Router DNS Settings


WoodenProgrammer

How do the primary and secondary DNS servers work? Is it that if the primary stops working it goes to the secondary, or does it pick randomly? Also, what is the DNS setting under LAN > DHCP Server for?

I have a Pi-hole server set up with unbound on it, and if the server ever goes offline for any reason, I want it to fail over to something like Cloudflare's DNS.
 
To further this DNS discussion...

I've just installed the RC3-1 beta firmware (thread is closed) aka 9.0.0.4.386_55919 which has introduced another DNS option to Asuswrt, DNSFilter, which adds some granularity for client-specific DNS filtering. That's cool, but not needed here.

It also introduces a DNS Privacy Protocol option to the router-level WAN DNS setting, DNS-over-TLS (DoT) with select server presets. Since I have been using Quad9 DNS servers 9.9.9.9 and 149.112.112.112, I would like to try using DoT with Quad9. Here is how I have it configured and it seems to work but I'm not sure what is correct:

[attachment DNS.jpg: screenshot of the router's WAN DNS settings]
Can anyone confirm that I have DoT configured correctly for Quad9?

Thanks!

OE
 
How do the primary and secondary DNS servers work? Is it that if the primary stops working it goes to the secondary, or does it pick randomly? Also, what is the DNS setting under LAN > DHCP Server for?

I have a Pi-hole server set up with unbound on it, and if the server ever goes offline for any reason, I want it to fail over to something like Cloudflare's DNS.
As far as I know, WAN/DNS Server 1 and 2 work in sequence. I have never checked, but that is the way it should work.

The DNS setting under LAN/DHCP Server/DNS Server is assigned to the clients as the first DNS Server and the router IP address is assigned as the second. Asus factory firmware only has DNS Server here while Merlin Firmware has LAN/DHCP Server/DNS Server 1 and 2.

As for your Pi-Hole IP address it needs to go in LAN/DHCP Server/DNS Server (or DNS Server 1). This is the way I have my DNS Servers set up. The Pi-Hole handles most of the DNS requests and the clients will switch to the router in case the Pi-Hole did not respond.

My WAN/DNS Server 1 is set to 9.9.9.9 and Server 2 is set to 1.1.1.2

Now, my firmware also has DNS over TLS, or DoT, which encrypts the DNS requests. This feature uses an application called Stubby which is built into the Asus firmware. Merlin firmware also has Stubby. Stubby has a feature called round robin which, as it is set up in these firmwares, will query a list of DNS servers in sequence. So, if you add 1.1.1.1 and 1.0.0.1 to the list, each will be queried in turn.

I have used Stubby for a couple of years and now am trying something to minimize DNS failures, which are happening more often. I have six DNS over TLS servers set. In order they are Cloudflare Secure (a manual entry, 1.1.1.2 - security.cloudflare-dns.com), Quad9 1, Clean Browsing Secure 1, Cloudflare Secure (1.0.0.2 - security.cloudflare-dns.com), Quad9 2 and Clean Browsing Secure 2. Knowing that my ISP routes these anycast IP addresses to servers in different geographic locations, the chance that all locations will be down is remote. Using Unbound as a front end to Pi-Hole does give you security via DNSSEC if it is set up correctly. I choose to use Stubby with my Pi-Hole, with DNSSEC enabled, to just Quad9. I also use just malware/phishing block lists in Pi-Hole.

As for the mentioned DNS Filter, it was taken out of the Asus factory firmware but will make it back in soon, I hope!
 
To further this DNS discussion...

I've just installed the RC3-1 beta firmware (thread is closed) aka 9.0.0.4.386_55919 which has introduced another DNS option to Asuswrt, DNSFilter, which adds some granularity for client-specific DNS filtering. That's cool, but not needed here.

It also introduces a DNS Privacy Protocol option to the router-level WAN DNS setting, DNS-over-TLS (DoT) with select server presets. Since I have been using Quad9 DNS servers 9.9.9.9 and 149.112.112.112, I would like to try using DoT with Quad9. Here is how I have it configured and it seems to work but I'm not sure what is correct:

[attachment 37350 (DNS.jpg): screenshot of the router's WAN DNS settings]

Can anyone confirm that I have DoT configured correctly for Quad9?

Thanks!

OE
Yes

If you want to see Stubby work, SSH into the router and run "stubby -l" (Ctrl+C to quit).

Sure hope Asus does a release for the AC86U really soon!
 
Sure hope Asus does a release for the AC86U really soon!

Yeah, that's why I'm playing with the beta... and it's teaching me new tricks!

Thanks!

OE
 
As far as I know, WAN/DNS Server 1 and 2 work in sequence. I have never checked, but that is the way it should work.
This has been discussed in the Merlin forums but I suspect that the same applies to stock. That is, "By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up." Check the dnsmasq config file to see if either of the following options are present:
-o, --strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

--all-servers
By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.
 
From a previous post:

[attachment 37350 (DNS.jpg): screenshot of the router's WAN DNS settings]

Correct me if I'm wrong here ...

If "DNS Privacy Protocol" is set to "DoT", the router does not look at "DNS Server1" and "DNS Server2" but takes the DoT server addresses only from the "DNS-over-TLS Server List" table.
Is this right?

Question: in what order does the router use the DoT servers listed in this table? I have six servers registered in the "DNS-over-TLS Server List" table, from Cloudflare, Quad9, and Google.
I cannot understand the pattern ... When I do a test on the site https://www.cloudflare.com/ssl/encrypted-sni/, it either passes or not ... That is, the router uses different servers from this table at different times ...
 
I've set WAN DNS and LAN DHCP DNS to Raspberry local IP (with cloudflared DOH), also set static routes to block hardcoded google DNS from various devices in my network, works like a charm :)
 
I've set WAN DNS and LAN DHCP DNS to Raspberry local IP (with cloudflared DOH), also set static routes to block hardcoded google DNS from various devices in my network, works like a charm :)

For instance, Google Chromecast appears to use its hard-coded DNS of 8.8.8.8... what part in your scheme forces the Chromecast to use your preferred DNS... where are those "static routes to block hardcoded google DNS"... on the Raspberry PI?

OE
 
If "DNS Privacy Protocol" is set to "DoT", the router does not look at "DNS Server1" and "DNS Server2" but takes the DoT server addresses only from the "DNS-over-TLS Server List" table.
Is this right?

Question: in what order does the router use the DoT servers listed in this table? I have six servers registered in the "DNS-over-TLS Server List" table, from Cloudflare, Quad9, and Google.
I cannot understand the pattern ... When I do a test on the site https://www.cloudflare.com/ssl/encrypted-sni/, it either passes or not ... That is, the router uses different servers from this table at different times ...

Good question.

My test results... not sure what they all mean yet... must "learn more":

[attachment: screenshot of the Cloudflare test results]
OE
 
From a previous post:

[attachment 37350 (DNS.jpg): screenshot of the router's WAN DNS settings]

Correct me if I'm wrong here ...

If "DNS Privacy Protocol" is set to "DoT", the router does not look at "DNS Server1" and "DNS Server2" but takes the DoT server addresses only from the "DNS-over-TLS Server List" table.
Is this right?

Question: in what order does the router use the DoT servers listed in this table? I have six servers registered in the "DNS-over-TLS Server List" table, from Cloudflare, Quad9, and Google.
I cannot understand the pattern ... When I do a test on the site https://www.cloudflare.com/ssl/encrypted-sni/, it either passes or not ... That is, the router uses different servers from this table at different times ...
WAN/DNS Server 1 and 2 are used at boot time mainly to set the router time.

DoT will use the servers listed in order then repeat. Connect to the router in a terminal and run "stubby -l" minus quotes to see this function.
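For the DoT order question above and the round-robin description earlier in the thread, here is an added example (not code from the thread or from the firmware) that reads the stubby.yml the router generates, lists the upstreams in the order stubby rotates through them, and probes each one's certificate against its tls_auth_name with openssl. The field names follow stubby's own config format; that the firmware writes the file to /etc/stubby/stubby.yml is an assumption to check on your build. The stubby.yml written by make_sample is constructed for the example, with values chosen to match the servers discussed in the thread, not a dump from a router.

```shell
#!/bin/sh
# Added example: inspect the DoT upstream list handed to stubby and verify
# each upstream's TLS certificate. Usage on the router (path is an assumption):
#   . ./dot_check.sh; dot_report /etc/stubby/stubby.yml

# stubby_round_robin YML -> 1 if stubby rotates through the upstreams query by
# query, 0 if it sticks to the first one that works. stubby's own default is 1
# when the key is absent; the last occurrence in the file wins.
stubby_round_robin() {
    v=$(sed -n 's/^[[:space:]]*round_robin_upstreams:[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-1}"
}

# stubby_upstreams YML -> "address auth_name" per upstream, in file order.
# Only the upstream_recursive_servers list is parsed; an address is held until
# its tls_auth_name arrives. Entries without one are flagged, because without
# an auth name stubby cannot verify who it is talking to.
stubby_upstreams() {
    awk '
        /^[[:space:]]*upstream_recursive_servers:/ { inlist = 1; next }
        inlist && /^[^[:space:]-]/ { inlist = 0 }   # next top-level key ends the list
        inlist && /address_data:/ {
            if (addr != "") print addr, "(no tls_auth_name)"
            addr = $NF; gsub(/"/, "", addr)
        }
        inlist && /tls_auth_name:/ {
            name = $NF; gsub(/"/, "", name)
            print addr, name; addr = ""
        }
        END { if (addr != "") print addr, "(no tls_auth_name)" }
    ' "$1"
}

# dot_probe ADDRESS AUTH_NAME -> exit 0 when a TLS handshake to ADDRESS:853
# presents a chain that verifies and whose name matches AUTH_NAME.
# Needs network access and openssl >= 1.1.0 (for -verify_hostname).
dot_probe() {
    out=$(printf '' | openssl s_client -connect "$1:853" -servername "$2" \
            -verify_hostname "$2" 2>/dev/null)
    echo "$out" | grep -q 'Verify return code: 0 (ok)'
}

# dot_report YML -> the rotation setting, then one probe result per upstream
dot_report() {
    echo "round_robin_upstreams: $(stubby_round_robin "$1")"
    stubby_upstreams "$1" | while read -r addr name; do
        if dot_probe "$addr" "$name"; then echo "ok   $addr $name"
        else echo "FAIL $addr $name"; fi
    done
}

# make_sample DIR -> writes a constructed stubby.yml (NOT a router dump) in the
# layout stubby expects and prints its path, so the parsers can be tried anywhere.
make_sample() {
    cat > "$1/stubby.yml" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: 1
listen_addresses:
  - 127.0.1.1@53
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.1.1.2
    tls_auth_name: "security.cloudflare-dns.com"
EOF
    echo "$1/stubby.yml"
}
```

With round_robin_upstreams set to 1, consecutive queries go to consecutive entries of that list, which is why a single-resolver test page such as Cloudflare's passes on one reload and fails on the next when the list mixes providers; "stubby -l" shows the same rotation live. A FAIL line from dot_report means the server at that address is not presenting a certificate for the configured auth name and stubby will refuse it, so the remaining entries carry all the traffic.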
 
I've set WAN DNS and LAN DHCP DNS to Raspberry local IP (with cloudflared DOH), also set static routes to block hardcoded google DNS from various devices in my network, works like a charm :)
Pull the plug on your Pi-Hole and watch your network crash. Also not a good idea if you run a guest network as the clients on the guest network will use the router as DNS server even if a Pi-Hole is specified.
Another thing... do you know that DoH still needs conventional DNS to find the DoH server?
 
The LAN > DHCP settings are what is sent to DHCP clients. The WAN DNS settings are what the router uses.
Under my router's LAN section, what would be correct: typing in the IP address of itself/the gateway (i.e. 192.168.1.1) or just leaving it blank?
 
[attachment 90F84FC7-1F71-4DDE-8FFA-970BF1E8189E.png: screenshot of the router's LAN settings]
Under my router's LAN section, what would be correct: typing in the IP address of itself/the gateway (i.e. 192.168.1.1) or just leaving it blank?
Blank
 
Good question.

My test results... not sure what they all mean yet... must "learn more":

[attachment 37358: screenshot of the Cloudflare test results]

OE
Both the cloudflare test and the help page won't tell you much if you aren't using cloudflare as your resolver. But, @bbunge is right, the test page has been broken for some time and the help page tends to be more consistent.
 
For instance, Google Chromecast appears to use its hard-coded DNS of 8.8.8.8... what part in your scheme forces the Chromecast to use your preferred DNS... where are those "static routes to block hardcoded google DNS"... on the Raspberry PI?

OE
Static routes are set on the router, not on the Raspberry Pi, lol. Also try the https://cmdns.dev.dns-oarc.net/ DNS test; I have 100% of checks passed and an A grade on this test.
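The usual way to deal with a device that ignores the DHCP-assigned resolver and talks straight to 8.8.8.8, shown here as an added example that is not code from the thread or from Asuswrt: rather than null-routing each hard-coded address, rewrite every LAN client's port-53 traffic to the Pi-hole with an iptables DNAT rule, which is what the firmware's DNSFilter feature does in router mode. Assumptions: br0 is the LAN bridge, 192.168.1.2 is the Pi-hole, and the rules are applied from a script that runs when the firewall is rebuilt (on Merlin that is /jffs/scripts/nat-start; stock firmware has no such hook, so use DNSFilter there instead). The Pi-hole itself is excluded so it can still reach its own upstream.

```shell
#!/bin/sh
# Added example: force LAN clients with hard-coded DNS servers through the
# Pi-hole. Interface and address below are assumptions for the example.

# dns_redirect_rules LAN_IF PIHOLE_IP -> prints, one per line, the iptables
# commands that DNAT every UDP and TCP port-53 packet arriving on LAN_IF to
# PIHOLE_IP, except packets sent by the Pi-hole itself. Printing them first
# lets you review (and unit-test) the rules before touching the firewall.
dns_redirect_rules() {
    lan_if=$1 pihole=$2
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $pihole -p $proto --dport 53 -j DNAT --to-destination $pihole:53"
    done
}

# dns_redirect_apply LAN_IF PIHOLE_IP -> installs the rules. Each rule is first
# checked with -C so re-running the script (nat-start fires on every firewall
# restart) does not stack duplicate rules in the PREROUTING chain.
dns_redirect_apply() {
    dns_redirect_rules "$1" "$2" | while read -r cmd; do
        check=$(echo "$cmd" | sed 's/ -A / -C /')
        $check 2>/dev/null || $cmd
    done
}

# Uncomment on the router, e.g. at the end of /jffs/scripts/nat-start (Merlin):
# dns_redirect_apply br0 192.168.1.2
```

To confirm it works, run nslookup example.com 8.8.8.8 from a LAN client: the reply still claims to come from 8.8.8.8 (DNAT rewrites the source on the way back), but the query shows up in the Pi-hole's query log, and iptables -t nat -vnL PREROUTING shows the packet counters on the two rules climbing. A device that switches to DoH or DoT on port 443/853 is not caught by this; that is a separate problem.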
 
Pull the plug on your Pi-Hole and watch your network crash. Also not a good idea if you run a guest network as the clients on the guest network will use the router as DNS server even if a Pi-Hole is specified.
Another thing... do you know that DoH still needs conventional DNS to find the DoH server?
Any reason to do it? I mean, I've set up the Raspberry to serve the network 24/7, with proper scripts for auto-update etc., so why must I pull the plug on the Pi :D I don't have any guest network. Also, all Asus routers by design advertise themselves as DNS servers, and in my chain the router as DNS server forwards queries to the Pi as well, so every device in my network has 2 DNS servers in its wired/wireless properties - the Asus router itself and my Raspberry's local IP - and ALL queries are forwarded to the Raspberry no matter what device I connect.
 