Community discussions

MikroTik App
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

CloudFlare DNS over TLS

Mon Apr 02, 2018 2:30 pm

Hi,

Last days CloudFlare has annouced new DNS service.
This includes also secured DNS
- DNS over HTTPS
- DNS over TLS
https://developers.cloudflare.com/1.1.1 ... structure/

Please advice me if secured DNS can be implemented in Mikrotik.
I know that other DNS technology DNSCrypt is still not implemented.

CloudFlare is one of the best dns
http://www.dnsperf.com/


Thanks in advance.
Last edited by MikroTikFan on Sun Apr 08, 2018 6:24 pm, edited 1 time in total.
 
User avatar
Xtreme512
Member Candidate
Member Candidate
Posts: 119
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY
Contact:

Re: CloudFlare DNS over TLS

Mon Apr 02, 2018 8:53 pm

I want that too, but it's not compatible with RouterOS, just like the advanced OpenVPN setup. Needless to say, I'm using an ad-blocking DNS (Adguard DNS) blocks malware sites as well. 1.1.1.1 DNS seems real good (need to see the malware results compare to other alternatives), hope they also implement ad-blocking feature.
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: CloudFlare DNS over TLS

Mon Apr 02, 2018 9:20 pm

Why would you trust your metadata to a third party else than where you sent you internet traffic through!?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: CloudFlare DNS over TLS

Mon Apr 02, 2018 9:43 pm

1.1.1.1 DNS seems real good (need to see the malware results compare to other alternatives), hope they also implement ad-blocking feature.
I see no claims at all about filtering malware or ads. It is just a DNS resolver.
Why would you trust your metadata to a third party else than where you sent you internet traffic through!?
In some cases the ISP DNS resolver has "additional features" that some people may not like, including returning false IP addresses for
certain domains or returning a false IP address for every lookup of a nonexisting domain.
Using an independent resolver may fix that.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: CloudFlare DNS over TLS

Tue Apr 03, 2018 12:56 am

It will help with filtering, at least for now. It won't do that much for privacy, because everything moves to https and SNI is happy to tell anyone on the way what domain you access.

The part about filtering I'm worried about, is that current DNS filtering is great. When someone wants to censor something (governments just love that), DNS filtering is the first thing they try. In most simple case, when it's done on ISP's resolvers, it sort of works, at least for regular user who uses network config provided by ISP. And surprisingly, censors are often satisfied with that. For ISP, it's not hard to set up either. And every user who doesn't like that, simply uses different resolvers. In the end, everyone is happy. But the more these "uncensorable" ways are going to be used, the sooner will the censors want to do something about it. It's not really an argument against these new secure ways, because the idea that "if we want to censor something, it should actually work" will come to them sooner or later anyway...
 
netbus
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Mon Sep 04, 2017 12:42 pm

Re: CloudFlare DNS over TLS

Wed Apr 04, 2018 9:24 am

+1
I want it too
 
marianob85
just joined
Posts: 20
Joined: Wed Feb 08, 2017 9:47 pm

Re: CloudFlare DNS over TLS

Wed Apr 04, 2018 9:32 am

Me too
+1
 
User avatar
Vanta
just joined
Posts: 7
Joined: Mon Nov 29, 2010 5:24 pm

Re: CloudFlare DNS over TLS

Wed Apr 04, 2018 1:22 pm

Same for me. +1
 
anavds
newbie
Posts: 36
Joined: Wed Apr 04, 2018 2:47 pm

Re: CloudFlare DNS over TLS

Wed Apr 04, 2018 2:49 pm

+1, I'm not paranoid but I'm sure SOB is tracking my DNS! ;-)
 
User avatar
baragoon
Member
Member
Posts: 384
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA
Contact:

Re: CloudFlare DNS over TLS

Wed Apr 04, 2018 2:54 pm

Will be implemented in ROS v7 :D
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: CloudFlare DNS over TLS

Sun Apr 08, 2018 6:25 pm

Will be implemented in ROS v7 :D

This is hope or you know something more ?

I just wondering which solution became more popular :
- DNS over HTTPS
- DNS over TLS
?
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: CloudFlare DNS over TLS

Sun Apr 08, 2018 7:13 pm

It's not hope or knowing more, it's cruel joke. Have you heard about ROS v7 before, right? :)

On topic, DNS over TLS has head start, it's already RFC. On the other hand, it uses "unusual" port 853 by default, and it's going to be problem in some places. If I'd want to guess, DNS over HTTPS has better chance. Not that I'd be too excited by this "make everything on internet HTTPS" movement.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12982
Joined: Thu Mar 03, 2016 10:23 pm

Re: CloudFlare DNS over TLS

Sun Apr 08, 2018 7:21 pm

Considering that HTTPS is HTTP over TLS (nowadays), then DNS over HTTP does sound stupid, doesn't it?

Not much worse than becoming XML compliant by pushing binary blob MIME64 encoded into XML file. Our favourite RAN vendor does it :roll:
 
pssara
just joined
Posts: 24
Joined: Thu Oct 28, 2010 9:54 am

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 3:13 pm

I was looking for that as well.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 3:36 pm

Why is everyone suddenly looking for this?
The performance will be dreadful compared to normal DNS, isn't it?
You would probably only want this when there is really no other way of having unfiltered DNS.
In most cases the use of a VPN to some unfiltered site is way more practical.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12982
Joined: Thu Mar 03, 2016 10:23 pm

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 4:18 pm

I guess that's desperate folks trying to access some content where internet is not as free as elsewhere. And cross-border VPN is blocked as well. These days HTTP over SSL is allowed almost everywhere while many other encrypted protocols are not, therefore everybody got idea to piggy-back other protocols on top of HTTPS.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 4:52 pm

Then piggy-back a VPN on top of TLS (e.g. SSTP or OpenVPN) and work from there...
 
Rudde
just joined
Posts: 4
Joined: Mon Mar 16, 2015 1:24 pm

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 5:05 pm

I'm also interested in this feature.

And maybe not everyone want to or have the resources to redirect ALL their traffic outside of a country to accommodate, what .4% of their requests? Or they don't want the performance penalty?
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 6:58 pm

The explanation is simple. People are suddenly looking into this, because they've seen news about Cloudflare's new public resolvers. It might have opened their eyes about how DNS works and motivated them to want more privacy. Or they just wanted to check if RouterOS supported it, in case they would need it one day. VPN is good too, but VPN's don't grow on trees. Technically, neither do DNS resolvers, but in terms of accessibility it's like if they were, they are free for everyone, unlike VPNs.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 7:40 pm

You should understand that encrypting your DNS for the sole purpose of "websurfing" does not yield any privacy because the ISP can still look into the https session startups and see the SNI (which was added to allow https on shared hosting). So when you really want privacy, you need to tunnel all your traffic to an external VPN.
(this of course only gives you privacy against the ISP and your local government, now the VPN provider can see everything you do)

Securing only DNS and not the actual traffic brings very little. It could be a workaround against polluted DNS (some answers modified, maybe a default answer instead of "not found"), but is only required when the ISP does some dst-nat to capture all standard DNS traffic (so you can't simply use 1.1.1.1 or 8.8.8.8 instead of your ISP's DNS forwarders), even on nonstandard ports like 5353 which are provided to work around such things.

When you still want DNS over TLS, a better solution would be to setup an SSTP or OpenVPN connection to some service that allows you to send DNS queries (in UDP) over such a VPN to their resolvers. The DNS queries go over that VPN, the other traffic is sent directly. This will be way more efficient than DNS over TLS, as setting up a TLS connection has a lot of overhead. (the connection could be kept alive for multiple queries but apparently nobody does that)
 
jaymemaurice
just joined
Posts: 5
Joined: Thu May 19, 2011 9:28 am
Location: Dubai, UAE
Contact:

Re: CloudFlare DNS over TLS

Wed Apr 11, 2018 11:51 pm

You should understand that encrypting your DNS for the sole purpose of "websurfing" does not yield any privacy because the ISP can still look into the https session startups and see the SNI (which was added to allow https on shared hosting). So when you really want privacy, you need to tunnel all your traffic to an external VPN.
I think one of us misunderstands how this is supposed to work with encrypted DNS and why it's important that RouterOS's DNS server is revamped:
https://tools.ietf.org/id/draft-schwart ... ni-02.html
but is only required when the ISP does some dst-nat to capture all standard DNS traffic (so you can't simply use 1.1.1.1 or 8.8.8.8 instead of your ISP's DNS forwarders), even on nonstandard ports like 5353 which are provided to work around such things.
This is also incorrect. DPI can/does use DNS priming for priming protocol identification
https://patents.justia.com/patent/9887881
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: CloudFlare DNS over TLS

Thu Apr 12, 2018 2:07 am

@jaymemaurice: We're talking about slightly different SNI (well, it's the same SNI, but how it's used now vs. what the linked draft suggests). And that draft is strange, it looks like recipe for really overcomplicated hide & seek game to me.

According to it, if I want to connect to https://badforbiddenstuff.tld, browser will get the new DNS SNI record, which will tell it to send worldofkittens.tld as server name instead of badforbiddenstuff.tld. Server will still send back certificate valid for badforbiddenstuff.tld and client will verify that. It will do any good only with TLS 1.3 which can send certificates encrypted (I didn't know that, that's interesting news) and so attacker won't be able to get anything from it. Good so far, and I do believe that it could help against passive attacker. But I'm more worried about attackers who are less passive, who want to block stuff. And they will of course know that badforbiddenstuff.tld exists and that it has DNS SNI record with worldofkittens.tld. So unless worldofkittens.tld is real existing site sharing the same IP address with badforbiddenstuff.tld, it can be easily blocked. And worst case, when they really can't tell one from another, worldofkittens.tld will simply go as collateral damage. And I also have hard time to believe that browsers will actually implement this, because it means sending extra DNS query for every single hostname. So it's likely to end up like SRV records for HTTP(S), i.e. not supported because the extra queries could slow things down, it would be bad for user experience and it's just not worth it, because it would be used only by tiny fraction of sites anyway.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: CloudFlare DNS over TLS

Sun Apr 15, 2018 9:43 pm

Hi,

Is there any chance that somebody from Mikrotik Team will comment this post/request ?

...
 
OhJeez
just joined
Posts: 4
Joined: Sun Apr 09, 2017 9:31 pm

Re: CloudFlare DNS over TLS

Sun Apr 22, 2018 4:21 pm

I also want this feature.
 
User avatar
SirPrikol
newbie
Posts: 28
Joined: Wed Oct 11, 2017 12:36 pm

Re: CloudFlare DNS over TLS

Mon Apr 23, 2018 2:00 pm

Me too need this
 
levicki
newbie
Posts: 32
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia
Contact:

Re: CloudFlare DNS over TLS

Mon Apr 30, 2018 12:30 pm

Hello, new MikroTik owner here.

I'd also like to see DNS over HTTPS support.

I am not sure if the forum will let me post a link but I will try anyway. This is the source code of cloudflared (daemon) which can act as DNS over HTTPS proxy. It is written in Go language, it should be straightforward to port.
https://github.com/cloudflare/cloudflared
 
levicki
newbie
Posts: 32
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia
Contact:

Re: CloudFlare DNS over TLS

Tue May 01, 2018 11:33 am

Cloudflared (daemon for cloudflare services including DNS over HTTPS) is open-source and written in Go language, you can find it on GitHub and port to MikroTik.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: CloudFlare DNS over TLS

Tue May 01, 2018 5:08 pm

Cloudflared (daemon for cloudflare services including DNS over HTTPS) is open-source and written in Go language, you can find it on GitHub and port to MikroTik.
But there are 1000 things you can find on GitHub and port to MikroTIk, and after having completed that there will be still more requests for new things to add....
 
blackzero
newbie
Posts: 25
Joined: Tue Aug 09, 2011 3:40 pm

Re: CloudFlare DNS over TLS

Sun Jul 22, 2018 2:54 am

Why would you trust your metadata to a third party else than where you sent you internet traffic through!?
Irrelevant. We're requesting TLS and HTTPS (for DNS) support.

---

Please Mikrotik team, do this. DNS hijacking/redirection is a real issue.
 
MikroRouter
just joined
Posts: 12
Joined: Wed Nov 02, 2011 11:00 am

Re: CloudFlare DNS over TLS

Thu Oct 04, 2018 11:41 am

Hope this feature can be implemented soon, this is the last piece before we can go full encrypted
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: CloudFlare DNS over TLS

Thu Oct 04, 2018 12:15 pm

Hope this feature can be implemented soon, this is the last piece before we can go full encrypted
You can already go full encrypted by setting up a VPN link to a router "in the cloud" (your own CHR running on a VPS host or one of the many VPN services) and route your DNS traffic over that.
(RouterOS is powerful enough to route only your DNS traffic and maybe your http traffic over the VPN, while still routing https traffic directly)
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: CloudFlare DNS over TLS

Thu Oct 04, 2018 6:08 pm

But if your only problem is ISP messing with DNS, then VPN/VPS route is relatively complicated, with extra costs, while you don't really need any of that.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: CloudFlare DNS over TLS

Thu Oct 04, 2018 8:51 pm

Pity that "DNS over TLS" was implemented as a new standard. They could just have used existing VPN technology and tunneled standard DNS over that.
So services like CloudFlare could simply offer VPN access to their resolvers. Would be more efficient too.
And best of all, router manufacturers would not have to implement new things (and customers would not have to beg and wait for it).
 
rea1ity
newbie
Posts: 25
Joined: Mon Jun 24, 2013 10:24 am

Re: CloudFlare DNS over TLS

Sat Oct 20, 2018 11:20 pm

I hope, DOH(DNS Over Https) supported on Mikrotiks soon.
And hope also following URL can help you.
https://dnsprivacy.org
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: CloudFlare DNS over TLS

Mon Oct 22, 2018 1:06 am

I've got DNS over TLS working on my hEX! If you've rooted your device (don't contact MT for support if you do this!) it's quite straightforward to install. Since cloudflared is written in Go, it's easy to cross-compile and the only thing it needs to operate is a ca-certificates.crt bundle which I copied over from Debian. I then use a dst-nat REDIRECT rule to point all port 53 traffic to cloudflared running on port 5353:

Image

Unfortunately Go binaries are statically compiled, making them very large. The mipsle cloudflared is 15 MB so it doesn't fit on the flash on the device, it needs downloading to RAM on startup. The 16 MB flash is definitely limiting what you can do when it comes to installing your own software. Cross-compiling one of the DoH implementations written in C will probably result in a more manageable binary size, but this is of course much more complicated.
 
User avatar
shuum
newbie
Posts: 31
Joined: Fri Nov 29, 2013 9:50 am
Location: Novosibirsk

Re: CloudFlare DNS over TLS

Sun Oct 28, 2018 5:03 am

Me too
+1
 
Miracle
Member Candidate
Member Candidate
Posts: 106
Joined: Fri Sep 11, 2015 9:04 am

Re: CloudFlare DNS over TLS

Sun Oct 28, 2018 5:49 am

I've got DNS over TLS working on my hEX! If you've rooted your device (don't contact MT for support if you do this!) it's quite straightforward to install. Since cloudflared is written in Go, it's easy to cross-compile and the only thing it needs to operate is a ca-certificates.crt bundle which I copied over from Debian. I then use a dst-nat REDIRECT rule to point all port 53 traffic to cloudflared running on port 5353:

Image

Unfortunately Go binaries are statically compiled, making them very large. The mipsle cloudflared is 15 MB so it doesn't fit on the flash on the device, it needs downloading to RAM on startup. The 16 MB flash is definitely limiting what you can do when it comes to installing your own software. Cross-compiling one of the DoH implementations written in C will probably result in a more manageable binary size, but this is of course much more complicated.
Do we have rooted after update ros to new version ?
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: CloudFlare DNS over TLS

Sun Oct 28, 2018 3:24 pm

Not sure, supposedly the update process wipes out any non-standard files so I'm not going to update until I have a very good reason to. I imagine Mikrotik will silently patch the jailbreak so I don't know how long this will be possible.
 
inframe
just joined
Posts: 10
Joined: Tue May 13, 2014 10:20 am

Re: CloudFlare DNS over TLS

Tue Nov 13, 2018 2:15 pm

relevant thing for the conference! Waiting for a new feature :roll:
 
itscris
just joined
Posts: 4
Joined: Mon Jan 07, 2019 1:39 pm

Re: CloudFlare DNS over TLS

Sun Jan 13, 2019 11:50 am

Needed very much +1 .,, ISP is sniffing and redirecting DNS traffic.. Even when using SOCKS5 over SSH and forget to direct DNS traffic through the tunnel too (that's how I found out)
 
hardtik
just joined
Posts: 17
Joined: Sat Apr 15, 2017 11:00 pm

Re: CloudFlare DNS over TLS

Wed Feb 13, 2019 11:08 am

+1

Can anybody from MikroTik reply on this thread?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: CloudFlare DNS over TLS

Wed Feb 13, 2019 11:18 am

Who is online

Users browsing this forum: No registered users and 21 guests