Jochen79
Aspirant
Jan 12, 2022

DNS DoT (TLS / HTTPS)

Hi Community

I am using the SXR80 OrbiPro6, which is quite new, and realize there is no DNS DoT available, either via TLS or HTTPS. The NETGEAR support line is completely overwhelmed and unable to help with any issue beyond "have you restarted the router" guidance, therefore the question in this forum:

Does the SXR80 Router support any encrypted protocols like DNS over TLS or HTTPS? https://en.wikipedia.org/wiki/DNS_over_TLS
Happy to get a profound answer! If there is no support yet, maybe somebody from NETGEAR can give an outlook on when this feature will be implemented?

Thank you in advance,

Jochen

15 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi Jochen79,

    Welcome to the community! :)

    Does the SXR80 Router support any encrypted protocols like DNS over TLS or HTTPS?

    The SXR80 does NOT support encrypted protocols like DNS over TLS or HTTPS.  

    You may want to post this as a feature request on the Ideas Exchange for Business board here. In this way, the development team can see what features Orbi Pro WiFi 6 users want added to the product. Be reminded that the more kudos community members give your feature request, the more it will help, as the development team reviews the posts with the most kudos, which might then get implemented.

    Regards,

    DaneA

    NETGEAR Community Team

    • Jochen79
      Aspirant

      Hi DaneA, dear all

      I started this thread some months ago with the hope of getting valuable info about my initial question. It turned out more into a **bleep**-talk, mainly forced and driven by schumaku.

      I was hoping somebody from Netgear would respond to this important topic. But it seems Netgear is not supporting its own community with fundamental knowledge, especially since we are not talking about trivial questions like the color of a button within the software. This is an essential topic, and I'm pretty disappointed about the lack of commitment from Netgear.

      Greetings,

      Jochen

  • schumaku
    Guru - Experienced User

    Jochen79,

    Both DoT and DoH are simply not ready for prime time today. The related Discovery of Designated Resolvers draft-ietf-add-ddr-04 is still in the stars. Configuring both DoT and DoH requires much more than just an IP address; DoH requires a template in addition to knowing the IP address of the resolver. If only the DoH template is known, the domain name from the template must first be resolved (likely over plain-text DNS) before the DoH server can be used. To avoid the potential for attack ... ROFL ... some fixed IP must be used, e.g. when you look into the experimental DoH implementation on Windows 11 today.

    Just allowing the config of DoT or DoH alone is not sufficient. The ISPs need to offer a reasonable replacement or addition to their reasonably secure ISP DNS infrastructure (think: it's just on your Internet connection link to the ISP and its infrastructure, so the attack vector is relatively small).

    Once these processes are ready for prime time, once the majority of ISPs are ready (before you start stating there are a handful of public providers, I want to remind you that many governments require the ability to restrict access to certain domains or services), then Netgear can start implementing a recursive DNS resolver capability, handling the Internet side in DoH/DoT, in a way that Netgear support can assist customers from all around the world, and offering some relay or transition services so that systems without DoT/DoH-aware resolvers can make use of it.

    This will be a longer way - not just for Netgear.

    Regards,

    -Kurt 
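As an added illustration (not code from the thread or from NETGEAR) of the DoH bootstrap problem Kurt describes: a DoH client must expand a URI template (RFC 8484, `{?dns}` form with a base64url-encoded wire-format query) and, before it can even send that request, it must resolve the template's hostname, which is exactly the step that falls back to plain-text DNS unless the template carries a fixed IP. The template hosts and query name below are constructed placeholders.

```python
import base64
import ipaddress
import struct
from urllib.parse import urlparse


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: header + QNAME + QTYPE + QCLASS IN.
    txid=0 is what RFC 8484 recommends for DoH so that GET URLs stay cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(template: str, name: str, qtype: int = 1) -> str:
    """Expand a DoH URI template into the GET form: base64url body, padding stripped."""
    if "{?dns}" not in template:
        raise ValueError("DoH template must contain the {?dns} variable")
    wire = build_dns_query(name, qtype, txid=0)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + b64)


def bootstrap_dependency(template: str) -> dict:
    """Report what the client must know before the template is usable at all.
    A hostname in the template means a prior (typically plain-text) DNS lookup;
    an IP literal means no bootstrap lookup is needed."""
    host = urlparse(template.replace("{?dns}", "")).hostname
    try:
        ipaddress.ip_address(host)
        needs_plain_dns = False
    except (ValueError, TypeError):
        needs_plain_dns = True
    return {"host": host, "needs_plain_dns": needs_plain_dns}


if __name__ == "__main__":
    # Constructed placeholders: "dns.example" is not a real resolver.
    for tpl in ("https://dns.example/dns-query{?dns}", "https://192.0.2.1/dns-query{?dns}"):
        print(bootstrap_dependency(tpl))
        print(doh_get_url(tpl, "example.com"))
```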

    • Jochen79
      Aspirant

      Hi Kurt

      Thank you for your great response.

      I'm aware the DNS DoT topic is still not final, even though some router manufacturers (AVM) and also some Internet providers already offer encrypted DNS server addresses, like Google, Cloudflare, etc.

      Even though the protocol is not final and, as you said, "This will be a longer way - not just for Netgear", as far as I know, the existing DNS over TLS or HTTPS protocol provides a higher standard than regular DNS communication. The question must be asked: is it not better to use the "not final" but improved DNS communication already today?

      Thanks for your insights!

      Jochen

      • schumaku
        Guru - Experienced User

        So do your homework: What are the effective risks for you? Who should "play" with your DNS queries between your home or SOHO router and the ISP DNS?

        The problem spans much wider. Several application and browser makers had the "brilliant" idea to implement one or both of these protocols. Now neither your local security software, your ISP, nor your DNS provider with enhanced filtering services will be able to act. In reality, DoT and DoH have already been abused by malware. And several more. It's not the world's best idea....

        Plenty more constraints ... it's not even an end-to-end encryption for example. 

    • sendintheclones
      Initiate

      Well, neither is WPA3, since so many devices don't support it - yet.

      DoH and DoT are the most privacy-oriented features a router vendor can offer. I don't understand why this is not a feature yet. Cloudflare, Google(!!) and Quad9 all support both DoH and DoT, and it's really up to us all whether we will use it or not.

      I don't hope Netgear has a business model where they need resolver data for resale...

      By the way, and while at it, why not enable HTTPS for the admin interface as the default AND update the valid certificate?

      • MR_Foles
        Aspirant

        DoH isn't all the security it's cracked up to be; you are essentially deciding that you would rather have Cloudflare or Google sell your DNS query data instead of your ISP. Not to mention, if you were to administer an organization, the DNS traffic would run on port 443 and you would have no way to implement a content filter in your organization, outside of completely deciding that internally there is no access to the internet and everything would have to run through a proxy.

  • FURRYe38
    Guru - Experienced User

    NG does not support these DNS features on their products. I have seen these features on browsers. If you need DNS DoT, look into some browsers that may support this.

    • schumaku
      Guru - Experienced User

      FURRYe38 wrote:

      NG does not support these DNS features on their products. I have seen these features on browsers. If you need DNS DoT, look into some browsers that may support this.

      Recent OSes also come with DNS resolvers supporting DoT and DoH.

      Regardless, as of today, in the absence of industry standards that go beyond university ideas, each system must be configured manually (or, for the sake of it, by using domain policies on an AD).

      Neither any fancy router (nor, for the sake of it, the ISP) can provide a complete config for the current network clients. If the router does support it, it can secure its own DNS requests. Any other DNS traffic from the local network clients is travelling under the horizon. No way to support a local internal DNS, no way to filter known bad domain names (by local security software, network policies, by government requirements, ....).

      Not a single question was answered by the OP on how he would expect the hypothetical DNS implementation to work. That much about "Bleep" B.S.
