LTheobald
Apr 23, 2022 (Follower)
Disabling DNS over HTTPS (DoH) On The Router
Hi all,
Does anyone know if I can disable the DNS over HTTPS (DoH) feature on an Orbi router (RBR50)? Can't spot anything in the settings myself.
From what I'm seeing, it uses a self-signed certificate for 'routerlogin.com'. I do a lot of tinkering on Raspberry Pis and self-signed certs cause a few headaches on Linux systems (as they can often be a security issue). So I'd really rather just turn it off!
Kind regards,
Lee
2 Replies
- FURRYe38 (Guru - Experienced User)
That's something that Orbi or NG routers don't feature on their products. This is handled on a browser or upstream maybe on the ISP side.
- CrimpOn (Guru - Experienced User)
LTheobald wrote:
Does anyone know if I can disable the DNS over HTTPS (DoH) feature on an Orbi router (RBR50)? Can't spot anything in the settings myself.
From what I'm seeing, it uses a self-signed certificate for 'routerlogin.com'. I do a lot of tinkering on Raspberry Pis and self-signed certs cause a few headaches on Linux systems (as they can often be a security issue). So I'd really rather just turn it off!

These may be two separate issues.
DoH is a complicated topic (https://en.wikipedia.org/wiki/DNS_over_HTTPS). I have seen no indication that the Orbi router in any way supports DoH, either as a DNS server or by using DoH to resolve DNS queries. Browsers or operating systems (Apple since 2020, Linux Bind v9.17.10, but not Windows) using DoH will bypass the Orbi entirely to resolve URLs using DoH.
Notice how Firefox (Windows) defines that DoH will use Cloudflare, rather than the DNS server specified by DHCP:
Netgear's use of a self-signed SSL certificate has been a frustrating situation since their previous SSL certificates expired on August 2, 2019. On the one hand, it was pretty "ballsy" for Netgear to get an SSL certificate claiming that the URLs router.com, router.net, routerlogin.com, routerlogin.net, orbilogin.com, orbilogin.net were part of Netgear. So, when a customer connects a web browser to https://routerlogin.com this web server is certified to be "Netgear" in San Jose, California rather than Joe Schmo in Kansas.
I have never seen an explanation for why those certificates expired. Maybe Netgear forgot to renew them? Maybe the certificate authority declined to renew them. ("Hey. We can't have thousands of random web servers around the world claiming to be Netgear!")
After a lot of confusion, Netgear began putting self-signed certificates in the firmware. (I believe Dec 2019).
The whole thing is a mess to start with. None of those "URLs" can be resolved by the internet. (Try it. Point a computer at dns.google.com or any public DNS server and ask for the IP of routerlogin.com.) What happens is the DNS server inside Netgear routers intercepts those URLs and says, "Here it is. It's ME!"
Web browsers have complicated the situation by forcing all connections over https if at all possible, which triggers the web browser to ask for the SSL certificate and then complain that it is self-signed.
So, (1) DoH cannot be turned off on the Orbi because the Orbi does not implement DoH, and (2) Nothing can be done about the self-signed certificate except (a) tell the web browser to ignore it, or (b) use the IP address instead of routerlogin.com.
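Option (a) above, done without blanket-disabling TLS verification, as an added example (not NETGEAR's code or anything from the thread): pin the router's self-signed certificate by its SHA-256 fingerprint and connect by IP address, which also sidesteps the DoH problem since routerlogin.com only resolves through the router's own DNS. The router IP, the sample certificate dict and the pin value are assumptions.

```python
"""Pin the router's self-signed certificate instead of ignoring it.
Added example; not NETGEAR code. Router IP and pin value are assumptions."""
import hashlib
import socket
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns,
# filled with hostnames the thread says the NETGEAR cert claims (values assumed).
SAMPLE_CERT = {
    "subject": ((("commonName", "routerlogin.com"),),),
    "issuer": ((("commonName", "routerlogin.com"),),),
    "subjectAltName": (("DNS", "routerlogin.com"), ("DNS", "routerlogin.net"),
                       ("DNS", "orbilogin.com"), ("DNS", "orbilogin.net")),
}

def is_self_signed(cert):
    """A self-signed cert is its own issuer: subject and issuer match."""
    return bool(cert) and cert.get("subject") == cert.get("issuer")

def claimed_names(cert):
    """DNS names the cert asserts; a browser checks the URL's host against these."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def fingerprint(der):
    """SHA-256 of the DER certificate, formatted the way browsers display it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def pin_matches(der, pinned):
    """Compare a fetched certificate against a stored pin (colons/case ignored)."""
    return fingerprint(der).replace(":", "") == pinned.replace(":", "").upper()

def fetch_cert_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate bytes. Verification is disabled only to read
    the cert; trust is then decided by pin_matches(), not skipped."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    ROUTER_IP = "192.168.1.1"  # assumption: your router's LAN address
    PINNED = ""                # paste the fingerprint printed on a trusted first run
    der = fetch_cert_der(ROUTER_IP)
    print("router certificate SHA-256:", fingerprint(der))
    if PINNED:
        print("pin matches" if pin_matches(der, PINNED) else "WARNING: cert changed")
```

Record the fingerprint once over a connection you trust (e.g. wired to the router); a later mismatch means the certificate changed, typically after a firmware update, and is worth a look before accepting it again.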