DNS privacy configuration

[yobocuruyo]

Hello,

I have configured the DNS Privacy protocol on my router with the cloudfare servers. Everything is working fine but do I need to set them DNS Server (disable the auto connect)

 

[intr0]

I would say yes.

 

[Tech9]

Everything is working fine

No, custom DNS field is missing in your GUI. Hit Ctrl + F5 to reload the page.

 

[Gary_Dexter]

No, custom DNS field is missing in your GUI. Hit Ctrl + F5 to reload the page.

Because the radio button for Yes isn’t checked?

 

[Yo_2T]

IIRC, when you configure DoT, that particular field (Connect to DNS server automatically) is now gonna be used for when the router first boots up and needs to connect to a time server to set its time. (per RMerlin for the skeptics: http://www.snbforums.com/threads/dot.70386/post-664400)

So you can either leave that as Yes (it will use your ISP's DNS for that) or No and set it to whatever public DNS you want (CloudFlare, etc.)

 

[Tech9]

No, the custom DNS field shows up exactly when you don’t want automatic configuration. @Gary_Dexter

 

[yobocuruyo]

at the end I still don't know. I'm not the only one confused

 

[ColinTaylor]

Everything is working fine but do I need to set them DNS Server (disable the auto connect)

No. Everything is OK as it is.

 

[bbunge]

Hello,

I have configured the DNS Privacy protocol on my router with the cloudfare servers. Everything is working fine but do I need to set them DNS Server (disable the auto connect)

View attachment 38497

You are OK the way it is shown in your post. As stated before, the router will use your ISP DNS when it boots and when the DNS Privacy Protocol, Stubby, loads the router will switch to the DoT connection.
You can also tick No and enter DNS Server 1 and 2.
If you want to use Cloudflare Security DNS you can manually enter 1.1.1.2 and 1.0.0.2 in the address field and security.cloudflare-dns.com in the TLS Hostname field.
Quad91 and 2 also work well for me.

 

[yobocuruyo]

Thanks

 

[Tech9]

Because the radio button for Yes isn’t checked?

Shut... it's the black dots selected, not the white. I saw it just now after firing up one of the routers.

 

[heysoundude]

Hello,

I have configured the DNS Privacy protocol on my router with the cloudfare servers. Everything is working fine but do I need to set them DNS Server (disable the auto connect)

View attachment 38497

now that you've gone through and gotten an answer, might I suggest you reevaluate your DNS config?
your link to cloudflare's dns server is secure, but you're providing a 3rd party corporation outside of your control all sorts of data on your network's DNS lookups - that's a privacy issue.
Since your DNS lookup privacy is a concern for your network/users, please look into the implementation of unbound available to Merlin users. I'd wager you'd rather be your network's own cloudflare/opendns/google/quad9, and get the speed benefit of <1usec cached lookups and direct auth server queries for your users.
Only you can decide what is secure/private enough for your use case - this is merely a suggestion to question your ideals.

 

[Unisoft]

I use cloudflare in that DNS field (not using auto) and cloudflare family for the DNS over TLS DNS ip addresses. As well as DNSSEC enabled I also select Rebind Protection as well. To test at cloudflare you have to disable temporarily the DNSSec as it cant seem to test with that On. DNS ipv4 servers will be able to do DNS for native ISP IPv6 due to AAAA record as well though you could also set an IPv6 specific DNS over TLS address as well.

 

[Tech9]

Since your DNS lookup privacy is a concern for your network/users, please look into the implementation of unbound available to Merlin users. I'd wager you'd rather be your network's own cloudflare/opendns/google/quad9, and get the speed benefit of <1usec cached lookups and direct auth server queries for your users.

Not exactly. Your ISP still can collect your browsing history and Unbound is much slower until the local cache is built. Your local DNS resolver can't compete with big guys cache. Google, Cloudflare, OpenDNS, etc. respond with constant ms all the time. Also, Unbound may leak your external IP address.

 

[bbunge]

now that you've gone through and gotten an answer, might I suggest you reevaluate your DNS config?
your link to cloudflare's dns server is secure, but you're providing a 3rd party corporation outside of your control all sorts of data on your network's DNS lookups - that's a privacy issue.
Since your DNS lookup privacy is a concern for your network/users, please look into the implementation of unbound available to Merlin users. I'd wager you'd rather be your network's own cloudflare/opendns/google/quad9, and get the speed benefit of <1usec cached lookups and direct auth server queries for your users.
Only you can decide what is secure/private enough for your use case - this is merely a suggestion to question your ideals.

I ran Unbound on a Pi-Hole with the default block list and got a bunch of sites blocked in AiProtect. Unbound gone. Pi-Hole gone also...

 

[Tech9]

I ran Unbound on a Pi-Hole with the default block list and got a bunch of sites blocked in AiProtect. Unbound gone. Pi-Hole gone also...

There is no connection between your observations and the conclusion.

 

[bbunge]

There is no connection between your observations and the conclusion.

Sure there is... For my needs why run something that does not protect well enough as AiProtect and Quad9?

 

[Tech9]

something that does not protect well

Unbound is a DNS resolver. Pi-hole is a DNS-based blocker. Both are tools. You're blaming the wrench for not fitting the nut.

 

[Tech9]

well enough as AiProtect

By the way, have you asked yourself a question why Web History requires TrendMicro engine? Why it isn't available if you don't agree to data sharing? It doesn't need 3rd party software. FreshTomato is doing it perfectly fine without TrendMicro, for example. What is your privacy oriented thinking saying - it's done this way because it was easier for Asus or because someone wanted it done this way?

 

[heysoundude]

Not exactly. Your ISP still can collect your browsing history and Unbound is much slower until the local cache is built. Your local DNS resolver can't compete with big guys cache. Google, Cloudflare, OpenDNS, etc. respond with constant ms all the time. Also, Unbound may leak your external IP address.

You've got to look at security and privacy holistically and comprehensively. WARNING- the thread takes a left turn off the original path from here

HTTPS is a thing (it's an option in brave to try to force it, but most sites are already compliant), and in most places where these routers will be used, the cache populates pretty quickly.
(got kids checking their Insta or TikTok or Snapchat?)
Once it has, unbound wins handily- my cached queries take 0-1 usec, while the recursive lookups (to the same AUTH servers Google and cloudflare etc use to populate their own caches, BTW) take 16, 32, 64 ms. That's a pretty significant time/speed difference: 10^-6 sec vs 10^-3 sec. I'm already loading the page while your DNS query is returning from google etc...and they have made note of what you searched for (I have too - to make my navigation to where webpages live faster), how long you're on the page...
Diversion blocks whatever ads might try to sneak through (they're more likely to be hail mary types of ads than targeted by what a DNS query gleaned in prior lookups - if they do sneak through), and even then with SLAAC and/or ipv6 privacy extensions, they can't even be sure theyre sending appropriate data to the right machine/device/viewer, and in my case my browser mitigates that stuff as well on the way out with HTTPS...so, more obfuscation/confusion to an entity passively tracking your activities for their gain, basically denying them any way to metric the targeting accuracy where they derive revenues from.
Then there's DNSSEC...

I'm not saying I'm as secure or private as I could be, I'm saying have a look/think about what you're trying to accomplish, OP, and weigh your own risks/exposure and then try to make yourself get to the point that you accept what you're doing is enough for you. DoT and cloudflare may not be the best for you....just as not all traffic needs to go through a VPN