DNS over HTTPS (DoH) support

It would be cool if PepLink could support the new DNS over HTTPS provided by https://1.1.1.1 and other providers.

6 Likes

I would use this in my org. I’m currently using a Rube Goldberg setup to get this functionality for all of my users.

I agree that DNS over HTTPS (DoH) support would be very beneficial. Since this request was made in April 2018, RFC 8484 was created (in Oct 2018) as discussed here. Additionally, Mozilla has added DoH to Firefox, making web browsing more secure and private. Android Pie (and later) has DNS over TLS as an option for all network traffic. Thus adding the option for encrypted DNS queries is an industry trend. It would be great to see Peplink be on the forefront of this trend and offer the increased privacy and security for all network traffic that Firefox is now offering for web browsing.

4 Likes
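For readers who have not looked at RFC 8484, which the post above refers to, the following is an added example (not Peplink's code and not from anyone in this thread) showing what a DoH exchange actually carries: the same DNS wire-format message that travels over UDP port 53, either base64url-encoded in a `dns=` query parameter for GET or sent raw as an `application/dns-message` POST body. The resolver URL `https://dns.example.invalid/dns-query` and the answer message are constructed placeholders; nothing is sent over the network.

```python
import base64
import struct

# Added example, not part of the original thread. Builds an RFC 1035 query,
# shows the two RFC 8484 transport forms, and parses a constructed answer.


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS query message in wire format. RFC 8484 recommends a transaction
    ID of 0 so that identical queries produce identical, cacheable requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form (RFC 8484 section 4.1): base64url without padding in `dns=`."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(resolver_url: str, query: bytes) -> dict:
    """POST form: the raw message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": resolver_url,
        "headers": {
            "Accept": "application/dns-message",
            "Content-Type": "application/dns-message",
        },
        "body": query,
    }


def constructed_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Constructed answer for demonstration only: echoes the question and adds
    one A record whose owner name is a compression pointer to offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(octet) for octet in address.split(".")))
    return header + question + answer


def parse_a_records(message: bytes) -> list:
    """Return the IPv4 addresses in the answer section. Handles the 0xC0xx
    name-compression pointers that real resolvers emit."""
    qdcount, ancount = struct.unpack("!HH", message[4:8])

    def skip_name(pos: int) -> int:
        while True:
            length = message[pos]
            if length == 0:
                return pos + 1
            if length & 0xC0 == 0xC0:  # pointer: two bytes and the name ends
                return pos + 2
            pos += 1 + length

    offset = 12
    for _ in range(qdcount):
        offset = skip_name(offset) + 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        offset = skip_name(offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(doh_get_url("https://dns.example.invalid/dns-query", q))
    print(doh_post_request("https://dns.example.invalid/dns-query", q)["headers"])
    print(parse_a_records(constructed_response(q, "192.0.2.10")))
```

The point for a router vendor is that the DoH path is just this message inside an ordinary HTTPS request to the configured resolver URL, which is why a free-form resolver URL field (as asked for later in the thread) is enough to support any RFC 8484 provider.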

I too would like to see DoH support added to PepLink routers. Firefox will begin slow rollout of DNS-over-HTTPS by default by the end of September 2019.

2 Likes

Agreed, DoH will be a great option.

2 Likes

The Engineering team is considering the feasibility of the DoH request. I will post again when I get the news from the Engineering team.

3 Likes

A much-needed feature, yeah.

I concur, DoH support would be ideal.

Almost one year since this was requested, Dev team / (@sitloongs) How is it looking on the feature priority list?
https://www.quad9.net/faq/#Does_Quad9_implement_DNSSEC I would be very interested in Domain Name System Security Extensions and/or DNS over TLS.

It’s time for such a premium product like Peplink to have secure DNS :smiley:

2 Likes

If these are implemented, I suggest providing enable/disable check buttons. With the actual silly TTLs from Akamai, Office 365 and others, DoH can be a serious issue when flowing thru high latency & low bandwidth WAN links.

I’d like to vote for DoH, DNS over TLS (DoT) and DNSSEC support in Peplink products, too.

2 Likes

The router can easily detect old DNS by the destination port (UDP 53) and convert that into a NEW secure DNS connection that we configure. Fine. It can also detect DoT requests because they use TCP port 853.

However, I don’t see how the router can detect DoH requests that originate from client devices. Such requests use HTTPS on port 443 and look like all the other million such requests.

2 Likes

I didn’t have deep packet inspection in mind. My suggestion focuses on the router’s traffic to the preset DNS servers (configured via WAN settings) being encrypted. In my network the PL B1 router is the DNS for all clients.
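The two posts above describe the same split: a router can recognise plaintext DNS (port 53) and DoT (TCP 853) by destination port, but client-originated DoH sits on TCP 443 among all other HTTPS, and the feature actually being asked for is that the router's own upstream lookups be encrypted while LAN clients keep using the router as resolver. The following is an added example (not Peplink's code) that runs that port-based classification over constructed flow records and reports which LAN clients bypass the router resolver with plaintext DNS. The addresses and the `ROUTER_IP` value are constructed placeholders.

```python
# Added example, not from the thread. Flow records are constructed tuples of
# (protocol, source IP, destination IP, destination port), the shape a router
# or NetFlow-style export would give you.

ROUTER_IP = "192.168.1.1"  # constructed: the router acting as LAN resolver

SAMPLE_FLOWS = [
    ("udp", "192.168.1.20", ROUTER_IP, 53),       # plaintext DNS to the router: expected
    ("udp", "192.168.1.21", "8.8.8.8", 53),       # plaintext DNS straight to the outside
    ("tcp", "192.168.1.22", "9.9.9.9", 853),      # DNS over TLS: visible by port
    ("tcp", "192.168.1.23", "1.1.1.1", 443),      # may be DoH, may be a web page
    ("tcp", "192.168.1.23", "203.0.113.7", 443),  # ordinary HTTPS
    ("tcp", "192.168.1.24", "203.0.113.8", 22),   # unrelated
]


def classify(flow):
    """Port-based classification only; this is exactly what a router can see
    without TLS or HTTP inspection."""
    proto, _src, _dst, dport = flow
    if dport == 53:
        return "plaintext-dns"
    if proto == "tcp" and dport == 853:
        return "dot"
    if proto == "tcp" and dport == 443:
        return "https"  # DoH is indistinguishable from other HTTPS here
    return "other"


def summarize(flows):
    """Count flows per class, e.g. to report how much DNS is still plaintext."""
    counts = {}
    for flow in flows:
        kind = classify(flow)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def find_resolver_bypass(flows, router_ip=ROUTER_IP):
    """LAN hosts sending plaintext DNS to anything other than the router.
    These are the flows a 'redirect port 53 to the router' rule would catch."""
    return {
        src for proto, src, dst, dport in flows
        if dport == 53 and dst != router_ip
    }


def upstream_plan(flows, router_ip=ROUTER_IP):
    """Which class of traffic the router can act on, per the discussion above:
    port 53 can be captured and answered by the router, which then talks to
    its configured upstream over DoH/DoT; DoT is identifiable; DoH is not."""
    plan = {}
    for flow in flows:
        kind = classify(flow)
        if kind == "plaintext-dns":
            plan[flow] = "answer locally, resolve upstream over encrypted DNS"
        elif kind == "dot":
            plan[flow] = "identifiable by port 853; allow or block per policy"
        elif kind == "https":
            plan[flow] = "not identifiable as DNS by port alone"
        else:
            plan[flow] = "no DNS handling"
    return plan


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print("bypassing router resolver:", sorted(find_resolver_bypass(SAMPLE_FLOWS)))
    for flow, action in upstream_plan(SAMPLE_FLOWS).items():
        print(flow, "->", action)
```

The useful output for the thread's purpose is `find_resolver_bypass`: once the router's own upstream is encrypted, the remaining privacy gap on the LAN is any client that still sends port-53 queries elsewhere, and that gap is visible from flow data alone.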

Point taken, I misunderstood.

There are other routers that do offer DoH and/or DoT as an option. That said, this gets complicated when combined with a VPN and Peplink routers are VPN capable. Even more complicated with multiple WAN connections. Then too, a Peplink router can be its own DNS server, yet another issue to deal with.

And, while it’s tempting to use an ad-blocking encrypted DNS provider (such as NextDNS), the real-life problem has to do with the inevitable mistakes when it blocks something that is needed. If that happens in one browser, no big deal, but if it happens to all router clients, it is a big deal. So, doing this right is complicated.

I have not seen, first-hand, how other routers deal with these encrypted DNS issues.

2 Likes

I have very good success with my current productive installation and nextdns.io. I defined a DNS profile for every WAN of my Balance One router and rolled out profiles for all Apple devices. As they support detailed logging, incl. raw data, I could easily track problems and solve them by whitelisting.
Even my dial-in OpenVPN from external via the Balance One to our intranet works fine.
As I have a lot of SmartHome devices and the assigned VLAN is configured to use the B1 as nameserver, I’d be very happy if it could use DoH or DoT to ensure privacy and unspoofed DNS.

I too am a big fan of Nextdns. Still, any DNS blacklisting system will always need updates to the whitelist. You may be happy to do this, but not everyone will.

1 Like

This really does need to get added. Peplink is there any progress or plans to support secure DNS any time in the near future for your products?

DoH is what we plan to support in the next release. Which DoH service would you be using? It would help us to understand more.

1 Like

Great news!

That’s good to hear. To be honest with you, I have not used DoH before. I’ve been using DoT on a couple of my devices through Quad9. But I see they also support DoH.

How exactly do you plan on implementing DoH? Will there just be a list of DoH resolvers to pick from or will you be able to type in any URL for the resolver that you want? Hopefully it’s the latter.

Are there any plans on adding DoT as a secondary option and DNSSEC as well after this is added? If you’re unsure at this time or don’t wanna answer I understand. Just thought I would ask, since I know some people prefer using DoT instead.

Thank you.