RT-AX88u DNS problem

Regarding DNS.Watch, well, I was looking for alternative, perhaps faster DNS servers and found this one as being a good one... I guess I should've checked its location first. Haha!

If you have better suggestions, I'm open to trying these also.
I see that DNS.Watch supports DNSCrypt protocol IPv4 & IPv6 servers and can maybe be used with relays --> Anonymized DNSCrypt if wanted in DNSCrypt-proxy v2.1.0 (can be installed via amtm and is easy to set up via the dnscrypt installer)
Supports:
DNSCrypt protocol servers
Anonymized DNSCrypt
DNS over HTTPS servers
Oblivious DNS over HTTPS

If you want to find faster encrypted DNS servers you can try the automatic option in the dnscrypt installer (288 encrypted servers worldwide atm) for Asuswrt-Merlin; it is sorted by latency, with a load-balancing option, server type, and whether the server supports DNSSEC or is filtering or logging. (It displays this info in the router syslog when the proxy starts, when it rechecks latency every 4 hours, or when a randomization check is done; the last one is an installer built-in feature to randomize relays better :) )

Personally I like to use Anonymized DNSCrypt with the automatic option first to try/test out fast combinations for servers/relays, and later manually set up 4-6 good/fast dnscrypt servers with 2-3 relays each and set load-balancing = "random" together with dnscrypt ephemeral keys = "true" (makes it harder to fingerprint devices). I think this type of setup is confusing for anyone that tries to get something from it... and further set specific devices in dns-filter (kids' school computers and work-related devices).
The ISP can still get the SNI part, but there is an Encrypted SNI option in dnscrypt that can be configured with Firefox I think (I have not tested it), and ESNI is now renamed ECH (this is at a very early stage, very few support it; it works on Cloudflare's servers/network). Link
 
Pros and cons of each approach must be considered at the same time. If we look at cons only, no approach is offering total privacy and security. For Asus home routers popular filtering DNS service is enough, optional DoT on top, AiProtection. Few clicks in router's GUI without any additional scripts and configs. Then we wait for someone smarter to discover bugs and fix them. Dnsmasq as an example, used everywhere and bang - 7x vulnerabilities at once.
 
Please, explain with more details. Recursive resolver responds with cached data or sends a request to root nameservers.
Recursive resolution means your FQDN is dissected, and you contact multiple name servers to obtain the final result. Let's take, for example, www.google.com.

First level: COM
Second level: google.com
FQDN: www.google.com

First, your name server needs to know who is authoritative for .COM. Your DNS server has a file that lists the root servers. So you contact a root server and ask it "Who is authoritative for .COM?", to which you get pointed to another nameserver.

Next, your name server contacts that nameserver, asking "Who is authoritative for google.com?", which responds with "ns1 through ns4.google.com."

So next, you contact ns1.google.com and ask "What is the IP of www.google.com?", which returns the IP address.
Your resolver then responds to your client: www.google.com = 172.217.13.196 (or whichever IP is localized as per the EDNS you provide to ns1.google.com).

So in the process, you contacted (unless any of these was already cached locally and still within its TTL) between two and three different servers, including a nameserver directly under the control of whoever owns the FQDN you tried to resolve. They could be using a provider/registrar nameserver (like Cloudflare), or they could also be running their own Bind server.

Yes, I agree that there is no perfect solution. But I just thought it was important for people to realize that running your own resolver does NOT fully address any privacy/security concern they may think it does. And it has a few other negative cons as well:

- Generally poor caching. You are more likely to run into a cache miss than if you use a public, well-fed nameserver. That means an increased chance of a single query taking a few seconds to respond.
- You become responsible for the security of that server. There have been a number of security flaws over the years where a maliciously crafted DNS packet could compromise/crash a recursive nameserver. So keeping that nameserver up to date becomes another security task you must take care of. How regularly is the Entware unbound updated, for example?
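The referral walk described above (root -> TLD -> authoritative) and the caching point in the cons list are easy to see in a toy model. The script below is an added example written for this thread, not code from any poster or from Unbound/dnsmasq; it simulates the chain with a constructed, in-memory set of zone data (the nameserver names and the 192.0.2.x addresses are made up, TEST-NET-1 space) and a fixed 300-second TTL, and reports which servers a resolver had to contact for each lookup. A real resolver does the same thing over UDP/TCP, with per-record TTLs and a list of thirteen root servers.

```python
"""Toy iterative resolver: walks root -> TLD -> authoritative and caches
both final answers and delegations (NS referrals) with a TTL.

All zone data is constructed for illustration; no network is used."""

import time

# Constructed "network": each server knows a few names. A value is either
# a referral ("NS", [nameservers]) or a final answer ("A", ip).
ZONES = {
    "root": {
        "com.": ("NS", ["a.gtld-servers.example"]),
    },
    "a.gtld-servers.example": {
        "google.com.": ("NS", ["ns1.google.com.", "ns2.google.com."]),
    },
    "ns1.google.com.": {  # the zone owner's own authoritative server
        "www.google.com.": ("A", "192.0.2.10"),
        "mail.google.com.": ("A", "192.0.2.11"),
    },
}


def query(server, qname):
    """Simulate one DNS query to `server`.

    Returns (rtype, data, matched_name): the server answers with the most
    specific record it holds for qname or one of its parent zones."""
    table = ZONES[server]
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            rtype, data = table[candidate]
            return rtype, data, candidate
    raise LookupError(f"{server} has no data for {qname}")


class Resolver:
    TTL = 300  # seconds; constructed, real records carry their own TTL

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so expiry can be tested
        self.answers = {}           # qname -> (ip, expires_at)
        self.referrals = {}         # zone  -> (nameserver, expires_at)

    def _fresh(self, table, key):
        """Return a cached value only if its TTL has not run out."""
        entry = table.get(key)
        if entry and entry[1] > self.clock():
            return entry[0]
        return None

    def _start_server(self, qname):
        """Skip ahead to the most specific cached delegation, else root."""
        labels = qname.split(".")
        for i in range(1, len(labels)):
            ns = self._fresh(self.referrals, ".".join(labels[i:]))
            if ns:
                return ns
        return "root"

    def resolve(self, qname):
        """Return (ip, servers_contacted); an empty list means a cache hit."""
        ip = self._fresh(self.answers, qname)
        if ip:
            return ip, []
        contacted = []
        server = self._start_server(qname)
        for _ in range(10):             # guard against referral loops
            contacted.append(server)
            rtype, data, name = query(server, qname)
            expires = self.clock() + self.TTL
            if rtype == "A":
                self.answers[qname] = (data, expires)
                return data, contacted
            self.referrals[name] = (data[0], expires)  # remember delegation
            server = data[0]            # follow the first listed nameserver
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    r = Resolver()
    for name in ("www.google.com.", "www.google.com.", "mail.google.com."):
        ip, path = r.resolve(name)
        print(f"{name} -> {ip}   contacted: {path or 'cache hit'}")
```

The first lookup walks all three servers; the second is answered from cache without contacting anyone; the third, a different name in the same zone, goes straight to ns1.google.com. because the delegation was cached. A resolver that is rarely queried (a single home network) has a colder cache than a busy public one, so it sees the full walk more often, which is exactly the latency cost the post describes.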
 
Generally poor caching.

That depends on Internet usage type and number of users, I guess. I rarely reboot my firewall and most of queries are with 1ms response time. Unbound as resolver and forwarder is about the same performance on pfSense once the cache is built. There is a difference between Unbound as resolver and Dnsmasq as forwarder in Asuswrt though. Unbound definitely feels quicker, I've seen it. Folks around using Unbound in AMTM share the same experience.

You become responsible for the security of that server.

It was never an issue on pfSense/OPNSense systems. I've never heard anyone struggling with maintenance/security. Unbound is the default DNS server there. About responsibility - what's Google, Quad9, Cloudflare, XYZ free DNS service responsibility? Zero. If I use Asuswrt-Merlin with Dnsmasq and someone hits me who's responsible? You, Asus or Simon Kelley? This "responsibility" is good only for telling my wife "it wasn't me, it was Simon".
 
It was never an issue on pfSense/OPNSense systems. I've never heard anyone struggling with maintenance/security.
My point is, if you are the type of person who fires-and-forgets, i.e. you install software and once it's working you never touch it again, then if security flaws are discovered in the software and you never take care of updating it, you are at risk of eventually running into a problem. See how many people are getting their network compromised because they are running 5-year-old router firmware. Just running your own resolver isn't going to make you more secure if you never update it.

Companies like Google or Cloudflare are probably very quick at applying Bind/Unbound/etc... security patches within their network.
 
My point is, if you are the type of people who fire-and-forget, i.e. you install software and once it's working you never touch it again, then it means if security flaws are discovered in the software and you never take care updating it, then you are at risk of eventually running into a problem.

This is a valid point. What I don't agree with is that Unbound resolver users have more responsibilities than Dnsmasq forwarder users to Google, for example. Google may fix their resolver issues fast, but the user still may get hit via Dnsmasq if it's outdated and not patched. It's the same thing - the user is always responsible. Developers and companies providing services/software for free may eventually make a best effort to help. In consumer products, auto-update with an option to disable is perhaps the best way to go. I see Asuswrt is moving in this direction.
 