Incubator4

Why should you use DoH/DoT?

Actually, I would like to write an essay instead of a rigorous popular science article. DoH stands for DNS over HTTPS and DoT for DNS over TLS. Both carry DNS queries inside an encrypted transport, so that the queries cannot be read, hijacked or tampered with on the path between the client and the resolver.
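To make the "DNS inside HTTPS" idea concrete, here is an added example that is not part of the original post. It builds a DNS query in wire format, wraps it in the RFC 8484 GET form (`?dns=<base64url>`) that a DoH client sends to a resolver, and parses a DoH response back into records. No network call is made: the DoH endpoint URL is a placeholder and the response message is constructed inline, so the script runs offline.

```python
import base64
import struct

# Placeholder resolver URL for illustration only (assumption, not from the post).
DOH_ENDPOINT = "https://doh.example.net/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a one-question DNS query (RD=1). RFC 8484 suggests txid 0 for
    GET requests so identical questions yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(message: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the wire message as base64url without '=' padding."""
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def decode_doh_param(token: str) -> bytes:
    """Inverse of doh_get_url: restore padding and decode (what a DoH server does)."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


# Constructed sample: a successful A answer for example.com (not captured from any resolver).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url(build_query("www.example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

The `?dns=` token for `www.example.com` produced here matches the worked example in RFC 8484 section 4.1.1. In a real client the URL would be fetched over HTTPS with `Accept: application/dns-message`, and the response body handed to `parse_response`; the point of the design is that the resolver's TLS certificate, not the path, decides who may answer.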

Why did I think of writing this? Let me briefly introduce the network at home.
Currently, the basic model of the network I use is the main router gateway iKuai plus a side router running OpenWrt. I also run some service devices at home.

The main router is responsible for PPPoE dialing, DDNS, DMZ, DHCP, etc. It is responsible for all internet-related matters. iKuai is a very good router system with comprehensive functions and relatively easy to use.
The side router uses OpenWrt and runs an ss server, OpenClash, WireGuard peer nodes, etc.

Not every device at home needs a custom DHCP configuration from the main router; most IoT devices in particular are fine with the defaults, so they simply take whatever DHCP hands out.
A global proxy can be achieved by pointing the HTTP proxy setting on mobile phones/computers/game consoles at the Clash port on OpenWrt. So far, there is no problem.

Until one day, I found that the DNS at home seemed to be polluted. Clash's queries to 114.114.114.114 on port 53 timed out, so I changed the DNS to 8.8.8.8 and 1.1.1.1.
It works, but not for long. Devices with Clash still have some problems, and unexpectedly, many devices at home, such as surveillance cameras, automatic cat litter boxes, and robotic vacuum cleaners, cannot connect to the internet.

At first, I thought it was a problem with the coverage of the mesh network at home. After debugging, I found that the Xiaomi mesh I used did have some minor issues. Later, I decided to directly replace it with a batch of ASUS AiMesh devices, which helped... but not completely. What helped was that I could pinpoint the problem with the devices more accurately, after all, ASUS devices are relatively well-made. What didn't help was that the fundamental problem was not solved.

Finally, I began to wonder whether it was caused by the DNS change I had made before. After switching the DNS back to the ISP's default, the devices seemed to be back to normal.

The story is not over yet. It passed calmly for a long time. A few days ago, I found that some of the aforementioned devices could not connect to the internet again. Since there were still extra mesh nodes when I purchased them, I tried to extend the network coverage to dead spots, but it didn't work. It has been more than fifty days since the last router restart. Coincidentally, the router had a new software update, so I tried to update the iKuai system version and found a major update in the DNS interface - DoH!

Afterwards, I applied a relatively optimal DNS query for myself, and five seconds later, the mobile app received messages indicating that various devices were online.

Summary

Either because plaintext DNS traffic is easy to identify, or because the ISP deliberately pollutes DNS, there seems to be DNS hijacking in my home, or possibly across this physical area.

And the vendors behind various IoT devices, such as Dreame, Xiao Pei, Petkit, etc., do not have a particularly large internet infrastructure. In particular, when reviewing, I found that Xiaomi's devices did not encounter this problem, probably because Xiaomi's large scale gives its platform more access points, so even if the DNS is polluted, it should not affect domains like mi.com. And coincidentally, these devices are mostly 2.4 GHz devices, so it was mistakenly thought to be a problem with the 2.4 GHz signal.
