bhanupratapys / dnswarden

Adblocking dns, Uncensored dns server and Adult-filter dns. Supports Dns-over-QUIC, Dns-over-HTTPS and Dns-over-TLS with DNSSEC enabled and no logging.
https://dnswarden.com/
MIT License
142 stars, 4 forks

How to define filter (1/2/3) without using encrypted DNS requests? #13

Closed gloschtla closed 4 years ago

gloschtla commented 4 years ago

I visited all of dnswarden's test domains, and it says:

It works. You have properly configured your dns to DnsWarden's adblocking dns servers.

In my home router I set the IP addresses 116.203.70.156 and 116.203.35.255, which are the same for all three non-encrypted filters (normal, ad-block, adult-filter). But how do I tell my router to use adult-filter instead of ad-block?

The only thing that differs is the port numbers (5353*, 2053*, 53*), but I don't know how to set them on my home router. Actually I would prefer encryption, but the FritzBox doesn't support this yet.

bhanupratapys commented 4 years ago

I'm sorry, you are out of luck here. Not many routers support custom DNS ports. But I'll try to work on this, something like a single IP for each type of DNS. No promises; I don't like to have too many front-end servers.

DerMAp commented 4 years ago

@gloschtla Good news: the new beta software for the Fritz!Box brings DoT support [1]

@bhanupratapys ... the downside, however: no possibility to define a non-standard server port. Which leads me to the question of how the differentiation of servers by filter list works, because the different domains (uncensored-dot.dnswarden.com, adblock-dot.dnswarden.com, ...) resolve to the same IP addresses. Does the client send the server name with every request? Unfortunately, I couldn't find this out from RFC 7858. Thank you in advance!

[1] https://avm.de/fritz-labor/frisch-aus-der-entwicklung/frisch-aus-der-entwicklung/

bhanupratapys commented 4 years ago

@DerMAp, the Fritz!Box should be using the default port 853, just like Private DNS in Android 9+, where you have no option to configure a non-standard port. The majority of client software is designed to send SNI, so I can sort the DNS requests by their SNI and route them accordingly.

DerMAp commented 4 years ago

Hi @bhanupratapys ,

Thanks for the prompt response. Looking into the TLS "Client Hello" with Wireshark reveals that the Fritz!Box does not use the SNI Extension (nor ESNI).

So which type of filter is chosen in this case? And is the SNI-to-filter-list algorithm proprietary or based on some kind of a standard? If so, I'd like to approach AVM and ask for implementation.

I also tried to obtain a reference, but the only other client I have here is kdig, which allows for setting "+tls-hostname=STR; Use TLS with a remote server hostname check.", which, unfortunately, does not make use of the TLS SNI extension either. This brought me to double-check for SNI using openssl, which tells me that Wireshark can extract the SNI information correctly.

Regards, DerMAp

bhanupratapys commented 4 years ago

So which type of filter is chosen in this case?

If there is no SNI present during handshake, then it defaults to normal dns which doesn't do any filtering.

And is the SNI-to-filter-list algorithm proprietary or based on some kind of a standard?

It is a standard protocol which has been used in haproxy and nginx for ages.

I also tried to obtain a reference, but the only other client I have here is kdig, which allows for setting "+tls-hostname=STR; Use TLS with a remote server hostname check.", which, unfortunately, does not make use of the TLS SNI extension either.

Try with +tls-sni=

kdig -d @116.203.70.156 +tls +tls-sni=adblock-dot.dnswarden.com doubleclick.net
kdig -d @116.203.70.156 +tls +tls-sni=uncensored-dot.dnswarden.com doubleclick.net
kdig -d @116.203.70.156 +tls +tls-sni=adult-filter-dot.dnswarden.com pornhub.com
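The mechanism described in the two replies above (the front end picks the filter list from the TLS SNI, and a ClientHello without a server_name extension falls through to a default) can be exercised without kdig. The following is an added example, not dnswarden's own code: a minimal DNS-over-TLS client in which the SNI is chosen independently of the IP it connects to, next to the server-side SNI-to-filter mapping. The hostnames and the IP are the ones quoted in this thread; DEFAULT_FILTER, the handling of an unrecognised SNI and the sample reply are assumptions for illustration.

```python
"""Added example (not dnswarden's code): DoT client with selectable SNI plus
the server-side SNI -> filter-list decision this thread describes."""
import socket
import ssl
import struct

# Server-side view: what a front end such as haproxy decides from the ClientHello
# before passing the connection on.  Hostnames are the ones quoted in the thread.
FILTER_BY_SNI = {
    "adblock-dot.dnswarden.com": "adblock",
    "uncensored-dot.dnswarden.com": "uncensored",
    "adult-filter-dot.dnswarden.com": "adult-filter",
}
DEFAULT_FILTER = "adblock"  # assumption: the no-SNI fallback the maintainer announced


def route_by_sni(sni):
    """Filter list for a connection; missing or unknown SNI -> DEFAULT_FILTER."""
    if not sni:
        return DEFAULT_FILTER
    return FILTER_BY_SNI.get(sni.lower().rstrip("."), DEFAULT_FILTER)


def encode_name(name):
    """RFC 1035 wire form: length-prefixed labels ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Single-question query with RD set; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_dot(msg):
    """RFC 7858 reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer; cap hops against loops
            hops += 1
            if hops > 32:
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return id, rcode and the answer section as (name, type, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
        else:
            answers.append((name, str(rtype), rdata.hex()))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip, sni, name, qtype=1, port=853, timeout=5):
    """Query server_ip over TLS; sni=None sends no server_name extension at all."""
    ctx = ssl.create_default_context()
    if sni is None:
        ctx.check_hostname = False  # chain is still verified, only the name match is skipped
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame_dot(build_query(name, qtype)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length))


# Constructed sample reply (not captured from dnswarden): doubleclick.net -> 0.0.0.0,
# the kind of sinkhole answer an adblocking list returns; lets the parser run offline.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("doubleclick.net") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("0.0.0.0")
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    for host in list(FILTER_BY_SNI) + [None]:  # same IP, different SNI (needs network)
        print(host, route_by_sni(host), dot_query("116.203.70.156", host, "doubleclick.net"))
```

Running the `__main__` block against the live server sends the same query to the same IP four times, differing only in the ClientHello's SNI, which is exactly what a Fritz!Box cannot do; the `None` case reproduces its no-SNI ClientHello and should land on whatever the server uses as its default. Note that with `sni=None` the client cannot check the certificate name, so only the chain is verified. On the server side the equivalent of `route_by_sni` in haproxy is a `tcp-request content` rule matching `req.ssl_sni` to choose the backend, with a `default_backend` for connections that carry no SNI.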

bhanupratapys commented 4 years ago

Update: I'll configure the servers to use the adblocking filter list when no SNI is sent, so that Fritz!Box users can use it too. Should be live in a couple of hours.

bhanupratapys commented 4 years ago

Plaintext DNS should now support adblock/adult-filter/uncensored DNS on port 53.

Adblock dns

IPv4: 116.203.70.156
IPv6: 2a01:4f8:1c1c:75b4::1

Uncensored dns

IPv4: 116.203.35.255
IPv6: 2a01:4f8:1c1c:5e77::1

Adult-filter dns

IPv4: 88.198.161.8
IPv6: 2a01:4f8:c0c:62a7::1