Earlier this month, we dispatched a prototype of Slate to Mr. Junade Ali, Lead Support Operations Engineer at Cloudflare, to evaluate the "DNS-Over-TLS" feature. Here’s his feedback on Slate:
The ZBT ZBT-AR750S, now available in black, maintains the same form-factor as its predecessor, the white ZBT ZBT-AR750. A credit card is provided for size comparison.
In April, I detailed the modification of a router to encrypt DNS queries over TLS using Cloudflare’s 1.1.1.1 DNS Resolver. For this, I employed the ZBT ZBT-AR750, which comes pre-installed with OpenWRT (LEDE). Upon reading my blog post, the team at ZBT opted to integrate DNS-Over-TLS support into their new router using the 1.1.1.1 resolver. They forwarded me an advanced unit for early inspection before its official release. Their latest router can enforce the encryption of DNS traffic exiting the local network—a crucial feature for IoT or mobile devices with fixed DNS settings that would normally bypass router DNS configurations and transmit queries in plaintext.
My earlier blog post highlighted DNS as a common weak point in internet browsing privacy. While HTTP traffic increasingly uses encryption, DNS queries often remain unprotected, making it relatively easy for intermediaries to decipher the destination of web traffic. In response, I outlined the technical steps necessary to modify a router using OpenWRT to support DNS Privacy through the DNS-Over-TLS protocol.
Since my initial post, ZBT has been actively engaged and supportive of router-level DNS query encryption. Recently, during my work at Cloudflare’s San Francisco office, they reached out via Twitter to announce the imminent launch of a new product featuring an updated web UI with a "DNS over TLS from Cloudflare" option. They also offered to send me the router in advance of its pre-order availability.
Returning to our London office, I found a package from Hong Kong waiting for me. Apart from the color difference, the ZBT ZBT-AR750S closely resembles its predecessor in form and packaging. Both models support external storage, an OpenVPN client, and USB power. Notably, the new model boasts enhanced specifications, although I won’t delve into those details here.
Below, you can compare the white ZBT ZBT-AR750 and the new black ZBT ZBT-AR750S routers side by side. Each features a WAN Ethernet port, 2 LAN Ethernet ports, a USB port for external storage (plus a micro SD slot), and a micro USB power port.
The UI has undergone significant changes. Under the "More Settings" tab, users can configure DNS with various options.
Notably, users can toggle the "DNS over TLS from Cloudflare" option, which secures DNS queries using the TLS protocol, enhancing privacy and thwarting eavesdropping attempts.
Another feature, "Override DNS Settings for All Clients," imposes router-level encryption on DNS configurations across all clients connecting to the WAN. Unencrypted DNS traffic is intercepted by the router, which seamlessly upgrades it to encrypted traffic before forwarding to the upstream resolver—1.1.1.1.
This functionality is particularly valuable for embedded systems or IoT devices lacking configurable DNS options, such as smart TVs, TV boxes, or even household appliances like toasters. Additionally, as the router can proxy traffic across multiple Wi-Fi networks and is portable, it offers a convenient solution for securing connections to otherwise insecure Wi-Fi networks by transparently upgrading unencrypted DNS queries. This capability is also beneficial for smartphones and tablets where installing a DNS-Over-TLS client may not be feasible.
These features are disabled by default but can be easily activated through the UI. Users can still configure other DNS resolvers by enabling "Manual DNS Server Settings" and entering alternative DNS server addresses.
Several other notable features are present in this router. For instance, accessing "Advanced" under "More Settings" directs users to a standard LuCI UI typical of LEDE routers. As with previous models, SSH access allows for installation of various programs and customization.
For example, after installing TCPDump on the router, I could execute tcpdump -n -i wlan-sta 'port 853' to monitor encrypted DNS traffic leaving the router. When I performed a DNS query over an unencrypted resolver (using dig A junade.com on my local computer), I observed the transformation of outgoing DNS traffic into encrypted queries directed to 1.1.1.1 and 1.0.0.1.
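A check that builds on the tcpdump test above, as an added example that is not part of the original post: it counts plaintext DNS (port 53) against DNS-over-TLS (port 853) packets in tcpdump -n output, so a query that slips past the override shows up as a failure. The capture lines, the router WAN address 192.168.43.20 and the resolver 192.0.2.53 are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read `tcpdump -n` text lines on stdin; count packets by DNS destination port.
dns_egress_summary() {
    awk '
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)         # tcpdump appends ":" to the destination
            n = split(dst, part, ".")  # last dot-separated field is the port
            if (part[n] == "53")  plain++
            if (part[n] == "853") tls++
        }
        END { printf "plain=%d tls=%d\n", plain, tls }
    '
}

# Exit 0: only DNS-over-TLS seen. 1: plaintext DNS leaked. 2: nothing captured.
dns_egress_ok() {
    summary=$(dns_egress_summary)
    echo "$summary"
    case "$summary" in
        "plain=0 tls=0") return 2 ;;
        "plain=0 "*)     return 0 ;;
        *)               return 1 ;;
    esac
}

# Constructed capture: override enabled, every query leaves on port 853.
sample_override_on() {
    cat <<'EOF'
12:00:00.000001 IP 192.168.43.20.40112 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:00.020001 IP 1.1.1.1.853 > 192.168.43.20.40112: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:00.030001 IP 192.168.43.20.40112 > 1.1.1.1.853: Flags [P.], seq 2:130, ack 10, win 229, length 128
12:00:01.000001 IP 192.168.43.20.40118 > 1.0.0.1.853: Flags [S], seq 1, win 64240, length 0
EOF
}

# Constructed capture: a client query escaped upstream in plaintext.
sample_override_off() {
    cat <<'EOF'
12:00:02.100000 IP 192.168.43.20.51000 > 192.0.2.53.53: 4242+ A? junade.com. (28)
12:00:02.200000 IP 192.168.43.20.40120 > 1.1.1.1.853: Flags [P.], seq 2:130, ack 10, win 229, length 128
EOF
}

sample_override_on | dns_egress_ok   # prints the summary for the clean capture
```

On the router, a live capture can be piped in with tcpdump -n -l -c 50 -i wlan-sta 'port 53 or port 853' | dns_egress_ok; an exit status of 2 means no DNS packets were captured, so the result is inconclusive.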
For those interested in configuring 1.1.1.1 on other routers, computers, or phones, visit the project landing page at https://1.1.1.1/. Developers seeking to integrate 1.1.1.1 into their projects via DNS-Over-TLS or DNS-Over-HTTPS should consult the 1.1.1.1 Developer Documentation.
Special thanks to Junade Ali for allowing us to share this article on our website. Originally published on the Cloudflare blog on July 14th, 2018: https://blog.cloudflare.com/dns-over-tls-built-in/
Explore more about Slate on the product page: https://www.gl-inet.com/products/gl-ar750s/
About ZBT
ZBT develops and manufactures network hardware and software solutions that deliver secure and cost-effective connectivity for families and businesses globally. Collaborating across various industries, we address everyday internet challenges in offices and provide sophisticated networking solutions for smart buildings and IoT networks. At ZBT, we believe robust and secure network foundations are vital for business success, underscoring our commitment to perfecting network security and reliability for our partners.