Jochen79
Jan 12, 2022, Aspirant
DNS DoT (TLS / HTTPS)
Hi Community, I'm using the SXR80 OrbiPro6, quite new, and realized there is no DNS DoT available, either via TLS or HTTPS. The NETGEAR support line is completely overwhelmed and unable, in case any issu...
schumaku
Jan 12, 2022, Guru - Experienced User
Jochen79,
Both DoT and DoH are simply not ready for prime time today. The related Discovery of Designated Resolvers draft-ietf-add-ddr-04 is still in the stars. Configuring both DoT and DoH requires much more than just an IP address; DoH requires a template in addition to knowing the IP address of the resolver. If only the DoH template is known, the domain name from the template must first be resolved (likely over plain-text DNS) before the DoH server can be used. To avoid the potential for attack ... ROFL ... some fixed IP must be used, e.g. when you look into the experimental DoH implementation on Windows 11 today.
Just allowing the config of DoT or DoH alone is not sufficient. The ISPs need to offer a reasonable replacement for, or addition to, their reasonably secure ISP DNS infrastructure (think: it's just on your Internet connection link to the ISP and its infrastructure, so the attack vector is relatively small).
Once these processes are ready for prime time, once the majority of ISPs are ready (before you start stating there are a handful of public providers, I want to remind you that many governments require the ability to restrict access to certain domains or services), then Netgear can start implementing a recursive DNS resolver capability, handling the Internet side in DoH/DoT, in a way that Netgear support can assist customers from all around the world, and offering some relay or transition service so that systems without DoT/DoH-aware resolvers can make use of it.
This will be a longer way - not just for Netgear.
Regards,
-Kurt
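The post above argues that a DoH template alone is not a usable configuration: the template's host name has to be resolved first, over whatever resolver the client already has, unless a fixed resolver IP is supplied alongside it. The following is an added example, not code from the thread or from NETGEAR, that makes that bootstrap dependency concrete: it builds an RFC 8484 GET query from a URI template and reports what else the client needs to know before the first encrypted query can leave the machine. The resolver name `dns.example` and the address `192.0.2.53` are hypothetical placeholders from the documentation ranges.

```python
import base64
import ipaddress
import struct
from typing import Optional
from urllib.parse import urlparse

# Added example (not from the thread or from NETGEAR): what a DoH client
# must know before it can send its first query, per RFC 8484 (DoH) and the
# URI template syntax of RFC 6570. The resolver name dns.example and the
# address 192.0.2.53 are hypothetical (documentation ranges).

TEMPLATE_MARK = "{?dns}"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query: header + QNAME + QTYPE/QCLASS.
    Transaction ID 0 as RFC 8484 recommends for DoH cacheability; RD bit set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def template_host(template: str) -> str:
    """Host part of a DoH URI template, e.g. 'dns.example' or an IP literal."""
    if TEMPLATE_MARK not in template:
        raise ValueError("DoH template must contain " + TEMPLATE_MARK)
    host = urlparse(template.replace(TEMPLATE_MARK, "")).hostname
    if not host:
        raise ValueError("DoH template has no host")
    return host


def bootstrap_needed(template: str) -> bool:
    """True when the template host is a name rather than an IP literal: the
    client then has to resolve it first, over whatever resolver it already
    has (usually plaintext UDP/53), before any DoH query can go out."""
    host = template_host(template)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False


def doh_get_url(template: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query goes in ?dns= as base64url
    with the '=' padding removed."""
    template_host(template)  # validates the template before expanding it
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template.replace(TEMPLATE_MARK, "?dns=" + b64)


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: re-pad and decode the dns= parameter."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def connection_plan(template: str, resolver_ip: Optional[str] = None) -> dict:
    """Everything the client needs besides the template: where to open the
    TCP/TLS connection, which name to verify the certificate against, and
    whether a bootstrap lookup over the old resolver is unavoidable."""
    host = template_host(template)
    needs_bootstrap = bootstrap_needed(template) and resolver_ip is None
    return {
        "tls_name": host,                   # SNI and certificate name check
        "connect_to": resolver_ip or host,  # a fixed IP avoids the bootstrap
        "bootstrap_lookup": host if needs_bootstrap else None,
    }


if __name__ == "__main__":
    q = build_query("example.com")
    for tmpl in ("https://dns.example/dns-query{?dns}",
                 "https://192.0.2.53/dns-query{?dns}"):
        print(doh_get_url(tmpl, q))
        print(connection_plan(tmpl))
    # Template plus a pinned resolver address: no plaintext lookup required.
    print(connection_plan("https://dns.example/dns-query{?dns}", "192.0.2.53"))
```

With only the name-based template, `connection_plan` reports that `dns.example` has to be looked up first; that lookup goes over the very resolver DoH was meant to replace, which is the weak spot the post points at. Pinning the address (the third call) removes the bootstrap, but then the name is still needed for SNI and certificate verification, so the configuration is template plus IP plus name, not a single field.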
Jochen79
Jan 12, 2022, Aspirant
Hi Kurt
Thank you for your great response.
I'm aware the DNS DoT topic is still not final, even though some router manufacturers (AVM) and also some Internet providers already offer encrypted DNS server addresses, like Google, Cloudflare, etc.
Even though the protocol is not final and, as you said, "This will be a longer way - not just for Netgear", as far as I know the existing DNS over TLS or HTTPS protocol provides a higher standard than the regular DNS communication. The question must be asked whether it is not better to use the "not final" but improved DNS communication already today?
Thanks for your insights!
Jochen
- schumaku, Jan 12, 2022, Guru - Experienced User
So do your homework: What are the effective risks for you? Who should "play" with your DNS queries between your home or SOHO router and the ISP DNS?
The problem spans much wider. Several application and browser makers had the "brilliant" idea to implement one or both of these protocols. Now neither your local security software, your ISP, nor your DNS provider with enhanced filtering services will be able to act. In reality, DoT and DoH have already been abused by malware. And several more. It's not the world's best idea....
Plenty more constraints ... it's not even end-to-end encryption, for example.
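The post above makes the defender's complaint: once applications and browsers speak DoT/DoH on their own, the local filtering point no longer sees the queries. What the network can still see is the flow itself. The following is an added example, not code from the thread or from NETGEAR, that runs a flow-level check over constructed flow records: port 853 identifies DoT outright, DoH has to be picked out of ordinary HTTPS by SNI or by destination address, and plaintext DNS to anything but the sanctioned resolver is flagged as a bypass. The resolver address `10.0.0.1`, the endpoint `doh.example.net` and the flow records are constructed for the example.

```python
import csv
import io
from typing import Dict, List

# Added example (not from the thread or from NETGEAR): a flow-level check a
# network defender can run once endpoints start talking DoT/DoH on their
# own. Flow records, resolver names and addresses are constructed for the
# example (documentation ranges, doh.example.net), not real observations.

# Constructed flow records: ts,src,dst,dport,proto,sni (sni empty if none)
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,sni
2022-01-13T09:00:01Z,10.0.0.12,10.0.0.1,53,udp,
2022-01-13T09:00:02Z,10.0.0.12,203.0.113.10,853,tcp,
2022-01-13T09:00:03Z,10.0.0.12,203.0.113.20,443,tcp,doh.example.net
2022-01-13T09:00:04Z,10.0.0.12,198.51.100.7,443,tcp,www.example.com
2022-01-13T09:00:05Z,10.0.0.25,203.0.113.30,53,udp,
2022-01-13T09:00:06Z,10.0.0.40,203.0.113.10,853,tcp,
"""

APPROVED_RESOLVERS = {"10.0.0.1"}      # the router/ISP forwarder the site sanctions (assumed)
KNOWN_DOH_NAMES = {"doh.example.net"}  # hypothetical public DoH endpoints to watch for
KNOWN_DOH_IPS = {"203.0.113.20"}       # their addresses, for flows that carry no SNI


def classify_flow(flow: Dict[str, str]) -> str:
    """Return a finding kind for one flow, or '' when nothing is notable."""
    dport = int(flow["dport"])
    dst, sni = flow["dst"], flow["sni"]
    if dport == 853 and flow["proto"] == "tcp":
        return "dot"                     # port 853 is unambiguous: DoT
    if dport == 443 and (sni in KNOWN_DOH_NAMES or dst in KNOWN_DOH_IPS):
        return "doh"                     # DoH hides inside ordinary HTTPS
    if dport == 53 and dst not in APPROVED_RESOLVERS:
        return "rogue-plaintext-dns"     # bypassing the sanctioned resolver
    return ""


def scan_flows(text: str) -> List[Dict[str, str]]:
    """Run classify_flow over a CSV flow export and collect the findings."""
    findings = []
    for flow in csv.DictReader(io.StringIO(text)):
        kind = classify_flow(flow)
        if kind:
            findings.append({"kind": kind, "src": flow["src"],
                             "dst": flow["dst"], "ts": flow["ts"]})
    return findings


def hosts_bypassing_resolver(text: str) -> List[str]:
    """Sources that used DoT/DoH and never touched an approved resolver:
    these are the endpoints the local filtering no longer sees at all."""
    seen_approved, encrypted = set(), set()
    for flow in csv.DictReader(io.StringIO(text)):
        if int(flow["dport"]) == 53 and flow["dst"] in APPROVED_RESOLVERS:
            seen_approved.add(flow["src"])
        elif classify_flow(flow) in ("dot", "doh"):
            encrypted.add(flow["src"])
    return sorted(encrypted - seen_approved)


if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
    print("bypassing resolver entirely:", hosts_bypassing_resolver(SAMPLE_FLOWS))
```

The DoT rule is reliable because TCP/853 has no other common use, which is also why it is easy to block. The DoH rule is only as good as the SNI and address lists: a resolver not on the list, or a client using Encrypted Client Hello, looks like any other HTTPS session, which is the reason the post says the filtering point loses visibility once applications bring their own resolver.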
- Jochen79, Jan 13, 2022, Aspirant
Hi Kurt
I don't know who you are or what you think you are allowed to tell me; that I have to do my homework! This is very impolite and rude of you and not acceptable in a community. This should be the place to ask questions. If not, or if it ends like in that reaction of yours, the purpose of the community is being questioned.
Please consider what you are posting.
Thank you.
Maybe you can answer my question? Because you just played around the topic and asked more than you really answered.
Is it not better to use the "not final" but improved DNS communication already today?
Yes, thanks to Kurt's post, DoT and DoH have been abused by malware too. But is the DoT/DoH protocol that exists today equal, worse or improved in comparison to what is being used (non-encrypted, e.g. the default DNS of the ISP)?
- schumaku, Jan 13, 2022, Guru - Experienced User
Then please explain to me in a few words where you see the problem with the current and still widespread (read: normal, current, ...) DNS implementation - and for most ISPs - those are the ones that bring the respective connections to our homes - and not some third party.
Where there is a real risk that your DNS queries are altered in transit, let's say, for example, meine.postbank.de gets a wrong IP address slipped in where someone tries to steal your login data, the problem is real to that extent. But the possibilities between your router, the DSL or fiber line, and the few devices in the data path to the IP addresses of your ISP's DNS servers are fairly limited.
Why should we go to the trouble of sending DoX to a provider somewhere in the cloud, only for that provider to then hook into the normal DNS resources, perhaps with DNSSEC, but perhaps also with completely normal unencrypted DNS?
If you absolutely want to implement something, go ahead. You have to do the risk assessment for yourself - I cannot and will not take that over. The risk that something happens on your network and end devices (malware, etc.) is much higher than that your DNS queries are intercepted and altered on the relatively short path to your ISP.
There are many controversial debates on this topic. And yes, I have such conversations and risk assessments with my customers (finance, government, military, manufacturers of business equipment) again and again. Here I am solely a Netgear customer, just a nice person who likes to help here and there, or tries to give readers food for thought. There is nothing unfriendly about allowing oneself to ask questions. My customers have to listen to that as well.
Netgear has good reasons why neither DoH nor DoT are offered on the routers. Primarily it's probably about support, reliability, and simplicity of configuration for the customer. And both DoX variants fail miserably there.
PS: And yes, I don't care much that browser makers like Mozilla have it (that's not the full truth: we have to push out policies so that this s**t is reliably disabled), or that Apple or Microsoft offer certain simple DoX resolvers (again, a lot of effort to prohibit this on business networks!).
Greetings from Switzerland
-Kurt