DNS server assignment local & router

randomName

Very Senior Member
For a while I've had my router's WAN setting to use Google's 8.8.8.8, 8.8.4.4 DNS.

About a month ago I came across 'Dave's Garage' and his YouTube video about DNS privacy, 'Are YOU the Product...'.

So I decided to add and also encrypt Google's DNS server on my local devices, all except my gaming computer.


Does that create any conflict if the Router is set to Google's DNS, while the local devices are also set to Google's DNS but encrypted? If I have local devices encrypted do I need to even use the Router's DNS server settings?


Thanks
 
If the clients have their own DNS set (either directly or via DHCP), the router's DNS server settings should only be used for the name resolution required by the router, i.e. to resolve time server names, or lookups related to other queries coming from the router itself, like checking update servers etc.

Though personally, Google & privacy don't typically go in the same sentence, so I pass on their servers. YMMV. :)
 
Managing individual client network settings, including DNS, can become a chore. Especially if you decide to change upstream DNS resolvers. While many web browsers have the ability to encrypt their DNS using DoH (DNS over HTTPS) I feel this is less than ideal as the default DoH resolvers are not filtered.
By filtered, I mean that malware, scam and other web sites are filtered out by the DNS provider. Google DNS does not filter...
I feel that using a filtered DNS provider such as Quad9, CleanBrowsing or Cloudflare Security is the better way. With any router you can set the DNS resolvers in the router settings. Routers like Asus can also be set to use those filtered services over DoT (DNS over TLS), which is encrypted. With the router set this way and all the clients in the LAN set to use the router as DNS, your entire network can benefit from filtered and encrypted DNS. And, if you decide to try another DNS provider, there are settings to be changed in one device, the router.
I also block auto DoH services in web browsers in my LAN. I want the browsers to use the router for DNS. I also have been known to use a Pi-Hole to block ads, but that is another lesson.

It is your router and LAN, so you can do what you please. It is my opinion that what you mentioned in the first post is not very secure DNS-wise. You are using a good router on Merlin firmware. You could run DoT to a filtering DNS service, add Diversion to block ads and other suspicious web sites, and use DNS Director to force all the clients on your LAN to use the router or another DNS service of your choosing. I would also leave the clients to get their network settings via DHCP, except those that really need to have static IP addresses.
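To make concrete what the router does when it is set to DoT, here is an added example (not code from the thread or from the Asus/Merlin firmware) of a minimal DNS-over-TLS client in Python. It shows that the message on the wire is an ordinary RFC 1035 DNS query, only length-prefixed and carried inside a TLS session whose certificate is verified against the configured TLS hostname; the query name, transaction ID and the sample response bytes are constructed for the example, while the resolver address and TLS hostname are the Cloudflare Security values mentioned later in the thread.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS (RFC 7858)


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a plain DNS query (RFC 1035 wire format); qtype 1 = A record.
    DoT carries exactly this message, prefixed with a 2-byte length, inside TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, expected_txid: int):
    """Return (rcode, [IPv4 strings]) from a DNS response.
    A mismatched transaction ID is rejected rather than trusted."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server_ip: str, tls_hostname: str, timeout: float = 5.0):
    """Send the query over TLS to port 853. The certificate chain and the name are
    verified against tls_hostname, which is what the router's 'TLS Hostname' field is for."""
    ctx = ssl.create_default_context()  # chain + hostname verification on by default
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length), txid)


# Constructed sample response for build_query("example.com"): NOERROR, one A record
# 192.0.2.10 (documentation range), with a compression pointer back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    # Live query against the resolver named in the thread (needs network access):
    # print(resolve_over_tls("example.com", "1.1.1.2", "security.cloudflare-dns.com"))
```

The `ssl.create_default_context()` call is the important part: with `server_hostname` set, a resolver that presents a certificate for some other name, or a self-signed one, is refused, which is the property a router DoT setting relies on when you fill in the TLS hostname alongside the IP address.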
 

So from what I understand I should choose e.g. Quad9 in the DNS Server filter settings, Prevent client auto DoH = Yes, and lastly under the Preset servers choose Quad 1 & Quad 2 addresses. Is that part correct? I've also removed the client DNS encryption on each device.
 
Quad9 is one that filters. CleanBrowsing is good as well. I use Cloudflare Security (1.1.1.2 and 1.0.0.2 with TLS Hostname: security.cloudflare-dns.com)

Some DNS services work better than others depending on where you are located. For me all of the above are within 100 miles of where I live. You really do not get a choice in the datacenter hosting the DNS resolver, as all are using anycast addresses that can be routed by the ISP.
 
