Disabling your router's provisioning of DNS services


JohnD5000
In running GRC's DNS Benchmark, in Conclusions & Recommendations one result is:

-----------------------------------
System has only ONE (router based) nameserver configured.
It appears that only one local (router gateway) DNS nameserver, with the IP address of [192.168.1.1], is currently providing all DNS name resolution services to this system. This configuration is not recommended because most consumer-grade routers provide inefficient and under-powered DNS resolution services.

Unless the DNS resolvers your router is using are under your control, it may not be providing the best or complete name resolution services. For example, is it using multiple redundant DNS nameservers?

Users of GRC's DNS Spoofability system have determined that consumer-grade routers can be crashed by the receipt of specific DNS reply packets from the Internet. This opens the possibility that Internet-based criminals could acquire access to your router from the Internet as well as to the private network it controls.

Many consumer-grade routers fail to provide the full range of DNS lookup services. This may have been detected by the benchmark and noted below.

Recommended Actions:

Unless you have some specific reason not to, you should give serious thought to disabling your router's provisioning of DNS services (which it is providing for all computers on your local network). After this is done, a fresh reboot of your computers will likely reveal the multiple DNS nameservers provided by your ISP. This is a superior configuration, without an under-powered router acting as an incompetent middleman and impeding all DNS access.

Note that if you can determine the IP addresses of your ISP-provided nameservers (which may be visible in your router's web configuration) you could manually add them to the nameservers being tested by this benchmark, while also leaving your router providing DNS. This would allow you to compare the performance when running through your router versus "going direct".
-------------------------------
How can you disable the router's provisioning of DNS services in Merlin? I have an RT-AC68U and am running 380.63_2.
 
In running GRC's DNS Benchmark, in Conclusions & Recommendations one result is:

-----------------------------------
System has only ONE (router based) nameserver configured.
It appears that only one local (router gateway) DNS nameserver, with the IP address of [192.168.1.1], is currently providing all DNS name resolution services to this system. This configuration is not recommended because most consumer-grade routers provide inefficient and under-powered DNS resolution services.

Unless the DNS resolvers your router is using are under your control, it may not be providing the best or complete name resolution services. For example, is it using multiple redundant DNS nameservers?

Users of GRC's DNS Spoofability system have determined that consumer-grade routers can be crashed by the receipt of specific DNS reply packets from the Internet. This opens the possibility that Internet-based criminals could acquire access to your router from the Internet as well as to the private network it controls.

Many consumer-grade routers fail to provide the full range of DNS lookup services. This may have been detected by the benchmark and noted below.

Recommended Actions:

Unless you have some specific reason not to, you should give serious thought to disabling your router's provisioning of DNS services (which it is providing for all computers on your local network). After this is done, a fresh reboot of your computers will likely reveal the multiple DNS nameservers provided by your ISP. This is a superior configuration, without an under-powered router acting as an incompetent middleman and impeding all DNS access.

Note that if you can determine the IP addresses of your ISP-provided nameservers (which may be visible in your router's web configuration) you could manually add them to the nameservers being tested by this benchmark, while also leaving your router providing DNS. This would allow you to compare the performance when running through your router versus "going direct".
-------------------------------
How can you disable the router's provisioning of DNS services in Merlin? I have an RT-AC68U and am running 380.63_2.
Goodbye LAN Services and my ad-blocking solution...
Seriously?
 
In your Asus GUI > LAN > DHCP Server > DNS and WINS Server Setting

In DNS Server 1 + 2 add the DNS addresses you have used in WAN settings.
 
@JohnD5000 Whilst GRC's recommendation might have had some merit as blanket statement in the past, I believe most of the issues don't apply if running Merlin's firmware.

As @AndreiV pointed out you can change the DNS servers given out by DHCP, but that doesn't really solve the issue of redundancy as those are the same servers that the router uses. Windows for example just uses the first DNS server, switching to the second only when the first is completely offline (rather than being slow). The router's DNS has more flexibility in how it behaves.

And as @thelonelycoder said, you lose the advantages of a local name server, like faster DNS lookups, LAN services like ad-blocking, name resolution for LAN clients, the ability to create alias hostnames for clients, etc.
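To make the two points above concrete (the DHCP "DNS Server 1 + 2" setting hands clients a different resolver, while the router itself keeps its own upstream list), here is an added example that is not from this thread or from Asuswrt-Merlin: it reads a dnsmasq configuration and reports which resolvers the router forwards to versus which ones DHCP advertises to LAN clients, which is all GRC's benchmark can see. The config text is constructed in the style of the router's dnsmasq.conf, and the LAN address 192.168.1.1 and the addresses in the commented-out option-6 line are assumptions.

```python
"""Added example (not from this thread or Asuswrt-Merlin): compare what a
dnsmasq router queries upstream with what DHCP tells LAN clients to use."""

ROUTER_LAN_IP = "192.168.1.1"   # assumed LAN address of the router

# Constructed sample in the style of an Asuswrt-Merlin /etc/dnsmasq.conf.
# Uncommenting the option-6 line is what "LAN > DHCP Server > DNS Server 1/2" does.
SAMPLE_CONF = """\
pid-file=/var/run/dnsmasq.pid
interface=br0
no-resolv
server=75.75.75.75
server=75.75.75.76
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
# dhcp-option=lan,6,8.8.8.8,8.8.4.4
cache-size=1500
"""


def parse_dnsmasq(conf: str) -> dict:
    """Return the upstream 'server=' list and the DNS servers sent via DHCP."""
    upstream, advertised = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # dnsmasq comments are whole lines
            continue
        key, _, value = line.partition("=")
        if key == "server" and value and not value.startswith("/"):
            upstream.append(value.split("@")[0])  # keep ip[#port], drop @iface
        elif key == "dhcp-option":
            fields = [f.strip() for f in value.split(",")]
            # an optional leading tag ("lan", "tag:lan") precedes the option id
            if fields and not fields[0].isdigit() and not fields[0].startswith("option:"):
                fields = fields[1:]
            if fields and fields[0] in ("6", "option:dns-server"):
                # 0.0.0.0 is dnsmasq shorthand for "the router's own address"
                advertised.extend(ROUTER_LAN_IP if f == "0.0.0.0" else f for f in fields[1:])
    # with no option 6 configured, dnsmasq advertises the router itself
    return {"upstream": upstream, "advertised": advertised or [ROUTER_LAN_IP]}


def client_view(parsed: dict) -> str:
    """One-line summary of what a LAN client (and GRC's benchmark) sees."""
    if parsed["advertised"] == [ROUTER_LAN_IP]:
        return (f"clients see only router {ROUTER_LAN_IP}; it caches and forwards "
                f"to {len(parsed['upstream'])} upstream server(s)")
    return "clients bypass the router cache and query " + ", ".join(parsed["advertised"])
```

Running `client_view(parse_dnsmasq(SAMPLE_CONF))` describes the "only ONE (router based) nameserver" situation GRC reports; uncommenting the option-6 line in the sample gives the "going direct" configuration, at the cost of the router-side cache and LAN name resolution.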
 
And as @thelonelycoder said, you lose the advantages of a local name server, like faster DNS lookups, LAN services like ad-blocking, name resolution for LAN clients, the ability to create alias hostnames for clients, etc.

GRC's test sees what the client sees, which is kind of how things work - as several have pointed out, many vendors bind different services internally, and changing this would break things...

DNSMasq can (and often does) bind many DNS servers behind the scenes - but this is supposed to be transparent to the client...
 
GRC's test sees what the client sees, which is kind of how things work - as several have pointed out, many vendors bind different services internally, and changing this would break things...

DNSMasq can (and often does) bind many DNS servers behind the scenes - but this is supposed to be transparent to the client...
If you specify the DNS Server(s) in the WAN settings, then only these are used.
 
A lot of the GRC "recommendations" related to DNS are coming out of the 90s. A lot of their advice is flat out wrong these days. Like their DNS benchmark, which totally ignores the impact a DNS can have on CDNs.
 
In running GRC's DNS Benchmark, in Conclusions & Recommendations one result is:

-----------------------------------
System has only ONE (router based) nameserver configured.
It appears that only one local (router gateway) DNS nameserver, with the IP address of [192.168.1.1], is currently providing all DNS name resolution services to this system. This configuration is not recommended because most consumer-grade routers provide inefficient and under-powered DNS resolution services.

Unless the DNS resolvers your router is using are under your control, it may not be providing the best or complete name resolution services. For example, is it using multiple redundant DNS nameservers?

Users of GRC's DNS Spoofability system have determined that consumer-grade routers can be crashed by the receipt of specific DNS reply packets from the Internet. This opens the possibility that Internet-based criminals could acquire access to your router from the Internet as well as to the private network it controls.

Many consumer-grade routers fail to provide the full range of DNS lookup services. This may have been detected by the benchmark and noted below.

Recommended Actions:

Unless you have some specific reason not to, you should give serious thought to disabling your router's provisioning of DNS services (which it is providing for all computers on your local network). After this is done, a fresh reboot of your computers will likely reveal the multiple DNS nameservers provided by your ISP. This is a superior configuration, without an under-powered router acting as an incompetent middleman and impeding all DNS access.

Note that if you can determine the IP addresses of your ISP-provided nameservers (which may be visible in your router's web configuration) you could manually add them to the nameservers being tested by this benchmark, while also leaving your router providing DNS. This would allow you to compare the performance when running through your router versus "going direct".
-------------------------------
How can you disable the router's provisioning of DNS services in Merlin? I have an RT-AC68U and am running 380.63_2.
Anyone without in-depth knowledge of the topic would most likely be very concerned about such statements as these (as evidenced by the initial question). To blanket label DNS services provided by consumer grade routers "an incompetent middleman" seems overly harsh to me. I would assume that measures would be put in place to protect against such attacks through DNS replies, and that the range of services provided would be sufficient for purpose.
Does anyone have any commentary on the perceived security threat posed by running DNSMasq on our ASUS routers, or the "must have" lookup services we are missing?
 
most consumer-grade routers provide inefficient and under-powered DNS resolution services.

Source?

Also, I'd argue most consumer routers aren't "under-powered" at all but rather "OVER-powered" if anything?

https://www.amazon.com/Best-Sellers-Electronics-Computer-Routers/zgbs/electronics/300189

Which one do you think is particularly "under-powered"?

"without an under-powered router acting as a incompetent middleman"

Unclear on how this takes the router out of the "middle" anyway?

 
A lot of the GRC "recommendations" related to DNS are coming out of the 90s. A lot of their advice is flat out wrong these days. Like their DNS benchmark, which totally ignores the impact a DNS can have on CDNs.

I really just want to put the fastest and most secure DNS on the router. I have Comcast and it was defaulting to their DNSs (75.75.75.75, 75.75.75.76) with "Connect to DNS Server automatically" set to Yes. I changed this to "No" and changed these DNS entries to Google's 8.8.8.8, 8.8.4.4 on the WAN tab. Was this a smart move? Should I switch back to Auto = Yes?
 
I really just want to put the fastest and most secure DNS on the router. I have Comcast and it was defaulting to their DNSs (75.75.75.75, 75.75.75.76) with "Connect to DNS Server automatically" set to Yes. I changed this to "No" and changed these DNS entries to Google's 8.8.8.8, 8.8.4.4 on the WAN tab. Was this a smart move? Should I switch back to Auto = Yes?

Using Google instead of Comcast isn't the same thing as turning off router DNS.

The concept is caching recent DNS lookups locally, right? So if your PC or phone or whatever asks "what's the IP for Microsoft?", instead of asking Comcast or Google (which are farther away = slower) it asks the router if by chance anyone else has checked that lately. If they have, you win milliseconds! If not, it asks Comcast anyway.

So really, I don't see you have anything to lose with router DNS. Unless the router is really old, slow, and you have a LOT of local traffic, it will be faster than the ISP.
 
I really just want to put the fastest and most secure DNS on the router. I have Comcast and it was defaulting to their DNSs (75.75.75.75, 75.75.75.76) with "Connect to DNS Server automatically" set to Yes. I changed this to "No" and changed these DNS entries to Google's 8.8.8.8, 8.8.4.4 on the WAN tab. Was this a smart move? Should I switch back to Auto = Yes?

That's fine - can put in any DNS providers there - Google's Public DNS is one option - for those that have some parental control issues, OpenDNS is a decent choice - I like Level3's, but these days with the CenturyLink deal, who knows what is going to happen there...

There's also Neustar Public DNS, which many people miss -- https://www.neustar.biz/security/dns-services/recursive-dns

(disclosure here - Neustar is one of my vendors)
 
I really just want to put the fastest and most secure DNS on the router. I have Comcast and it was defaulting to their DNSs (75.75.75.75, 75.75.75.76) with "Connect to DNS Server automatically" set to Yes. I changed this to "No" and changed these DNS entries to Google's 8.8.8.8, 8.8.4.4 on the WAN tab. Was this a smart move? Should I switch back to Auto = Yes?

Your ISP's DNS should always be your primary choice, because when your provider offers direct peering or local caches for some CDNs, you will get the best performance out of them when downloading (which is far more important than the time it takes to resolve one single query, which will get cached locally afterward anyway).

There was a debate about this on another forum (once again sparked by GRC's DNS benchmark tool), where I provided some first-hand test results to back my claims. Unfortunately it was posted in French, so there's little point for me in linking to it here. But basically, I did a traceroute to www.google.com while using my ISP's DNS, and while using a public DNS. Latency with a third-party DNS was 20-40 ms slower when accessing www.google.com than when using the DNS of my ISP. So even if that one single DNS lookup took a few ms less to resolve, afterward every single access to www.google.com would have been 20-40 ms slower. That would have been far more visible in day-to-day use than that single DNS lookup.

Unless you have a very specific reason to change from your ISP's DNS, stick with them.
 
Pretty much all of them - lol...
Under-powered for what exactly? Pretty much every consumer router has a multi-core processor that's idle 99.9% of the time and unlikely to ever break a sweat in a typical consumer use case. The suggestion they're under-powered is kind of silly.
 
A lot of the GRC "recommendations" related to DNS are coming out of the 90s. A lot of their advice is flat out wrong these days. Like their DNS benchmark, which totally ignores the impact a DNS can have on CDNs.

Agreed - most of the DNS issues that Gibson presents have been addressed in BIND, DNSmasq, and others...

The possible concern would be really old gateways and routers, but even there, most of those have been retired...
 