survey or something like that), but provide arguments that support this conclusion.

For example;

Which major DNS providers now offer DoT/DoH?
Which competing network hardware manufacturers provide DoT/DoH or are planning to?
Which consumer devices support DoT/DoH? The point here is that if consumers start using DoT/DoH, then they will expect to see it in the network gear in their homes, workplace, ISPs.

Now, did you expect me to provide answers to the above? Too bad. I'm Friday-lazy, but consider this me trying to get the ball rolling.

Ok, fine. Here's a list of DNS providers https://en.wikipedia.org/wiki/Public_re ... ame_server so it's evident Cloudflare, Google and Quad9 are leading the way.
Also, about consumer devices, we have "Private DNS" in Android 9.0, which accepts DoT.
Regarding competing firms, someone in the know could chime in.

WojtusW5 · Sat Aug 03, 2019 12:32 pm

+1 a very good idea that encrypted DNS support will be implemented in RouterOS

anthonws · Sat Aug 03, 2019 2:26 pm

Mikrotik is a business, so we have to treat this feature request as such. Not on ideological (privacy of user) or technical (DoT vs DoH) grounds.

That said, the question Mikrotik is asking themselves is obvious. Is this feature "worth it"?

Our approach should be to not only say "yes" with a sea of +1s (by the way, can there not be some annual feature request poll, annual feedback survey or something like that), but provide arguments that support this conclusion.

For example;

Which major DNS providers now offer DoT/DoH?
Which competing network hardware manufacturers provide DoT/DoH or are planning to?
Which consumer devices support DoT/DoH? The point here is that if consumers start using DoT/DoH, then they will expect to see it in the network gear in their homes, workplace, ISPs.

Now, did you expect me to provide answers to the above? Too bad. I'm Friday-lazy, but consider this me trying to get the ball rolling.

Ok, fine. Here's a list of DNS providers https://en.wikipedia.org/wiki/Public_re ... ame_server so it's evident Cloudflare, Google and Quad9 are leading the way.
Also, about consumer devices, we have "Private DNS" in Android 9.0, which accepts DoT.
Regarding competing firms, someone in the know could chime in.

All good points that have been indefinitely mentioned throughout the forum in numerous threads.

Just forget it. It's not going to happen.

There's no objective Customer Care/Success Unit strategy from Mikrotik, let alone someone or some Business Unit looking into these forums, other than support.

Honestly (and I'm not the only one saying this), take you're money elsewhere for your next network equipment acquisition.

drdedus · Wed Sep 11, 2019 12:47 am

+1 for DNSSec/DNSCrypt

3dfx · Thu Sep 26, 2019 12:53 am

Any updates on the topic?

kenyloveg · Mon Oct 14, 2019 7:02 am

Never tried V7 beta, something new in the DNS section?

Sob · Mon Oct 14, 2019 6:42 pm

Nothing I can see. But it's early beta and the main goal is to have new kernel, not so much new features, even though there are some (not for DNS).

kenyloveg · Thu Oct 17, 2019 5:20 am

Nothing I can see. But it's early beta and the main goal is to have new kernel, not so much new features, even though there are some (not for DNS).

Thank you.

JmJ17 · Wed Nov 20, 2019 3:23 pm

+1 for this request.

TheDoctor · Wed Dec 18, 2019 10:56 am

+1 for sure.
Are there any news ?

misterx11 · Tue Dec 31, 2019 8:19 pm

+1 for this request as well.
Hoping we see it implemented soon.

arusi · Thu Jan 02, 2020 3:55 am

+1 for DNS over HTTPS

anakin475 · Wed Jan 15, 2020 10:03 am

+1 for DNSCrypt!!!

gorec2005 · Tue Feb 04, 2020 8:05 am

+1 for DNS over HTTPS

msatter · Tue Feb 04, 2020 2:48 pm

-1 for DNS support over HTTPS (DoH)
+1 for DNS support over TLS (DoT)

DNSCrypt is an extra encrypting then.

TheDoctor · Tue May 26, 2020 12:42 am

And one more time topic up.
+1 for DoT.

Kamaz · Thu May 28, 2020 12:44 pm

+1 for DoT.

Thu May 28, 2020 12:45 pm

What is the reason to support DoT if you already have DoH?
You want DNS entryption that is easy to be blocked by the ISP? Why?

Chupaka · Thu May 28, 2020 1:11 pm

You want DNS entryption that is easy to be blocked by the ISP? Why?

Probably because they are ISP

Thu May 28, 2020 1:54 pm

awwww

zabullet · Thu Jun 04, 2020 10:38 pm

https://wiki.mikrotik.com/wiki/Manual:I ... over_HTTPS

YAY!?

0bit · Tue Jul 14, 2020 1:56 am

As alternative is good to have DoT.
+1 for DoT

syborg · Thu Mar 31, 2022 8:53 pm

I second this.

curzondax · Sat Oct 08, 2022 8:50 pm

Seriously, thank you to MT for implementing DoH at least.

+1 for DoT though, as they are both different and have their own strengths and weaknesses. As DoH is already implemented, it should be trivial to implement DoT, especially with how well-documented and well-supported it is by most of the world.

DoT is not trivial to implement. DoH is much easier to implement.

If Mikrotik wanted to deploy DoT, they would likely have to choose between an existing daemon (Stubby?), or make their own, which requires a lot of performance and behavioral considerations.

Supporting DoH3 (DNS over HTTPS/3 or QUIC) is probably the natural next step.