
Question about DNS filtering


MSL123

Questions about the interaction of DNS filtering under AI Protection and custom DNS settings under LAN : DHCP.

Where is the best place to set a network-wide DNS setting if I am using an outside DNS service? In the DHCP settings or the AiProtection DNS Filter page? Both seem to allow for it. If I set it in both, which takes precedence?

Also, if I want to set a service that allows DNSSEC, how does this work with the AiProtection settings? Does it try to enforce DNSSEC even if I have a custom DNS specified for a particular device in DNS Filter?

Finally, the "Advertise router's IP in addition to user-specified DNS" option - what does this mean in practical terms? If the end user device is using DNS settings rotation and goes to the router for DNS as opposed to the custom settings, what DNS service will end up being used? The router DNS received from upstream or the custom settings I have specified?

Thanks!
 
The default settings are correct for most users. In this mode DHCP clients are given the router's IP address as a DNS server. But the clients are free to use or ignore this address as they see fit.

On the LAN/DHCP page you can specify the IP addresses of other DNS servers instead of, or as well as, the router's address. Again, these addresses are given out to DHCP clients and they can use them or ignore them.

DNSFilter redirects a host's (or all hosts') DNS queries to a specific DNS server. This applies irrespective of whether that host is a DHCP client or not. This is useful for devices (like Roku boxes) that use hard-coded DNS addresses. It's also useful for forcing clients to use a "family friendly" DNS service instead of your ISP's servers.

Two things to note.

Any device that is using DNSFilter will not be able to resolve local host names (like printer.home.lan) because the local DNS server is being bypassed.

You can specify more than one DNS server on the LAN/DHCP page but most clients only use the first one. If the first DNS server stops responding only then will it switch over to the next DNS server in its list.
 

Hi. Thanks a lot for this explanation. I have also been investigating the benefits of using DNSFilter vs just adding a DNS under WAN. Just one short question. For specific clients you can specify either "Router" or "No Filtering". I've done several tests and in all of them both options do the same for the client. I know there is an explanation on that same page but I still don't understand the difference. With both of them the client uses either the ISP DNS if nothing is specified in WAN, or the WAN DNS if a specific one is specified (other than the ISP).
 
With "No filtering" a client can override their DNS setting locally and send DNS requests to that server (i.e. bypass the router completely). With "Router", no matter what the client sets locally for DNS, DNS requests will be forced by the router to go through the LAN DHCP 1 server or else the router IP itself, even though the client won't see a difference in their settings (i.e. ipconfig /all).
 

This is what I am doing / have been doing. I use OpenDNS Home as the global setting (and use their web interface to make filtering adjustments). Though I don't think it's necessary, I also put the OpenDNS server IPs under the WAN DNS setting and I have 'Connect to DNS Server Automatically' set to NO under WAN DNS.

So, by default all clients use OpenDNS and I have several clients set to 'No Filter' (under DNSFilter) and use 1.1.1.1 and 1.0.0.1 for DNS which I find the fastest for me and I like the HTTPS option where I get support (Android app, Firefox on Windows, Chrome to get TLS support for 1.1.1.1 servers soon).


Which brings me to a Feature Request for RMerlin (isn't the DNSFilter code his?) to support 1.1.1.1 Servers using HTTPS (and/or TLS?) under DNSFilter Global Filter Mode.

You can add Custom Servers but it would require code to support HTTPS and/or TLS options. This would force all clients with 1.1.1.1 secure/private DNS.

Is there a Thread for Merlin Feature Requests here, I'll have to search.

There was another thread where I discussed this with Merlin and John recently. Basically it's not possible. DNSFilter works by intercepting the DNS requests and changing the packet information. Essentially it performs a man-in-the-middle attack. The whole point of DoT or DoH is to prevent this sort of thing happening, so it would be a contradiction.

You can still use DNSFilter to direct clients to use the router's DNS, which in turn can be set to use DoT (on the WAN page). You just can't set individual DoT/DNS servers for individual clients.

EDIT: This was the discussion I was thinking about: https://www.snbforums.com/threads/dnsfilter-bypassed-with-android-pie-9s-private-dns.49781/
 
OK then, that's that! I had just thought about this (having the router force HTTPS 1.1.1.1 for all clients) while manually setting up the DNSFilter clients on my 86U the other day. Your post saves me from searching and/or posting a request to RMerlin. :)

I wish I could force all the Echo Dots and Google Home Minis to go that route as well.
 
@ColinTaylor if you have the link to that Thread, I'd love to read there..
 
I updated post #6 ;).

Idle speculation: I suppose it might theoretically be possible to set something up whereby you were running multiple instances of stubby on the router and redirecting clients accordingly. I think you'd have to define very specifically how you'd want this to work. At the moment there's not a lot of choice in terms of reliable DoT servers on the internet anyway.
 
Thanks for the link.

Just want to make sure my feature request is clear.

The router receives/intercepts the clear text DNS request (e.g. the domain name) and the router then initiates the HTTPS request to 1.1.1.1. Once the result is received from 1.1.1.1, the router sends the result in clear text standard DNS form and port back to that local network client.

There would be no HTTPS connection between the local client and the router; local clients would be configured as they are now (the router would force using 1.1.1.1 w/ HTTPS), but these requests would be secure once they go out the WAN (of course we have to rely on Cloudflare for privacy).

He's intercepting the clear text DNS request now and sending it elsewhere in DNSFilter.
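The router-side forwarder described in the post above (cleartext UDP/53 in from the LAN, RFC 8484 DNS-over-HTTPS out to the upstream resolver, wire-format answer handed back unchanged) can be sketched in a few dozen lines. The following is an added illustration for this thread, not code from the firmware or from any poster; the listen address 127.0.0.1:5353, the upstream URL https://cloudflare-dns.com/dns-query and the SERVFAIL fallback are assumptions for the example. Because the client-to-router hop stays plain port 53, a port-53 redirect of the kind DNSFilter performs still reaches it; only the router-to-upstream hop is inside TLS, which is exactly the split the feature request asks for.

```python
"""Minimal DoH forwarding stub resolver (added example, not router firmware code).

LAN clients send ordinary UDP port-53 queries; this process forwards each one
over HTTPS (RFC 8484, Content-Type application/dns-message) to an upstream DoH
server and returns the wire-format answer unchanged.  Listen address, upstream
URL and the SERVFAIL fallback below are assumptions made for this example.
"""
import socket
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # assumed upstream (Cloudflare 1.1.1.1)
LISTEN = ("127.0.0.1", 5353)                       # assumed; binding port 53 needs root


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A query in DNS wire format: header (RD set), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a wire-format response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):             # skip question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def doh_request(query: bytes, url: str = DOH_URL) -> urllib.request.Request:
    """Wrap a wire-format query as an RFC 8484 POST: the encrypted router-to-upstream hop."""
    return urllib.request.Request(
        url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def forward(query: bytes, url: str = DOH_URL, timeout: float = 5.0) -> bytes:
    """Send one query upstream over HTTPS and return the raw DNS response bytes."""
    with urllib.request.urlopen(doh_request(query, url), timeout=timeout) as resp:
        return resp.read()


def serve(listen=LISTEN, url=DOH_URL):
    """Accept cleartext UDP queries from LAN clients and answer them via DoH."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, peer = sock.recvfrom(4096)
        try:
            answer = forward(data, url)
        except Exception:
            # Upstream failure: echo the question back with QR+RD+RA set and RCODE=2
            # (SERVFAIL) so the client fails fast instead of waiting for a timeout.
            answer = data[:2] + b"\x81\x82" + data[4:6] + b"\x00" * 6 + data[12:]
        sock.sendto(answer, peer)


# Constructed sample response (not captured traffic): example.test -> 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    serve()
```

There is no cache and every query opens a fresh HTTPS connection, so latency is a full TLS handshake per lookup; a deployable version would keep a persistent connection and cache by TTL, which is what stubby (for DoT) already does for the router's own WAN resolver.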
 
In my opinion, the better scenario would be to set:
  1. WAN DNS servers to OpenDNS Home IPs.
  2. DNSFilter global mode to "Router".
  3. Individual clients set to "No filtering" or "Custom" to avoid OpenDNS if necessary.
This allows:
  1. DNS resolution for your LAN device names.
  2. LAN-wide protection with OpenDNS by default.
  3. Ability to use Diversion for network level Ad-blocking.
  4. Ability to bypass OpenDNS or Diversion for individual clients.
  5. Ability to use Stubby for DNS over TLS if installed.
DNS over HTTPS (DoH) on a client will bypass any of the router's config above. I'm hoping my teens don't discover the Cloudflare 1.1.1.1 app for iOS that would let them bypass the protections I've layered on the home network.
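The bypass mentioned in that last paragraph is visible in connection logs even though DNSFilter cannot stop it: DNSFilter only redirects UDP/TCP port 53, so a client doing DNS over TLS (TCP 853) or DNS over HTTPS (TCP 443 to a public resolver) never touches that rule. The script below is an added example for this thread, not part of any poster's setup or the firmware; the log format, the LAN prefix 192.168.1.0/24, the router address 192.168.1.1 and the resolver list (just the 1.1.1.1/1.0.0.1 addresses discussed above) are constructed assumptions.

```python
"""Flag LAN clients that bypass the router's DNS controls (added example, not from the thread).

Input is a constructed per-flow log "<src> <dst> <proto> <dport>".  Three
patterns are reported:
  dot          TCP 853 to any outside host (DNS over TLS; port is unambiguous)
  doh-suspect  TCP 443 to a known public-resolver IP (DoH shares the port with
               ordinary HTTPS, so this is a heuristic, not proof)
  direct-dns   port 53 to an outside resolver instead of the router (DNSFilter
               in Router mode would redirect it, but it reveals a hard-coded DNS)
"""
from collections import defaultdict
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed LAN prefix
ROUTER_IP = ipaddress.ip_address("192.168.1.1")       # assumed router LAN address

# Public resolvers with DoH endpoints that appear in the thread; extend as needed.
DOH_RESOLVER_IPS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1")}

# Constructed sample flows (TEST-NET addresses stand in for outside hosts).
SAMPLE_LOG = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.20 1.1.1.1 tcp 443
192.168.1.21 1.1.1.1 tcp 853
192.168.1.22 203.0.113.53 udp 53
192.168.1.23 198.51.100.10 tcp 443
192.168.1.23 192.168.1.1 udp 53
"""


def classify_flow(src: str, dst: str, proto: str, dport: int):
    """Return a finding label for one flow, or None if it is unremarkable."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in LAN or dst_ip in LAN:
        return None                      # not a LAN client, or stays inside the LAN
    if proto == "tcp" and dport == 853:
        return "dot"
    if proto == "tcp" and dport == 443 and dst_ip in DOH_RESOLVER_IPS:
        return "doh-suspect"
    if dport == 53 and dst_ip != ROUTER_IP:
        return "direct-dns"
    return None


def scan(log_text: str) -> dict:
    """Map each LAN host to the sorted list of bypass patterns seen in the log."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        label = classify_flow(src, dst, proto, int(dport))
        if label:
            findings[src].add(label)
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in scan(SAMPLE_LOG).items():
        print(host, ", ".join(labels))
```

Port 853 can be blocked outright at the router if DoT bypass is a concern; DoH cannot be separated from ordinary HTTPS by port, which is why the thread's conclusion (force clients to the router and let the router do the encrypted upstream hop) is the only configuration that keeps filtering and privacy together.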
 
Even though the AC86U is listed as not yet supported, keep an eye on this thread to know when you can set it up as you wish (mentioned in #5 in my previous post):

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/
 
Yes that might work, it's subtly different from the discussion in the other thread (hence my speculation).

Probably the biggest problem is working out how to present the various options to the user, rather than the technical aspect.

Rather than giving the user the ability to specify their own custom DNS/DoT servers, if we restricted it to one predefined option (the server that may or may not be being used on the WAN) then that would be fairly straightforward.
 

Well, I have people in the house that I want to force a filter on no matter what DNS server they enter, and I like OpenDNS's options. Essentially, I filter everything/everyone except what I specifically set up as NO FILTER.

Eventually, I won't need to filter content but I like secure DNS.

OpenDNS is not the fastest; for me here 1.1.1.1 / 1.0.0.1 is beating Google's and a couple of others I have tested. Forget about Comcast servers! Pretty sure they make money off that info as well.

On my phone, I use the 1.1.1.1 app.


I envision having the Global Filter Mode option Cloudflare HTTPS (or 1.1.1.1 HTTPS) listed/available with those other 5 options currently there. The router code handles the HTTPS required by Cloudflare's servers. Maybe a TLS option as well, but probably only need one.

So, the local network clients wouldn't change anything; the router admin simply would select Cloudflare HTTPS under DNSFilter Global Filter Mode. Cloudflare's servers are public and free, so you don't need to have an account and DNS-O-Matic as with OpenDNS.
 
I think DoT is the way to go rather than DoH. I know Merlin is not a fan of DoH (and I concur).

I don't know what the situation is with Merlin's firmware, but with John's which I use DoT is already integrated and working. At the moment stubby only runs if enabled for the WAN. Tomorrow when the family aren't using the internet ;) I think I'll have a play and try and get it working independently with DNSFilter. I'll let you know how I get on.
 

Thank you for the link.

I think if Cloudflare HTTPS (and/or TLS) options were available in DNSFilter, you could do global or assign it on each added Client's Filter Mode on the bottom of the DNSFilter page. Would be pretty flexible.
 
It could probably be implemented on my fork:
- Would have to double check if the stubby config supports multiple listening ports to be able to support both router and DNSFilter queries
- Only for ARM routers (need to NAT to localhost, which isn't supported on the MIPS kernel; I had to patch the ARM kernel to support it and you need to activate it with a kernel write to /proc)
- Those clients would be like any DNSFilter client, and couldn't use things like Diversion
 

I'd be fine with a Cloudflare TLS | Cloudflare DoT option instead of an HTTPS / DoH option. Firefox only supports HTTPS, but I didn't even realize the 1.1.1.1 Android app supports both.

I'll read up on why DoT may be better and switch accordingly.

Regardless, the router would handle this. The local clients would be configured as they are now, with the router intercepting the requests (except the phones/tablets running the 1.1.1.1 app).
 

Yes, I already have the OpenDNS Home IPs configured under WAN DNS, so I just need to change the Global Filter Mode, but I don't have a need for #1 or #3, and you can do #4 by adding clients to DNSFilter | No Filter (or another option). I think I had seen in the code another branch once you select Router under Global Filter Mode vs selecting OpenDNS directly there.. not a big deal at all.

I have Seniors here as well (2nd home on property aka Guest House) that like to click on all the links in their emails, and OpenDNS has helped by blocking domains that are showing malicious activity. I'm amazed at how much they have stopped.

So that is one thing that probably won't happen with Cloudflare, will have to rely on Trend Micro router options and each client's protection or force that person to OpenDNS.
 