0

DNS over TLS, HTTPS verification

I'm trying to verify whether DNS over TLS and DNS over HTTPS is working in my browser on my laptop, on my phone and on my router. I have an ASUS router that I installed the latest Merlin firmware on it and setup DNS over TLS as instructed and when I use the Cloudflare Encrypted SNI test, It tells me that Secure DNS is not setup. I have tried several browsers on my laptop and get the same message. I also get the same message on my phone, when I have the Private DNS setting enabled. I have tried using the NextDNS mobile app and also get the same message. When I check the my.nextdns.io website, I get the "All good" message, but no indication of whether secure DNS is being used.

Any help with this is appreciated.

11 replies

null
    • losnad
    • 2 yrs ago
    • Reported - view

    https://test.nextdns.io looks at what "protocol" it says. If it says DoH or DoT you are fine.

    Look at the difference between encrypted DoH or DoT and unencrypted in details in Logs.

      • colbycc1100
      • 2 yrs ago
      • Reported - view

      losnad Thanks for the info. I didn't know I could check it on that page. It looks to be working as intended after all. I appreciate the help.

    • Angelo_Restrepo
    • 1 yr ago
    • Reported - view

    When I look at the logs I see DNS over TLS locked on. When I click on the link it gives me status,"ok". Protocol, "DOT", but the last comment shows,"unknown_dot" so I am not sure if it works. 

    https://test.nextdns.io

    When I do the https://tenta.com/test it says that TLS is not enabled. Any suggestions?

      • R_P_M
      • 1 yr ago
      • Reported - view

      Angelo Restrepo If you are getting "ok" & "DOT" on test.nextdns.io then there's no problems.

      "unknown dot" just means that the software you are using isn't specifically identified by NextDNS and you can safely ignore it for testing purposes.

      • Angelo_Restrepo
      • 1 yr ago
      • Reported - view

      R P M I believe I know now why tents.com/test doesn't work is because it's a different provider correct?

      • R_P_M
      • 1 yr ago
      • Reported - view

      Angelo Restrepo Well yes they are a different provider but as to how they get their TLS enabled status results is not clear. It maybe is simply probing the DNS IP addresses for TLS connections but not finding anything because it’s under NextDNS’s name. 
      Either way, the results can not be counted on. 

      • Angelo_Restrepo
      • 1 yr ago
      • Reported - view

      R P M Last question, on my setup I have nextdns on port 853 and I can see under sensei (Zenarmor) The traffic and see encrypted. Sensei uses port 443 which is Dns over HTTPS and I can see blocks in there from them. Should I be in any way concern that I have both DOH and DOT enabled on opnsense as I can see I have a pretty decent protection buffer while not loosing much speed in the process. 

      • R_P_M
      • 1 yr ago
      • Reported - view

      Angelo Restrepo DoH does use port 443 but it’s not the only thing. All secure web traffic uses port 443, so it could be anything with https. 
      If you have not specifically set up DoH on the router then it is unlikely to be active. 

      • Angelo_Restrepo
      • 1 yr ago
      • Reported - view

      R P M sensei an application in opnsense does this automatically for what I can see. I also see nextdns logs and see that it noticed both their 443 traffic and Nextdns traffic as encrypted. When I turn off nextdns I get Ad blocks along with other threats that come around. I wanted a dual process that would provide max protection without much load/speed loss. The AI threat management is that sort of a zero day protection like you can get from Snort? If that's the case then I would say I overprotected on the network side so my antivirus on my laptops Bitdefender shouldn't see much action. 

      • Angelo_Restrepo
      • 1 yr ago
      • Reported - view

      Angelo Restrepo they might not be doing DNS over https they do however manage filtering of ads, malware and other options. When I look at the log of block items by them I see them on port 443 which made me think that it's related to DNS over https. I've emailed them for clarification, but either way looks like a have some serious protection going on including privacy. Just paid for the annual cost. I was looking into ControlD, but tested a little they appear to be less organized although they do have some interesting Spoof options, but did not see any AI Threat management which I been looking online to see what that actually means in Nextdns. Thanks for your replies. Your replies are the key reasons why I bought the service.

      • Angelo_Restrepo
      • 1 yr ago
      • Reported - view

      R P M Thanks no DOT nor DOH from sensei, but they do filtering so the combination of Nextdns gives me the protection that even some small businesses probably don't have. 

Content aside

  • 1 yr agoLast active
  • 11Replies
  • 2332Views
  • 3 Following