Reaching out to anyone who configured their DNS transport protocol. If you intentionally configured your home router's or your devices' DNS service, what did you pick, and why?

Please retoot for reach.

#DNS #Survey #AskMastodon #AskFedi #AskInfosec #DoT #DoH #DoQ #TLS #QUIC #TCP #UDP #HTTPS

DNS-over-UDP: 38.1%
DNS-over-TCP: 4.8%
DoT: 19%
DoH: 33.3%
DoQ: 4.8%
Poll ended at .
@resingm DoT simply seems the logical evolution 🤷‍♂️
@M33 - No downside? Increased latency for instance?
@resingm anything more than a quick UDP request/reply will add delay.

DoT avoids protocol stacking at least.
@M33 - I understand that. My question was, what your experience is. Did you not experience increased latency for instance?
@resingm sorry, maybe I wasn't clear about that: no noticeable latency increase, no user complaints

@resingm DNS chooses when it talks over UDP and TCP. Default is UDP, but when the query size gets larger than 512 bytes (as per RFC) it goes to TCP. Cases for TCP include IPv6 queries and IPSec packets.

And I have never seen a router that supports DoT/DoH/DoQ.

@Ichinin - That is not really correct. a), you can still enforce DNS over TCP if you want. b), DNS over TCP is enforced when you hit rate-limits. Also many infosec folks run their own stub resolver in their network (so do I). It is trivial to configure it to use DoT for instance.

Additionally, some router software certainly supports other means than just Do53. A modern FritzBox also supports DoT out of the box, but is not enabled by default.
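The two posts above both come down to the same mechanism: a DNS server that cannot (size limit) or will not (rate limiting) answer in full over UDP sets the TC bit, and the client is expected to retry the same query over TCP, where each message carries a 2-byte length prefix (the same framing DoT uses inside TLS). The following is an added example, not code from the thread, that builds a query, inspects a reply's TC flag and decides which transport to use next; the two replies it checks are constructed inline, not captured traffic, and `pick_transport` is a name chosen here for illustration.

```python
import struct

# Transaction id used for the constructed sample messages below.
SAMPLE_ID = 0x1234


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = SAMPLE_ID) -> bytes:
    """Standard query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; TC (flags bit 0x0200) is what drives fallback."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes, expected_id: int) -> bool:
    """Retry over TCP only when the reply matches our id, is a response, and TC=1."""
    h = parse_header(udp_response)
    return h["id"] == expected_id and h["qr"] and h["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """TCP and DoT carry each message behind a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def pick_transport(query: bytes, udp_response: bytes) -> str:
    """Return 'udp' if the UDP reply is usable as-is, 'tcp' if it was truncated."""
    return "tcp" if needs_tcp_retry(udp_response, parse_header(query)["id"]) else "udp"


# Constructed sample messages (not captured traffic).
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
# flags 0x8380 = QR|TC|RD|RA, rcode 0: the server is telling us to come back over TCP.
TRUNCATED_REPLY = struct.pack("!HHHHHH", SAMPLE_ID, 0x8380, 1, 0, 0, 0) + QUESTION
# flags 0x8180 = QR|RD|RA with one A record (name pointer 0xC00C -> offset 12).
ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
FULL_REPLY = struct.pack("!HHHHHH", SAMPLE_ID, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER_RR

if __name__ == "__main__":
    print("truncated reply ->", pick_transport(QUERY, TRUNCATED_REPLY))
    print("full reply      ->", pick_transport(QUERY, FULL_REPLY))
    print("TCP length prefix ->", frame_for_tcp(QUERY)[:2].hex())
```

The id check in `needs_tcp_retry` matters: a resolver that switches transports on any TC=1 packet, regardless of whether it matches an outstanding query, can be steered by spoofed replies, so the match on transaction id and QR is part of the fallback logic rather than an afterthought.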

@resingm you can't enforce it if the configuration for settings does not support it, and most people use their router with the standard software. Most people meaning most people, not just CS people.
@Ichinin - Yes, and I addressed people who intentionally configured their DNS services. As the first sentence in the post says.

@resingm It still can't be done on commercial hardware/software as it doesn't support your edge case. All you get is "enter DNS server in this field" and nothing more, unless you install something that lets you do that on your router.

And with that I block you because you don't seem to grasp the concept of configuring DNS on standard hardware - and I question if you have ever seen a configuration screen on a router or operating system.

@resingm how to vote for more than one of the above?
@niallor - I disabled that option. In such a case, I am mostly interested in the setup of your home router/home network. Not interested if the browser e.g. uses DoH, as Chrome & Firefox started to enforce a while back.
@resingm I'll mark UDP so, although I expect TCP is available too.

@resingm DoQ because it gets through the firewalls I work with the most frequently while having better performance than DoH.

DoT is out for me because only certain ports are allowed here and standard TCP/UDP DNS gets hijacked, so there is no point in you having configured your own DNS service.

@resingm DNS over HTTPS gets more votes than cleartext? Seriously? 😳

@M33 - I am similarly surprised that DoH is almost as popular as Do53. I can imagine that many simply took Firefox's and Chrome's advancements on enabling DoH in the browser as a chance to increase their DNS resiliency with very little effort.

Not too representative for home networks, though. Nevertheless, we mainly have responses from folks in the more tech-savvy spheres.