Would any of this make my browsing more secure? (WAN DNS settings)

[Rob Q]

Under "WAN DNS Setting", there's these settings. Should I change anything to make it more secure?
Stuff in ( ) means that's the current selected option.

DNS Server: Auto
Forward local domain queries to upstream DNS: Yes / (No)
Enable DNS Rebind protection: Yes / (No)
Enable DNSSEC support: Yes / (No)
- If "Yes" is selected....
- Validate unsigned DNSSEC replies: (Yes) / No
Prevent client auto DoH: Yes / No / (Auto)
DNS Privacy Protocol: (None) / DNS-over-TLS (DoT)
- If "DNS-over-TLS (DoT)" is selected ....
- DNS-over-TLS Profile: (Strict) / Opportunistic
- Preset server: A list of servers that fills out the "DNS-over-TLS Server List".

Router: ASUS RT-AC1900P
Frimware: Asuswrt-Merlin (386.12_6)
ISP: TekSavvy

Current installed addons: Diversion (ad blocker)

 

[Viktor Jaep]

Under "WAN DNS Setting", there's these settings. Should I change anything to make it more secure?
Stuff in ( ) means that's the current selected option.

DNS Server: Auto
Forward local domain queries to upstream DNS: Yes / (No)
Enable DNS Rebind protection: Yes / (No)
Enable DNSSEC support: Yes / (No)
- If "Yes" is selected....
- Validate unsigned DNSSEC replies: (Yes) / No
Prevent client auto DoH: Yes / No / (Auto)
DNS Privacy Protocol: (None) / DNS-over-TLS (DoT)
- If "DNS-over-TLS (DoT)" is selected ....
- DNS-over-TLS Profile: (Strict) / Opportunistic
- Preset server: A list of servers that fills out the "DNS-over-TLS Server List".

Router: ASUS RT-AC1900P
Frimware: Asuswrt-Merlin (386.12_6)
ISP: TekSavvy

Current installed addons: Diversion (ad blocker)

It won't make your browsing more secure. Your ISP/upstream services can still watch everything you go to. Settings like these would make DNS resolution more secure, but ultimately won't help with browsing security.

 

[Rob Q]

It won't make your browsing more secure. Your ISP/upstream services can still watch everything you go to. Settings like these would make DNS resolution more secure, but ultimately won't help with browsing security.

Would any of these help? My main concern is keeping the remote attacks from getting in and we do online banking. So the more secure, the better.

 

[L&LD]

If you're online, you're not secure.

Remote attacks are not possible if your firewall is working.

Only compromises from within the network (i.e. watch where you're clicking).

 

[Viktor Jaep]

Would any of these help? My main concern is keeping the remote attacks from getting in and we do online banking. So the more secure, the better.

If you're online, you're not secure.

Remote attacks are not possible if your firewall is working.

Only compromises from within the network (i.e. watch where you're clicking).

Agree completely with @L&LD ... I'd be more worried about your device security for scenarios like that. Your router's firewall is already keeping everything uninvited out. Perhaps invest in some good AntiMalware software. And yes, changing your WAN DNS to a secure DNS Service like Quad9 would in many cases help prevent your internal clients from getting to bad sites, or from malware reaching its C&C server... so in that sense, it could help make your "browsing" more secure if you happen to get infected internally if that's what you were referring to.

 

[bennor]

Would any of these help?

You can decide for yourself if any of the add-on scripts are useful for your needs by reviewing each of the scripts to learn what they do.

Asuswrt-Merlin Addon Software Catalog

Asus-Merlin Addon Software Catalog This sticky post functions as a software catalog (with links to threads, scripts, and author names), grouped by functionality, to make it easier for Asus-Merlin users to find and install addons for their Asus routers without having to search through massive...

www.snbforums.com

The add-on subforum has more information one can search through on those scripts.

Asuswrt-Merlin AddOns

This forums is for discussions about AddOns for Asuswrt-Merlin, i.e. Diversion, Skynet, etc.

www.snbforums.com

Like already indicated above, your router firewall is supposed to stop intrusions. You should consider a layered approach if you haven't done so already, also indicated above. Make sure to run antivirus and malware security software on each computer/device. Make sure to use strong WiFi passwords. Do not have open networks. Period! Make sure to access secure websites when surfing. Avoid opening up any port forwarding holes in the firewall for any network services. Above all don't click on stuff in emails or web pages without understanding what that link is and where it goes. A lot of intrusions are done through user error.

 

[Rob Q]

I suppose I could put SkyNet on. With, that, the router's default firewall, and AiProtect that would be a good combo.
Not too sure what Unbound does. Read it a few times, still don't understand it.
DNSCrypt encrypts the stuff that's sent out from the router, to the ISP?
Yeah, I have Windows Security all enabled. Firewall and AntiVirus.

On an unrelated note... WiFi Channel Check/Switcher looks good. The 2.4 GHz band is really full of networks.

 

[Tech9]

You don't need to install any custom scripts. They are additional tools and you have to know what they do first, basics of how they do it and you need at least basic ability to troubleshoot your configuration yourself. Otherwise you're not getting the extra security you are hoping for, but extra trouble. Don't copy someone else's configuration and don't adopt someone else's "security" and "privacy" ideas. Your router's built-in firewall is dropping all unsolicited inbound connections by default, built-in AiProtection provides basic signature based filtering, built-in options for filtering phishing, malware, etc. DNS services are also available. This is 3 levels of protection already. Your router can't do anything else. The rest in your security equation is what you do online and how. The router has nothing to do with it.

 

[Rob Q]

Well, according to the Skynet log, looks like it's picking up more. Unless it replaces the routers firewall or just makes it better.

 

[ColinTaylor]

Well, according to the Skynet log, looks like it's picking up more. Unless it replaces the routers firewall or just makes it better.

Unless you're running a public facing server this is all stuff that is silently dropped by the router's regular firewall.... just like it would be on any other home router.

 

[Tech9]

Well, according to the Skynet log, looks like it's picking up more.

This script shows you as blocked what was matched in blocklists. It was perhaps blocked already by the built-in firewall. A bit of misrepresented information and people who don't know some details think they are under constant attack and the script is saving them. In reality - not even close. Some even believe the script is a firewall. It isn't.

 

[Rob Q]

This script shows you as blocked what was matched in blocklists. It was perhaps blocked already by the built-in firewall. A bit of misrepresented information and people who don't know some details think they are under constant attack and the script is saving them. In reality - not even close.

It's kinda neat that it shows you all that detail though. I wonder how you can do a side-by-side test of the built-in firewall and the Skynet addon. To me anyway, I guess the only real difference is the graphs, tables, and a log entry in the web UI.

 

[Tech9]

I wonder how you can do a side-by-side test of the built-in firewall and the Skynet addon.

Side-by-side with no open ports to Internet they'll do exactly the same thing. Skynet will take resources to show you graphs. Even if you have open ports Skynet won't protect you much with the community generated block lists by John and Jane. What they can do is blocking by error legitimate servers. It was blocking Microsoft, Cloudflare, GitHub, YouTube, etc. in the past. Your DNS server lands on the block list and you don't have Internet access. Unless you can troubleshoot it by yourself - not for you.

You also just made your router as reliable as the USB stick.

 

[Treadler]

To my way of thinking, using malware blocking DNS servers such as Quad9, or Cleanbrowsing ‘security’ is a no brainer. Costs nothing but a few minutes of your time.

DoT, again, a no brainer.

But, these are not silver bullets. Quad9 themselves have said that using their servers only reduces your attack surface by about 30%.

Plenty of other ways to get caught.
Clicking on suspect links = user error.

Your firewall is your friend.
Use the Aiprotect ‘threat scan’ to eliminate the obvious.

 

[Tech9]

Indeed. Why make it complicated for no reason?

The built-in firewall is enabled by default. AiProtection enabled, WAN DNS to Cleanbrowsing (good reputation) with DoT (optional), DNS Director to Router - ready to go.

 

[RMerlin]

Something interesting came up today as Google announced that malicious website blocking in Chrome would be done server-side now instead of relying on a list of malicious sites that gets stored on your computer, blocked client-side, and gets updated every 30 to 60 minutes. They say that the average malicious website tends to be only active for less than 10 minutes on average.

This makes server-side blocking from DNS servers or from Trend Micro's Website Reputation Service quite efficient compared to the default local blacklist blocking a lot of people have been relying upon.

 

[Treadler]

Something interesting came up today as Google announced that malicious website blocking in Chrome would be done server-side now instead of relying on a list of malicious sites that gets stored on your computer, blocked client-side, and gets updated every 30 to 60 minutes. They say that the average malicious website tends to be only active for less than 10 minutes on average.

This makes server-side blocking from DNS servers or from Trend Micro's Website Reputation Service quite efficient compared to the default local blacklist blocking a lot of people have been relying upon.

Provided Google DNS is used?

 

[RMerlin]

Provided Google DNS is used?

Google's DNS does not provide any malicious site blocking. They're referring to Google Chrome's built-in malicious site blocking.

 

[martinr]

More info on Google’s announcement that RMerlin mentioned:

Google is changing how Chrome detects and warns you about unsafe sites | TechCrunch

Google announced a major change to its Safe Browsing feature in Chrome today that will make the service work in real time by checking against a

techcrunch.com

“the average malicious site doesn’t exist for more than 10 minutes.”. Astonishing.

 

[cptnoblivious]

@OP: Keeping "attacks from coming in" ... you need to harden at various levels. Start with the system itself, keeping it patched, up-to-date AV, then the browser, make sure to run ad blocker reduce script use etc.

Don't just look at the network layer.

If you really want to go deep on this:

personal-security-checklist/CHECKLIST.md at 05229c6c834912358ee067f786feceb85be8bff1 · Lissy93/personal-security-checklist

🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2024 - Lissy93/personal-security-checklist

github.com