Skip to main content

How can we help you?

Search

help Knowledge Base
forum Community
checklist Release Notes
event Events

Avoid filtering interruptions by encrypting DNS (DoT)

Minetta Gould
  • Updated

    In this article

DNSFilter supports DNS-over-TLS (DoT) in our Roaming Clients and DNS Relay, allowing for encryption and privacy of DNS traffic.  

Enabling DoT has shown to fix issues related to:

  • Roaming Clients or Relays intermittently going offline
  • When Roaming Clients or Relays are installed, no websites resolve or open
  • Filtering Policies fail to block or allow websites as expected

Once enabled, DoT sends the original client requests through a secure TLS channel on port 853 instead of the common port 53 used for unencrypted DNS communication. This prevents attackers from seeing or manipulating information about the DNS request, and creates a constant connection between DNSFilter and the device.

In the event of a failover or communication issue, the Roaming Client will resort to resolving using port 53 UDP or TCP.

The DNSFilter DNS-over-TLS hostnames are:

  • dns1.dnsfilter.com
  • dns2.dnsfilter.com

Implementation details

These featured are supported by this implementation:

  • TLS Versions 1.3
  • RFC-7828
  • TCP_FastOpen
  • TCP_FalseStart

Windows Roaming Client

  1. Install the Windows Roaming Client
  2. Create a registry key value to set tcp-tls as the preferred connection method 
    • reg add "HKLM\Software\DNSFilter\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f
    • reg add "HKLM\Software\DNSAgent\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f
  3. Restart the Roaming Client to apply these settings

macOS Roaming Client

  1. Open the daemon.conf file
  2. Enter this command: 
    • sudo nano /Library/Application\ Support/DNSFilter\ Agent/daemon.conf
    • sudo nano /Library/Application\ Support/DNS\ Agent/daemon.conf
  3. Set the upstream_order (snippet below) at the top of the config file
    # Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "udp", "tcp" ]
    #
  4. Restart the Roaming Client:

    • Stop command:

      sudo launchctl unload /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist

      Start command:

      sudo launchctl load -w /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist

    • Stop command:

      sudo launchctl unload /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist

      Start command:

      sudo launchctl load -w /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist

iOS Roaming Client

With iOS agent version 1.0.8 and higher, DoT is enabled by default, no longer requiring the end-user to configure manually.

Manually update all devices

Follow these steps for any older versions or to change this option. This enables/disables DoT on all devices that use the dnsfilter.mobileconfig file.

  1. Open the dnsfilter.mobileconfig file
  2. Set the dns_over_tls_enabled key in the <dict> section:
    <key>dns_over_tls_enabled</key>
<true/>
  3. Restart the agents to apply these changes

Manually update a single device

To disable DoT on a single device, open the Roaming Client app Settings and select/unselect Enable DNS over TLS. Restart the agent to apply the change.

DNS Relay

Set the upstream_order (snippet below) at the top of the relay.conf file. If making this update after deployment, restart the Relay to apply the change. 

# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "udp", "tcp" ]
#

Single-line settings / parameters (such as upstream_order) must be placed before the [xyz] TOML Tables—it cannot be placed at the bottom of the file or it will automatically become part of the last TOML Table.

Forwarder/Stub support

A typical setup for DNS-over-TLS is to configure a LAN DNS Server to act as a forwarder, wrapping LAN queries into secure packets.

Below are some example software configurations.

Knot Resolver

Specific instructions for Knot Resolver will depend on the local configuration and operating system. See Knot Resolver’s documentation for specific instruction. This blog post might also be helpful.

To implement TLS forwarding, in the policy modules section, we use policy.TLS_FORWARD:

✍️ The target of ca_file= may not be needed or may differ.

modules = { 'policy' }
policy.TLS_FORWARD({
{'103.247.36.36', hostname='dns1.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'}
{'103.247.37.37', hostname='dns2.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'} })
#This signifies the end of the { 'policy' } section

Stubby + Unbound

A dual-Docker solution, where Unbound is used as a DNS-caching forwarder, and Stubby is used as a DNS-over-TLS transport server between Unbound and DNSFilter. This combines the caching powers of Unbound with the high-performing DNS-over-TLS implantation that Stubby provides.

Link to the GitHub Project.

Stubby (Standalone)

In the upstream_recursive_servers: section of stubby.yaml:

upstream_recursive_servers:
- address_data: 103.247.36.36
tls_auth_name: "dns1.dnsfilter.com"
- address_data: 103.247.37.37
tls_auth_name: "dns2.dnsfilter.com"

Unbound (Standalone)

The default DNS forwarder in the open-source firewalls IPFire and pfSense.

Performance Warning

DNS-over-TLS performance in Unbound is relatively poor. About 8–10 queries per second is our suggested maximum, so only low-traffic networks are suggested. Consider using Knot Resolver or the Stubby + Unbound Docker solution.

In the unbound.conf file, ensure the following is set in the server: section. DNSFilter must be the only two forwarder addresses configured.

ssl-upstream: yes
name: "."
forward-addr: 103.247.36.36@853
forward-addr: 103.247.37.37@853
Was this article helpful?
4 out of 11 found this helpful
Return to top

Comments

0 comments

Please sign in to leave a comment.