Difference between revisions of "DoH and DoT"

From AAISP Support Site
Latest revision as of 16:47, 11 January 2022


A trial service

A&A run DNS over HTTPS (DoH) and DNS over TLS (DoT) resolvers for customer use. There is information here at https://aa.net.uk/dns which includes information on privacy and the terms and conditions.

As of September 2019, this is considered a 'trial' service, but is expected to continue and be an 'official' service for customers.

A&A DNS Servers

Service        Server                            Description
DoH            https://dns.aa.net.uk/dns-query   Usually set in your web browser, where supported.
DoT            dns.aa.net.uk                     Usually set in your operating system, where supported.
Standard DNS   217.169.20.20, 217.169.20.21,     Our standard 'port 53' servers, widely used (everywhere).
               2001:8b0::2020, 2001:8b0::2021

Our privacy statement and terms can be found at: https://aa.net.uk/dns

Testing if it’s working

We have a testing domain: if you go to http://encrypted-dns-tester.aa.net.uk you will be directed to a page saying whether your browser used DoT or DoH. The DNS lookup and page will fail if you are not using our DoT or DoH servers. (Currently only over IPv6 and HTTP.)

Help setting DoH or DoT on browsers and devices

At the moment there is limited support for DoT and DoH on computers generally. Browsers are starting to support DoH, and Android from version 9 supports DoT. macOS and iOS support DoH/DoT by loading a custom profile. These are new protocols and it will take time before they are widely used.

General resources

  * FireFox's DoH info: https://support.mozilla.org/en-US/kb/firefox-dns-over-https
  * Chromium's DoH developer info: https://www.chromium.org/developers/dns-over-https

FireFox

DoH is supported in Firefox's UI in version 69 and up.

  1. Menu
  2. Preferences
  3. Scroll down to Network Setting...
  4. Scroll down and tick 'Enable DNS over HTTPS' and enter in a Custom provider: https://dns.aa.net.uk/dns-query
[Image: Firefox-DoH.png]

Checking your browser

In your Firefox URL bar, type: about:networking and enter. Then click DNS on the left, and you should see your DNS lookups, and they should have TRR (Trusted Recursive Resolver) listed as true.

Chrome

DoH is expected to be a feature in Chrome version 78 or 79.

https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html

Android (DoT)

DoT is supported in Android version 9 (Pie) and up.

[Image: Android-dot-setting.jpg]
  1. Settings
  2. Search for “DNS” in settings search bar
  3. Go to PrivateDNS setting screen
  4. Tap ‘Private DNS provider hostname’ and set: dns.aa.net.uk
  5. Click Save

iOS

This has been tested on iOS 15. It sensibly warns you that the config isn't signed and that someone could spy on your phone's DNS, but if you click through it seems to "just work". You should review mobileconfig profiles before installing.

  1. Download the mobileconfig file for the service you want to enable: DoH (https://testing.me.uk/aa-https.mobileconfig) or DoT (https://testing.me.uk/aa-tls.mobileconfig)
  2. Navigate to the downloaded file in the "files" app and open it - this should add it to settings
  3. Navigate to the "VPN & Device Management" section of settings and review the profile - this should activate it

Stubby

Stubby (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) is an application that acts as a local DNS resolver on port 53 but does its lookups over TLS (DoT), which means it can act as a DNS proxy for your whole machine.

Adding our servers should be enough:

 - address_data: 2001:8b0::2022
   tls_auth_name: "dns.aa.net.uk"
 - address_data: 2001:8b0::2023
   tls_auth_name: "dns.aa.net.uk"
 - address_data: 217.169.20.22
   tls_auth_name: "dns.aa.net.uk"
 - address_data: 217.169.20.23
   tls_auth_name: "dns.aa.net.uk"

And once running, test with

dig +short @::1 encrypted-dns-tester.aa.net.uk
81.187.39.93

If encrypted-dns-tester.aa.net.uk resolves to 81.187.30.81 then it wasn't using our DoT servers.

Using DoH with curl

Curl version 7.62.0 and above supports using DoH for its DNS lookups. Here's an example:

curl --doh-url https://dns.aa.net.uk/dns-query https://www.aa.net.uk

or

curl --doh-url https://dns.aa.net.uk/dns-query https://encrypted-dns-tester.aa.net.uk

This will download the www.aa.net.uk webpage, having used the DoH server to resolve the DNS.
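As an added example (not from this page, Stubby or curl), the Python below shows what the dig and curl checks above do at the wire level: it builds the DNS query, sends it over DoT with the certificate checked against dns.aa.net.uk (the tls_auth_name in the Stubby config), builds the RFC 8484 GET URL for the same query (curl --doh-url sends the same bytes by POST), and reads the tester's answer using the two addresses given above. The function names are my own; the server name, tester domain and addresses are the page's values.

```python
import base64, socket, ssl, struct

DOT_SERVER = "dns.aa.net.uk"  # resolver name, tester domain and both answers are the page's values
TESTER = "encrypted-dns-tester.aa.net.uk"
VIA_AA_ENCRYPTED = "81.187.39.93"  # answer when the lookup went over A&A DoT/DoH
VIA_OTHER = "81.187.30.81"         # answer when it did not

def build_query(qname, txid=0):
    """Minimal RFC 1035 A query; txid 0 is what RFC 8484 recommends for DoH so responses cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:  # walk labels until root or a compression pointer
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label is 1

def parse_a_records(msg):
    """IPv4 strings from the answer section of a wire-format response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return ips

def doh_get_url(qname, base="https://dns.aa.net.uk/dns-query"):
    """RFC 8484 GET form: ?dns=<base64url wire query, '=' padding stripped>; curl --doh-url POSTs the same bytes."""
    return base + "?dns=" + base64.urlsafe_b64encode(build_query(qname)).rstrip(b"=").decode()

def dot_query(qname, server=DOT_SERVER):
    """RFC 7858: TLS to port 853 with 2-byte length prefixes; server_hostname is Stubby's tls_auth_name check."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and the server name
    with socket.create_connection((server, 853), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=server) as tls:
        q = build_query(qname, txid=0x1234)
        tls.sendall(struct.pack("!H", len(q)) + q)
        f = tls.makefile("rb")
        (n,) = struct.unpack("!H", f.read(2))
        return parse_a_records(f.read(n))

def classify(ips):
    """Read the tester answer the way the page's dig check does."""
    return "encrypted via A&A" if VIA_AA_ENCRYPTED in ips else "not via A&A DoT/DoH" if VIA_OTHER in ips else "unexpected"
```

Run `print(classify(dot_query(TESTER)))` on a machine with network access for the live DoT check, or paste `doh_get_url(TESTER)` into curl to see the same query travel over DoH.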