Secure/Alternate DNS Server Config Questions on WAN tab (AX86U Pro)

SR-71

Regular Contributor
Hi everyone, I've configured the secure DNS settings per the attached screenshot, and I'm confused by the two DNS server IP sections in the WAN tab.

Specifically, I'm confused about when the top "DNS Server" section applies (takes precedence) over the "Preset servers" list at the bottom. Can someone kindly explain this?

Trying to "logic" my way through it, it occurs to me to ask whether the top DNS server pair would be used when there's no DNS security used by the end client, but bottom list used when it is? If not, then why have both sections?

The end goal is enhanced security and privacy, while using "reasonably" fast DNS servers:
  • I want to have all the DNS security including DoT enabled, using Quad9's servers as primary.
  • I've read they supposedly block more known malware sites than Cloudflare from what I've found online.
  • Definitely don't want to use Google's or ISP's DNS servers for privacy, as they are notorious for selling data.
Will this config satisfy the goal? Any suggested changes, and if so, why?

Not knowing which is the best order for the bottom table, I first selected Quad9's IP4 servers, then their IP6 servers, then the same order for Cloudflare's servers. If overkill, very easy to shorten the list if it makes sense. :)

Other questions:
  • Am I correct in assuming that regarding the bottom list, it will use the first IP address listed, then if one set of DNS servers is down or inaccessible, it will go to the next in the list? (Realize it's unlikely given how robust these DNS networks are, but "stuff" happens.)
  • Is there any need to specify the IP6 servers if IP4 are already included, or vice versa? (ISP is Xfinity)
Attachment: DNS Server Screenshot 10-12-25.jpg
The short answer is the top DNS servers are what the router uses for itself (e.g. to set the time and check internet connectivity). The lower DNS servers are what the clients will use.
 
Cloudflare 1.1.1.1 doesn’t block anything. You can manually enter the Cloudflare Security IPs:
Code:
1.1.1.2
1.0.0.2
2606:4700:4700::1112
2606:4700:4700::1002
Use security.cloudflare-dns.com as the TLS Hostname.
Your IPV4 DNS Server settings (in what you call the upper block) are fine. The reason there are two is for backup.

Your DoT settings need to be changed. If you plan to use Quad9 just use their servers (also called resolvers).
But, do them in this order:
9.9.9.9
2620:fe::fe
149.112.112.112
2620:fe::9

The program the router uses to do DoT is called Stubby. Stubby has a feature called Round Robin that will cycle through the DoT servers chosen to help reduce the load and improve response. Using these settings the requests will go to the first server over IPV4 then IPV6 then switch to the second server over IPV4 then IPV6. If you do not need to use IPV6 on the router I recommend you not enable it and just use IPV4.

Do not use servers from another provider. Keep them all the same. There is a chance you could get unpredictable results if you do.
Also disable DNSSEC. With DoT you really do not gain anything by adding DNSSEC.

FWIW: I use Cloudflare Security as I have had periodic connection failures with Quad9. Your results may be better than mine.
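The server order and round-robin behaviour described in this reply, written out as a standalone Stubby configuration. This is an added illustration, not the file the router generates from the WAN tab; it assumes Quad9's published DoT hostname dns.quad9.net and a local listen port of 5453.

```yaml
# Illustrative stubby.yml (added example, not the router's generated config).
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # DoT only: no fallback to plaintext UDP/TCP
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed if the certificate
                                                     # does not match tls_auth_name
tls_query_padding_blocksize: 128    # pad queries so sizes reveal less about lookups
edns_client_subnet_private: 1       # do not send client subnet to the resolver
round_robin_upstreams: 1            # rotate through the list below instead of
                                    # always hitting the first entry
idle_timeout: 10000                 # keep the TLS session open between queries (ms)
listen_addresses:
  - 127.0.0.1@5453                  # assumed local port the router's dnsmasq forwards to
upstream_recursive_servers:
  # Single provider only, in the order given above: v4, v6, v4, v6.
  # If IPv6 is not enabled on the router, drop the two IPv6 entries.
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::fe
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::9
    tls_auth_name: "dns.quad9.net"
```

With `tls_authentication` set to required, a resolver that presents a certificate for a different name is rejected rather than silently used, which is the check that makes the TLS Hostname field matter.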