Best configuration for Asus Router + Raspberry Pi + ctrld (Control D) + AiProtection Pro?

Sarin

Hi, I’m a beginner in networking and not fluent in English (this text was generated with some help).
I’m currently running the following home network setup and would like your advice on whether this is the best way to configure it, or if there are better practices:
  • ISP: Vodafone Cable (1 Gbit)
  • Router: Asus GT-BE98 with stock firmware (AiProtection Pro enabled)
  • DNS: Raspberry Pi running ctrld (Control D), set as the DNS server via the Asus DHCP
  • Goal: Combine AiProtection Pro (TrendMicro) with Control D for extra DNS filtering (malware, ads, tracking, etc.)
My questions:
  1. Is this setup considered best practice, or are there improvements to make AiProtection Pro and ctrld work better together?
  2. Should I disable Asus features like DNS Director or Safe Browsing when using ctrld?
  3. Are there best practices for placing the Raspberry Pi in the network (e.g., directly as LAN DNS server vs. behind its own firewall)?
  4. Anything to watch out for to ensure AiProtection and ctrld complement each other instead of overlapping?
My goal is a secure and stable configuration where AiProtection provides traffic-level security and Control D handles DNS filtering with flexibility.
Any tips, experiences, or suggestions are very welcome!

Thanks in advance,
Sarin
 
Your configuration will work very well. However, with Control D and the proper filtering servers used, the Pi-Hole is really not needed. Yes, you can add block lists to the Pi-Hole but in my experience not much security is gained. You will gain the best DNS security if you use the built-in DNS over TLS (DoT) on the router configured to use the Control D DNS servers.
A Pi-Hole, by default, uses DNS that is not encrypted. Yes, you can enable DNSSEC but that only does verification of the reply. Anyone, especially your ISP, can read the DNS traffic. It is possible to add Stubby to the Raspberry Pi and have the Pi-Hole communicate through the Stubby DoT. Also, the Pi-Hole will only update the block list once a week. Control D and other DNS filtering services upgrade the block lists continually.
You will also have the added maintenance of the Raspberry Pi and Pi-Hole. Using the Asus router for your LAN DNS server with DoT enabled is, in my opinion, your best choice. I use the Control D servers 76.76.2.2 and 76.76.10.2. I had been using Pi-Hole but I feel this Control D service is adequate for my family needs. I have also tested the Merlin firmware with Diversion and Skynet but came to the conclusion I really did not gain enough to warrant the extra management time.
 
Hello, thanks for the answer, but I don't use a Pi-hole, only ctrld on a Raspberry; the entire DNS traffic is encrypted with SSL.
 
Hello!

Full disclosure - I work for Control D, so I'm biased - but I think you're off to a good start!

A few quick notes from my experience:
  • I've not used any of the Trend Micro products on these routers - I would start by disabling the built-in Asus features you mentioned (DNS Director, Safe Browsing, etc.) just to keep things simple.
  • Be sure your RPi device has a static IP/DHCP Reservation on your router. It's up to you if you want to put it behind a firewall (like IPTables/UFW) - just be sure the ports for DNS are available. (These are usually UDP:53, TCP:853, and TCP:443.)
  • We typically recommend users install ctrld directly on the router - but that requires custom firmware (AsusWRT-Merlin). It's possible on stock firmware - but it's hacky.
  • Once you've got your Router and RPi setup with Control D, you can start introducing the other services you mentioned.
  • Be sure you make good backups before a change.
  • Using the built-in services *might* require setting up a custom config if you notice your router's DNS isn't forwarding to your RPi - our chat bot Barry is pretty ace at helping make these.
You can find some more info about the "order of operations" when running ctrld on Asus Routers in this post.

Let me know if you have any questions, feel free to drop in our Discord, subreddit, or discussion forum -- our community is incredibly helpful!
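
The firewall point in the reply above, as an added example that is not part of any post in this thread: a UFW rule set for a Raspberry Pi that serves DNS to the LAN only. It assumes UFW is installed on the Pi, that port 53 is what LAN clients use inbound while TCP 853 and 443 are what ctrld uses outbound to its upstream, and it adds TCP 53 and an SSH rule; the LAN range 192.168.50.0/24 in the usage comment is a constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for a LAN-only DNS resolver.
# Assumptions: ufw is installed, SSH management on TCP 22, LAN range passed as CIDR.

# Print the ufw commands for the given LAN range. Nothing is executed here,
# so the output can be reviewed before it is applied.
pi_dns_rules() {
    lan_cidr="$1"
    # Accept only a.b.c.d/nn so a typo cannot turn into "allow from any".
    if ! printf '%s\n' "$lan_cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        echo "invalid LAN CIDR: $lan_cidr" >&2
        return 1
    fi
    # Inbound: only LAN clients may reach the resolver (UDP 53, plus TCP 53 for
    # large or truncated answers) and SSH. Outbound TCP 853/443 to the upstream
    # needs no rule of its own because outgoing traffic is allowed by default.
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $lan_cidr to any port 53 proto udp
ufw allow from $lan_cidr to any port 53 proto tcp
ufw allow from $lan_cidr to any port 22 proto tcp
EOF
}

# Apply the rules one by one (needs root); stops at the first failing command.
apply_pi_dns_rules() {
    rules=$(pi_dns_rules "$1") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        $rule || exit 1
    done || return 1
    ufw --force enable
}

# Usage: ./pi-dns-fw.sh                      -> defines the functions only
#        ./pi-dns-fw.sh --apply 192.168.50.0/24
if [ "${1:-}" = "--apply" ]; then
    apply_pi_dns_rules "${2:-}"
fi
```

Calling `pi_dns_rules` on its own prints the rules as a dry run; with these rules port 53 on the Pi answers only the LAN range, so it cannot be used as an open resolver if it is ever exposed beyond the LAN.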
 
