Above, an example of the kind of confusing information I started seeing when I ran the DNS test. I knew that something was wrong, but had no idea where to start looking. Below is another look at a different view of the information above.
Above, you can see that TLS Enabled is always "false" but DNSSEC Enabled can be either "true" or "false".
I knew it was somewhat related to the chosen DNS addresses provided to the router. And to confuse me even further, different DNS address pairs gave different results in their tables, as above. I tried all the popular pairs: OpenDNS, Cloudflare, CCANET, and Google. Some gave the same results, some slightly different results, but never a perfect chart with all "true"!
Below is the discussion page from Tenta that explains, in great detail, what kind of problems (leaks and encryption errors) can be expected with false indications in the tables shown above. My next step was to get better educated on exactly what part TLS and DNSSEC played in the overall scheme of communications between the router and the remote Virtual Private Network system.
In the above discussion, there is a lot of very good information on the future of overall VPN privacy, and the ways it can be allowing either observation of your web activities by others, or even sending data over the VPN "pipe" without being encrypted and private. As neither of these actions is acceptable, and both allow types of leaking and observation, it became obvious to me that there is a lot of work that needs to be done by the hundreds of VPN operations to really make their data streams truly "Private".
In my limited knowledge of how all these things work together, I believe there could be two different approaches to once and for all solve these two "problem" situations. One would be to modify the software in the VPN servers to correctly handle both DNS over TLS, as well as enable DNSSEC, to properly keep visited sites completely private. The other way would be to build these operations directly into all the DNS servers in the world, a pretty big undertaking by any means.
During the past several weeks, I have subscribed to four different VPN providers. I chose only those that had "online" chat to make it easier to ask questions and get answers. When working with the first three, their conclusion was always that the problems I was seeing were being caused because they did not specifically support my particular model of ASUS router with the flashed Merlin software package, even though two of the three stated on their web site that their service would work properly with the latest Merlin software versions. A couple of them even specifically listed the AC5300 with Merlin as operational with their client software. In total I have over 20 hours of online chat time with these three VPN providers. Two of them had no idea what DNS over TLS was, and the third stated that I was trying to make something work with my system that was not possible. It is interesting that none of the three would admit that having a "DNS over TLS" failure, and DNSSEC "false", had anything to do with any kind of leaking.
So what have I done in the meantime to try and resolve this issue?
Well first, I unsubscribed from the three VPN providers that I had been talking to about my findings. Even though a couple of them had gone well beyond my free trial, they issued me a full refund. I simply unsubscribed from the third one, in my free trial period.
Being both stubborn and inquisitive, I decided not to give up on a VPN service and started looking for a low cost service that provided a lot of good features that I may be able to work with. I discovered a rather new operation that listed all the features and more that were being provided by the top rated VPN providers. What really jumped off their page at me were several things that were not provided by the other providers I had been working with. Some of them are "Guaranteed High Speed", "An Unlimited Number Of Connections At The Same Time", "Detailed Online Installation Instructions", "Real Online Technical Support People", and the price was right as well. I found a coupon deal online for $1.99 a month with a 24-month subscription. A total cost of $47.76! I don't know how you could go wrong with that price.
I called their chat line and discovered that I was talking with someone who really understood how their system worked, as well as being very up to date on my router and software system. I explained how I had discovered the DNS and DNSSEC problems that I was seeing from other providers. They had not heard of that problem and suggested that I purchase and install their clients on my router and do the same tests to see if they had the same problems.
I installed and configured 5 of their OpenVPN clients on my router. When I ran the Tenta test program it showed that DNS over TLS was failing on the 5 client locations that I installed and tested. Next I brought up the provider's chat line. I was very pleased to find that I was chatting with someone who actually knew their product and how it worked and was set up on various routers. We went through a lot of configuration checks for my router. The DNS over TLS being "false" problem persisted in all my tests. He then had me switch between their installed clients at different locations. After chatting back and forth on a couple of evenings, I was told that this appeared to be a real problem, and it was being referred up to their software engineers for further investigation.
Below is information about this provider. I am really impressed with their VPN software. And a disclaimer, I am not connected in any way to their company, or compensated for recommending that you give their package a try!
Here is a link to their web site: The SurfShark Website
Over the next few days, I continued to surf the web, trying to learn more about enabling DNS over TLS. Then I made a very revealing find, that had been right in front of me for some time, and I never even realized it!
Could this information be the answer I have been looking for?
Here is where you can download this information: The Tenta DNS
step, insert the ICANN DNS address in both my WAN and LAN DNS address of my ASUS Router.
Below are the results from my first test of the Tenta DNS Name Servers.
And below is the chart showing that the TLS and DNSSEC are both now TRUE!
SOME CLOSING COMMENTS AND THINGS TO THINK ABOUT
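An added check for the two columns the Tenta chart reports, written for this post and not part of Tenta's, SurfShark's or ASUS's software: it sends one query over DNS-over-TLS to a resolver you name (the resolver address and the hostname on its certificate are placeholders you supply) and reads the AD flag that only a validating resolver sets. Anything here that the post does not mention (the function names, the constructed responses used to check the parser) is my own assumption.

```python
import socket
import ssl
import struct

# DNS header flag bits (RFC 1035 / RFC 4035): QR = response, RD = recursion desired, AD = validated
FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    # Wire-format query; with dnssec_ok an EDNS0 OPT record carries the DO bit
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype 1 = A, class 1 = IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
        # flags with DO (0x8000) set so the resolver sends RRSIGs and reports AD
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    # The header bits that decide the check; rcode 2 (SERVFAIL) is what a
    # validating resolver returns when a signed answer fails validation
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "is_response": bool(flags & FLAG_QR),
        "dnssec_validated": bool(flags & FLAG_AD),
    }

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS stream early")
        buf += chunk
    return buf

def query_over_tls(server_ip, server_name, name, port=853, timeout=5.0):
    # DNS-over-TLS (RFC 7858): TLS on port 853, each message prefixed by a 2-byte length
    ctx = ssl.create_default_context()  # verifies the resolver certificate against server_name
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_flags(_recv_exact(tls, length))
```

Point `query_over_tls` at the resolver address you entered in the router's WAN and LAN DNS fields: a refused or failed TLS connection on 853 is the "TLS Enabled: false" condition, and `dnssec_validated` staying False for a DNSSEC-signed name means no validating resolver is in the path.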
A bit of background. I am retired now, and have been for several years. I spent most of my professional work life dealing with small compute systems, of one form or another. I had a limited amount of experience working with networking and data transport over CAT5 and fiber optic systems, in a small college environment. Over a span of 39 years, I served at various times as the Director of Audio Visual Services, Telecommunications Manager, and Facilities Operations Technical Services Supervisor. Now retired, I continue to work with Windows 10 computer systems and do a lot of electronic test equipment repair and service.
What got me started on privacy issues with my home network was the large amount of incoming "stuff" that you are open to when you are connected to the internet. I have watched the development of "Internet Enabled" Virtual Private Networks since they started, some years ago. Please keep in mind that my current experience and the reported findings discussed above are limited to OpenVPN, running on an ASUS RT-AC5300 Router, with asuswrt-Merlin software.
Now, after experiencing and working with my own ASUS Router based OpenVPN, I am left with some really unanswered questions. Every VPN provider, and there seem to be hundreds, touts the value of using their VPN to protect your data and guarantees 100% privacy when surfing the Internet.
Choosing a different "VPN Client" for your router, from any VPN provider's server list, can result in different "Tenta Test" results! Based on the information provided by Tenta's "Advanced DNS Test Explained" information page, here are the possibilities that can result, depending on what DNS address pair you select for your WAN and LAN.
as far as I need to go, I think, to get my point across on all the above information that I have provided.
My guess is that if you do not use the "Tenta DNS Servers", your internet communications may be subject to the "NEUTRAL" or "WARNING" results, being applied to your communications.
If I am seeing this correctly, then many of the VPN Providers are giving us "Clients" to use that are not 100% protective.
If I have gone to a very misguided interpretation, based on my findings, hopefully someone will set me straight!
Either way, I have had fun exploring this subject, and hope it helps others to think about their internet data privacy.
Your comments are always welcome.