Jochen79
Jan 12, 2022 (Aspirant)
DNS DoT (TLS / HTTPS)
Hi Community, using the SXR80 OrbiPro6, which is quite new, I realize there is no DNS DoT available, either via TLS or HTTPS. The NETGEAR support line is completely overwhelmed and unable, in case any issu...
schumaku
Jan 12, 2022 (Guru - Experienced User)
Jochen79,
Both DoT and DoH are simply not ready for prime time today. The related Discovery of Designated Resolvers draft-ietf-add-ddr-04 is still in the stars. Configuring both DoT and DoH requires much more than just an IP address; DoH requires a template in addition to knowing the IP address of the resolver. If only the DoH template is known, the domain name from the template must first be resolved (likely over plain-text DNS) before the DoH server can be used. To avoid the potential for attack ... ROFL ... some fixed IP must be used, e.g. when you look into the experimental DoH implementation on Windows 11 today.
Just allowing the config of DoT or DoH alone is not sufficient. The ISPs need to offer a reasonable replacement or addition to their reasonably secure ISP DNS infrastructure (think: it's just on your Internet connection link to the ISP and its infrastructure, so the attack vector is relatively small).
Once these processes are ready for prime time, once the majority of ISPs are ready (before you start stating there are a handful of public providers, I want to remind you that many governments require the ability to restrict access to certain domains or services), then Netgear can start implementing a recursive DNS resolver capability, handling the Internet side in DoH/DoT, in a way that Netgear support can assist customers from all around the world, and offering some relay or transition services so that systems without DoT/DoH-aware resolvers can make use of it.
This will be a longer way - not just for Netgear.
Regards,
-Kurt
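The bootstrapping point in the post above (a DoH resolver is reached through a URI template, and the hostname in that template must itself be resolved before the first encrypted query can leave the device) is shown below as an added Python example; it is not code from the thread or from NETGEAR. It builds an RFC 8484 GET request: the wire-format DNS query is base64url-encoded without padding and placed into the `{?dns}` expansion of the template, and a helper reports whether the template names an IP literal (the fixed-IP approach Kurt mentions for Windows 11) or a hostname that still needs a plain-DNS lookup first. `dnsserver.example.net` and the address `198.51.100.53` are placeholder values.

```python
import base64
import ipaddress
import struct
from urllib.parse import urlsplit


def build_dns_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Build a minimal wire-format DNS query (RFC 1035).

    msg_id defaults to 0 as RFC 8484 recommends for GET requests, so that
    identical questions produce identical URLs and stay HTTP-cacheable.
    """
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError(f"bad label: {label!r}")
        qname += bytes([len(encoded)]) + encoded
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_param(query: bytes) -> str:
    """base64url without '=' padding, as RFC 8484 section 6 requires."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_param_decode(value: str) -> bytes:
    """Inverse of doh_param: restore padding before decoding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def expand_template(template: str, dns_value: str) -> str:
    """Expand the single form-style query expansion {?dns} (RFC 6570)."""
    if "{?dns}" not in template:
        raise ValueError("DoH template must contain {?dns}")
    return template.replace("{?dns}", f"?dns={dns_value}")


def bootstrap_requirement(template: str) -> str:
    """Does using this template need a prior (plain) DNS lookup of its host?"""
    host = urlsplit(template.replace("{?dns}", "")).hostname
    try:
        ipaddress.ip_address(host)
        return "ip-literal"        # reachable without any prior resolution
    except ValueError:
        return "needs-resolution"  # hostname must be resolved first


if __name__ == "__main__":
    # Placeholder template, not a real resolver.
    template = "https://dnsserver.example.net/dns-query{?dns}"
    q = build_dns_query("www.example.com")
    print(expand_template(template, doh_param(q)))
    print("bootstrap:", bootstrap_requirement(template))
```

The `www.example.com` query with message ID 0 produces exactly the `dns=` value given in RFC 8484's GET example, which is a handy self-check when writing a client.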
- Jochen79, Jan 12, 2022 (Aspirant)
Hi Kurt
Thank you for your great response.
I'm aware the DNS DoT topic is still not final, even though some router manufacturers (AVM) and also some Internet providers already offer encrypted DNS server addresses, like Google, Cloudflare, etc.
Even though the protocol is not final and, as you said, "This will be a longer way - not just for Netgear", as far as I know the existing DNS over TLS or HTTPS protocol provides a higher standard than regular DNS communication. The question must be asked: is it not better to use the "not final" but improved DNS communication already today?
Thanks for your insights!
Jochen
- schumaku, Jan 12, 2022 (Guru - Experienced User)
So do your homework: What are the effective risks for you? Who should "play" with your DNS queries between your home or SOHO router and the ISP DNS?
The problem spans much wider. Several application and browser makers had the "brilliant" idea to implement one or both of these protocols. Now neither your local security software, your ISP, nor your DNS provider with enhanced filtering services will be able to act. In reality, DoT and DoH have already been abused by malware. And several more. It's not the world's best idea....
Plenty more constraints ... it's not even an end-to-end encryption for example.
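The consequence described in the post above, that encrypted DNS lets a client walk past the local resolver and whatever filtering sits behind it, is also what a network operator can look for in flow records. Below is an added Python example (not from the thread or from NETGEAR) that classifies constructed flow records: TCP/853 is DoT by definition (RFC 7858), TCP/443 to a known public resolver address or with a known DoH hostname in the TLS SNI is treated as DoH, and plain port-53 traffic to anything other than the sanctioned resolver is a bypass. The record format, the 10.0.0.x sources and the `192.0.2.53` sanctioned resolver are constructed; the resolver addresses and hostnames are the published ones of Cloudflare, Google and Quad9. The caveat is the same one the post makes: DoH to a shared CDN address with no recognizable SNI is indistinguishable from ordinary HTTPS, so this catches the common cases, not all of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Published DoH hostnames and resolver addresses of Cloudflare, Google and Quad9.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
KNOWN_RESOLVER_IPS = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112")
}
# Constructed: the resolver that clients on this network are expected to use.
SANCTIONED_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    sni: str = ""  # TLS server name, if the sensor exported it


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value key=value' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(),
                int(fields["dport"]), fields.get("sni", ""))


def classify(flow: Flow) -> str:
    """Label a flow as DoT, DoH, a plain-DNS bypass, or ok."""
    dst = ipaddress.ip_address(flow.dst)
    if flow.proto == "tcp" and flow.dport == 853:
        return "DoT"  # RFC 7858 reserves 853 for DNS over TLS
    if flow.proto == "tcp" and flow.dport == 443 and (
        flow.sni.lower() in KNOWN_DOH_HOSTS or dst in KNOWN_RESOLVER_IPS
    ):
        return "DoH"  # HTTPS to a known public resolver
    if flow.dport == 53 and dst not in SANCTIONED_RESOLVERS:
        return "plain-DNS-bypass"  # unencrypted, but not to our resolver
    return "ok"


def findings(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source, label, destination) for every flow that is not 'ok'."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label != "ok":
            out.append((flow.src, label, flow.dst))
    return out


# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = """\
src=10.0.0.5 dst=192.0.2.53 proto=udp dport=53
src=10.0.0.7 dst=9.9.9.9 proto=tcp dport=853
src=10.0.0.8 dst=203.0.113.10 proto=tcp dport=443 sni=dns.google
src=10.0.0.9 dst=8.8.8.8 proto=tcp dport=443
src=10.0.0.10 dst=203.0.113.80 proto=tcp dport=443 sni=www.example.com
src=10.0.0.11 dst=1.1.1.1 proto=udp dport=53
""".splitlines()

if __name__ == "__main__":
    for src, label, dst in findings(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}")
```

Of the six constructed records only the first (UDP/53 to the sanctioned resolver) and the fifth (ordinary HTTPS) pass; the DoH case on line four is caught by destination address alone, which is why the known-resolver list matters when SNI is absent.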
- Jochen79, Jan 13, 2022 (Aspirant)
Hi Kurt
I don't know who you are or what you think you are allowed to tell me; I have to do my homework! This is very impolite and rude of you and not acceptable in a community. This should be the place to ask questions. If not, or if it ends like in that reaction of yours, the purpose of the community is being questioned.
Please consider what you are posting.
Thank you.
Maybe, you can answer my question? Because you just played around the topic and asked more than really answered.
Is it not better using the "not final" but improved DNS communication already today?
Yes, thanks to Kurt's post, DoT and DoH have been abused by malware too. But is the DoT/DoH protocol existing today equal, worse or improved in comparison to what is being used (non-encrypted, e.g. the default DNS of the ISP provider)?
- sendintheclones, Feb 17, 2022 (Initiate)
Well, neither is WPA3, since so many devices don't support it - yet.
DoH and DoT are the most privacy-oriented features a router vendor can offer. I don't understand why this is not a feature yet. CloudFlare, Google(!!) and quad9 all support both DoH and DoT, and it's really up to us all whether we will use it or not.
I hope Netgear doesn't have a business model where they need resolver data for resale...
By the way, and while at it, why not enable HTTPS for the admin interface as the default AND update the valid certificate?
- MR_Foles, Feb 22, 2022 (Aspirant)
DoH isn't all the security it's cracked up to be; you are essentially deciding that you would rather have CloudFlare or Google sell your DNS query data instead of your ISP. Not to mention, if you were to administrate an organization, the DNS traffic would run on port 443 and you would have no way to implement a content filter in your organization, outside of completely deciding that internally there is no access to the internet and everything would have to run through a proxy.
- sendintheclones, Feb 22, 2022 (Initiate)
No.
I would never use any resolvers from either Google or CloudFlare.
But you could broaden your perspective a bit. I use resolvers at quad9 (9.9.9.9), based in Switzerland and operating under Swiss data protection laws like Proton, and there is a larger number of resolvers offering DoH/DoT. And true, there are a lot of things DoH/DoT does not do, for example protecting the sessions established after resolving. I use VPNs for masking my source IP, and that's fine for me and my risk model.
True, I'm not administrating a larger enterprise domain, and I expect most Netgear customers aren't, in this context. Whether we can use content filters or not is not about DoH, but more about HTTPS.
Still, this was about the support for DoH/DoT and whether it is usable. I think it is, and Netgear should definitely have support for it, IMO. It works just fine from a client; it's also supported on Windows, macOS and Linux distros.
https://dnsprivacy.org/public_resolvers/
-m
- schumaku, Feb 24, 2022 (Guru - Experienced User)
sendintheclones wrote:
...why not enable HTTPS for the admin interface as the default...?
Have your own DNS, ideally a split DNS, with a dedicated name for each of your devices offering HTTPS? Sigh, we need the ability to generate CSRs, to import certificates and private keys, and to automatically maintain the certificates (by industry-standard CMP, and some popular free/open CAs like Let's Encrypt). Oh, of course, also for LE you need a unique DNS name for each device....
sendintheclones wrote:
... AND update the valid certificate...?
A shared certificate, whether the earlier Entrust CS signed ones Netgear had in place with the orbilogin.blah name, or the now self-signed ones in place: both can NEVER be considered a trusted certificate.
Or do you have the magic idea of how to bring the (shared) private key to all these Orbi Pro devices? The moment you share the private key, your beloved privacy is gone.
-Kurt (who is an engineer, so has no idea about anything, but has participated in the design and implementation of the biggest private CAs 25 years ago - long before the CA know-how became commodity)