Jochen79
Jan 12, 2022, Aspirant
DNS DoT (TLS / HTTPS)
Hi Community, using the SXR80 OrbiPro6 quite new and realize there is no DNS DoT available, either via TLS or HTTPS. The NETGEAR support line is completely overwhelmed and unable, in case any issu...
sendintheclones
Feb 17, 2022, Initiate
Well, neither is WPA3, since so many devices don't support it - yet.
DoH and DoT are the most privacy-oriented features a router vendor can offer. I don't understand why this is not a feature yet. Cloudflare, Google (!!) and Quad9 all support both DoH and DoT, and it's really up to us all whether we will use it or not.
I hope Netgear doesn't have a business model where they need resolver data for resale...
By the way, and while at it, why not enable HTTPS for the admin interface as the default AND update the valid certificate?
MR_Foles
Feb 22, 2022, Aspirant
DoH isn't all the security it's cracked up to be: you are essentially deciding that you would rather have Cloudflare or Google sell your DNS query data instead of your ISP. Not to mention that if you were to administrate an organization, the DNS traffic would run on port 443 and you would have no way to implement a content filter in your organization, outside of completely deciding that internally there is no access to the internet and everything would have to run through a proxy.
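The visibility point made above, as an added example that is not code from the thread or from NETGEAR: a small classifier over constructed flow records shows why DoT (dedicated port 853) stays identifiable to a network-side filter while DoH blends into ordinary HTTPS on 443. The local resolver address 192.168.1.1 and the sample flows are assumptions; the public resolver addresses are the well-known anycast IPs of the providers named in the thread.

```python
from collections import Counter

# Well-known anycast addresses of the public resolvers named in the thread
# (Cloudflare, Google, Quad9); these are public facts, not values from the page.
KNOWN_PUBLIC_RESOLVERS = {
    "1.1.1.1", "1.0.0.1",            # Cloudflare
    "8.8.8.8", "8.8.4.4",            # Google
    "9.9.9.9", "149.112.112.112",    # Quad9
}

def classify_flow(dst_ip: str, dst_port: int, local_resolver: str) -> str:
    """Label one flow by how much a network-side DNS filter can still see of it."""
    if dst_port == 53:
        return "plain-dns" if dst_ip == local_resolver else "plain-dns-bypass"
    if dst_port == 853:
        # DoT: content is encrypted, but the dedicated port makes it easy to spot or block.
        return "dot"
    if dst_port == 443 and dst_ip in KNOWN_PUBLIC_RESOLVERS:
        # DoH: indistinguishable from other HTTPS by port; only the destination hints at it.
        return "probable-doh"
    return "other"

def summarize(flows, local_resolver: str = "192.168.1.1") -> dict:
    """Count flow classes so an admin can see how much DNS is leaving the router's control."""
    return dict(Counter(classify_flow(ip, port, local_resolver) for ip, port in flows))

# Constructed sample flows as (destination IP, destination port) pairs (assumed values).
SAMPLE_FLOWS = [
    ("192.168.1.1", 53),    # client using the router's own resolver
    ("8.8.8.8", 53),        # plain DNS straight to Google, still filterable
    ("9.9.9.9", 853),       # DoT to Quad9
    ("1.1.1.1", 443),       # DoH to Cloudflare, looks like any HTTPS session
    ("203.0.113.10", 443),  # ordinary HTTPS to a TEST-NET address
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```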
- sendintheclones, Feb 22, 2022, Initiate
No.
I would never use any resolvers from either Google or Cloudflare.
But you could broaden your perspective a bit. I use resolvers at Quad9 (9.9.9.9), based in Switzerland and operating under Swiss data protection laws like Proton, and there is a larger number of resolvers offering DoH/DoT. And true, there are a lot of things DoH/DoT does not do, for example protecting the sessions established post resolving. I use VPNs for masking my source IP, and that's fine for me and my risk model.
True, I'm not administering a larger enterprise domain, and I expect most Netgear customers aren't, in this context. Whether we can use content filters or not is not about DoH, but more about HTTPS.
Still, this was about the support for DoH/DoT and whether it is usable. I think it is, and Netgear should definitely have support for it, IMO. It works just fine from a client; it is also supported on Windows, macOS and Linux distros.
https://dnsprivacy.org/public_resolvers/
-m
- schumaku, Feb 24, 2022, Guru - Experienced User
sendintheclones wrote:
Still, this was about the support for DoH/DoT and whether it is usable. I think it is, and Netgear should definitely have support for it, IMO. It works just fine from a client; it is also supported on Windows, macOS and Linux distros.
Not everything available on an OS end-point is ready to deploy into the network infrastructure. On one hand (and I'm repeating this here), the discovery methods for DoH/DoT are not IETF-agreed yet (there is much more than just a set of IP addresses to be submitted by the ISP DHCP, resp. the DHCP server on the NAT router, to configure the clients automatically). On the other hand, there is no way to break up DoH as required for many different management reasons in a home, SMB, and enterprise network. Last, if you deploy DoH on all your systems, the usage of DNS on the router is limited to its own usage only.
To me, the typical example of a premature release is done by Apple with their mostly useless security warnings on their devices. Of course, Apple is not in the business of routers, of business networking, or end-user CPEs - so it's not their problem.... the world should make it happen. Similar garbage is this default random MAC to avoid that private or public WiFi providers are able to track their users. At the same time, the users have their mobile WWAN up looooool. Mobile network operators know your device IMEI, and it's not darned difficult to find the IMEI on air in the area. In a business network, and even in a home network, there are admins who want to stay in control; they will require their users to use the device MAC. So the feature I would like to see on a router is revoking random MAC addresses and bringing these devices into a closed network showing this requirement on a captive page.
You mentioned the Swiss data protection law. So explain to me why I should not use my Swiss ISP DNS in the plain DNS methods? There might be areas of the world where governments and the like don't care much about their citizens' privacy. So yes, I have some understanding why certain people, or people in certain areas, are keen for added privacy. But then having all Internet traffic flowing over some VPN provider ... hmmmm, if I'm calculating the bandwidth these VPN-privacy-providers would require to have the many symmetric 1G and 10G home Internet connections ... so yes, must be a fun business (or a nightmare for the tin hats). Here again, this can't be the practical solution. It seems Switzerland is not just one of the biggest exporters of coffee (considering there are not many coffee plants here, we just have Nespresso plus some more), it will become an even bigger dealer for Internet traffic. The data center density - alone in the Zurich-North area - is already exploding. A rough idea is the sum of power required: we can talk of about 200 MW power (from the grid) and again 200 MW from backup sources. It's a controversial discussion ....
- steklo5, Mar 20, 2022, Aspirant
There are multiple providers of secure DNS whose business model is enhancing your privacy and security by shielding your DNS queries from the prying eyes of your ISP, and filtering out known bad actors, for a fee. Their privacy policies clearly state that they neither log nor keep records of your queries. At the very least, using DoH or DoT prevents MITM attacks.
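The MITM point made here, and the Quad9 resolver mentioned earlier in the thread, as an added example that is not code from the thread or from NETGEAR: it builds a DNS query, frames it for DNS over TLS (RFC 7858) and parses a constructed response offline; the live `query_dot` function needs network access and assumes Quad9's 9.9.9.9 with its TLS authentication name dns.quad9.net, where certificate and hostname verification is what stops an on-path party from answering in the resolver's place.

```python
import socket
import ssl
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:  # one A question, RD set
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_dot(msg: bytes) -> bytes:  # RFC 7858: 2-byte length prefix per message on the TLS stream
    return struct.pack("!H", len(msg)) + msg

def parse_a_records(resp: bytes) -> list:  # IPv4 addresses in the answer section
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):                       # skip the echoed question
        while resp[pos]: pos += resp[pos] + 1
        pos += 5                              # root label + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        if resp[pos] & 0xC0 == 0xC0:          # owner name is a compression pointer
            pos += 2
        else:                                 # owner name is an inline label sequence
            while resp[pos]: pos += resp[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed response to build_query("example.com"): the answer's owner name is a
# pointer back to the question (0xC00C) and the address is the TEST-NET value 203.0.113.5.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5]))

def query_dot(name: str, server: str = "9.9.9.9", hostname: str = "dns.quad9.net") -> list:
    """Live DoT query (needs network). create_default_context() verifies chain and hostname, so an
    on-path party without a valid certificate for `hostname` cannot complete the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=5) as sock, \
         ctx.wrap_socket(sock, server_hostname=hostname) as tls:
        tls.sendall(frame_dot(build_query(name)))
        (length,) = struct.unpack("!H", tls.recv(2))
        body = b""
        while len(body) < length:                # TLS records may split the message
            body += tls.recv(length - len(body))
        return parse_a_records(body)
```

Running `query_dot("example.com")` against a resolver that presents a certificate for another name raises `ssl.SSLCertVerificationError` before any DNS data is exchanged, which is the property the post is describing.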