Reply

DNS DoT (TLS / HTTPS)

Jochen79
Aspirant

DNS DoT (TLS / HTTPS)

Hi Community

 

Using the SXR80 OrbiPro6 quite new and realize there is no DNS DoT available. Either via TLS or HTTPS. The NETGEAR support line is completely overwhelmed and unable, in case any issue more than just "have you restarted the router"- guidance’s, therefore the question in that forum: 

Does the SXR80 Router support any encrypted protocols like DNS over TLS or HTTPS? https://en.wikipedia.org/wiki/DNS_over_TLS
Happy to get a profound answer! If there is no support yet, maybe somebody from NETGEAR can give an outlook when this feature will be implementet? 

 

Thank you in advance,

Jochen

Model: SRK60B06|Orbi Pro Tri-Band Business WiFi System
Message 1 of 16
DaneA
NETGEAR Moderator

Re: DNS DoT (TLS / HTTPS)

Hi @Jochen79,

 

Welcome to the community! 🙂 

 

Does the SXR80 Router support any encrypted protocols like DNS over TLS or HTTPS?

The SXR80 does NOT support encrypted protocols like DNS over TLS or HTTPS.  

You may want to post this as feature request on the Ideas Exchange for Business Board here.  In this way, the development team can see what feature does Orbi Pro WiFi 6 users wanted to be added to the functionality of the product. Be reminded that the more kudos given by community members to your feature request will help as the development team will be reviewing the post that has the most kudos and might get implemented.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 16
schumaku
Guru

Re: DNS DoT (TLS / HTTPS)

@Jochen79 ,

 

Both DoT and DoH are simply not ready for prime time today. The related Discovery of Designated Resolvers draft-ietf-add-ddr-04  is still in the stars. Configuring both DoT and DoH requires much more than just an IP address, DoH for requires a template in addition to knowing the IP address of the resolver. If only the DoH template is known, the domain name from the template must first be resolved (likely over plain-text DNS) before the DoH server can be used. To avoid the potential for attack ... ROFL ... some fixed IP must be used, e.g. when you look into the experimental DoH implementation on Windows 11 today.

 

Just allowing the config of DoT or DoH alone is not sufficient. The ISPs need - to offer a reasonable replacement resp. addition to their reasonable secure (think it's just on your Internet connection link to the ISP and it's infrastructure - so the attack vector is relatively small) ISP DNS infrastructure.

 

Once these processes are ready for prime time, one the majority of ISPs are ready (before you start stating there are a hand full public providers I want to remind you that many government require the ability to restrict the access to certain domains or services), then Netgear can start implementing a recursive DNS resolver capability, handling the Internet side in DoH/DoT, in a way the Netgear support can assist customers from all around the world, and offering some relay or transition services for systems without DoT/DoH aware resolvers can make use of it.

 

This will be a longer way - not just for Netgear.

 

Regards,

-Kurt 

Message 3 of 16
Jochen79
Aspirant

Re: DNS DoT (TLS / HTTPS)

Hi Kurt 

Thank you for your great response.

I´m aware the DNS DoT topic is still not final. Even though some router manufacturer (AVM) and also some Internet provider offers encrypted DNS server addresses already. Like google, Cloudflare, etc. 

 

Even, the protocol is not final and as you said, "This will be a longer way - not just for Netgear." But, as much as I know, the existing DNS over TLS or HTTPS protocol, provides an higher standard then the regular DNS communication. The question must me asked, if it not better using the "not final" but improved DNS communication already today? 

 

Thanks for your insides!

Jochen

Message 4 of 16
schumaku
Guru

Re: DNS DoT (TLS / HTTPS)

So do your homework: What are the effective risks for you? Who should "play" with your DNS queries between your home or SOHO router and the ISP DNS?

 

The problem spans much wider. Several applications and browser makers had the "brilliant" idea to implement one or both of these protocols. Now neiter your local security software, your ISP, your DNS provider with enahnced filtering services will be able act. In reality, DoT and DoH had been already abused by malware. And several more. It's not the worlds best idea....

 

Plenty more constraints ... it's not even an end-to-end encryption for example. 

Message 5 of 16
Jochen79
Aspirant

Re: DNS DoT (TLS / HTTPS)

Hi Kurt

I don´t know who you are or what you think you are allowed to tell me; I have to do my homework! This very impolite and rude from you and not acceptable in a community. This should be the place to ask questions. If not or if that end like in that reaction of you, the purpose of the community is being questioned.  

Please consider what you are posting.

Thank you.

 

Maybe, you can answer my question? Because you just played around the topic and asked more than really answered.

Is it not better using the "not final" but improved DNS communication already today? 

Yes, thanks to Kurt´s post, DoT and DoH had been abused my malware too. But is the today existing DoT/DoH protocol equal, worst or improved in comparison to what is being used (non-encrypted, e.g. default DNS by ISP provider)?

Message 6 of 16
schumaku
Guru

Re: DNS DoT (TLS / HTTPS)

Dann erkläre mir bitte in wenigen Worten wo Du das Problem mit der aktuellen und nach wie vor weit verbreiteten (lies: normalen, aktuellen, ...) DNS-Implementation - und für die meisten ISPs - das sind jeweils die welche die jeweiligen Anschlüsse zu uns nach Hause bringen - und nicht irgendwelche Dritten.

 

Wo das Risiko real besteht, dass Deine DNA-Abfragen unterwegs verändert werden, sagen wir zum Beispiel meine.postbank.de eine die eine falsche IP-Adresse untergejubelt wird wo man versucht Deine Login-Daten zu stehlen, so ist das Problem so weit real. Nur sind die Möglichkeiten zwischen Deinem Router, den DSL- oder Fiber, den wenigen Geräten im Datenpfad zu den IP-Adresse der DNS Server Deines ISPs ziemlich überschaubar.  

 

Warum sollen wir den Aufwand betreiben und DuX zu einem Anbieter irgendwo in der Cloud zu senden, nur dass dieser sich dann bei den normalen DNS-Ressourcen anhängt, vielleicht mit DNSSEC, vielleicht aber auch ganz normales unverschlüsseltes DNS.

 

Wenn Du unbedingt etwas implementieren willst, bitte. Die Risikoabwägung musst Du für Dich selbst vornehmen - ich kann und will diese nicht übernehmen. Das Risiko, dass etwas auf Deinen Netzwerk- und Endgeräten passiert (Malware usw.) ist viel höher als dass Deine DNS-Abfragen auf der verhältnismässig kurzen Strecke zu Deinem ISP abgefangen und verändert werden.

 

Es gibt zu diesem Thema viele kontroverse Debatten. Und ja, ich führe solche Gespräche und Risikoabwägungen mit meinen Kunden (Finanz, Staat, Militär, Hersteller von Business-Geräten) immer wieder. Hier bin ich bin einzig als Netgear-Kunde, nur ein netter Mensch, der hie und da gerne hilft, oder den Lesern versucht Denkanstösse zu geben. Da gibt es nichts Unfreundliches dabei sich zu erlauben Fragen zu stellen. Müssen sich auch meine Kunden ebenso anhören.

 

Netgear hat gute Gründe warum weder DoH noch DoT auf den Routern angeboten werden. Primär geht es hier wohl im Support, und Zuverlässigkeit wie auch Einfachheit der Konfiguration für den Kunden. Und da scheitern beide DoX Varianten kläglich.

 

---- für unsere Englisch-lesenden-Freunde ---

 

Then please explain to us in a few words where you see a problem with the current and still widespread (read: normal, current, ...) DNS implementation - and for most ISPs - these are the ones which the respective connections to bring our home - and not some third party.

 

Where there is a real risk that your DNA queries will be changed on the way, let's say, for example, mein.postbank.de one that is hyped a wrong IP address where someone tries to steal your login data, the problem is so far real . But the possibilities between your router, the DSL or fiber, the few devices in the data path to the IP address of the DNS server of your ISP are fairly manageable.

 

Why should we go to the trouble of sending DuX to a provider somewhere in the cloud, only that this provider then attaches itself to the normal DNS resources, maybe with DNSSEC, but maybe also completely normal unencrypted DNS.

 

If you really want to implement something, please go ahead. You have to weigh up the risks for yourself - I cannot and will not do this. The risk that something happens on your network and end devices (malware, etc.) is much higher than that your DNS queries are intercepted and changed on the relatively short route to your ISP.

 

There are many controversial debates on the subject. And yes, I keep having such discussions and risk assessments with my customers (finance, government, military, manufacturers of business devices). I'm the only one here as a Netgear customer, just a nice person who likes to help here and there, or tries to give readers food for thought. There's nothing unfriendly about allowing yourself to ask questions. My customers have to listen to it too.

 

Netgear has good reasons why neither DoH nor DoT are offered on the routers. Primarily it's about support, reliability, as well as simplicity of configuration for the customer. And here both DoX variants fail miserably.

 

PS: And yes, I don't care much of browser makers like Mozilla have it (that's not the full truth, we have to push out policies that this s**t is relaibly disabled),  Apple or Microsoft does offer certain simple DoX resolvers (again, a lot of effort to prohibit this on business networks!).

 

Grüsse aus der Schweiz

-Kurt

 

 

Message 7 of 16
sendintheclones
Initiate

Re: DNS DoT (TLS / HTTPS)

Well, neither is WPA3, since so many devices donøt support it - yet.

 

DoH and DoT is the most privacy oriented features a router vendor can offer. I don't understand why this is not a feature yet. Both CLoudFlare, Google(!!) and quad9 supports both DoH and DoT, and it's really up to us all wether we will use it or not.

 

I don't hope Netgear has a business model where they need resolver data for resell...

 

By the why ..and while at it....why not enable HTTPS for the admin interface as the default AND update the the valid certificate.....??

 

 

Message 8 of 16
MR_Foles
Aspirant

Re: DNS DoT (TLS / HTTPS)

DoH isn't all the security it's cracked up to be, you are essentially deciding that you would rather have CloudFlare or Google sell your DNS query data instead of your ISP. Not to mention if you were to administrate an organization the DNS traffic would run on port 443 and you would have no way to implement a content filter in your organization outside of completely deciding that internally there is no access to the internet and everything would have to run through a proxy.

 

Message 9 of 16
sendintheclones
Initiate

Re: DNS DoT (TLS / HTTPS)

No.

 

I would never use any resolvers from neither Google or CloudFlare.

 

But you could broaden your perspective a bit. I use resolvers at quad9 (9.9.9.9), based in Swiss and operating under Swiss data protection laws like Protonm and there is a larger number of resolvers offering DoH/DoT. And true, there is a lot of things DoH/DOT does not do, for example protecting the sessions established post resolving. I use VPN's for masking my source IP, and that's fine for me and my risk model.

 

True I'm not administrating a larger enterprise domain, and I expect most netgear customers aren't, in this context. Wether we can use context filters or not is not about DoH, but more about https.

 

Still, this was about the support for DoH/DoT and wether is usable. I think it is, and Netgear should definitly use have support for it, IMO. It works just fine from a client, it also supported on both Windows and macOS, Linux disties.

 

https://dnsprivacy.org/public_resolvers/

 

-m

 

 

Message 10 of 16
schumaku
Guru

Re: DNS DoT (TLS / HTTPS)


@sendintheclones wrote:

Still, this was about the support for DoH/DoT and wether is usable. I think it is, and Netgear should definitly use have support for it, IMO. It works just fine from a client, it also supported on both Windows and macOS, Linux disties.

Not everything available on an OS and-point is ready to deploy into the network infrastructure. On one hand (and I'm repeating this here), the discovery methods for DoH/DoT are not IETF agreed yet (there is much more than just a set of IP addresses to be submitted by the ISP DHCP resp the DHCP server on the NAT router to configure the clients automatically). On the other hand, there is no way to break-up DoH as required for many different management reasons in a home, SMB, and enterprise network. Last, if you deploy DoH on all your systems, the usage for DNS on the router is limited to it's own usage only.

 

To me, the typical example of a pre-mature release is done by Apple with their mostly useless security warnings on their devices. Of course, Apple is not in the business of routers, of business networking, or end-user CPEs - so it's not their problem....the world should make it happen.  Similar garbage is this default random MAC to avoid that private or public WiFi providers are not able to track their users. At the same time, the users have their mobile WWAN up looooool. Mobile network operators know your device IMEI, and it's not darned difficult to find the IMEI on air in the area. In a business network, and even in a home network there are admins want to stay in control, they will require their users to use the device MAC. So the feature I would like to see on a router is revoking random MAC addresses and bring these devices into a closed network showing this requirement on a captured page.  

 

You mentioned the Swiss data protection law. So explain me why I should not use my Swiss ISP DNS in the plain DNS methods? There might be areas of the world where governments and the like don't care much about their citizen privacy. So yes, I have some understanding why certain people, or people in certain areas, are keen for added privacy. But then having all Internet traffic flowing over some VPN provider ... hmmmm, if I'm calculating the bandwidth these VPN-privacy-providers would require to have the many symmetric 1G and 10G home Internet connections ... so yes, must be a fun business (or a nightmare for the tin hats). Here again, this can't be the practical solution. Seems to be Switzerland is not just one the biggest exporter for coffee (considering there are not many coffee plants here, we just have Nespresso plus some more), and it will become an even bigger dealer for Internet traffic. The data center density - alone in the Zurich-North area - is already exploding. A rough idea is the sum of power required: We can talk of about 200 MW power (from the grid) and again 200 MW in from backup sources. It's a controversial discussion ....

Message 11 of 16
schumaku
Guru

Re: DNS DoT (TLS / HTTPS)


@sendintheclones wrote:

...why not enable HTTPS for the admin interface as the default ....??


Have your own DNS, ideally a split-DNS, a dedicated name for each of of your devices offering https? Sigh, we need the ability to generate CSRs, to import certificates and private key, for automatically maintaining the certificates (by industry standard CMP, and some popular free/open CA's like Let's Encrypt). Oh of course also for LE you need a unique DNS name for each device....

 


@sendintheclones wrote:

... AND update the the valid certificate.....??


A shared certificate, being earlier the Entrust CS signed ones Netgear had in place, with the orbilogin.blah name, or the now self-signed ones in place - both can NEVER be considered a trusted certificate.

 

Or you might have the magic idea on how to bring the (shared) private key to all these Orbi Pro devices? The moment you share the private key, your beloved privacy is gone. 

 

-Kurt (who is an engineer, so has no idea about anything, but have participated with the design and implementation of the biggest private CAs 25 years ago - long before the CA know-how became commodity)

 

 

 

 

Message 12 of 16
steklo5
Aspirant

Re: DNS DoT (TLS / HTTPS)

There are multiple providers of secure DNS whose business model is enhancing your privacy and security by shielding your DNS queries from the prying eyes of your ISP, and filtering out known bad actors, for a fee. Their privacy policies clearly state that they neither log no keep records of your queries. At the very least, using DoH or DoT, prevents MITM attacks.

Message 13 of 16
Jochen79
Aspirant

Re: DNS DoT (TLS / HTTPS)

Hi @DaneA , dear all

I started that threat some months ago with the hope of getting valued info about my initial question. It turns out more into a **bleep**-talk manly forced and driven by @schumaku

I was hoping somebody from Netgear would respond to that important topic. But, it seems Netgear is not supporting its own Community with fundamental knowledge. Especially since we are not talking about trivial questions like the color of any button within the software. This is an essential topic, and I'm pretty disappointed about the lack of commitment from Netgear. 

 

 Greetings,

Jochen

Message 14 of 16
FURRYe38
Guru

Re: DNS DoT (TLS / HTTPS)

NG does not support these DNS features on there products. I have seen these features on browsers. If you need DNS Dot, look into some browsers that may support this. 

My Setup ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode |  Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR1000, EX7500/EX7700

Message 15 of 16
schumaku
Guru

Re: DNS DoT (TLS / HTTPS)


@FURRYe38 wrote:

NG does not support these DNS features on there products. I have seen these features on browsers. If you need DNS Dot, look into some browsers that may support this. 


Recent Os Are Also come DNS resolvers supporting DoT and DoH.

 

Regardless, as of today, in absence of industry standards which go beyond of the university ideas, each system must be configured manually (or for the sake by using domain policies on an AD).

 

Neither any fancy router (nor for the sake the ISP) can provide a complete config for the current network clients. If the router does support it, it can secure it's own DNS requests. Any other DNS traffic from the local network clients are travelling under the horizon. No way for supporting a local internal DNS, no way to filter known bad domain names (by local security software, network policies, by government requirements, ....).

 

Not a single question was answered by the OP on how he would expect the hypothetical DNS implementation is expected to work. That much about "Bleep" B.S.

Message 16 of 16
Discussion stats
  • 15 replies
  • 2619 views
  • 3 kudos
  • 7 in conversation
Announcements