Encrypted DNS
IACBOX v24.2.0 introduces encrypted DNS for guests and the upstream DNS server.
What is it?
The DNS protocol is one of the oldest internet protocols and has no built-in transport security. Requests and responses travel as unencrypted, unsigned binary messages, mostly via UDP on port 53. (DNSSEC can sign the records themselves, but it neither hides the query nor protects the transport.) Especially in public WiFi networks this is a security risk: anyone on the path can read the queries and forge or modify the responses. Even without an active attacker it is at least a privacy issue, because every passive observer learns which names a device resolves.
To mitigate these problems, new secure transports for DNS have been standardized over the last years. TLS was already an established and well-analysed transport protocol, so tunnelling DNS over TLS was a natural choice. In every variant the secure transport encrypts the DNS queries and responses to prevent eavesdropping and authenticates the resolver to prevent tampering on the path.
Types of Encrypted DNS protocols
Currently there are four different types of encrypted DNS:
1. DoT: DNS-over-TLS (RFC 7858)
2. DoQ: DNS-over-QUIC (RFC 9250)
3. DoH: DNS-over-HTTPS (RFC 8484), using HTTP/2
4. DoH3: DoH over HTTP/3 (RFC 9114), which itself runs on QUIC
1.) DoT was the first standardized encrypted DNS transport and is widely supported. It carries DNS over a TLS connection on TCP, default port 853.
2.) DoQ is a newer protocol with the same security properties as DoT, but it uses the UDP-based QUIC protocol instead of TCP, which avoids TCP head-of-line blocking between concurrent queries.
Because DoT and DoQ use a dedicated port (853 by default, although custom ports are allowed), their traffic is easy to identify, block or filter, which raised privacy concerns. This led to the idea of tunnelling DNS over HTTPS (DoH): it uses the same port as any other HTTPS traffic (443), can be proxied and routed by ordinary web infrastructure, and is therefore much harder to block or filter selectively.
3.) DoH encapsulates DNS messages in HTTPS, specifically using HTTP/2: the DNS message is sent in the body of a POST request or, base64url-encoded, in the `dns` query parameter of a GET request. If a user cares about privacy (resistance to blocking and traffic classification) rather than about transport security alone, DoH is currently the best choice.
4.) DoH3 is like DoH, but uses HTTP/3 as transport, which in turn relies on QUIC. Client and server support is still limited.
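To make the DoH encapsulation concrete, here is an added example (not code from the IACBOX or from this post) that builds the DoH request for an A query and decodes the answer as RFC 8484 specifies, using only the Python standard library and no network. The resolver URI template `https://dns.example.net/dns-query{?dns}`, the queried name and the address in the constructed response are made up.

```python
# Added example (not IACBOX code): DoH message encapsulation per RFC 8484, offline.
# Resolver URL, query name and response address below are constructed for illustration.
import base64
import ipaddress
import struct

def encode_name(name):
    """Uncompressed DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(buf, off):
    """Wire-format name with RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at 'off')."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:  # 2-byte pointer back to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def build_query(qname, qtype=1):
    """12-byte header + one question. ID 0 with RD set: RFC 8484 recommends ID 0 for DoH so
    identical queries yield identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def doh_get_url(uri_template, msg):
    """GET form (RFC 8484 sec. 4.1): base64url without padding in the 'dns' parameter."""
    enc = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return uri_template.replace("{?dns}", "?dns=" + enc)

def decode_dns_param(enc):
    """Server side of the GET form: restore the padding the client dropped, then decode."""
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))

def doh_post_request(uri_template, msg):
    """POST form: the raw DNS message is the body, typed application/dns-message."""
    return {"method": "POST", "url": uri_template.replace("{?dns}", ""),
            "headers": {"content-type": "application/dns-message", "accept": "application/dns-message"},
            "body": msg}

def parse_a_records(resp):
    """Decode a response body: returns (rcode, [IPv4 addresses of A records in the answer section])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return flags & 0x0F, ips

# Constructed sample: query for www.example.com and a response whose answer owner name is a
# compression pointer (0xC00C) back to the question name at offset 12.
DOH_TEMPLATE = "https://dns.example.net/dns-query{?dns}"
SAMPLE_QUERY = build_query("www.example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + ipaddress.IPv4Address("192.0.2.1").packed)

if __name__ == "__main__":
    print("GET ", doh_get_url(DOH_TEMPLATE, SAMPLE_QUERY))
    print("POST", doh_post_request(DOH_TEMPLATE, SAMPLE_QUERY)["headers"])
    print("answer", parse_a_records(SAMPLE_RESPONSE))
```

The GET form is what makes DoH cacheable by ordinary HTTP caches, which is also why the query ID is set to zero; a resolver that wants per-client behaviour must look at the TLS session, not at the DNS header.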
Why do I want that?
There are two main reasons why you might want to use encrypted DNS:
1. Security: the client authenticates the resolver via its TLS certificate and the connection is encrypted, so an attacker on the path (for example on the same hotspot) can no longer forge or modify responses. Note that this protects the path to the resolver only: the resolver itself must still be trustworthy, and encrypted transport is not a substitute for DNSSEC validation of the records.
2. Privacy: queries and responses are encrypted in transit, so passive observers on the network path cannot see which names a device resolves.
How does provisioning work?
1. Manual configuration
A security- or privacy-aware user can configure their device to use an encrypted DNS protocol if the resolver supports it. There are also mobile apps that do this configuration for the user.
2. Automatic configuration via DHCP
On corporate and guest networks, however, this should "just work" without any manual configuration.
RFC 9463 (Discovery of Network-designated Resolvers, DNR) defines a new DHCPv4 option, `OPTION_V4_DNR` (option code `162`), with which the DHCP server tells the client the name of the encrypted resolver (the authentication-domain-name, ADN), its IP address(es) and the supported protocols, the latter as SVCB service parameters (ALPN, port, DoH path). A client whose OS supports DNR switches to the encrypted resolver automatically and verifies the resolver's TLS certificate against the ADN. The same RFC defines `OPTION_V6_DNR` (`144`) for DHCPv6 and a Router Advertisement option for IPv6.
3. Automatic configuration via discovery
Another way of auto discovery is DDR (RFC 9462, Discovery of Designated Resolvers). The client already has an unencrypted DNS server configured (for example from plain DHCP) and queries it for the special name `_dns.resolver.arpa` with the `SVCB` resource record type. If that server knows an encrypted alternative (which may be the same machine, as on the IACBOX), it answers with one or more SVCB records naming the encrypted DNS server and its protocols (DoT, DoH, …) in the ALPN parameter. Before using it, the client opens a TLS connection and checks that the certificate is valid for the designated name and also contains the IP address of the unencrypted resolver it started from; without that check, anyone able to spoof the plaintext answer could redirect the client to a resolver of their choice.
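The DNR option and the DDR answer both carry the same SVCB service parameters, so one parser can handle both. The following is an added example, not IACBOX code: it decodes a constructed DHCPv4 option 162 payload and a constructed `_dns.resolver.arpa` SVCB answer for a hypothetical resolver `dns.example.net` at 10.0.0.1 offering DoT and DoH, and turns the result into connection targets. The TLS verification step (certificate valid for the ADN, and for the original resolver's IP in the DDR case) is deliberately left to the caller.

```python
# Added example (not IACBOX code): decode the two auto-provisioning formats for encrypted DNS.
#   DDR - SVCB answer for _dns.resolver.arpa (RFC 9462; wire format of RFC 9460)
#   DNR - DHCPv4 OPTION_V4_DNR, option 162 (RFC 9463)
# Resolver name and address below are constructed for illustration.
import ipaddress
import struct

# SvcParamKey numbers from RFC 9460 (alpn, port) and RFC 9461 (dohpath)
KEY_ALPN, KEY_PORT, KEY_DOHPATH = 1, 3, 7
DEFAULT_PORT = {"dot": 853, "doq": 853, "h2": 443, "h3": 443}
PROTO_NAME = {"dot": "DoT", "doq": "DoQ", "h2": "DoH", "h3": "DoH3"}

def encode_name(name):
    """Uncompressed DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(buf, off):
    """Inverse of encode_name; compression pointers are rejected (SVCB targets and DNR ADNs are never compressed)."""
    labels = []
    while True:
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compressed name not allowed here")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def encode_svcparams(alpn, port=None, dohpath=None):
    """SvcParams wire format: key(2) | length(2) | value, keys in strictly ascending order."""
    v = b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn)
    out = struct.pack("!HH", KEY_ALPN, len(v)) + v
    if port is not None:
        out += struct.pack("!HHH", KEY_PORT, 2, port)
    if dohpath is not None:
        v = dohpath.encode("utf-8")
        out += struct.pack("!HH", KEY_DOHPATH, len(v)) + v
    return out

def decode_svcparams(buf):
    params, off, last_key = {}, 0, -1
    while off < len(buf):
        key, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if key <= last_key:  # RFC 9460 sec. 2.2: ascending keys, no duplicates
            raise ValueError("SvcParams keys must be strictly ascending")
        last_key, val, off = key, buf[off:off + length], off + length
        if len(val) != length:
            raise ValueError("truncated SvcParam")
        if key == KEY_ALPN:
            alpns, p = [], 0
            while p < len(val):
                n = val[p]
                alpns.append(val[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            params["alpn"] = alpns
        elif key == KEY_PORT:
            params["port"] = struct.unpack("!H", val)[0]
        elif key == KEY_DOHPATH:
            params["dohpath"] = val.decode("utf-8")
        else:
            params[key] = val  # unknown keys are kept rather than rejected
    return params

def parse_ddr_svcb(rdata):
    """SVCB RDATA: SvcPriority(2) | TargetName | SvcParams. Priority 0 (AliasMode) designates nothing."""
    prio = struct.unpack_from("!H", rdata, 0)[0]
    if prio == 0:
        raise ValueError("AliasMode record cannot designate a resolver")
    adn, off = decode_name(rdata, 2)
    return {"priority": prio, "adn": adn, **decode_svcparams(rdata[off:])}

def parse_dnr_option162(payload):
    """OPTION_V4_DNR payload: one or more instances of
    Instance Length(2) | SvcPriority(2) | ADN Length(1) | ADN | Addr Length(1) | IPv4 addrs | SvcParams"""
    instances, off = [], 0
    while off < len(payload):
        inst_len = struct.unpack_from("!H", payload, off)[0]
        inst, off = payload[off + 2:off + 2 + inst_len], off + 2 + inst_len
        prio, adn_len = struct.unpack_from("!HB", inst, 0)
        adn, _ = decode_name(inst, 3)
        p = 3 + adn_len
        addr_len, p = inst[p], p + 1
        addrs = [str(ipaddress.IPv4Address(inst[i:i + 4])) for i in range(p, p + addr_len, 4)]
        instances.append({"priority": prio, "adn": adn, "addrs": addrs, **decode_svcparams(inst[p + addr_len:])})
    return sorted(instances, key=lambda i: i["priority"])  # lower SvcPriority is preferred

def endpoints(entry):
    """Map one DDR/DNR entry to connection targets. DoH without dohpath is skipped (RFC 9461 requires it).
    The caller must still verify the TLS certificate against the ADN before sending queries."""
    out = []
    for alpn in entry.get("alpn", []):
        port = entry.get("port", DEFAULT_PORT.get(alpn))
        if alpn in ("h2", "h3"):
            if "dohpath" not in entry:
                continue
            out.append((PROTO_NAME[alpn], f"https://{entry['adn']}:{port}" + entry["dohpath"].replace("{?dns}", "")))
        elif alpn in ("dot", "doq"):
            out.append((PROTO_NAME[alpn], f"{entry['adn']}:{port}"))
    return out

# Constructed sample: hypothetical resolver dns.example.net at 10.0.0.1 offering DoT and DoH
SAMPLE_PARAMS = encode_svcparams(alpn=["dot", "h2"], dohpath="/dns-query{?dns}")
SAMPLE_DDR_RDATA = struct.pack("!H", 1) + encode_name("dns.example.net") + SAMPLE_PARAMS
_adn, _addr = encode_name("dns.example.net"), ipaddress.IPv4Address("10.0.0.1").packed
_inst = struct.pack("!H", 1) + bytes([len(_adn)]) + _adn + bytes([len(_addr)]) + _addr + SAMPLE_PARAMS
SAMPLE_DNR_OPTION = struct.pack("!H", len(_inst)) + _inst

if __name__ == "__main__":
    print("DDR:", endpoints(parse_ddr_svcb(SAMPLE_DDR_RDATA)))
    print("DNR:", [endpoints(e) for e in parse_dnr_option162(SAMPLE_DNR_OPTION)])
```

Both paths end in the same place: a list of (protocol, target) pairs that the client may only use after the TLS handshake has confirmed the certificate matches the ADN. A client that skips that check gains encryption but not authentication, which is exactly the property that distinguishes the secure from the merely private deployment.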
Encrypted DNS on the IACBOX
Since version 24.2.0, the IACBOX supports encrypted DNS protocols on both sides:
– on the guest network side (Surf-LAN), DoT and DoH are supported;
– on the WAN/uplink side (Office-LAN), DoT is supported.
Guest network side
On the guest network side, DoT and DoH are enabled by default.
The IACBOX also supports both ways of auto provisioning: the DHCP option 162 (DNR) as well as DDR, the auto discovery of encrypted DNS servers via a DNS query for `_dns.resolver.arpa` (iOS devices do this frequently).
The settings can be found in WebAdmin under Network -> Surf-LAN DNS. Here you can enable or disable DoT and DoH for the Surf-LAN.

WAN/uplink side
Visit the WebAdmin menu under Network -> Settings to enter an upstream DNS server that supports DoT, or choose one of our predefined DNS servers.

As always stay up to date and secure with your IACBOX!