Which DNS Do You Use? And other newb queries.

bbunge

Part of the Furniture
Any drawback (or benefit) to setting a bunch of DNS servers in the GUI? For example setting up Cloudflare secure (1&2), Quad9 (1&2), and Adguard (1&2) all for DoT...

Thanks!
Seems like overkill but you can try it if you want to. There is no benefit other than having extra upstream resolvers in case one system goes down. The underlying software that does this is Stubby and GetDNS. They will cycle through all the DoT resolvers in the list and repeat. For me I stick with Cloudflare Secure (1.1.1.2 and 1.0.0.2) as they are the closest, mile wise, to my residence. Just about 100 miles away. For me Quad9 is almost 1000 miles away and at times this does make a difference.
 

redsandvb

Occasional Visitor
Seems like overkill but you can try it if you want to. There is no benefit other than having extra upstream resolvers in case one system goes down. The underlying software that does this is Stubby and GetDNS. They will cycle through all the DoT resolvers in the list and repeat. For me I stick with Cloudflare Secure (1.1.1.2 and 1.0.0.2) as they are the closest, mile wise, to my residence. Just about 100 miles away. For me Quad9 is almost 1000 miles away and at times this does make a difference.
Got it. Thanks for the explanation!
 

Luciferikass

Occasional Visitor
A pleasure, and yes, SkyNet is a good firewall that complements diversion's activities.

AMTM makes installing the scripts very easy, and they all play well with each other, BUT depending on your use case you can find yourself in fast, deep water quite easily as @ColinTaylor reminded me.

(Just out of personal curiosity, does your ISP offer native IPv6 at this point in time? Are you using it; do you have the router set to use it? A foray into DDNS/tunnelling might be a good way to lay something of a foundation for moving deeper into some of the intricacies and advanced functionalities of some of the scripts, or at the very least get a better idea of how some of this "internet stuff" works, to better understand how cool the scripts are beyond blocking ads and keeping users of your network more private from companies who collect data on you and sell it ...if you're so inclined, that is)

So IF you're feeling confident, most people wade into these waters with diversion. unbound for DNS is one to move on to IF you feel confident with editing config files...which can lead to ntpMerlin, and then SkyNet. I think a better way for you to start might be installing spdMerlin, because then you can have some baseline speeds to use for cakeQoS (if your ISP package speed is below about 300Mbps down - it's built into Merlin and with a GUI implementation) or FlexQoS, then you can set up diversion, ntpMerlin, unbound...

sorry for my rambling...hope something I've written helps
My real goal is data collection and privacy, but also a bit of set it and forget it, two jobs, kids, etc so just want something I can set up and not think about for a while. I pay for 400Mbps, but have rural spectrum cable internet and it is sketchy. I had to order an 8GB USB stick so we'll see what I can blow up tomorrow when I get it. Thanks again!
 

Tech9

Part of the Furniture
OpenDNS offers good protection and customizations for free, @Luciferikass. Create a free account, register your home network, select the categories you want to be blocked. It also offers good stats for 2-week period - total, blocked, unique requests, etc. Many servers around the world.
 

Pademelon

New Around Here
I'd like to use this thread to ask how we can add custom DNS servers on the WAN page. It seems to be just a drop-down list at the moment:


PS: I know I can add the DNS servers in the OpenVPN page. But I like to use the router's DNS as I'm running Diversion.
 

dave14305

Part of the Furniture
I'd like to use this thread to ask how we can add custom DNS servers on the WAN page. It seems to be just a drop-down list at the moment:


PS: I know I can add the DNS servers in the OpenVPN page. But I like to use the router's DNS as I'm running Diversion.
Ignore the red arrow and just type your preferred DNS IPs in the DNS fields.
 

AntonK

Very Senior Member
A pleasure, and yes, SkyNet is a good firewall that complements diversion's activities.

AMTM makes installing the scripts very easy, and they all play well with each other, BUT depending on your use case you can find yourself in fast, deep water quite easily as @ColinTaylor reminded me.

(Just out of personal curiosity, does your ISP offer native IPv6 at this point in time? Are you using it; do you have the router set to use it? A foray into DDNS/tunnelling might be a good way to lay something of a foundation for moving deeper into some of the intricacies and advanced functionalities of some of the scripts, or at the very least get a better idea of how some of this "internet stuff" works, to better understand how cool the scripts are beyond blocking ads and keeping users of your network more private from companies who collect data on you and sell it ...if you're so inclined, that is)

So IF you're feeling confident, most people wade into these waters with diversion. unbound for DNS is one to move on to IF you feel confident with editing config files...which can lead to ntpMerlin, and then SkyNet. I think a better way for you to start might be installing spdMerlin, because then you can have some baseline speeds to use for cakeQoS (if your ISP package speed is below about 300Mbps down - it's built into Merlin and with a GUI implementation) or FlexQoS, then you can set up diversion, ntpMerlin, unbound...

sorry for my rambling...hope something I've written helps
I'm wondering how Skynet's inbound blocking enhances network security, assuming you are not running with open ports for some reason. Wouldn't the router's firewall block all inbound unsolicited traffic? Currently, I have my Skynet set to block outbound traffic.

Thanks for any thoughts.

Anton
 

Tech9

Part of the Furniture
Currently, I have my Skynet set to block outbound traffic.

You're correct, it only limits you accessing IPs flagged as malicious by community block lists.
 

cptnoblivious

Senior Member
I'm wondering how Skynet's inbound blocking enhances network security, assuming you are not running with open ports for some reason. Wouldn't the router's firewall block all inbound unsolicited traffic? Currently, I have my Skynet set to block outbound traffic.

Thanks for any thoughts.

Anton

Exactly, the built-in NAT drops all 'non-solicited' inbound packets, the benefit comes from blocking outbound traffic to 'known-bad IPs'. I put that in quotes because it is wrong at times. Ex. a while back one of the default Skynet block lists blocked IPs for MS OneNote. So there is a chance of false positive outbound blocks that may need to be corrected from time to time :)
 

Tech9

Part of the Furniture
I put that in quotes because it is wrong at times.

Folks on SNB were complaining about Google, Cloudflare, Quad9 IPs blocked. Skynet may go bad when the "admin" is not around.
 

heysoundude

Part of the Furniture
My real goal is data collection and privacy, but also a bit of set it and forget it, two jobs, kids, etc so just want something I can set up and not think about for a while. I pay for 400Mbps, but have rural spectrum cable internet and it is sketchy. I had to order an 8GB USB stick so we'll see what I can blow up tomorrow when I get it. Thanks again!
a QoS scheme (Flex in your case, because of package speed - you may, on occasion, actually get it or above) should help to smooth out some of the sketchiness.
if you want to protect yourself and your users, diversion and unbound on the router (and brave as default browser (as a failsafe) on those devices) should help considerably...
these 3(4) things will make you wonder how you got along without them for so long.
 

cptnoblivious

Senior Member
Folks on SNB were complaining about Google, Cloudflare, Quad9 IPs blocked. Skynet may go bad when the "admin" is not around.

Given that skynet simply updates the lists that are configured on a schedule, I don't think that the 'admin', which should probably read 'developer', not being around is the issue. The person who developed the software isn't also maintaining the block lists, right?
 

Tech9

Part of the Furniture
Ah, okay - not that "admin". I mean the home "admin". :)
If the updated lists contain false positives and something stops working, your wife and kids may have to wait.
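
The false positives discussed in the posts above (block lists that end up covering Google, Cloudflare or Quad9 addresses) can be caught by checking a downloaded list against the addresses the network depends on before the list is applied. This is an added example, not part of the thread and not Skynet's own code; the block-list entries are constructed, the function names are hypothetical, and the Quad9 and Google addresses are the providers' well-known public resolver IPs rather than values from the thread.

```python
import ipaddress

# Addresses the network must always be able to reach. 1.1.1.2 and 1.0.0.2 are
# the Cloudflare resolvers named in the thread; the other two are assumptions.
CRITICAL = {
    "1.1.1.2": "Cloudflare Secure",
    "1.0.0.2": "Cloudflare Secure",
    "9.9.9.9": "Quad9",
    "8.8.8.8": "Google DNS",
}

# Constructed sample of a downloaded block list (one IP or CIDR per line).
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real feed
203.0.113.0/24
198.51.100.7
9.9.9.0/24
1.0.0.0/22
not-an-ip
"""

def parse_blocklist(text):
    """Return (networks, rejected_lines); comments and blank lines are skipped."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/8
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw)
    return nets, rejected

def find_false_positives(nets, critical=CRITICAL):
    """Map each critical address to the block-list entries that cover it."""
    hits = {}
    for addr, label in critical.items():
        ip = ipaddress.ip_address(addr)
        covering = [str(n) for n in nets if ip.version == n.version and ip in n]
        if covering:
            hits[addr] = (label, covering)
    return hits

if __name__ == "__main__":
    nets, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    for addr, (label, covering) in find_false_positives(nets).items():
        print(f"WOULD BLOCK {label} {addr}: matched by {', '.join(covering)}")
    print(f"{len(rejected)} unparseable line(s) skipped")
```

Any address reported here is a candidate for a whitelist entry before the updated list goes live.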
 

New2This

Senior Member
Running Unbound here, have never looked at running anything else
 

Tech9

Part of the Furniture
Indeed. I know the story from my Skynet tests and related threads. :(
 

Luciferikass

Occasional Visitor
OpenDNS offers good protection and customizations for free, @Luciferikass. Create a free account, register your home network, select the categories you want to be blocked. It also offers good stats for 2-week period - total, blocked, unique requests, etc. Many servers around the world.
Cheers! Thanks very much, I will look into them.
 

Luciferikass

Occasional Visitor
a QoS scheme (Flex in your case, because of package speed - you may, on occasion, actually get it or above) should help to smooth out some of the sketchiness.
if you want to protect yourself and your users, diversion and unbound on the router (and brave as default browser (as a failsafe) on those devices) should help considerably...
these 3(4) things will make you wonder how you got along without them for so long.
Sounds good. Thanks very much for all your help.
 

heysoundude

Part of the Furniture
Sounds good. Thanks very much for all your help.
that's what this place is here for...

one last: check with your ISP to see if they are IPv6 on your connection. express disappointment if not, and be happy (and enable it on the router) if they do.
 

Tech9

Part of the Furniture
and be happy (and enable it on the router) if they do.

Why? With IPv6 enabled DNS filtering may not be as efficient or may not work at all; VPN in Asuswrt-Merlin may have IPv6 leaks. IPv6 doesn't improve speeds, just makes things more complicated and that's in case different firmware components and scripts support IPv6 at all.
 
