confused about the 3 different DNS settings

Michael3421

Occasional Visitor
The web interface of the ZenWiFi AX (XT8) AX6600 (fw 3.0.0.4.388_23285) has three different settings for DNS. Other routers have just one setting, so I am confused about the difference between these three settings.

Two of the DNS settings are in the WAN section in the Internet connection tab. The first is "DNS server" which I set to Adguard. This seems to be old insecure DNS as the parameter is an IP address.

The second is "DNS Privacy protocol" which can be either "none" or "DoT". When set to DoT, I set it to Cloudflare.

The last group of DNS parameters is in the LAN section in the DHCP server tab. The options are "DNS Server 1" and "DNS Server 2". This seems to be old insecure DNS again as the parameters are IP addresses.

The mobile app has no setting for LAN side DNS. It has only one WAN DNS setting and it is the old insecure DNS IPs.

Can anyone compare and contrast these three different groups of DNS parameters? Thanks.
 
1. You need to have DNS servers or resolvers set in WAN/DNS Servers. These can be considered as the default and can be manually assigned or dynamically assigned by your ISP. These servers are used on startup to resolve time servers to set the router's time and can be used for "normal" resolution. The IP addresses used are Anycast addresses and can be resolved, normally, to the closest data center.

2. DNS over TLS or DoT is an optional setting that encrypts the request to and response from the upstream DNS servers. The upstream server must support DoT. Most do support DoT today. When DoT is enabled the WAN/DNS Servers are only used on system start and all other requests are sent through Dnsmasq/Stubby which are internal programs on the router. Normally the servers chosen should match the servers in WAN/DNS Servers.

3. The LAN/DHCP Server/DNS Server 1 and 2 are normally left blank. Putting an entry in here bypasses the WAN settings for DNS. There are exceptions to this. For example, some use a Pi-Hole DNS Server on their LAN and put its IP address in DNS Server 1. The LAN clients will use the Pi-Hole as the first DNS Server and the router as the second DNS server.

4. You did not ask but another DNS security setting is DNSSEC. This is a validation of the DNS Server response and can be used with or without DoT.

Hope this helps!

I use Cloudflare Secure servers at 1.1.1.2 and 1.0.0.2. I enable DNSSEC.
For DoT use 1.1.1.2 and 1.0.0.2 with TLS Hostname of security.cloudflare-dns.com. This is a manual entry in the WAN GUI.
 
DNS will always be IPs. That does not make them insecure, it just makes them actually work.
 
