DNS: time of maximum confusion (AC86U)

brec

Regular Contributor
My 86U was delivered 10 days ago. In that time I've spent a lot of time on these terrific forums and gotten a lot of great info. Now my head is spinning as I confront the various DNS settings spread across several pages in the GUI. Situation: one-person household. LAN devices are a Mac desktop, a printer, a Windows laptop, an iPhone, an iPad, a car, a smart TV, a couple of Nest thermostats, a Ring doorbell. I have the OpenDNS client on the 86U configured to connect to a remote server, but not at startup; I use it only occasionally.

I've generally known what DNS is, but I haven't kept track of developments. I first encountered Quad9 and similar filterers, DoH, DoT, etc., in the past 10 days.

My goals, not unusual ones, are snappy performance, security against snooping and malware, and reasonable privacy. I would like to be prepared for some occasion when I'd need "unreasonable" privacy at short notice. I don't need DDNS, and I have elected to "Withdraw" on the Administration/Privacy page.

So far, I've found DNS-related settings on...
LAN/DHCP Server
LAN/DNSFilter,
WAN/Internet Connection/WAN DNS Setting
VPN/VPN Client/Network Settings
and on my Mac and iOS devices (probably Windows, too, but I use that less frequently).
Plus among scripts listed by amtm: unbound.
And I've installed Skynet and I'm not sure how that relates to external filters such as Quad9.

I'll leave it there for now. After all, with your help, we've got a whole educational thread ahead of us. :)
 
Start out slowly.
  1. Set WAN DNS servers 1 & 2 to Quad9.
  2. Leave LAN DHCP DNS servers empty.
  3. Set DNS Filter global mode to Router (enforces WAN DNS for all clients on LAN).
  4. Ignore Unbound for now.
  5. Save DoT for later.
  6. Wait for others to give advice on VPN settings.
  7. Skynet blocks known malware IPs. Quad9 prevents you resolving malware domain names to IPs. Complementary since we don’t know how much overlap there is.
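An added example, not from the thread, to audit steps 1 to 3 once they are saved: a small POSIX shell script for the router's own shell (Asuswrt-Merlin). The nvram variable names wan0_dns1_x, wan0_dns2_x and dhcp_dns1_x, and the DNSFILTER chain name and rule shape in the constructed sample, are assumptions about the firmware; confirm them on your router with `nvram show | grep dns` and `iptables -t nat -S`.

```shell
#!/bin/sh
# Added example, not from the thread: audit steps 1-3 above on an Asuswrt-Merlin
# router. The nvram variable names (wan0_dns1_x, wan0_dns2_x, dhcp_dns1_x) are
# assumptions about the firmware; confirm them with `nvram show | grep dns`.

QUAD9_PRIMARY="9.9.9.9"
QUAD9_SECONDARY="149.112.112.112"

# Step 1: both WAN DNS servers should be Quad9.
check_wan_dns() {
    if [ "$1" = "$QUAD9_PRIMARY" ] && [ "$2" = "$QUAD9_SECONDARY" ]; then
        echo "ok"
    else
        echo "mismatch: ${1:-empty} ${2:-empty}"
    fi
}

# Step 2: LAN DHCP DNS left empty, so clients are handed the router itself.
check_lan_dhcp_dns() {
    if [ -z "$1" ]; then echo "ok"; else echo "set to: $1"; fi
}

# Step 3: in Router mode DNSFilter installs a chain in the nat table that
# DNATs every port-53 packet to the router, which is what stops a client
# with a hard-coded 8.8.8.8 from bypassing Quad9. Given the output of
# `iptables -t nat -S DNSFILTER` (chain name assumed), print the unique
# DNAT targets for port 53.
dnsfilter_redirect_target() {
    printf '%s\n' "$1" \
        | grep -- '--dport 53' | grep DNAT \
        | sed -n 's/.*--to-destination \([0-9.]*\).*/\1/p' \
        | sort -u
}

if command -v nvram >/dev/null 2>&1; then
    # Live checks on the router.
    echo "WAN DNS:      $(check_wan_dns "$(nvram get wan0_dns1_x)" "$(nvram get wan0_dns2_x)")"
    echo "LAN DHCP DNS: $(check_lan_dhcp_dns "$(nvram get dhcp_dns1_x)")"
    echo "DNSFilter redirects port 53 to: $(dnsfilter_redirect_target "$(iptables -t nat -S DNSFILTER 2>/dev/null)")"
else
    # Off the router: run the parser over constructed sample output.
    SAMPLE='-N DNSFILTER
-A DNSFILTER -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.50.1
-A DNSFILTER -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.50.1'
    echo "sample DNSFilter redirect target: $(dnsfilter_redirect_target "$SAMPLE")"
fi
```

Copy it to /jffs/scripts, run it with `sh`, and the third line tells you where any client's port-53 traffic actually ends up; if it is empty, DNSFilter is not enforcing anything and a device with its own DNS setting will walk straight past Quad9.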
 
OK! Did steps 1, 2, and 3. In step 1, WAN/Internet Connection/WAN DNS Setting, I left the other settings below the DNS server IPs at No, No, No, Auto, None.
 
My goals, not unusual ones, are snappy performance, security against snooping and malware, and reasonable privacy. I would like to be prepared for some occasion when I'd need "unreasonable" privacy at short notice.
Bravo!
I believe you will appreciate unbound and suricata - they seem to me to make unreasonable privacy quite easily attainable.
VPN - there are tried and true tunnelling protocols, but you may also wish to do your homework on WireGuard as you have a router that can run it. I'm of the opinion that VPNs are for trusted computers/systems to talk to each other securely over other people's connections rather than for individual users to "hide" their activity. (with Unbound, suricata +/- skynet, https, diversion and a browser like brave, you're probably ahead of 90% of the "average joes" out there...and that jumps above 95% if you VPN into your home network -when it's secured as we do it around here- from your mobile devices all the time)
 
I don't understand what unbound does for us. :confused:
 
I don't understand what unbound does for us. :confused:

Using unbound is like being your own dns server instead of using Quad9 or Cloudflare, etc. Instead of your router using those dns servers, unbound will use the root servers. This is what Quad9 etc uses too, but you are now cutting out that middle man. Via unbound you will build up a cache that will almost instantly give a reply instead of having to go out to the internet and back. Hope that makes sense.
 
Using unbound is like being your own dns server instead of using Quad9 or Cloudflare, etc. Instead of your router using those dns servers, unbound will use the root servers. This is what Quad9 etc uses too, but you are now cutting out that middle man. Via unbound you will build up a cache that will almost instantly give a reply instead of having to go out to the internet and back. Hope that makes sense.
It does! Wouldn't an effective cache take a lot of storage, though? Does the cache mostly live on "disk" (USB)?
 
It does! Wouldn't an effective cache take a lot of storage, though? Does the cache mostly live on "disk" (USB)?

It doesn't take up much space and is user adjustable. Just depends on how many different sites are visited on your network. Yes it does live on the usb.

Where I live the dns servers all have slower response times. In my case, unbound is the perfect solution as most queries do not have to leave the network and can therefore be answered by unbound.
 
It does! Wouldn't an effective cache take a lot of storage, though? Does the cache mostly live on "disk" (USB)?
It doesn't take up much space and is user adjustable. Just depends on how many different sites are visited on your network. Yes it does live on the usb.
The cache lives in RAM. The only time it exists on disk is if unbound_manager saves it to disk before a restart (and reloads it afterward).
 
You don't need Unbound for caching. The router's dnsmasq already has a cache (which was dnsmasq's original function).
 
The cache lives in RAM. The only time it exists on disk is if unbound_manager saves it to disk before a restart (and reloads it afterward).

My mistake on that detail. I was installing a new ssd and had usb on the brain.
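
An added example, not the thread's or unbound_manager's own code, tying together the two points made above: unbound as a recursive resolver that asks the root servers itself, with its cache in RAM and user-adjustable in size, and the cache only reaching disk when it is dumped before a restart and loaded afterward. The install directory, the 53535 listening port, the cache sizes and the dnsmasq drop-in file name are assumptions chosen for illustration; the unbound options themselves are real ones.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: a minimal recursive unbound
# set-up on an Asuswrt-Merlin router plus the save/restore-cache step discussed
# above. The directory, the 53535 port, the cache sizes and the dnsmasq.conf.add
# drop-in are assumptions for illustration.

UNBOUND_DIR="${UNBOUND_DIR:-/opt/var/lib/unbound}"
UNBOUND_PORT=53535
CACHE_FILE="$UNBOUND_DIR/cache.txt"

# Writes unbound.conf into the directory given as $1. With no forward-zone,
# unbound walks down from the root servers itself (built-in root hints),
# validates DNSSEC, and keeps answers in RAM; msg-cache-size and
# rrset-cache-size are the knobs that bound how much RAM that cache may use.
write_unbound_conf() {
    dir="$1"
    cat > "$dir/unbound.conf" <<EOF
server:
    interface: 127.0.0.1@$UNBOUND_PORT
    access-control: 127.0.0.0/8 allow
    # root.key is created once with: unbound-anchor -a $dir/root.key
    auto-trust-anchor-file: "$dir/root.key"
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes
    msg-cache-size: 8m
    rrset-cache-size: 16m
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-use-cert: no
EOF
    echo "$dir/unbound.conf"
}

# Points dnsmasq at unbound instead of the WAN resolvers. On the router this
# file is /jffs/configs/dnsmasq.conf.add; $1 lets the demo write elsewhere.
# no-resolv stops dnsmasq also consulting the resolvers the WAN handed it.
write_dnsmasq_forward() {
    dir="$1"
    printf 'no-resolv\nserver=127.0.0.1#%s\n' "$UNBOUND_PORT" > "$dir/dnsmasq.conf.add"
    echo "$dir/dnsmasq.conf.add"
}

# The cache only touches flash or USB when explicitly dumped. These wrap the
# unbound-control calls to use immediately before and after a restart.
save_cache()    { unbound-control -c "$UNBOUND_DIR/unbound.conf" dump_cache > "$CACHE_FILE"; }
restore_cache() { unbound-control -c "$UNBOUND_DIR/unbound.conf" load_cache < "$CACHE_FILE"; }

# Stand-alone demonstration into a temporary directory so nothing on the
# router is touched; the generated files are printed for inspection.
demo_dir=$(mktemp -d)
write_unbound_conf "$demo_dir" >/dev/null
write_dnsmasq_forward "$demo_dir" >/dev/null
cat "$demo_dir/unbound.conf" "$demo_dir/dnsmasq.conf.add"
```

After a real install, `unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep cache` shows the hit and miss counters; watching total.num.cachehits climb while the miss count stays flat is the "almost instant reply" effect described above, and it happens entirely in RAM.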
 
