Do I need to open port 853 for Quad9 TLS?

Discussion in 'other software & services' started by laruru, Jul 6, 2018.

  1. laruru

    laruru Registered Member

    Joined:
    Jun 16, 2018
    Posts:
    25
    Location:
    europe
    Silly question, but I can't find an answer online - do I need to open port 853 for Quad9 TLS?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Appears port 853 is the default for DNS:
    https://www.quad9.net/faq/
     
  3. laruru

    laruru Registered Member

    Joined:
    Jun 16, 2018
    Posts:
    25
    Location:
    europe
    I have heard that port 53 is normal for DNS queries; I do wonder whether I need to force-open 853 for DNS over TLS with Quad9.

    Also, should I set Quad9 DNS manually for each computer, manually on the router, or manually for each computer and on the router? Would using a different DNS on the router and a different DNS set on the computer matter?
     
    Last edited: Jul 6, 2018
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    Not inbound, but just setting up Quad9 as DNS will not make it work via TLS; you still need software for it, like simplednscrypt, otherwise it will just run via port 53 as any other DNS.
     
  5. laruru

    laruru Registered Member

    Joined:
    Jun 16, 2018
    Posts:
    25
    Location:
    europe
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    Firefox Nightly is currently the only software I know capable of DoH (DNS over HTTPS), but I was not able to get it working. You could try it for testing.
    Code:
    https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
    Bad example, sorry, I just meant that DoH does not work simply by entering DNS servers. Quad9 merely supports DoH, but you need to find software capable of using it.
    Like my browser supports dnscrypt (UDP only), so I am using SecureDNS via UDP port 5353, but the rest of the system is using normal DNS over 53, like Quad9 for example.
     


  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,940
    For what? Browser? Windows?
    Where? Firewall? Router?

    We need the details, otherwise this ends up in a questionnaire.

    DNS over HTTPS in Firefox is not recommended. Firefox also has its own DNS cache.

    Anyhow, for running DNS requests, the servers should be filled into the router's form for outbound DNS servers, not in Windows.
    That makes the original question futile because a router has no port limitation.
     
  8. laruru

    laruru Registered Member

    Joined:
    Jun 16, 2018
    Posts:
    25
    Location:
    europe
    Currently I have one computer with Windows set to use Quad9 DNS; it's set in System>Networking for both IPv4 and IPv6. Browser and router are using default values. I have read on the Quad9 website that their "DNS over TLS" requires port 853 open. I don't know if it defaults to this, because from my understanding the normal DNS port for Windows is 53. So I want to know whether I should:

    1. Also set Quad9 DNS in the router, or will the Windows setting take priority (it worked like that for me usually).

    2. Open port 853 for Quad9 "DNS over TLS" on my Windows Firewall (global system port).

    3. For the browser: currently I have my browser in the Firewall allowed application list, so I wonder whether that also means that if it needs port 853 it will open it for the browser session.
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    As clearly stated on the dnscrypt-proxy GitHub site, only DNSCrypt and DNS-over-HTTPS are supported - and not DNS-over-TLS (which makes sense because - as jedisct1 himself says in that issue - DoH has benefits over DoT and is therefore the most promising protocol to be used in the coming years). There is a list of servers that support DNSCrypt and DoH. I suggest that your dnscrypt-proxy.toml file contains:

    Code:
    # Use servers implementing the DNSCrypt protocol
    dnscrypt_servers = true
    
    # Use servers implementing the DNS-over-HTTPS protocol
    doh_servers = true
    You might enable more switches:
    Code:
    ## Require servers defined by remote sources to satisfy specific properties
    
    # Server must support DNS security extensions (DNSSEC)
    require_dnssec = true
    
    # Server must not log user queries (declarative)
    require_nolog = true
    
    # Server must not enforce its own blacklist (for parental control, ads blocking...)
    require_nofilter = true
    For load balancing 'p2' is probably the best option:
    Code:
    ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
    
    lb_strategy = 'p2'
    More details here.
     
  10. laruru

    laruru Registered Member

    Joined:
    Jun 16, 2018
    Posts:
    25
    Location:
    europe
    That's okay, I do use dnscrypt-proxy on one of my computers but I am wondering about Quad9 "DNS over TLS" specifically here.
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    As mentioned, you cannot use it with dnscrypt-proxy (it's only used as a non-encrypted fallback resolver). But perhaps Quad9 will support DoH before long?

    Regarding opening port 853: I had used it with unbound on Fedora Linux and it was not necessary to specifically open that port. I guess it's not different on Windows.
     
  12. laruru

    laruru Registered Member

    Joined:
    Jun 16, 2018
    Posts:
    25
    Location:
    europe
    Strange, I have checked the firewall logs and they show that 9.9.9.9 and 149.112.112.112 are trying to connect to my computer on a variety of ports. Those are Quad9 DNS services. Is this normal? Is there any way of verifying that Quad9 "DNS over TLS" is working properly on my computer?
     
    Last edited: Jul 7, 2018
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,940
    go figure and read some network basics...
     
  14. laruru

    laruru Registered Member

    Joined:
    Jun 16, 2018
    Posts:
    25
    Location:
    europe
    I'm not sure how this is an answer, as all those requests are blocked but everything works fine. I am talking about hundreds of connections.
     
  15. Be_Ta

    Be_Ta Registered Member

    Joined:
    Jan 15, 2019
    Posts:
    49
    Location:
    Earth
    As already stated, you CAN'T use DNS OVER TLS (DoT) with dnscrypt-proxy.
    You would have to use Stubby, for example; it can do DNS over TLS.

    I myself use Stubby with DoT and DNSSEC validation ON.

    But I'm using the unicast.uncensoreddns.org server for it instead of Quad9.


    There are good tutorials to get it running:
    https://chefkochblog.wordpress.com/2018/01/13/working-with-stubby-under-windows/

    To see if what you are doing is working in the end, you should use Wireshark; that will tell you if everything is in order.

    Here's an example of my Wireshark in which you can see that my DNS requests are over TLS 1.2 and are fully encrypted.

    Screen:
    https://i.imgur.com/tzYDCGj.png

    I tested DNSCrypt before, but wasn't pleased with it; also DoT is more secure than DoH, so I ended up with Stubby and I'm happy.. it works like it should..

    cheers

    EDIT:

    I did not have to open my port on the router for this to work.
     
    Last edited: Apr 29, 2019
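laruru asked above how to verify that Quad9 "DNS over TLS" is actually in use, and Be_Ta pointed at Wireshark. As an added example, not code from this thread nor from Quad9, Stubby or dnscrypt-proxy, the Python script below makes one DNS-over-TLS query by hand: it builds a DNS question, adds the 2-byte length prefix that DNS over TCP (and therefore DoT, RFC 7858) uses, sends it over a certificate-verified TLS connection to TCP port 853 and parses the answer. The resolver address 9.9.9.9 comes from the thread; the TLS server name dns.quad9.net is Quad9's published one and, like the function names, is an assumption of this example. Because the client opens the connection, the only host-firewall rule involved is an outbound allow on 853; nothing has to listen inbound.

```python
"""Minimal DNS-over-TLS (RFC 7858) client for checking that a resolver
answers on TCP port 853. Added example for this thread; assumes Quad9's
address 9.9.9.9 and TLS server name dns.quad9.net. Standard library only."""

import random
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=None):
    """Build a DNS query (RFC 1035 header + one question).
    qtype 1 = A, 28 = AAAA. Returns (txid, wire bytes)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100 = recursion desired; 0x0020 = AD bit, asking the
    # resolver to report whether it DNSSEC-validated the answer
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    return txid, header + question


def frame_tcp(message):
    """DNS over TCP (and hence over TLS) prefixes each message with its
    2-byte big-endian length (RFC 1035 section 4.2.2); UDP on port 53 does not."""
    return struct.pack("!H", len(message)) + message


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(message, expected_txid):
    """Parse a DNS response into rcode, AD flag and the A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    result = {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": []}
    offset = 12
    for _ in range(qd):
        offset = skip_name(message, offset) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        offset = skip_name(message, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            result["answers"].append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlength == 16:
            result["answers"].append(socket.inet_ntop(socket.AF_INET6, rdata))
    return result


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def dot_query(name, server="9.9.9.9", server_name="dns.quad9.net", port=853, timeout=5):
    """Resolve `name` over DNS-over-TLS; returns (tls_version, parsed answer).
    The client initiates the TCP connection outbound to port 853."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate and name
    txid, query = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            response = recv_exact(tls, length)
            return tls.version(), parse_response(response, txid)


if __name__ == "__main__":
    version, answer = dot_query("example.com")
    print(version, answer)
```

Run as a script, it prints the negotiated TLS version and the parsed answer; the `ad` value reports whether the resolver set the Authenticated Data bit, i.e. whether it DNSSEC-validated the response. A timeout or refused connection means outbound TCP 853 is blocked somewhere between the host and the resolver. Capturing the run in Wireshark at the same time shows only a TLS session on 853 for that query and no cleartext on 53, because the script connects to the resolver by IP and never touches the system resolver.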