
DNS description thread?


Bamsefar

Senior Member
I would like to make a wish now before Christmas and all:

That someone that knows how the DNS solutions that now are available for Asus Routers with RMerlin's superb versions, creates a preferable sticky post that yes simply describes the options available and well comes with some sort of recommendation. Currently I simply have given up, with everything from DNSSEC to DoH/DoT and <what-ever-flavor-that-might-be-available>. For me currently it is too much to digest - I simply need some friendly help :) If I may wish for something that is :)
 
I would first try to read up on it here. Just read what you want to read. Then when the topic comes up, you will have an idea of what people are talking about. FWIW, your settings are what count, not someone's recommendation from the other side of the globe.
 
Okay, so wish not granted - got it.


DNS Rebind protection = protects against DNS being /hijacked/attacked/changed.

DNSSEC checks the DNS lookup servers haven't been hijacked.

Validate unsigned DNSSEC replies. Checks the DNS server really doesn't use DNSSEC.

DNS Privacy Protocol. DNS over TLS, encrypts your DNS lookups to stop people spying on the URLs you request in your browser.

DNS-over-TLS Profile: Strict will only allow the use of a remote DNS server if it can be authenticated as genuine. If authentication fails you won't access the website you requested.

Opportunistic setting will check the DNS server but still allow the "lookup" and connection if it fails to authenticate the server is genuine/safe.

On my AC3200 I use the settings shown in the screenshot:

DNS-TLS.png
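
The Strict and Opportunistic profiles described in the post above, written out as an added example; it is not part of the original post and not the router firmware's own configuration. It uses the configuration keys of Stubby, a DNS-over-TLS stub resolver, on the assumption that the router's two profiles behave like Stubby's two authentication modes; the listen address and the choice of Cloudflare and Quad9 as upstreams are sample values.

```yaml
# Two alternative stubby.yml files, shown as two YAML documents for comparison.
# Stubby loads a single document, so use one or the other.

# --- Strict profile -------------------------------------------------------
# The upstream must present a certificate that validates for tls_auth_name.
# If authentication fails, the query is NOT sent and name resolution fails.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # TLS only, no clear-text fallback
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@5453                  # sample local listener (assumption)
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"   # name the certificate must match
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
---
# --- Opportunistic profile ------------------------------------------------
# TLS is attempted, but an unauthenticated server is still used, and the
# extra transports below allow fallback to unencrypted DNS.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP            # clear-text fallback
  - GETDNS_TRANSPORT_TCP            # clear-text fallback
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"   # checked if possible, not enforced
```

With the strict document, a capture on the WAN side should show DNS traffic only on TCP port 853; any port 53 traffic from the resolver means a fallback path is in use.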
 
DNS Rebind protection = protects against DNS being /hijacked/attacked/changed.

DNSSEC checks the DNS lookup servers haven't been hijacked.

Validate unsigned DNSSEC replies. Checks the DNS server really doesn't use DNSSEC.

DNS Privacy Protocol. DNS over TLS, encrypts your DNS lookups to stop people spying on the URLs you request in your browser.

DNS-over-TLS Profile: Strict will only allow the use of a remote DNS server if it can be authenticated as genuine. If authentication fails you won't access the website you requested.

Opportunistic setting will check the DNS server but still allow the "lookup" and connection if it fails to authenticate the server is genuine/safe.

On my AC3200 I use the settings shown in the screenshot:

DNS-TLS.png
Wow! This is about as simple as it gets! The only other point is the selection of resolvers: for unfiltered DNS use Cloudflare or Google, for basic filtered protection use Quad9 or Safe Browsing.
 
Okay, so wish not granted - got it.
This is a very complex question. I know you want an Easy Button to get the answer, but none exists. These are all new and competing technologies. I suggest you Google for "DNS over TLS vs DNS over HTTPS vs Dnscrypt-proxy" and read, read, read.

I will say this, DNS over TLS and DNS over HTTPS are I.E.T.F. standards, DNSCrypt-proxy is not, if that matters to you. Also note that most information on DNSCrypt is about the old V.1 that is abandoned; there is a new version 2 under active development as DNSCrypt-proxy. Here is the Google search link.

Still want the Easy Button? Set up DNS over TLS as shown above by AndreiV.
 