DNS Security

These are the 5 critical caps I have..

[Attached screenshots: WANDNS01-20190528.jpg, LANDNS01-20190528.jpg, LANDNSFilter-20190528.jpg, ADMIN-SYSTEM-20190601.jpg, ADMIN-SYSTEM-20190529.jpg]
Cap 2, #3 should probably be Yes in order to push the router's IP to clients as the DNS server.
Funny, I read in a post I think RMerlin was involved in that setting that value to yes or no was totally irrelevant if there is no value in the DNS1 or DNS2 entries. In fact, as I recall they were looking thru the source code when that was said. I now wish I'd kept all the links talking about this... there were SO MANY.. :)

This is the thread -> https://www.snbforums.com/threads/setting-up-correct-dns-settings.56387/#post-486399

The quote was "This is unnecessary when the LAN DNS server fields are empty (in fact that setting is ignored). The option is "Advertise router's IP in addition to user-specified DNS". When there are no user-specified DNS servers the router's address is always advertised."
 
Funny, I read in a post I think by RMerlin that setting that value to yes or no was totally irrelevant if there is no value in the DNS1 or DNS2 entries. In fact, as I recall they were looking thru the source code when that was said. I now wish I'd kept all the links talking about this... there were SO MANY.. :)

This is the thread -> https://www.snbforums.com/threads/setting-up-correct-dns-settings.56387/#post-486399

The quote was "This is unnecessary when the LAN DNS server fields are empty (in fact that setting is ignored). The option is "Advertise router's IP in addition to user-specified DNS". When there are no user-specified DNS servers the router's address is always advertised."
@ColinTaylor recently drove this point home. :)
384.11 Secure DNS
Setting up correct DNS settings
 
^^^
Yeap those are the ones! TY
Makes sense there would be a fail-safe against pushing no DNS at all. I keep that enabled for “why not” purposes.
 
The default firmware value for “Advertise router's IP in addition to user-specified DNS” is “Yes” in Merlin, so it’s not wrong to have it. Just not absolutely necessary.
 
^^^^ Ah yes, this setting has been discussed on/off very recently. The reason I left it YES was due to this discussion about performing better with the local cache. I also think that some of the errors on not connecting are possibly due to the way that test page may be set up. I used to see that, but I changed these entries on my page.

As always I defer to the RMerlin and other SMEs.

"Yes, as I said it is faster, but the reason to use "No" for Use local caching is because of possible issues (and permanent ones for some users), especially with DoT used, for checking if WAN works or not and for NTP time synchronization.

It never was an issue whether caching on the router would be faster or not, of course it will; but be careful to use it on a case-by-case basis, only if certain no issues occur with Network Monitoring or NTP. And they might occur in the future at some point, not instantly (if the cache remembers an old resolve no longer valid, breaks, corrupts, dnsmasq or stubby fails...), which is the very reason RMerlin went back to "No" as default. Then if that ever happens, you will have to use "No" for Use local caching. If all works, stay with "Yes" for speed.
"

from --> https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-12#post-493556
from --> https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-10#post-493362
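The two settings this thread keeps circling back to are easy to verify on the router itself rather than from screenshots: what DNS server dnsmasq actually hands to DHCP clients (the "Advertise router's IP" question above) and whether the router's own system resolver goes through the local cache (the "Use local caching" question). Below is an added audit script, written for this thread and not code from the firmware or from anyone quoted here. It assumes you feed it the text of the router's dnsmasq configuration and resolv.conf (on Asuswrt-Merlin these are commonly /etc/dnsmasq.conf and /etc/resolv.conf, which is an assumption; the sample inputs are constructed). The dnsmasq behaviour it models is documented: with no option-6 line configured, dnsmasq advertises its own address as the DNS server, and a literal 0.0.0.0 in an option-6 list is replaced by the address of the host running dnsmasq, which matches the quoted explanation that the router's address is always advertised when no user-specified servers exist.

```python
import re

# dnsmasq lines that hand DNS servers to DHCP clients, e.g.
#   dhcp-option=6,192.168.1.1,9.9.9.9
#   dhcp-option=option:dns-server,0.0.0.0
#   dhcp-option=tag:lan,6,192.168.1.1
_DNS_OPTION_RE = re.compile(
    r"^dhcp-option=(?:tag:[^,]+,)*(?:6|option:dns-server),(?P<servers>.+)$"
)


def advertised_dns_servers(dnsmasq_conf: str, router_ip: str) -> list:
    """Return the DNS server list a DHCP client receives from dnsmasq.

    Documented dnsmasq behaviour modelled here: with no option-6 line,
    dnsmasq advertises its own address; a literal 0.0.0.0 in the list
    is replaced by the address of the host running dnsmasq.
    """
    servers = []
    for raw in dnsmasq_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = _DNS_OPTION_RE.match(line)
        if not m:
            continue
        for entry in m.group("servers").split(","):
            entry = entry.strip()
            if entry:
                servers.append(router_ip if entry == "0.0.0.0" else entry)
    return servers or [router_ip]


def system_nameservers(resolv_conf: str) -> list:
    """Return the nameserver entries from a resolv.conf-style file."""
    out = []
    for raw in resolv_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def uses_local_cache(nameservers) -> bool:
    """True when the router's own lookups go through the local dnsmasq cache."""
    return any(ns in ("127.0.0.1", "::1") for ns in nameservers)


def audit(dnsmasq_conf: str, resolv_conf: str, router_ip: str) -> dict:
    """Summarise what clients are told and how the router itself resolves."""
    clients = advertised_dns_servers(dnsmasq_conf, router_ip)
    system_ns = system_nameservers(resolv_conf)
    return {
        "clients_get": clients,
        "router_is_client_dns": router_ip in clients,
        "system_nameservers": system_ns,
        "router_uses_local_cache": uses_local_cache(system_ns),
    }


# Constructed sample inputs (not captured from a real router).
ROUTER_IP = "192.168.1.1"
CONF_NO_OPTION6 = """# LAN DNS1/DNS2 fields left empty: no option 6 at all
interface=br0
dhcp-range=192.168.1.2,192.168.1.254,255.255.255.0,86400s
"""
CONF_USER_DNS = """# user-specified DNS plus the router itself (0.0.0.0)
interface=br0
dhcp-option=6,0.0.0.0,9.9.9.9
"""
RESOLV_CACHED = "nameserver 127.0.0.1\n"          # system resolver via local cache
RESOLV_DIRECT = "nameserver 1.1.1.1\nnameserver 1.0.0.1\n"  # straight to upstream

if __name__ == "__main__":
    for label, conf in (("no option 6", CONF_NO_OPTION6), ("user DNS", CONF_USER_DNS)):
        for rlabel, resolv in (("cached", RESOLV_CACHED), ("direct", RESOLV_DIRECT)):
            print(label, "/", rlabel, "->", audit(conf, resolv, ROUTER_IP))
```

If `router_uses_local_cache` comes back True and the WAN monitor or NTP starts failing after a resolver change, a stale entry in the local cache is the first thing to rule out, which is the failure mode the quoted post describes.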
 

Thanks for pulling it all together in your summary. Just to clarify: in 384.11_2 the default setting for “WAN: Use local caching for DNS server as system resolver (default:Yes) “ is, as it says, Yes. So Merlin has, in 384.12 Alpha, changed the default to No?
 
Correct. The way I read the content is RMerlin is changing that default from Yes (as I have shown in 384.11_2) to No in 384.12 Alpha for the many reasons they discussed in a page or 2 of entries around that entry point in that thread. I think L&LD also discussed the speed difference he sees somewhere else, so he kept his setting to YES. This Yes to No change is ONLY for "WAN: Use local caching for DNS server as system resolver". There are clearly some cases where YES breaks some people's setup totally. So I think that is why RMerlin is setting the value to No in 384.12 Alpha. As always, I defer to that thread and those SMEs.

IMHO, part of the reason some setups may have issues with the "Network Monitoring" or "NTP" MAY be due to the setup monitoring screen I included above. I think having multiple entries or both ping and DNS lookup may help. I recall I only used to use 1 for DNS (I think it was the MS default or something) and I had issues with the Network Monitor showing me that I was not connected all the time, especially after I rebooted, and then sometimes it complained all the time. When I added multiples and did both DNS and PING as shown, those issues SEEM to have not reoccurred (so far). I am running Merlin 384.11_2 + amtm + diversion + skynet + ntp + spd + etc... (all the tooling) at their current versions on an AC86 with the settings noted in the above screen caps. Bottom line: No seems to fix things for certain configs and Yes seems to make some DNS lookups faster, which may be due to the local caching. That's all I currently understand.
I will try to update the screen cap with more info tonight. TY
 
Yes, I have kept this setting as “Yes” too, as it keeps my configuration behaving very similarly to that of Stubby’s. I have, too, noticed considerable increases in speed in the last few weeks via the same VPN server that I have used for at least 6 months now (now at approx 95% of ISP). Whether this is a placebo effect, plain coincidence, or due to my current configuration, time will tell.


 
Many thanks for expanding even more on this topic. Much appreciated. I’ve changed my setting to No in anticipation and after reading your posts. To be sure, even if it took a whole second longer to look up my frequently browsed domains eg this forum, I doubt I would even notice, so I’m playing safe.
 
I’ve been running the alpha with it set at No for a few days now. I’ve noticed no difference while browsing and in page loads. There will be instances where this setting will have to be set to Yes, like this one:

https://www.snbforums.com/threads/384-12_alpha-builds-testing-all-variants.56639/page-17#post-494356
 
Most helpful, thank you.
In a utopian world there’d be a help icon against each setting in a router’s firmware - well, against all but the blatantly obvious ones, anyway - detailing the implications, and pros and cons, of the Yes/No options; when you should and shouldn’t use each option, and which other settings might affect your decision ....... etc. With DNS, it strikes me that would be so complicated, you’d need a small team of developers to keep on top of it. And the Help file would be ten times the size of the firmware itself. And most of us would still come to the forum after tearing our hair out trying to make sense of it all just wanting to be told which settings to set.
 
^^ Yeap. Explaining complex code on a level most people can understand is very difficult. I updated the original images above and will post here too.
[Attached screenshot: ADMIN-SYSTEM-20190601.jpg]
 
