DNS configurations

[TanyaC]

I may have asked this question a couple of years ago, but I'm getting old and perhaps my memory is failing me.

I have an ASUS RT-AC88u. I have configured it in two places to use the OpenDNS servers.

I use a VPN for almost everything online, but not everyone here uses the VPN, particularly for ranked online games like DoTA 2

Using an ISPs DNS is never recommended, particularly with censorship, geolocation blockades, and in Australia in April 2017 the government introduced mass surveillance legislation. So ISP DNS servers are out.

So, for people not connected to the VPN I want them to use the OpenDNS Servers. This also enables me to add some limited parental controls. For people connected to the VPN I want to use the VPN providers DNS servers.

There are two places I can see in the router where DNS servers are configured and to be honest I have no idea which I should be using and why.

Under LAN > DHCP Server >DNS and Wins server settings
Under WAN > WAN DNS setting

Under Network and Sharing for my NIC and the VPN TAP adapters I have set manual metrics. 10 for the VPN and 20 for the motherboards NIC, but I was hoping to avoid having to visit all 10 PCs and make the same change.

Am I doing it right? If not, what changes should I make?

The more I think about it... I guess I am willing to forego OpenDNSs parental controls and monitoring as what I am doing is essentially the same censorship that I complain others do... In which case I guess I would just use the VPN providers DNS servers on and off VPN. But the question still is what is the best router configuration?

 

[OzarkEdge]

I may have asked this question a couple of years ago, but I'm getting old and perhaps my memory is failing me.

I have an ASUS RT-AC88u. I have configured it in two places to use the OpenDNS servers.

I use a VPN for almost everything online, but not everyone here uses the VPN, particularly for ranked online games like DoTA 2

Using an ISPs DNS is never recommended, particularly with censorship, geolocation blockades, and in Australia in April 2017 the government introduced mass surveillance legislation. So ISP DNS servers are out.

So, for people not connected to the VPN I want them to use the OpenDNS Servers. This also enables me to add some limited parental controls. For people connected to the VPN I want to use the VPN providers DNS servers.

There are two places I can see in the router where DNS servers are configured and to be honest I have no idea which I should be using and why.

Under LAN > DHCP Server >DNS and Wins server settings
Under WAN > WAN DNS setting

Under Network and Sharing for my NIC and the VPN TAP adapters I have set manual metrics. 10 for the VPN and 20 for the motherboards NIC, but I was hoping to avoid having to visit all 10 PCs and make the same change.

Am I doing it right? If not, what changes should I make?

The more I think about it... I guess I am willing to forego OpenDNSs parental controls and monitoring as what I am doing is essentially the same censorship that I complain others do... In which case I guess I would just use the VPN providers DNS servers on and off VPN. But the question still is what is the best router configuration?

The popup help in the router GUI should help.

>>Under LAN > DHCP Server >DNS and Wins server settings

Leave this blank.

>>Under WAN > WAN DNS setting

Set No and enter your preferred DNS servers for the router to use. I've been using Quad9 lately... seems to work ok:
9.9.9.9.
149.112.112.112

OE

 

[ColinTaylor]

Couldn't really follow how you've got everything setup.

1. The WAN DNS setting is what the router uses for its own lookups and for any clients that use the router as a DNS server.

2. The LAN settings are usually left at the default which means DHCP clients will use the router as their DNS server (see 1.). You can specify a different DNS server here if you want the DHCP clients to use something else.

Where is your VPN client(s)? Are you using the VPN client on the router, or do you have software installed on every PC? When using a VPN the DNS servers you use will depend on how you've configured the VPN software. The "metric" values effect routing priorities, not DNS.

 

[TanyaC]

The router is set up with DHCP reservations to give the clients their IP address. All client use DHCP settings (No DNS servers are defined on any clients' NIC's). They all get their settings from the router.

OpenVPN is installed on all PCs, but only autostarts with 3 PCs. There is no VPN configuration in the router. I do not use the VPN Provider's client software (typically bloated, buggy and resource heavy).

An ipconfig /all shows the OpenDNS servers as the DNS servers for the motherboard's NICs

OpenVPN software has no DNS settings Perse. The configuration files likewise have no DNS entries in there.

The TAP Adapter for the VPN uses automatic DNS settings too, but when connected to the VPN the TAP adapter is showing the VPNs DNS servers.

If the 'Metric' value has no bearing on DNS then I don't know which DNS servers are being used when surfing with the VPN connected.

I am about to set it up with the VPN providers DNS settings as per @OzarkEdge's recommendations.

Windows IP Configuration

Host Name . . . . . . . . . . . . : Tanya-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter NordVPN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-1C-B4-3A-4F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, 14 November 2018 11:16:30
Lease Expires . . . . . . . . . . : Thursday, 14 November 2019 11:16:30
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.254
DNS Servers . . . . . . . . . . . : 103.86.96.100
103.86.99.100
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Windows 10:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
Physical Address. . . . . . . . . : 30-9C-23-20-98-25
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.19(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, 14 November 2018 9:56:21
Lease Expires . . . . . . . . . . : Wednesday, 14 November 2018 21:56:20
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220
192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

 

[ColinTaylor]

You appear to have everything setup the way you want it already.

Your LAN > DHCP Server >DNS settings will be used by your DHCP clients unless the VPN is active in which case they will use your VPN provider's DNS.

If your VPN client software doesn't have an option to override what DNS is used then it will use whatever is pushed to it from the VPN provider.

Personally I wouldn't setup your LAN DHCP servers that way but that's another discussion.

 

[TanyaC]

Having changed the LAN DNS Servers only (set to blanks). This is what I am now seeing....

Windows IP Configuration

Host Name . . . . . . . . . . . . : Tanya-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter NordVPN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-1C-B4-3A-4F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.8.0.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, 14 November 2018 11:27:57
Lease Expires . . . . . . . . . . : Thursday, 14 November 2019 11:27:57
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.254
DNS Servers . . . . . . . . . . . : 103.86.96.100
103.86.99.100
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Windows 10:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
Physical Address. . . . . . . . . : 30-9C-23-20-98-25
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.19(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, 14 November 2018 11:26:47
Lease Expires . . . . . . . . . . : Wednesday, 14 November 2018 23:26:46
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

An nslookup when connected to the VPN..

C:\Users\Tanya>nslookup
Default Server: UnKnown
Address: 103.86.96.100

> www.yahoo.com
Server: UnKnown
Address: 103.86.96.100

Non-authoritative answer:
Name: atsv2-fp-shed.wg1.b.yahoo.com
Addresses: 2406:2000:e4:a1a::10
2406:2000:e4:a1a::11
106.10.250.10
106.10.250.11
Aliases: www.yahoo.com

And when not connected to the VPN

C:\Users\Tanya>nslookup
Default Server: router.asus.com
Address: 192.168.1.254

> www.yahoo.com
Server: router.asus.com
Address: 192.168.1.254

Non-authoritative answer:
Name: atsv2-fp-shed.wg1.b.yahoo.com
Addresses: 2406:2000:e4:a1a::10
2406:2000:e4:a1a::11
106.10.250.11
106.10.250.10
Aliases: www.yahoo.com

 

[ColinTaylor]

Yes that's the way I would set it up.

Your non-VPN DHCP clients will use the router as their DNS server which gives them the benefit of being able to do local name resolution and getting faster responses from the local cache. What you set for the DNS server on the router's WAN page will dictate what upstream server they use for non-local queries.

 

[TanyaC]

Yay!

Thanks for your help.