i want to make sure i'm doing DNS right


stuffedtiger

Occasional Visitor
For a long time I was using this dnsmasq.postconf script to have dnsmasq send out my router's address as a DNS server to clients, and then put in my custom DNS servers on the WAN -> Internet Connection and IPv6 pages. This worked very well, but now with the addition of DoT I want to make sure I'm doing everything right, so I'm asking the community for guidance.

At the moment, I have Connect to DNS Server automatically set to True for both IPv4 and IPv6 DNS servers, and on the WAN -> Internet Connection page I've enabled DoT and have the two IPv4 and two IPv6 Cloudflare DNS addresses added (I'm not sure if I need both v4 and v6 here). I also enabled DNSFilter and set the Global Filter Mode to Router.

I tested this configuration using the Cloudflare ESNI Checker posted in one of the threads I saw about DoT and I get a green check mark on Secure DNS. My confusion comes in at the point where I wonder if both IPv4 and IPv6 DNS servers are necessary in the DoT setup. AFAIK an IPv6 address can be retrieved from an IPv4 DNS server, but if I'm trying to access an IPv6 domain will my router use the IPv6 DNS server by default? Or does the firmware "round robin" its picks based on availability? Are just the two IPv4 servers enough?

Another point of confusion comes from seeing what appear to be my ISP's IPv6 DNS servers when I check my internet connection from within Windows. My router's address shows as the IPv4 DNS server. This was the reason I used that dnsmasq.postconf script in the first place: I wanted to make sure every device that connected to my router used the custom DNS servers, since even after entering the DNS servers manually into the router, I would still see my ISP's IPv6 DNS servers in Windows. DNSFilter apparently does this too, but I learned about it after already setting up the dnsmasq.postconf script so I didn't want to mess with it. So I'm wondering: even though I see my ISP's DNS servers in Windows, will my computer still use the custom DNS servers specified in the DoT settings?
 
> At the moment, I have Connect to DNS Server automatically set to True for both IPv4 and IPv6 DNS servers

This is what I have as well. It is only in effect until DoT comes up.

> and on the WAN -> Internet Connection page I've enabled DoT and have the two IPv4 and two IPv6 Cloudflare DNS addresses added (I'm not sure if I need both v4 and v6 here).

Not required but good for resiliency.

> I also enabled DNSFilter and set the Global Filter Mode to Router.

I have this enabled as well.

> I tested this configuration using the Cloudflare ESNI Checker posted in one of the threads I saw about DoT and I get a green check mark on Secure DNS. My confusion comes in at the point where I wonder if both IPv4 and IPv6 DNS servers are necessary in the DoT setup.

No.

> AFAIK an IPv6 address can be retrieved from an IPv4 DNS server, but if I'm trying to access an IPv6 domain will my router use the IPv6 DNS server by default?

No.

> Or does the firmware "round robin" its picks based on availability?

Yes.

> Are just the two IPv4 servers enough?

Yes.

> Another point of confusion comes from seeing what appear to be my ISP's IPv6 DNS servers when I check my internet connection from within Windows. My router's address shows as the IPv4 DNS server. This was the reason I used that dnsmasq.postconf script in the first place: I wanted to make sure every device that connected to my router used the custom DNS servers, since even after entering the DNS servers manually into the router, I would still see my ISP's IPv6 DNS servers in Windows. DNSFilter apparently does this too, but I learned about it after already setting up the dnsmasq.postconf script so I didn't want to mess with it.

Remove that line from dnsmasq.postconf.

> So I'm wondering: even though I see my ISP's DNS servers in Windows, will my computer still use the custom DNS servers specified in the DoT settings?

Yes, confirm with the Cloudflare test page:
https://1.1.1.1/help
 
You shouldn't need to use a dnsmasq.postconf script if you are using your router for DNS. The example you linked to is to advertise to clients on your network the IP of a DNS server hosted somewhere else on your network (something like a Pi-hole). By default the dnsmasq config has
Code:
dhcp-option=lan,option6:23,[::]
[::] is special here and is replaced by your router's IPv6 address.

If for some reason you want to use the link address instead (for example, Windows sometimes uses the old IP right after your connection restarts), you can use [fe80::], which dnsmasq automatically replaces with your router's link address. An example line for dnsmasq.postconf would be
Code:
sed -i "s/\[::\]/[fe80::]/" "$1"
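The following is an added example (not code from the thread or from the router firmware) that carries the one-line sed above through as a checkable script. It assumes, as the reply does, that dnsmasq.postconf is called with the path of the generated dnsmasq config in $1 and that dnsmasq expands [::] and [fe80::] to the router's own addresses; the sample config is constructed here so the script runs offline. Unlike the bare sed, it anchors the substitution to the option6:23 line only, so other occurrences of [::] in the file are left alone, and it can report whether the advertised DHCPv6 DNS server is the router placeholder or a literal address (the case that makes ISP servers show up on Windows clients).

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the firmware calls dnsmasq.postconf as `dnsmasq.postconf /path/to/dnsmasq.conf`,
# so $1 is the config file; dnsmasq replaces [::] with the router's global IPv6
# address and [fe80::] with its link-local address when sending option6:23.

# Write a constructed sample config that mimics the stock option6:23 line.
make_sample_conf() {
    cat > "$1" <<'EOF'
pid-file=/var/run/dnsmasq.pid
interface=br0
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,option6:23,[::]
dhcp-option=lan,6,192.168.1.1
EOF
}

# Print the value currently advertised as the DHCPv6 DNS server (option6:23).
advertised_option6_dns() {
    sed -n 's/^dhcp-option=lan,option6:23,//p' "$1"
}

# Return 0 if option6:23 points at the router itself (either placeholder),
# 1 if it is a literal address or missing. A literal address is what you would
# see if the ISP's resolvers had been written in here.
option6_dns_is_router() {
    case "$(advertised_option6_dns "$1")" in
        '[::]'|'[fe80::]') return 0 ;;
        *) return 1 ;;
    esac
}

# The postconf step: swap [::] for [fe80::] on the option6:23 line only.
# Written without `sed -i` so it behaves the same on busybox, GNU and BSD sed.
rewrite_option6_dns() {
    conf="$1"
    tmp="${conf}.tmp.$$"
    sed 's/^\(dhcp-option=lan,option6:23,\)\[::\]$/\1[fe80::]/' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Stand-alone demonstration against a temporary file.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_conf "$f"
    echo "before: $(advertised_option6_dns "$f")"
    rewrite_option6_dns "$f"
    echo "after:  $(advertised_option6_dns "$f")"
    option6_dns_is_router "$f" && echo "option6:23 still points at the router"
    rm -f "$f"
fi
```

Run it with `--demo` to see the before/after value; to use it for real, call `rewrite_option6_dns "$1"` from /jffs/scripts/dnsmasq.postconf. Because the substitution is anchored to the full stock line, running it twice is harmless and a line that already carries [fe80::] or a literal address is not touched.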
 
Thanks guys! Appreciate all the input. I feel like I have it set up correctly now. There are check marks in all the right spots.
 