Hello SNB community!! This is my first post but I hope to learn a lot from you all! I just got an ASUS RT-AX88U a few days ago and installed the latest Merlin firmware, so I am new to the router and its software. I have been playing around in the settings and have configured DDNS and set up a VPN Client profile for my VPN (VPN Unlimited - purchased a lifetime subscription a few years ago for about $35. It's average. Good deal, but looking for something better in the future).
I have Diversion and Skynet installed and enabled. (more questions on those once I read up on them more.)
My goal: To have my LG Smart TV route through the VPN and either a.) use only the VPN DNS or b.) use my router as DNS and ignore the VPN DNS. Whichever is better for personal privacy, because I believe smart TVs collect a lot of personal data and send it to 3rd parties.
In the community's opinion, what is a better configuration when it comes to security/privacy:
a.) When the TV is connected to the VPN as a client, route all traffic through the VPN and accept the VPN provider's DNS settings.
OR
b.) When the TV is connected to the VPN as a client, ignore the VPN DNS and use my own DoT or Cloudflare or Quad9 DNS. This in my opinion would be a better choice as I would like Diversion to work on the SmartTV as well.
I currently have tried to implement option b. However, I am having trouble confirming my DNS settings are being used by the LG TV. Currently, I have the VPN client connected with a policy rule to route all traffic from the TV through the VPN. Other devices on the network currently do not use the VPN. I have "Accept DNS Configuration" in the VPN settings set to "Disabled" to try and use my own DoT and hopefully the Diversion ad blocking. Not sure if those two work together?
I set DoT in the WAN settings to use Quad9. I left DNS 1 and 2 in the LAN blank and have just the router set to advertise as a DNS server. I then visit https://www.routersecurity.org/testdns.php from the TV's web browser to test various things to see if my clients are using the DNS settings I set. IP tests show I'm coming from the VPN's public IP, so that's working. The results from dnsleaktest.com show I am using 107.170.208.31 as a DNS server from Digital Ocean. It's also the public IP of the VPN I'm coming from. This leads me to believe the TV is using the VPN DNS and not my Quad9 DoT. How can I validate/verify that devices are using the DoT settings?
I have a lot more questions sadly but I don't want to ask too many all at once.
Thanks all for your help and support! I'm here to provide more settings I have or post screenshots, whatever is needed!
EDIT1:
I found a post here that referenced this link: https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/
Reading the "DNS Behavior" section, the second paragraph states:
"Diversion will work over the VPN tunnel when “Accept DNS configuration” is set to “Exclusive” and Policy Rules are disabled by setting “Redirect Internet Traffic” to “All”."
This statement is confusing to me. Setting "Accept DNS configuration" to "Exclusive" would force the use of the VPN DNS, thus bypassing the router DNS and Diversion. In my router's GUI, I see the setting "Force Internet traffic through tunnel" but I don't see a "Redirect Internet Traffic" setting. Are these the same? If so, there is no "All" option. There is Yes, No, Policy Rules, and Policy Rules (strict). Can someone explain this?
He also states that "My preferred recommendation is to set “Accept DNS Configuration” to “Disabled” and install Stubby DNS over TLS. Stubby DNS over TLS will encrypt DNS queries for all devices on the network."
Stubby is no longer necessary from what I understand as the newer versions of Asuswrt-Merlin have built in DoT support. Is this correct?
Thanks again!
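As an added example (not part of the post above or of any Asuswrt-Merlin script), here is a small BusyBox-style sh audit for the question of which resolver a policy-routed client actually ends up at. It assumes the Merlin convention that the VPN client's "Accept DNS Configuration" setting adds nat chains named DNSVPN<n> that DNAT port 53 to the VPN's resolver for selected clients, and that with DoT enabled dnsmasq forwards to stubby on 127.0.1.1; the two inputs are constructed samples, and the client address 192.168.1.50 and VPN resolver 10.8.0.1 are placeholders.

```shell
#!/bin/sh
# Added example: determine where a LAN client's DNS queries are sent on an
# Asuswrt-Merlin router. If a DNSVPN<n> nat rule DNATs the client's port-53
# traffic, queries go straight to the VPN resolver and never reach dnsmasq
# (so Diversion cannot see them). With no such rule, the client talks to
# dnsmasq, whose "server=" line shows the upstream (127.0.1.1 = stubby DoT).
# CONSTRUCTED samples shaped like `iptables -t nat -S` and /etc/dnsmasq.conf;
# on the router, replace them with the live output of those commands.

NAT_RULES='-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A DNSVPN1 -s 192.168.1.50/32 -j DNAT --to-destination 10.8.0.1
-A DNSVPN1 -j RETURN'

DNSMASQ_CONF='no-resolv
server=127.0.1.1
interface=br0'

# Print the DNAT target for a client's port-53 traffic, or "none".
dns_redirect_for() {
    client=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    target=$(printf '%s\n' "$NAT_RULES" \
        | grep -E "^-A DNSVPN[0-9]+ -s ${client}(/32)? .*-j DNAT" \
        | sed -n 's/.*--to-destination \([0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$target" ]; then printf '%s\n' "$target"; else printf 'none\n'; fi
}

# Print dnsmasq's configured upstream resolver(s), one per line.
dnsmasq_upstreams() {
    printf '%s\n' "$DNSMASQ_CONF" | sed -n 's/^server=//p'
}

# One-line summary of the resolution path for a client.
dns_path_for() {
    redirect=$(dns_redirect_for "$1")
    if [ "$redirect" = "none" ]; then
        printf 'router dnsmasq -> %s\n' "$(dnsmasq_upstreams | tr '\n' ' ' | sed 's/ $//')"
    else
        printf 'DNAT to VPN resolver %s (bypasses dnsmasq/Diversion)\n' "$redirect"
    fi
}

dns_path_for 192.168.1.50   # redirected client
dns_path_for 192.168.1.60   # client with no DNSVPN rule
```

A leak test that reports the VPN exit IP as the resolver is consistent with the first path, while the second path should show the DoT provider's egress addresses instead.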