RT-AX88U distributes itself as a DNS when set up otherwise


Unbound is just switching the DNS resolution task from someone else (your ISP, Google, Cloudflare, etc.) to your own router. The requests are still sent in the clear; the metadata just isn't captured by a third-party resolver (like Google DNS, for example: if you use them, they have some info on you). That takes care of the privacy part, not the security part.
In short, if you are going to use an authoritative resolver such as Cloudflare, Google, or Quad9 (etc.), it is better to do so encrypted with DoH or DoT. Keep in mind the traffic between the authoritative servers and root servers is not encrypted; in short, it can still be manipulated. The encryption is only between you and the authoritative server. In short, there is no real difference between this and using unbound. With unbound you are the authoritative resolver reaching out to root servers without encryption between you and the root servers, or you are using an already cached response within unbound. With DoT or DoH, your requests are sent encrypted to an external authoritative resolver. The resolver then receives the request and answers from its cache or sends out an unencrypted request to the root servers for the request you sent. The response is then sent back to you encrypted. With DoT and DoH you have to trust your authoritative resolver. With unbound you are your own authoritative resolver. With DoT and DoH, the resolver may have faster responses from its already cached information. Unbound can also be fast with cached responses. It all boils down to a question of trust and who you feel delivers the best performance.

Well, isn't the benefit of using unbound to get an extra layer of privacy? As you're directly contacting the responsive servers, no server can fully log the exact paths you're going; e.g. the Google DNS servers will only be asked if you want to visit a Google website, but not if you visit the website of your favorite newspaper, etc.
The security benefits of unbound include built-in DNSSEC and information minimization features that reduce your footprint. Your traffic with unbound goes through many pathways and travels the path of the domain, receiving requests from root servers. While the pathway may be hard to track, this traffic is plaintext, as any traffic from any authoritative server to the root servers would be. DoH and DoT are just for encryption if the user decides to use a public authoritative resolver such as Google or Cloudflare, so the traffic between the user and the server is encrypted.
 
I disabled IPv6. My ISP is running IPv6 in beta mode at the moment and I couldn't be bothered with it.
 
Late to the game, but you can absolutely change the router IP from being the secondary DNS via NVRAM. I do just that so I can use two Pi-holes. If you only have one Pi-hole, set both to the same IP.

##Show DHCP Settings##
nvram show | grep dhcp_dns

##Set DHCP Settings To Pi-Hole##
nvram set dhcp_dns1_x=192.168.1.37; nvram set dhcp_dns2_x=192.168.1.38; nvram commit; service restart_net;

##Set DHCP Settings Back##
nvram set dhcp_dns1_x=192.168.1.1; nvram set dhcp_dns2_x=; nvram commit; service restart_net;
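An added example, not from the post above, that audits what the two `dhcp_dns*_x` slots will actually hand to DHCP clients. It assumes the behaviour the thread describes: an empty slot makes the router advertise its own LAN address (`lan_ipaddr`) as that DNS server, so Pi-hole is silently bypassed. The `nvram show` output below is constructed, not captured from a real router.

```python
"""Audit the DNS servers an Asus router advertises via DHCP, from `nvram show` output."""
import ipaddress
from typing import Dict, List

# Constructed sample of `nvram show | grep -E 'dhcp_dns|lan_ipaddr'` output.
# dhcp_dns2_x is empty, which per the thread lets the router advertise itself.
SAMPLE_NVRAM = """\
dhcp_dns1_x=192.168.1.37
dhcp_dns2_x=
lan_ipaddr=192.168.1.1
"""


def parse_nvram(text: str) -> Dict[str, str]:
    """Parse key=value lines as printed by `nvram show`; values may be empty."""
    vals: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        vals[key.strip()] = value.strip()
    return vals


def advertised_dns(vals: Dict[str, str]) -> List[str]:
    """Return the two DNS servers DHCP clients will effectively receive.
    Assumption (from the thread, not Asus documentation): an empty slot
    falls back to the router's own LAN address."""
    router = vals.get("lan_ipaddr", "")
    return [vals.get(key, "") or router for key in ("dhcp_dns1_x", "dhcp_dns2_x")]


def audit(text: str, expected: List[str]) -> List[str]:
    """Flag slots that are malformed, point at the router, or are not in `expected`."""
    vals = parse_nvram(text)
    router = vals.get("lan_ipaddr", "")
    findings: List[str] = []
    for i, server in enumerate(advertised_dns(vals), start=1):
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            findings.append(f"dns{i}: invalid address {server!r}")
            continue
        if server == router:
            findings.append(f"dns{i}: router {router} will resolve instead of Pi-hole")
        elif server not in expected:
            findings.append(f"dns{i}: unexpected resolver {server}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NVRAM, ["192.168.1.37", "192.168.1.38"]):
        print(finding)
```

On a real router, pipe `nvram show | grep -E 'dhcp_dns|lan_ipaddr'` into `audit()` instead of the constructed sample.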
 

Thanks.
I ended up flashing Merlin and bypassing this issue afterall.
 
