viewtopic.php?f=2&t=132678Add DNS over HTTPS (DoH) client to RouterOS. This will significantly improve the privacy of network users and devices (especially when RouterOS device serves as DNS cache/recursive resolver).
https://developers.google.com/speed/pub ... over-https
https://developers.cloudflare.com/1.1.1 ... ver-https/
While experimental protocol, the infrastructure is already provided by 2 of the biggest 4 recursive DNS providers and provides significant benefits in practice.
I'm actually reading this post because I was wondering if routerOS had any way to NXDOMAIN a given address, in order to implement the canary domain as per https://support.mozilla.org/en-US/kb/co ... over-https. I don't want traffic on our (SOHO) network that skips DNS-based filtering or tells google/cloudflare everything.And the idea with canary domain and ability to tell browser this way to not use DoH, it's not hard to predict how it will go, is it? If I'm the bad guy who wants to mess with users' DNS, of course I will use that.
DoH uses HTTPS as a transport, so transparent redirects are not gonna be possible.The only way I see is for RoS to intoduce DoH support and transparently resolve using DoH enabled DNS servers.
DoH has nothing to do with security. Really nothing. Some believe it has something to do with confidentiality (which is not the same as security), though this statement is also arguable.[*]DNS requests are not secure.
It would be transparent to the client devices which are still using vanilla DNS requests - not the router.DoH uses HTTPS as a transport, so transparent redirects are not gonna be possible.The only way I see is for RoS to intoduce DoH support and transparently resolve using DoH enabled DNS servers.
How would you call preventing your ISP and all servers in between to sniff and log your DNS queries then?DoH has nothing to do with security. Really nothing. Some believe it has something to do with confidentiality (which is not the same as security), though this statement is also arguable.[*]DNS requests are not secure.
You transfer the possibility for your ISP (a party you selected yourself and probably know well, and who you pay for your internet service) to sniff the DNS traffic to another party who you do not know, you do not know where they are located, and you do not pay them money for the service directly (so they have to earn money from your requests in a different way).How would you call preventing your ISP and all servers in between to sniff and log your DNS queries then?DoH has nothing to do with security. Really nothing. Some believe it has something to do with confidentiality (which is not the same as security), though this statement is also arguable.[*]DNS requests are not secure.
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.
So developing ESNI (encrypted SNI) does not make sense because usual DNS leaks the information anyway?If you want to keep DNS queries secret, there's currently no point, because you'll most likely use them to connect to some website and SNI will tell anyone on the way to which one.
Even with IPv6, SNI is normally used because it often is an extra burden to assign multiple IPv6 addresses to the same webserver for the purpose of serving different domains.With IPv6 you don't need SNI anymore because you have huge numbers of unique IPv6 address available.
Why use a webserver. I don't want DoH go through a webserver then a proxy and finally arrive at the DNS server and the has to the way back.Even with IPv6, SNI is normally used because it often is an extra burden to assign multiple IPv6 addresses to the same webserver for the purpose of serving different domains.With IPv6 you don't need SNI anymore because you have huge numbers of unique IPv6 address available.
This is not about DoH, this is about SNI. SNI is required when serving websites for multiple domains on a single server (or at least a single address).Why use a webserver. I don't want DoH go through a webserver then a proxy and finally arrive at the DNS server and the has to the way back.Even with IPv6, SNI is normally used because it often is an extra burden to assign multiple IPv6 addresses to the same webserver for the purpose of serving different domains.With IPv6 you don't need SNI anymore because you have huge numbers of unique IPv6 address available.
YOU ARE JUST NOT GETTING IT!!!! The SNI is NOT RELATED to the use of DoH.A DoH proxy or loadbalancers for DNS do not serve websites so have don't a requirement to be using a SNI.
Agreed, DOH is BULL.I might be a minority here, but all this DNS over https/TLS,etc, in my opinion, has nothing to do with user's privacy at all, but it has everything to do with making ad blocking and corporate filtering obsolete.
What does it have to do with Google? In Firefox you can enter any DOH server you want.2- ensures no one besides google will have visibility on DNS-query statistics (google collects its data chrome, that's why they pledge no data collection server-side. they already have all the data they want from chrome.).
More interesting is that it breaks local DNS server functions e.g. setting static names in your MikroTik router for e.g. the local printer or another local service.Agreed, DOH is BULL.I might be a minority here, but all this DNS over https/TLS,etc, in my opinion, has nothing to do with user's privacy at all, but it has everything to do with making ad blocking and corporate filtering obsolete.
The only things it archieves are:
1- completely breaks local caching, therefore causing problems in networks with high latency. (basically everyone on radio.)
I might be a minority here, but all this DNS over https/TLS,etc, in my opinion, has nothing to do with user's privacy at all, but it has everything to do with making ad blocking and corporate filtering obsolete.
But the privacy/restriction problem will only move from the ISP resolver to the DoH resolver chosen. Whether that is an improvement, depends on the local situation.There are many places in the world where the Internet is restricted and tools like this help users in those regions to browse privately. There are other use cases as well but increased privacy and encryption for the end user is a trend that will continue IMO.
But the privacy/restriction problem will only move from the ISP resolver to the DoH resolver chosen. Whether that is an improvement, depends on the local situation.
The question is: will the user have a choice or Google will use its own DNS no matter what the users chooses?but at least the user has the choice of which DNS resolver to trust and it's obscured to the transit providers.But the privacy/restriction problem will only move from the ISP resolver to the DoH resolver chosen. Whether that is an improvement, depends on the local situation.
Sorry to read that and I think you had problems with DHCP. First I setup it without being it also a DHCP server and just get it resolving DNS locally. Then look if a client can resolve by using dig miktotik.com @192.168.88.X and the IP is from the pi-hole.This entire thread is way over my head, but smatter........ I tried DNS over pihole and all it got me was grief from the family as the internet would work intermittently or not at all.
There is no clean implementation path I could discern using pihole (how to set it up without effing up my router configuration or creating a monster mess). Obviously beyond my capabilities so I ditched the effort.
Just trying to keep it real, in terms of supporting extra capabilities when deemed, by the angry red bird, to be of sufficient practicality and purpose by adding said functionality to the router!!!!
What does it have to do with Google? In Firefox you can enter any DOH server you want.2- ensures no one besides google will have visibility on DNS-query statistics (google collects its data chrome, that's why they pledge no data collection server-side. they already have all the data they want from chrome.).
Or just limit the whole connection and stop trying to get fancy. If you can't serve 20mbps then dont try to for some things and not others. I really don't care if my Gmail runs at full speed but u can't watch a YouTube video on your WiFi, the end result is the feeling that it's broken.Of course when these techniques become universally implemented, we need to make a sticky topic for the many users that come here with requests like:
- I need to block some specific website (Youtube/Facebook/whatever)
- I need to allow access to only one specific website (externally hosted company site)
- I need to limit the use of bandwidth by this or that service, e.g. operating system updates
etc. There can be a simple cooked reply stating that these things are no longer possible, and that all recipes those people find that claim to solve it do no longer work.
And also that despite information they have read elsewhere, other manufacturer's equipment cannot do it either.
At first sight it may seem that this privacy is a good thing, but of course it will cause some things to collapse, like free Wifi for visitors and limited-bandwidth wireless internet connectivity with purposely limited usage.
Current DNS/DOT:
1.1.1.1
8.8.4.4
8.8.8.8
4.2.2.2
4.2.2.1
14.215.150.17
14.215.155.156
14.215.155.170
14.215.155.203
42.120.214.1
58.247.212.48
58.247.212.36
58.247.212.119
61.129.8.159
61.151.180.44
61.215.150.17
101.226.220.16
111.161.57.77
111.161.57.81
121.161.220.16
121.51.128.164
149.112.112.112
151.51.1.151
180.76.76.76
180.163.19.5
182.140.167.188
182.140.167.166
216.239.35.0/24
223.5.5.5
Added block-doh:
9.9.9.9
9.9.9.10
45.32.105.4
45.32.253.116
45.77.124.64
47.96.179.163
104.16.248.249
104.16.249.249
104.236.178.232
104.28.0.106
104.28.1.106
108.61.201.119
116.203.35.255
116.203.70.156
118.89.110.78
136.144.215.158
139.59.48.222
146.185.167.43
149.112.112.10
149.112.112.9
185.228.168.10
185.228.168.168
Current DNS/DOT:
2001:4860:4860::8844
2001:4860:4860::8888
2620:fe::fe
Added from block-doh:
2001:19f0:4400:7bcc:5400:1ff:fed1:8599
2001:19f0:6001:146f:45:77:124:64
2001:19f0:7001:1ded:5400:1ff:fe90:945b
2001:19f0:7001:27a2:45:32:253:116
2001:470:f324::45:77:124:64
2001:470:ff0a::45:32:253:116
2604:a880:1:20::51:f001
2606:4700:30::681c:16a
2606:4700:30::681c:6a
2606:4700::6810:f8f9
2606:4700::6810:f9f9
2620:fe::10
2620:fe::9
2620:fe::fe:10
2620:fe::fe:9
2a01:4f8:1c1c:5e77::1
2a01:4f8:1c1c:75b4::1
2a01:7c8:d002:1ef:5054:ff:fe40:3703
2a03:b0c0:0:1010::e9a:3001
$i a=dns.aa.net.uk
$i a=dns.aaflalo.me
$i a=dns-nyc.aaflalo.me
$i a=dns.adguard.com
$i a=dns-family.adguard.com
$i a=doh.dnswarden.com
$i a=ecs-doh.dnswarden.com
$i a=ads-doh.securedns.eu
$i a=dns.alekberg.net
$i a=dns.brahma.world
$i a=dns.cloudflare.com
$i a=commons.host
$i a=dns.containerpi.com
$i a=dns.digitale-gesellschaft.ch
$i a=doh.dns.sb
$i a=dns1.dnscrypt.ca
$i a=dns2.dnscrypt.ca
$i a=doh.cleanbrowsing.org
$i a=doh.crypto.sx
$i a=doh-ipv6.crypto.sx
$i a=doh-de.blahdns.com
$i a=doh.eastus.pi-dns.com
$i a=doh-fi.blahdns.com
$i a=fi.doh.dns.snopyta.org
$i a=ibksturm.synology.me
$i a=doh-jp.blahdns.com
$i a=doh.northeu.pi-dns.com
$i a=doh.westeu.pi-dns.com
$i a=doh.westus.pi-dns.com
$i a=doh.appliedprivacy.net
$i a=doh.ffmuc.net
$i a=doh.li
$i a=doh.tiarap.org
$i a=edns.233py.com
$i a=ndns.233py.com
$i a=sdns.233py.com
$i a=wdns.233py.com
$i a=dns.google
$i a=jp.gridns.xyz
$i a=doh.tiar.app
$i a=public.dns.iij.jp
$i a=jp.tiar.app
$i a=jp.tiarap.org
$i a=doh.libredns.gr
$i a=dns.nextdns.io
$i a=doh.powerdns.org
$i a=doh.seby.io
$i a=doh-2.seby.io
$i a=dns.twnic.tw
$i a=dns9.quad9.net
$i a=ea-dns.rubyfish.cn
$i a=uw-dns.rubyfish.cn
$i a=dns2.alekberg.net
$i a=doh.securedns.eu
$i a=dns.t53.de
$i a=doh.xfinity.com
DoH moves the problem of spying from the country of the user to the country of the DoH hoster. Not always an improvement!Don't forget about countries that spy on people, block information, etc. This is a whole debate with many sides.
So true - this is holy sh*t! Actually I am in fact using a doh-blocklist, but if I am not trusting this anymore the only way to go is HTTPS inspection - nothing I'd like to do either. If I cannot trust my clients anymore being shielded by PiHole I will have to. This is why I don't like DoH personally, but I don't have to deal with blocking by ISP or gov of course.Good luck blocking all the cloud providers, since anyone can host any service anywhere.
No, you are doing the blocking yourself and it is your clients who have to deal with a blocking ISPSo true - this is holy sh*t! Actually I am in fact using a doh-blocklist, but if I am not trusting this anymore the only way to go is HTTPS inspection - nothing I'd like to do either. If I cannot trust my clients anymore being shielded by PiHole I will have to. This is why I don't like DoH personally, but I don't have to deal with blocking by ISP or gov of course.Good luck blocking all the cloud providers, since anyone can host any service anywhere.
Well, in some countries people trust their local government more than they trust the USA where there can be a president like Trump.I still don't understand how you can trust your country government (which is known for blocking and filtering information), but don't trust Mozilla, Cloudflare and Google
And I don‘t understand how anyone can trust G**gle at all. In fact all US-based services are to be untrusted. I don‘t use government‘s or ISP‘s DNS services either, nonetheless my gov does not do blocking or filtering.I still don't understand how you can trust your country government (which is known for blocking and filtering information), but don't trust Mozilla, Cloudflare and Google
I see nothing from the EU jurisdiction that is similarly well-known.
How about my homepod, robotcleaner, Intelligent curtain and other smart device, and home server like unraid or freenas?For the sake of argument, can you give some examples why do you need DoH on the router, if you can use it in your browser already?
When version 6.47 is released to stable channel. There's no date for that, though.There is information when the DoH function will go from beta to release?
to use it check the manual form cloudflare at https://developers.cloudflare.com/1.1.1 ... ver-https/In 6.47 announced DoH support, but it does not working.
I tried servers 1.1.1.1, 8.8.8.8, 9.9.9.9 - no success. How to use it?
why do i need a root certificate?From other threads........
Fm Normis
Follow these steps exactly:
./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""
ALso.......
https://jcutrer.com/howto/networking/mi ... over-https
Because it is not included in RouterOS.why do i need a root certificate?
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query
Because a trusted channel is completely useless when you don't validate who is at the other end...Why?
No, but neither do I think that my ISP will fiddle with DNS traffic towards 1.1.1.1 (inspecting or modifying it).Do you thing my ISP opens up the https packets and look for DNS packets?
Setting a working DoH (that will also work after reboot) is still a bit tricky with this version.I will add certificate later. This was just for testing purpose, since DoH was just released.
He simply doesn't understand us HAMS.Hi Pe1chl, (so hard just change ur nick to Pikachu
Just want to share to all people, if you want to verify the DoH server, you can go to https://1.1.1.1/dns-query using the web browser and download the the 3 certificates from the server site. Then import the 3 certificates to your router and it should be fine.I did not use any certificate, just added:
One line only for DNS and it works fine.Code: Select all/ip dns set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query
There are no webpage opening at this url.you can go to https://1.1.1.1/dns-query using the web browser
yes correct there is no page, but you can view the site certificate from the browser pad lock and download the 3 certificates from there.There are no webpage opening at this url.you can go to https://1.1.1.1/dns-query using the web browser
Only two certificates are required, use the two with "DigiCert" in name. The "cloudflare-dns.com" certificate is shipped by the server.Just want to share to all people, if you want to verify the DoH server, you can go to https://1.1.1.1/dns-query using the web browser and download the the 3 certificates from the server site.
That depends how the server is configured. It should return the intermediate certificate in the reply, but some servers do not do that.Are you sure it needs the intermediate certificate as well? It works for me with just the root certificate as well.
I completed everything that is written in the instructions, I get an error:Are you sure it needs the intermediate certificate as well? It works for me with just the root certificate as well. I have published the example on wiki as well if you have any comments:
https://wiki.mikrotik.com/wiki/Manual:I ... over_HTTPS
I think one thing is unclear here. While my DoH setup is working flawlessly I wonder what's the decision tree for DoH vs UDP. If I have DoH + normal DNS configured which one is used? Is there a fallback if DoH is inaccessible?Are you sure it needs the intermediate certificate as well? It works for me with just the root certificate as well. I have published the example on wiki as well if you have any comments:
https://wiki.mikrotik.com/wiki/Manual:I ... over_HTTPS
I did comment this as well in the 6.47 thread. There are no way to see if the router uses DoH server or the DNS, so the solution for me was to not use DNS name like this: https://1.1.1.1/dns-query instead of this https://cloudflare-dns.com/dns-query. And no static DNS added. So only DoH that respond to DNS request.If I have DoH + normal DNS configured which one is used? Is there a fallback if DoH is inaccessible?
Personally, since it's uncertain, I removed the normal DNS and set CF DoH only.
The Router did not fall back to old DNS, so if DoH is configured and does not work, it stops resolve DNS requests, even if a DNS is configured.DoH server connection error: SSL: handshake failed: error 14077410 (6)
Take the code below as an inspiration - you can run the check every now and then whenever the DoH server is disabled, and instead of put "success", re-enable the DoH in DNS configuration. Please don't ask me why the value returned by /tool fetch output=file in case of success is a semicolon and whether it will still be the case in next ROS versions.Maybe I can make a script that test if DoH resolve DNS and if not disable it. But not sure how to make it go back to DoH.
:if ([:do {tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.com%26type=A" output=file dst-path=result http-header-field=accept:application/dns-json} on-error={/ip dns set allow-remote-requests=yes servers=8.8.8.8 verify-doh-cert=yes use-doh-server=""}] = ";") do={/ip dns set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes}
:if ([:do {
tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.com%26type=A" output=file dst-path=result http-header-field=accept:application/dns-json
} on-error={
/ip dns set allow-remote-requests=yes servers=8.8.8.8 verify-doh-cert=yes use-doh-server=""}] = ";") do={
/ip dns set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
}
:if ([
:do {
tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.com%26type=A" output=file dst-path=result http-header-field=accept:application/dns-json
} on-error={
/ip dns set servers=8.8.8.8 use-doh-server=""}
] = ";") do={
/ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query
}
:if ([
:do {
tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.com%26type=A" output=file dst-path=result http-header-field=accept:application/dns-json
} on-error={:nothing}
] = ";") do={
/ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query
} else={
/ip dns set servers=8.8.8.8 use-doh-server=""
}
Correct, but RouterOS is quite tolerant in cases where the context is unambiguous.PS from what I get of information, you should use column in front of commands, like :put not put
{
:if ([
:do {
tool fetch url="https://1.1.1.21/dns-query\?name=mikrotik.com%26type=A" output=file dst-path=result http-header-field=accept:application/dns-json
} on-error={:nothing}
] = ";") do={
/ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query
} else={
/ip dns set servers=8.8.8.8 use-doh-server=""
}
}
Yes, you are right, I haven't tested it thoroughly enough, the output value is ";" regardless whether the command succeeds or fails. So you really have to use the on-error to learn the actual result. So it would look as follows:It seems to not work in the fail situation.
...
I see terminal replies with: status: failed
:local result yes
:do {tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.ca%26type=A" output=file dst-path=result \
http-header-field=accept:application/dns-json} on-error={:set result no}
:if $result do={
/ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query
} else={
/ip dns set servers=8.8.8.8 use-doh-server=""
}
This is an example of where the context makes a difference. :do is a command itself, and on-error is one of its parameters; do= is a parameter of an :if command. One of other symptoms of ROS' tolerance is that you may omit the parameter name for some mandatory parameters. So instead of the proper :do command={:put "this"}, you can abbreviate to :do {:put "this"}. With :if, it is the same case: the proper syntax is actually :if condition=($a=$b) do={:put "equals"}, but most people write just :if ($a=$b) do={:put "equals"}PS RouterOS mix of do { and do={ makes me some confused as well.
Good. And now please explain me the idea behind hiding where you browse from your ISP or government when you can, but cowardly reverting to plaintext DNS whenever it fails.Works perfectly
It not so much what I need, but more that I can doAnd now please explain me the idea behind hiding where you browse from your ISP or government when you can, but cowardly reverting to plaintext DNS whenever it fails.
my log filled with this... How to skip this log from script?00:01:00
Every minute.