DNS over HTTP on Asus Merlin


Authority

Senior Member
I am using DoH on my RT-AC68 with NextDNS and it works GREAT. I was wondering when it will be natively supported?
 

SomeWhereOverTheRainBow

Very Senior Member
I would not hold my breath. RMerlin has often opined that he dislikes DoH because it masks DNS behind normal HTTPS traffic, making network management more difficult. I'm not expecting him to encourage its adoption in any way.
Besides, he would easily argue that he has implemented DoT, which provides adequate DNS "protection & security" to the end user. If users want true privacy, use Unbound.
 

Authority

Senior Member
> I would not hold my breath. RMerlin has often opined that he dislikes DoH because it masks DNS behind normal HTTPS traffic, making network management more difficult. I'm not expecting him to encourage its adoption in any way.
So NextDNS is the only way for now? I would have thought RMerlin would want to support user choice. Thanks for the reply!
 

SomeWhereOverTheRainBow

Very Senior Member
> Why does it seem the whole world (Google, Microsoft, Apple, Firefox, etc.) is going DoH vs. DoT?
Well, from a privacy standpoint, there is no real privacy since you are still sharing your information with whatever server you are using. In this respect, someone knows something. DoH vs. DoT is not really an issue in my opinion. One offers DNS security with a false hope of DNS traffic being hidden, while the other offers the same level of security with no false hope of DNS traffic being hidden, since it is managed using an exclusive port.
 

RMerlin

Asuswrt-Merlin dev
> So NextDNS is the only way for now? I would have thought RMerlin would want to support user choice. Thanks for the reply!
Ask the stubby developers to implement DoH then. All existing DoH solutions at this time are massive bloatware, stubby+dnsmasq was the solution decided upon. I don't want to add an extra 4-5 MB of code to the firmware images to support different types of DNS solutions. Stubby is nice because it's a native C solution, so it's very lean.
 

Authority

Senior Member
> Well, from a privacy standpoint, there is no real privacy since you are still sharing your information with whatever server you are using. In this respect, someone knows something. DoH vs. DoT is not really an issue in my opinion. One offers DNS security with a false hope of DNS traffic being hidden, while the other offers the same level of security with no false hope of DNS traffic being hidden, since it is managed using an exclusive port.
I don't think it's a "false hope of being hidden". DoH is TCP traffic and just looks like all other HTTPS traffic, so it can't be blocked by port like DoT, making it easier to implement and troubleshoot... you never have to wonder if your HTTPS is being blocked, right?
 
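To make the port argument in this exchange concrete, here is an added example (not code from the thread, from Asuswrt-Merlin or from stubby) that builds one DNS query and wraps it the way DoT (RFC 7858) and DoH (RFC 8484) each carry it on the wire. The resolver name dns.example and the /dns-query path are assumed placeholders.

```python
import base64
import struct

# Constructed example: one A query for example.com. DoT and DoH both carry
# this exact message; only the transport framing and the port differ.

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS wire-format query (RFC 1035) with the RD flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # qclass IN

def dot_frame(msg):
    """DoT: DNS-over-TCP framing (2-byte length prefix) inside TLS to port 853."""
    return 853, struct.pack(">H", len(msg)) + msg

def doh_get(msg, host="dns.example", path="/dns-query"):
    """DoH: the same message, base64url without padding, as an HTTPS GET to port 443."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode()
    req = (f"GET {path}?dns={b64} HTTP/1.1\r\nHost: {host}\r\n"
           "Accept: application/dns-message\r\n\r\n")
    return 443, req.encode()

def doh_post(msg, host="dns.example", path="/dns-query"):
    """DoH: the same message as a raw HTTP body, Content-Type application/dns-message."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return 443, head.encode() + msg

def unwrap_doh_get(request):
    """Recover the DNS message from a DoH GET request line (re-adding base64 padding)."""
    target = request.split(b"\r\n", 1)[0].decode().split(" ")[1]
    b64 = target.split("dns=", 1)[1].split("&", 1)[0]
    b64 += "=" * (-len(b64) % 4)
    return base64.urlsafe_b64decode(b64)

def visible_by_port(port):
    """What a port-only filter on the router can tell about a TCP flow."""
    return {53: "plain DNS", 853: "DoT"}.get(port, "indistinguishable from HTTPS")

if __name__ == "__main__":
    q = build_query("example.com")
    for port, payload in (dot_frame(q), doh_get(q), doh_post(q)):
        print(port, visible_by_port(port), len(payload), "bytes")
```

A port-based rule catches the 853 flow but sees the 443 flows as ordinary HTTPS, which is the whole of the "exclusive port" distinction being argued above.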

SomeWhereOverTheRainBow

Very Senior Member
> I don't think it's a "false hope of being hidden". DoH is TCP traffic and just looks like all other HTTPS traffic, so it can't be blocked by port like DoT, making it easier to implement and troubleshoot... you never have to wonder if your HTTPS is being blocked, right?
Just because HTTPS cannot be blocked doesn't mean there isn't imminent risk or danger lurking hidden inside all that HTTPS traffic, waiting for your traffic.
 

Authority

Senior Member
> What I mean is, DoT encrypts your traffic exclusively inside a tunnel, downright encrypting the DNS traffic itself, while DoH only tries to mask your traffic inside HTTPS traffic where other risks or vulnerabilities may lie waiting.
But "other risk or vulnerabilities may lie waiting" whether or not you're using DoH.
 

Authority

Senior Member
> The argument is the risk for that is greater while you are using DoH, since your DNS traffic is not exclusively encrypted. While the risk for using DoT is that your port may get blocked.
Sorry, I am still not following. Are you saying that there's a risk inherent in DoH because it's not "exclusively encrypted"? What is the risk? Do you have a source for this?
 

SomeWhereOverTheRainBow

Very Senior Member
The risk is that while your traffic is masked with all the other HTTPS traffic, it is still not exclusively encrypted between you and the server you are using. Yes, HTTPS traffic has encryption, but the DNS within is not encrypted from the rest of the traffic. These are just facts.
 
