Asus Routers & DNS over TLS: What It Is and Why It Matters
This topic has 1 reply, 1 voice, and was last updated 10 months ago by UK Sentinel.
July 24, 2025 at 7:03 am #38835
Recently set up DNS over TLS on my DSL-AX82U running @GNUton firmware, so I thought I would add my thoughts on this sometimes overlooked subject.
DNS over TLS (DoT) is a security protocol that encrypts DNS queries using TLS, similar to how HTTPS secures web traffic. Many modern Asus routers — especially those running AsusWRT-Merlin — support DoT natively. Instead of sending plain-text DNS queries that anyone on your network or upstream path could inspect or tamper with, DoT wraps them in encryption and tunnels them to trusted resolvers like Cloudflare or Quad9.
This adds a key layer of privacy protection, particularly useful in environments where DNS traffic might be logged or intercepted (e.g. public Wi-Fi, ISP-level snooping, compromised networks). For technically rigorous setups, Asus firmware allows specifying custom DoT endpoints with strict certificate validation, helping ensure both privacy and integrity.
Advantages:
- Encryption: DNS queries are encrypted, stopping ISPs or on-path actors from snooping or manipulating DNS traffic.
- Trustworthy Resolution: When paired with strict hostname validation, it reduces risks of MITM or rogue resolvers.
- Compatibility: Works natively with many privacy-focused public resolvers (Quad9, Cloudflare, CleanBrowsing).
Drawbacks:
- Latency & Reconnects: TLS handshake adds a delay; some routers don’t handle fallback or reconnection cleanly if the upstream resolver is slow or unreachable.
- Limited Logging Control: If you prefer local DNS logging or inspection, DoT may obscure traffic unless you intercept pre-TLS DNS flows.
- Resolver Lock-In: Hostname validation can cause rigid behavior—if the resolver changes its certificate or endpoint, manual updates may be needed.
https://www.asus.com/uk/support/faq/1051428/
In a completely sane world, madness is the only freedom (J.G.Ballard).
July 25, 2025 at 11:21 am #38836
Quick look at my DSL-AX82U DNS over TLS setting using familyshield.opendns.com IP.
Note: As of now, OpenDNS (including FamilyShield at familyshield.opendns.com) does not publicly publish SPKI fingerprints for strict DNS-over-TLS (DoT) validation.
In a completely sane world, madness is the only freedom (J.G.Ballard).
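As an added example (not code from either post, nor from the Asus or GNUton firmware), here is a stdlib-only Python DoT client covering both the strict validation the first post describes and the SPKI pin the second post mentions: it frames a DNS query per RFC 7858, connects to port 853 with CA-chain and hostname verification, and optionally compares the resolver's SPKI pin (base64 of the SHA-256 over the DER SubjectPublicKeyInfo, the format stub resolvers such as Stubby accept) against an expected value. The resolver IP, TLS hostname and pin are parameters you supply; the small DER walker assumes a standard RFC 5280 certificate layout.

```python
import base64, hashlib, socket, ssl, struct
def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    # Minimal DNS wire-format query (RFC 1035): header (RD=1, 1 question), QNAME, QTYPE, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
def frame(msg: bytes) -> bytes:
    # DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix
    return struct.pack("!H", len(msg)) + msg
def _tlv(buf: bytes, pos: int):
    # Decode one DER tag-length-value; returns (tag, content, offset just past it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length (real certs always use it)
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln
def pin_of_spki(spki_der: bytes) -> str:
    # Pin format used by DoT stub resolvers such as Stubby: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
def spki_pin(der_cert: bytes) -> str:
    # Walk Certificate -> tbsCertificate and hash the raw subjectPublicKeyInfo TLV (assumes RFC 5280 layout)
    _, cert, _ = _tlv(der_cert, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 7:
        _, _, end = _tlv(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:                       # optional EXPLICIT [0] version comes first
        fields.pop(0)
    return pin_of_spki(fields[5])                  # serial, sigAlg, issuer, validity, subject, SPKI
def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:                            # recv() may return partial TLS records
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS stream early")
        buf += chunk
    return buf
def dot_query(resolver_ip: str, tls_hostname: str, name: str, expected_pin: str = "") -> bytes:
    # One A query over TLS/853 with CA-chain + hostname validation; the pin check is an extra, optional layer
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
        if expected_pin and spki_pin(tls.getpeercert(binary_form=True)) != expected_pin:
            raise ssl.SSLError("SPKI pin mismatch: resolver key changed or traffic is intercepted")
        tls.sendall(frame(build_query(name)))
        return _recv_exact(tls, struct.unpack("!H", _recv_exact(tls, 2))[0])  # caller checks RCODE (byte 3 & 0x0F)
```

To record a resolver's current pin for later comparison, call `spki_pin(ssl.get_server_certificate((ip, 853)))` after converting the PEM with `ssl.PEM_cert_to_DER_cert`; a pin taken this way is only as trustworthy as the connection you took it over.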