Multiple DNS Servers - How does the router decide which one to use?

zakazak

Occasional Visitor
So in WAN Settings I can add multiple DNS Servers.

How does the router decide which one to use or which one to use first?
Does it rotate through the list?
Does it randomly pick one out of the list and stays with it until that DNS goes offline?

Thanks!
 

JJohnson1988

Regular Contributor
If you're referring to the DNS-over-TLS mode, it round-robins the servers due to how Stubby is configured. So to answer the question, it rotates through the list.
 

zakazak

Occasional Visitor
Thanks! Yes I was referring to DNS over TLS/HTTPS.

So it rotates. And do you happen to know approx. how often?
 

zakazak

Occasional Visitor
Oki, thanks! I will try figuring it out by adding two different NextDNS accounts with empty protocols and see how they both fill up.
 

bbunge

Part of the Furniture
Log into the router with a terminal and run "stubby -l" and you can watch the connections.
 

cptnoblivious

Senior Member
I noticed that this behaviour is configurable in AdGuardHome's settings (in case you're looking for an easy way to change the DoT behaviour) :)
Since you're already running Merlin ...

Just FYI.
 

JJohnson1988

Regular Contributor
> I noticed that this behaviour is configurable in AdGuardHome's settings (in case you're looking for an easy way to change the DoT behaviour) :)
> Since you're already running Merlin ...
>
> Just FYI.
Or just create a stubby.postconf script and simply override the behavior. Assuming we are still talking about round-robin vs sequential order.
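The setting behind the rotation described in this thread, and the postconf override suggested above, as an added example that is not from the thread and is not Asuswrt-Merlin's own code. Stubby's `round_robin_upstreams` key is what Merlin's generated stubby.yml sets to 1 (rotate queries across all listed upstreams); 0 uses the upstreams in listed order and only moves on after a failure. A real /jffs/scripts/stubby.postconf receives the generated file's path as $1 and calls pc_replace from /usr/sbin/helper.sh; the functions below make the same edit with sed so the example runs on any POSIX shell. The stubby.yml content is a constructed stand-in and PROFILEID is a placeholder for a NextDNS profile ID.

```shell
#!/bin/sh
# Added example (not from the thread, not Asuswrt-Merlin's code).
# Merlin writes round_robin_upstreams: 1 into the generated stubby.yml, which is
# the setting behind the rotation discussed above. A /jffs/scripts/stubby.postconf
# script receives the generated file path as $1 and would use pc_replace from
# /usr/sbin/helper.sh; the same edit is done here with sed so it runs anywhere.
# The NextDNS profile ID (PROFILEID) is a placeholder.

# Write a constructed stand-in for the router-generated stubby.yml to file $1
make_sample_stubby_yml() {
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "PROFILEID.dns.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "PROFILEID.dns.nextdns.io"
EOF
}

# Print the round_robin_upstreams value: 1 = rotate across upstreams,
# 0 = use them in listed order, moving on only after a failure
get_round_robin() {
    sed -n 's/^round_robin_upstreams: \([01]\)[[:space:]]*$/\1/p' "$1"
}

# Rewrite round_robin_upstreams in file $1 to $2 (0 or 1). Equivalent to
#   pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$1"
# in a stubby.postconf script.
set_round_robin() {
    case "$2" in
        0|1) ;;
        *) echo "set_round_robin: value must be 0 or 1" >&2; return 1 ;;
    esac
    sed "s/^round_robin_upstreams: [01][[:space:]]*$/round_robin_upstreams: $2/" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of DoT upstreams the rotation (or the failover order) walks over
count_upstreams() {
    grep -c '^  - address_data:' "$1"
}

# Stand-alone demonstration of the edit the postconf script would make
demo=$(mktemp)
make_sample_stubby_yml "$demo"
echo "before: round_robin_upstreams=$(get_round_robin "$demo") upstreams=$(count_upstreams "$demo")"
set_round_robin "$demo" 0
echo "after:  round_robin_upstreams=$(get_round_robin "$demo")"
rm -f "$demo"
```

On the router the sed call would be replaced by the pc_replace line shown in the comment, and the script must be executable (chmod a+x). Because Merlin regenerates stubby.yml on every restart of the service, the postconf script is the only place the override survives; editing /etc/stubby/stubby.yml directly is lost at the next restart.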
 

zakazak

Occasional Visitor
> I noticed that this behaviour is configurable in AdGuardHome's settings (in case you're looking for an easy way to change the DoT behaviour) :)
> Since you're already running Merlin ...
>
> Just FYI.

Thanks but I guess I will go with NextDNS :)

AdGuard Home doesn't have any big advantages over NextDNS?
Except maybe that requests are processed locally and should therefore be faster than sending them to NextDNS?
 

JJohnson1988

Regular Contributor
> Thanks but I guess I will go with NextDNS :)
>
> AdGuard Home doesn't have any big advantages over NextDNS?
> Except maybe that requests are processed locally and should therefore be faster than sending them to NextDNS?
It mayyy be a tad faster in regards to latency, but it's difficult to notice in real situations. And AGH uses a lot of memory, which not everyone can afford to spare on their routers.
 

Mogsy

Regular Contributor
> Thanks but I guess I will go with NextDNS :)
>
> AdGuard Home doesn't have any big advantages over NextDNS?
> Except maybe that requests are processed locally and should therefore be faster than sending them to NextDNS?
There will be an issue with DNS rebinding protection. If you do it locally, some tweaking of the rebinding protection is needed. Maybe someone using NextDNS TLS with local DNS services like dnsmasq/unbound/diversion can post their settings?
 

JJohnson1988

Regular Contributor
> There will be an issue with DNS rebinding protection. If you do it locally, some tweaking of the rebinding protection is needed. Maybe someone using NextDNS TLS with local DNS services like dnsmasq/unbound/diversion can post their settings?
If using NextDNS directly in the DoT servers section, DNS rebinding protection in the GUI/Dnsmasq needs to be disabled. Along with DNSSEC.

If you're using the NextDNS CLI that uses DoH, it disables the settings for you, so nothing to do there.
 

JJohnson1988

Regular Contributor
NextDNS doesn't play nicely with rebinding protection, and your log will be spammed with problems if you leave it enabled (likely due to NextDNS offering up a feature that also protects against rebinding -- it's in your profile's Security tab). In addition, NextDNS already does DNSSEC validation on their end, so by leaving it enabled you're essentially double checking the validity of requests.

See this for DNSSEC: DNSSEC and blocked domains - Discussions - NextDNS Help Center
 

zakazak

Occasional Visitor
Hm I have DNS Rebinding protection disabled in NextDNS.
Can I then do it on my router or would it be better to let NextDNS handle this?
 

ColinTaylor

Part of the Furniture
> NextDNS doesn't play nicely with rebinding protection, and your log will be spammed with problems if you leave it enabled (likely due to NextDNS offering up a feature that also protects against rebinding -- it's in your profile's Security tab). In addition, NextDNS already does DNSSEC validation on their end, so by leaving it enabled you're essentially double checking the validity of requests.
>
> See this for DNSSEC: DNSSEC and blocked domains - Discussions - NextDNS Help Center
Thanks for the info. I can't say that I've ever had a problem with the logs being (incorrectly) spammed because of rebind protection. It seems to work exactly as expected regardless of the NextDNS setting. I don't normally have DNSSEC enabled but I tried testing with it enabled and still couldn't generate any abnormal log entries. Everything seems fine. Perhaps it's some specific use case.

> Hm I have DNS Rebinding protection disabled in NextDNS.
> Can I then do it on my router or would it be better to let NextDNS handle this?
I've always just used the rebind protection on the router. It's so rare that such a query happens on my network that it's rather academic which way is better IMHO.
 

zakazak

Occasional Visitor
I can't find any errors in my log as well.

Rebind Protection:
NextDNS: Disabled
Router: Enabled

DNSSEC:
NextDNS: Enabled
Router: Disabled

Does that configuration make sense?
My thoughts were:
I want rebind protection to be enforced/secured locally.
DNSSEC externally to save my own hardware resources (I know it doesn't use a lot).

Edit: I am blind, there is no DNSSEC option in nextdns?
 
