Hello, I'm trying to enable this on my ASUS router. It seems pretty straightforward based on this article. Here's a screenshot of my settings showing this is enabled using the Quad9 server at the moment: https://imgur.com/lFbDF9h However, when I run Wireshark and ping abc.com or facebook.com, etc., it is still showing the traffic going over the default DNS port 53. The article above states the default port should be 853 and is not required to be entered. I also do not have anything entered into the SPKI Fingerprint since I haven't looked into that. The ASUS article linked above says this is not necessary either. Any ideas why Wireshark is not showing this traffic going over TLS / port 853? I also tried clearing my cache in Linux. https://imgur.com/L7udFl8 The Wireshark traffic shows the request going from the IP I'm running Wireshark on to my .1 address that my router resides on. Am I missing something? I was looking at this guy's thread and he specified the 853 port and was using an SPKI fingerprint per his screenshot. Appreciate any ideas or input.
Windows does not care about your router's settings. At best you have unencrypted DNS between your PC and your router, then encrypted between your router and the internet. At worst you have unencrypted DNS altogether. Check DNS via https://browserleaks.com/dns
Normally: PC <=53=> Router <=443/853=> Encrypted DNS

You cannot see the packets on the router from your PC using Wireshark. You should do this through the router using a program such as tcpdump, or use a third-party website as in the message above. However, some applications may use their own built-in DNS clients and ignore or bypass the DNS settings on the PC/router.
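To make the two-hop picture above concrete, here is an added example (not code from anyone in this thread) that parses raw IPv4 packets and classifies each hop: the PC-to-router query on UDP 53 is readable, including the queried name, while the router's upstream connection on TCP 853 only shows a TLS record. The sample packets, the addresses (192.168.1.50 for the PC, 192.168.1.1 for the router, 9.9.9.9 for Quad9) and the query names are constructed for illustration; a real capture would come from tcpdump on the router, with the Ethernet header stripped.

```python
"""Classify captured IPv4 packets to show which DNS hop is encrypted.

Added example, not from the original thread. Works on raw IPv4 packets
(no Ethernet header); the sample capture below is constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4(pkt: bytes) -> Flow:
    """Parse an IPv4 header plus UDP or TCP header, returning the L4 payload."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport, _length, _csum = struct.unpack("!HHHH", l4[:8])
        return Flow(src, dst, "udp", sport, dport, l4[8:])
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4  # TCP data offset in 32-bit words
        return Flow(src, dst, "tcp", sport, dport, l4[data_off:])
    raise ValueError(f"unsupported IP protocol {proto}")


def dns_qname(payload: bytes) -> Optional[str]:
    """Return the first question name of a plaintext DNS message, or None."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while payload[pos] != 0:
        ln = payload[pos]
        if ln & 0xC0:  # compression pointer; not expected in a query
            return None
        labels.append(payload[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return ".".join(labels)


def classify(flow: Flow) -> str:
    """Name the DNS transport of one packet and whether the query is exposed."""
    if flow.proto == "udp" and 53 in (flow.sport, flow.dport):
        return f"Do53 plaintext, qname visible: {dns_qname(flow.payload)}"
    if flow.proto == "tcp" and 853 in (flow.sport, flow.dport):
        p = flow.payload
        # TLS record header: content type 0x16 (handshake) / 0x17 (app data), major version 3
        if len(p) >= 3 and p[0] in (0x16, 0x17) and p[1] == 0x03:
            return "DoT (TLS on 853), qname not visible"
        return "port 853, no TLS record yet"
    if flow.proto == "tcp" and 443 in (flow.sport, flow.dport):
        return "HTTPS on 443 (DoH not distinguishable from web traffic)"
    return "not DNS"


def classify_capture(packets: List[bytes]) -> List[str]:
    return [f"{f.src} -> {f.dst}: {classify(f)}" for f in map(parse_ipv4, packets)]


# --- constructed sample packets (not a real capture) ---------------------
def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip(src), ip(dst))
    return hdr + l4


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header, data offset 5, flags PSH|ACK, checksum left zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def sample_capture() -> List[bytes]:
    pc_to_router = build_ipv4("192.168.1.50", "192.168.1.1", IPPROTO_UDP,
                              build_udp(51000, 53, build_dns_query("facebook.com")))
    tls_hello = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03"  # record header + stub body
    router_to_quad9 = build_ipv4("192.168.1.1", "9.9.9.9", IPPROTO_TCP, build_tcp(40000, 853, tls_hello))
    return [pc_to_router, router_to_quad9]


if __name__ == "__main__":
    print("\n".join(classify_capture(sample_capture())))
```

Run against the constructed capture, the first line shows the query name in the clear on the LAN hop, which is exactly what Wireshark on the PC reports; the second line is the only hop that can look like DoT, and it is visible only from a capture point on the router or its WAN side.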
Thanks for the input @TairikuOkami. That makes sense. Also, I was using that site to check my DNS leaks when changing the settings. I found out about that great site a while back. It's very useful! @busy - Thanks for your valuable input as well! I'll have to look into possibly figuring out a way to check the traffic from my router. It does not have tcpdump installed in the shell (/bin/sh). I guess it's safe to assume I'm using the DNS servers, since whenever I change them they show up when using browserleaks or another DNS leak test. It's always nice to validate. I might consider finally trying out Merlin or some other firmware for my router, but I've been pretty happy with the stock ASUS firmware.