Setting up correct DNS settings

Chrisgtl

Regular Contributor
Can anyone help me with some basic (not to me) questions..?

I am trying to set up my 86U running the latest beta of Merlin's firmware.

So far, I have Skynet and Diversion via AMTM installed to a USB device plugged into the router.

My network is as follows: 192.168.0.1 (router, 86U), 192.168.0.8 (VDSL modem). All clients are on DHCP apart from my NAS (192.168.0.2) and Nvidia Shield (192.168.0.11).

When I installed Diversion and it asked me where to put pixelserv-tls I said 192.168.0.9

Now, what do I set my router DNS settings to? I see I have DNS settings in both LAN and WAN pages but no idea what these should be set to.

I have set DNS Privacy Protocol to DoT and used 1.1.1.1 as the preset server.
 
> Now, what do I set my router DNS settings to? I see I have DNS settings in both LAN and WAN pages but no idea what these should be set to.

LAN DNS settings should be blank, plus you should select the option to advertise the router IP as DNS on that page.

As long as your clients use the router as the DNS server, they will benefit from Diversion automatically and anything not blocked will be sent to Cloudflare over DoT.

If you want to force all clients to use Diversion and DoT, go to the DNSFILTER tab and set the global mode to "Router" after you've ensured there are no DNS entries on the LAN DHCP page.

+1 on @ColinTaylor’s question above.
 
Is 192.168.0.8 some sort of admin interface to the VDSL modem? I would expect the modem to be connected to your WAN interface and have a completely different subnet.

Yes, sorry I should have been clearer on that. 192.168.0.8 is purely the admin GUI interface.
 
> ... plus you should select the option to advertise the router IP as DNS on that page.

This is unnecessary when the LAN DNS server fields are empty (in fact that setting is ignored). The option is "Advertise router's IP in addition to user-specified DNS". When there are no user-specified DNS servers the router's address is always advertised.
 
> If you want to force all clients to use Diversion and DoT, go to the DNSFILTER tab and set the global mode to "Router" after you've ensured there are no DNS entries on the LAN DHCP page.

OK - once I set DNSFILTER to Router it says > Custom (user-defined) DNS 1, 2 & 3. Should these be blank or left as 8.8.8.8?
 
If you have set the Global Filter Mode to Router you can ignore the settings below it. They are only used if you want to create exceptions for specific clients.

Brilliant! Thanks very much for your help. Also, I'd like to manually assign IPs to the kids' devices and create additional filtering so no adult sites can be found via Google - what is the best method to achieve this? I know how to assign manual IPs but am unsure how to add filters for specific devices.
 
> Brilliant! Thanks very much for your help. Also, I'd like to manually assign IPs to the kids' devices and create additional filtering so no adult sites can be found via Google - what is the best method to achieve this? I know how to assign manual IPs but am unsure how to add filters for specific devices.

Use the Client List at the bottom of the DNS Filter page. Select the client and the "safe" DNS provider you want it to use from the drop-down selection (Filter Mode), then add it to the list. If your preferred DNS provider is not in that list you can create a "custom" entry for it.
 
> This is unnecessary when the LAN DNS server fields are empty (in fact that setting is ignored). The option is "Advertise router's IP in addition to user-specified DNS". When there are no user-specified DNS servers the router's address is always advertised.

Interesting, I went to the code to see how this works, and I think it's a feature disparity between Merlin and John's fork. I see the behavior you describe on John's fork, but the code for Merlin doesn't seem to read that way (but I may be misreading the code).

Merlin: https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/services.c#L1509
Johns fork: https://github.com/john9527/asuswrt...-update/release/src/router/rc/services.c#L808

Might need to flash back to Merlin to confirm with my own eyes.
 
> Use the Client List at the bottom of the Parental Control page. Select the client and the "safe" DNS provider you want it to use from the drop-down selection (Filter Mode), then add it to the list. If your preferred DNS provider is not in that list you can create a "custom" entry for it.

I assume you mean "...the client list at the bottom of the DNSFilter tab..." in the LAN section and not in the Parental Controls section, as that is within AiProtection...
 
> Interesting, I went to the code to see how this works, and I think it's a feature disparity between Merlin and John's fork. I see the behavior you describe on John's fork, but the code for Merlin doesn't seem to read that way (but I may be misreading the code).
>
> Merlin: https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/services.c#L1509
> Johns fork: https://github.com/john9527/asuswrt...-update/release/src/router/rc/services.c#L808
>
> Might need to flash back to Merlin to confirm with my own eyes.

Interesting difference. Well spotted, I just assumed they would be identical.

AFAICT the Merlin code you highlighted is only executed when either (or both) of the user-specified DNS servers exist. I can find no other reference to dhcp-option 6 being set (by default). This makes me think that (by default) that option is not present in dnsmasq.conf. In such a case dnsmasq will advertise itself without the need to explicitly configure it:
> By default, dnsmasq sends some standard options to DHCP clients, the netmask and broadcast address are set to the same as the host running dnsmasq, and the DNS server and default route are set to the address of the machine running dnsmasq.
I've just tested this and it works.
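As an added illustration of the dnsmasq behaviour described in the post above (example code written for this page, not taken from the thread, the firmware source or dnsmasq): a POSIX shell function that reads a dnsmasq.conf and reports which resolver(s) DHCP clients will be handed. With no option-6 line present it falls back to the router's own address, which is the dnsmasq default the quoted manual text describes. The two config snippets are constructed; the tag `lan` mirrors how Asuswrt scopes its LAN DHCP options, and the `nvram get lan_ipaddr` usage in the comment assumes an Asuswrt-Merlin router.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware source: given a
# dnsmasq.conf on stdin, report which DNS server(s) dnsmasq hands to DHCP
# clients. Per the dnsmasq manual, when no dhcp-option for option 6
# (dns-server) is present, dnsmasq advertises its own address, so leaving
# the router's LAN DNS fields blank makes clients use the router.

# advertised_dns <router_lan_ip>    (dnsmasq.conf text on stdin)
# Prints the comma-separated resolver list DHCP clients will receive.
advertised_dns() {
    router_ip="$1"
    # Keep only the address list of the last option-6 line, whether written as
    #   dhcp-option=6,1.1.1.1
    #   dhcp-option=lan,6,1.1.1.1,192.168.0.1   (tagged scope, as Asuswrt writes it)
    #   dhcp-option=option:dns-server,9.9.9.9
    # Commented-out lines never match because of the ^ anchor.
    opt=$(sed -n -E 's/^[[:space:]]*dhcp-option(-force)?=([^,]*,)*(6|option:dns-server),//p' | tail -n 1)
    if [ -z "$opt" ]; then
        echo "$router_ip"                 # dnsmasq default: itself
    else
        # In option 6, 0.0.0.0 is dnsmasq shorthand for "my own address".
        echo "$opt" | sed "s/0\\.0\\.0\\.0/$router_ip/g"
    fi
}

# Constructed sample: LAN page DNS fields left blank (no option 6 at all).
sample_conf_blank() {
    cat <<'EOF'
# dnsmasq.conf (constructed for this example)
interface=br0
dhcp-range=lan,192.168.0.2,192.168.0.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.0.1
# dhcp-option=lan,6,8.8.8.8    <- commented out, must be ignored
EOF
}

# Constructed sample: a user-specified DNS plus the router itself, the
# second address written with dnsmasq's 0.0.0.0 shorthand.
sample_conf_userdns() {
    cat <<'EOF'
interface=br0
dhcp-range=lan,192.168.0.2,192.168.0.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.0.1
dhcp-option=lan,6,1.1.1.1,0.0.0.0
EOF
}

main() {
    echo "blank LAN DNS fields  -> $(sample_conf_blank   | advertised_dns 192.168.0.1)"
    echo "user DNS + router     -> $(sample_conf_userdns | advertised_dns 192.168.0.1)"
    # On an Asuswrt-Merlin router, check the live file instead (assumption:
    # the config lives at /etc/dnsmasq.conf and lan_ipaddr holds the LAN IP):
    #   advertised_dns "$(nvram get lan_ipaddr)" < /etc/dnsmasq.conf
}
main "$@"
```

The check confirms the point made in the post: the "advertise router's IP" toggle only matters once a user-specified server produces an option-6 line; with the fields blank there is no such line and the router is advertised regardless.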
 
> I assume you mean "...the client list at the bottom of the DNSFilter tab..." in the LAN section and not in the Parental Controls section, as that is within AiProtection...

Yes, sorry. Those options have been moved around over time. In John's firmware they're in a different place.
 
> ...I have set DNS Privacy Protocol to DoT and used 1.1.1.1 as the preset server.

So your "router" DNS will be Cloudflare...

> Brilliant! Thanks very much for your help. Also, I'd like to manually assign IPs to the kids' devices and create additional filtering so no adult sites can be found via Google - what is the best method to achieve this? I know how to assign manual IPs but am unsure how to add filters for specific devices.

...not Google. Hope I don't sound too pedantic, but it's important to know where your DNS comes from. Colin Taylor posted the correct answer for your actual question above... use the "DNS Filter" custom settings.

That's what I'm doing for my kids; I caught some smut on my younger daughter's tablet, then realized cloudflare+diversion medium+ was not enough for them. By default all of the devices on my lan get skynet+diversion+cloudflare DoT (global = router). To eliminate the smut from my kid's devices, I add them to the client list below, using opendns family.

Alternatively (this just to help illustrate usage of "custom" entries), my older daughter has a laptop given to her by her highschool. It's managed by the school, and it is setup so it will not work unless it uses google dns. So in the dns filter client list, I filled out "custom 1" with 8.8.8.8, then added her school laptop to the client list using "custom 1". This way, you can go really crazy granular with device/dns mapping on your network, if you wanted to.

On a side note, another user recently mentioned "CleanBrowsing"... which is a DoT server that may work out better for kids. The only problem with that is it may be too much filtering for some devices (for example, if I needed 8.8.8.8 to view a non-kid-friendly page on my computer, I would have to use a 'custom DNS filtering client'... which means my computers would bypass DoT). Since security for my devices is more critical, I'm using non-DoT OpenDNS Family for the kids, and keeping the DoT for 'mission critical' operations. ;P
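As an added example tying together the Global Filter Mode and Client List explanations above and the per-client set-up in this post (written for this page; not code from the thread or from the Asuswrt-Merlin firmware): a POSIX shell script that treats the DNS Filter client list as a first-match table, renders iptables DNAT rules of the kind a LAN-side port-53 redirect needs, and answers "where does this client's DNS actually go?". The chain name DNSFILTER, the rule shape and the client MACs are assumptions; the LAN address is the 86U's from the thread, and the FamilyShield address is OpenDNS's published one.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware: model the DNS Filter
# client list as a first-match table and show (a) iptables DNAT rules of the
# kind a LAN-side port-53 redirect needs and (b) which resolver a given
# client's DNS traffic ends up at. Chain name and rule shape are assumptions
# modelled on Asuswrt-Merlin; compare with: iptables -t nat -L DNSFILTER -n -v

ROUTER_IP=192.168.0.1        # 86U LAN address from the thread
GLOBAL=$ROUTER_IP            # Global Filter Mode "Router": dnsmasq -> Diversion -> DoT

# Constructed client list: <mac> <target>; "none" = No Filtering (direct DNS).
CLIENTS='
aa:bb:cc:00:00:01 208.67.222.123   # kid tablet    -> OpenDNS FamilyShield
aa:bb:cc:00:00:02 8.8.8.8          # school laptop -> "Custom 1" = Google
aa:bb:cc:00:00:03 none             # OH laptop     -> no filtering at all
'

# Print (do not run) the rule set. Per-client rules come first, then the
# catch-all, so list order is precedence, exactly like the chain itself.
render_rules() {
    echo "iptables -t nat -N DNSFILTER"
    echo "iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNSFILTER"
    echo "iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNSFILTER"
    printf '%s\n' "$CLIENTS" | sed 's/#.*//' | while read -r mac target; do
        [ -z "$mac" ] && continue
        if [ "$target" = "none" ]; then
            # Leave the chain before the catch-all: packets keep their
            # original destination, i.e. whatever DNS the client configured.
            echo "iptables -t nat -A DNSFILTER -m mac --mac-source $mac -j RETURN"
        else
            echo "iptables -t nat -A DNSFILTER -m mac --mac-source $mac -j DNAT --to-destination $target"
        fi
    done
    echo "iptables -t nat -A DNSFILTER -j DNAT --to-destination $GLOBAL"
}

# resolver_for <mac>: destination of this client's plain port-53 queries.
# "direct" means the client's own setting is honoured (bypassing Diversion,
# Skynet and the router's DoT); an unlisted client falls through to GLOBAL.
resolver_for() {
    want=$1
    hit=$(printf '%s\n' "$CLIENTS" | sed 's/#.*//' \
          | awk -v m="$want" 'tolower($1)==tolower(m){print $2; exit}')
    case "$hit" in
        "")   echo "$GLOBAL" ;;
        none) echo "direct" ;;
        *)    echo "$hit" ;;
    esac
}

main() {
    render_rules
    echo
    for mac in aa:bb:cc:00:00:01 aa:bb:cc:00:00:02 aa:bb:cc:00:00:03 aa:bb:cc:00:00:99; do
        echo "$mac -> $(resolver_for "$mac")"
    done
}
main "$@"
```

Two things the table makes visible. A "No filtering" client has to hit a RETURN before the global DNAT, otherwise the catch-all would silently put it back on the router; and these rules only see plain port-53 traffic, so a client or app that speaks DoH or DoT on its own is not redirected at all and has to be dealt with separately.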
 
Perfect explanation. I have set mine up exactly the same. Just need to check my Diversion now as I'm not sure if it is medium or not.
 
I don’t want to confuse things, and you seem to have everything set up exactly to suit your needs, but there’s a feature in Skynet that allows you to “fast switch” to a more relaxed filter list should you wish. I don’t use it myself - no need. You’ll find it under Settings (11) and Fast switch (9). There’s a brief explanation here:

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-170#post-440886

Disregard the term ‘wife mode’: that was a phrase used during its development.

Might be worth bearing in mind just in case, in the future, you find you need to make a further tweak or 2.
 
Hi, thanks for that.

I updated the Diversion block list to 'Medium' and now a site my OH visits won't load. Using the fast switch with normal list can I tell certain clients on my network to use the more relaxed list? I'm navigating through the menus but can't find how to do it.
 
AFAIK, no, fast switching affects all clients using diversion/skynet. It's just a quick way to swap blocking lists, but you still have to ssh in to do it.

To handle this situation with my wife+kids, I make use of 2 methods depending on the situation. 1) Simply whitelist the site in Diversion, or 2) add your OH's device to the lan client filter list for direct dns (no diversion/skynet). In general method 1 is best since it maintains diversion/skynet protection of your OH's devices. 2 may be more suitable if the list of blocked sites is too large to deal with, you have troubles finding the correct whitelist entries (some sites/services can be tricky to figure out), or there is something else about diversion/skynet that your OH doesn't like... believe it or not some folks actually prefer to see more ads.
 
> Hi, thanks for that.
>
> I updated the Diversion block list to 'Medium' and now a site my OH visits won't load. Using the fast switch with normal list can I tell certain clients on my network to use the more relaxed list? I'm navigating through the menus but can't find how to do it.

Don't relax the list: whitelist the offending site, PROVIDING you've done a bit of research first and are happy it's safe to whitelist and wasn't being blocked for good reason.

Some links, to keep you busy:

https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-69#post-446586

https://www.snbforums.com/threads/a-few-concerns.54278/#post-458826


This one’s for Skynet:
https://www.snbforums.com/threads/r...wall-security-enhancements.16798/#post-115872

This one Skynet as well:
https://github.com/Adamm00/IPSet_ASUS/wiki#applicationexe-or-websitecom-is-blocked
 
> Hi, thanks for that.
>
> I updated the Diversion block list to 'Medium' and now a site my OH visits won't load. Using the fast switch with normal list can I tell certain clients on my network to use the more relaxed list? I'm navigating through the menus but can't find how to do it.

Diversion also has a fast switch (fs). It switches between blocking files. If Skynet's fast switch is configured, it will switch that too at the same time, if enabled.
And then there's the alternate blocking file that can be used along with fs. Fs only switches the primary blocking file while the secondary remains at the set file. Clients can be directed to use the secondary blocking file.
https://diversion.ch/diversion/manual/alternate-blocking-file.html
 
