
Multiple DNS Servers - How does the router decide which one to use?


zakazak

Regular Contributor
So in WAN Settings I can add multiple DNS Servers.

How does the router decide which one to use or which one to use first?
Does it rotate through the list?
Does it randomly pick one out of the list and stays with it until that DNS goes offline?

Thanks!
 
If you're referring to the DNS-over-TLS mode, it round-robins the servers due to how Stubby is configured. So to answer the question, it rotates through the list.
 
Thanks! Yes I was referring to DNS over TLS/HTTPS.

So it rotates. And do you happen to know approx. how often?
 
Oki, thanks! I will try figuring it out by adding two different NextDNS accounts with empty protocols and see how they both fill up.
 
Log into the router with a terminal and run "stubby -l" and you can watch the connections.
 
I noticed that this behaviour is configurable in AdGuardHome's settings (in case you're looking for an easy way to change the DoT behaviour) :)
Since you're already running Merlin ...

Just FYI.
 
Or just create a stubby.postconf script and simply override the behavior. Assuming we are still talking about round-robin vs sequential order.
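An added example (not from the thread or from Asuswrt-Merlin itself) of the stubby.postconf approach mentioned above. Merlin runs /jffs/scripts/stubby.postconf with the path of the freshly generated stubby.yml as $1; the generated file carries a `round_robin_upstreams: 1` line, and setting it to 0 makes Stubby walk the upstream list in order instead of rotating. Merlin's own /usr/sbin/helper.sh provides pc_replace for this kind of edit; the script below does the substitution with plain sed so that it also runs off-router, and the demo config fragment is constructed for the example:

```sh
#!/bin/sh
# Added example: a /jffs/scripts/stubby.postconf for Asuswrt-Merlin that flips
# Stubby from round-robin to sequential upstream selection. Merlin invokes
# postconf scripts with the generated config path as $1. Merlin's helper.sh
# offers pc_replace; plain sed is used here so the script runs off-router too.

# set_round_robin FILE VALUE: rewrite the round_robin_upstreams line in FILE.
# VALUE 1 = rotate through the upstream list, 0 = use them in listed order and
# only move on when the current one fails.
set_round_robin() {
    cfg="$1"
    value="$2"
    tmp="$cfg.tmp"
    sed "s/^round_robin_upstreams: [01]\$/round_robin_upstreams: $value/" "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}

# get_round_robin FILE: print the current value (0 or 1); nothing if absent.
get_round_robin() {
    sed -n 's/^round_robin_upstreams: \([01]\)$/\1/p' "$1"
}

# demo: run against a constructed stubby.yml fragment (not a real router config).
demo() {
    f=$(mktemp)
    printf 'resolution_type: GETDNS_RESOLUTION_STUB\nround_robin_upstreams: 1\nupstream_recursive_servers:\n  - address_data: 45.90.28.0\n    tls_auth_name: "dns.nextdns.io"\n' > "$f"
    echo "before: $(get_round_robin "$f")"
    set_round_robin "$f" 0
    echo "after:  $(get_round_robin "$f")"
    rm -f "$f"
}

if [ -n "$1" ] && [ -f "$1" ]; then
    set_round_robin "$1" 0    # invoked by Merlin with the generated stubby.yml
else
    demo
fi
```

Make the script executable (chmod +x) and restart Stubby, or reboot, for the change to take effect; `stubby -l` will then show connections going to the first listed upstream only until it fails.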
 

Thanks but I guess I will go with NextDNS :)

Adguard Home doesn't have any big advantages over NextDNS?
Except maybe that requests are processed locally and should therefore be faster than sending them to NextDNS?
 
It mayyy be a tad faster in regards to latency, but it's difficult to notice in real situations. And AGH uses a lot of memory, which not everyone can afford to spare on their routers.
 
There will be an issue with DNS rebinding protection. If you do it locally, some tweaking of the rebinding protection is needed. Maybe someone using NextDNS TLS with local DNS services like dnsmasq/unbound/Diversion can post their settings?
 
If using NextDNS directly in the DoT servers section, DNS rebinding protection in the GUI/Dnsmasq needs to be disabled. Along with DNSSEC.

If you're using the NextDNS CLI that uses DoH, it disables the settings for you, so nothing to do there.
 
NextDNS doesn't play nicely with rebinding protection, and your log will be spammed with problems if you leave it enabled (likely due to NextDNS offering up a feature that also protects against rebinding -- it's in your profile's Security tab). In addition, NextDNS already does DNSSEC validation on their end, so by leaving it enabled you're essentially double checking the validity of requests.

See this for DNSSEC: DNSSEC and blocked domains - Discussions - NextDNS Help Center
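What the router-side "DNS rebind protection" from the posts above actually checks, as an added example that is not part of the thread and not dnsmasq's code: dnsmasq's stop-dns-rebind rejects an upstream reply that maps a name to a private, loopback or link-local address unless the name falls under a rebind-domain-ok suffix. The ranges, the allowlist suffixes and the sample answers below are this example's own assumptions; the IPv4-mapped IPv6 handling is an extra precaution of the example, not something the page states about dnsmasq.

```python
"""Model of a DNS rebind filter (added example; not from the thread or dnsmasq).
A rebinding attack first answers a public IP for attacker.example, then a LAN IP
with a tiny TTL so the browser's same-origin policy now reaches the LAN. The
filter drops any reply that gives a private address for a non-local name."""

import ipaddress

# Address ranges a public name must never resolve to (assumption: our own list).
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Suffixes allowed to resolve to local addresses (the rebind-domain-ok equivalent).
REBIND_DOMAIN_OK = ("home.arpa", "lan")


def is_private(addr: str) -> bool:
    """True if addr is in a blocked range. IPv4-mapped IPv6 (::ffff:a.b.c.d) is
    unmapped first so it cannot smuggle an RFC 1918 address past an IPv4 check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in _BLOCKED_NETS)


def in_allowlist(qname: str) -> bool:
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in REBIND_DOMAIN_OK)


def check_answer(qname: str, addrs):
    """Decide whether one A/AAAA answer set may be passed to the client.
    Returns (accepted, reason). One private address for a name outside the
    allowlist marks the whole reply as a rebinding attempt and drops it."""
    if in_allowlist(qname):
        return True, "allowlisted local name"
    bad = [a for a in addrs if is_private(a)]
    if bad:
        return False, "rebind blocked: %s -> %s" % (qname, ", ".join(bad))
    return True, "ok"


# Constructed answers: a normal lookup, a classic rebinding reply mixing public
# and LAN addresses, a LAN host under an allowed suffix, an IPv4-mapped dodge,
# and a public IPv6 address from the documentation prefix.
SAMPLE_ANSWERS = [
    ("example.com.", ["93.184.216.34"]),
    ("attacker.example.", ["93.184.216.34", "10.0.0.1"]),
    ("nas.home.arpa.", ["192.168.1.20"]),
    ("evil.example.", ["::ffff:192.168.1.1"]),
    ("v6.example.", ["2001:db8::1"]),
]


def run_samples():
    """Map each sample name to whether the filter lets its answer through."""
    return {qname: check_answer(qname, addrs)[0] for qname, addrs in SAMPLE_ANSWERS}


if __name__ == "__main__":
    for qname, addrs in SAMPLE_ANSWERS:
        ok, why = check_answer(qname, addrs)
        print("%-20s %-5s %s" % (qname, "PASS" if ok else "DROP", why))
```

This is also why a local filter and a NextDNS-side one are not redundant in principle: the router check sees the answer after any upstream processing, so it still works if the upstream setting is off, and it is what needs an allowlist entry when local names legitimately resolve to LAN addresses.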
 
Hm I have DNS Rebinding protection disabled in NextDNS.
Can I then do it on my router or would it be better to let NextDNS handle this?
 
Thanks for the info. I can't say that I've ever had a problem with the logs being (incorrectly) spammed because of rebind protection. It seems to work exactly as expected regardless of the NextDNS setting. I don't normally have DNSSEC enabled but I tried testing with it enabled and still couldn't generate any abnormal log entries. Everything seems fine. Perhaps it's some specific use case.

I've always just used the rebind protection on the router. It's so rare that such a query happens on my network that it's rather academic which way is better IMHO.
 
I can't find any errors in my log as well.

Rebind Protection:
NextDNS: Disabled
Router: Enabled

DNSSEC:
NextDNS: Enabled
Router: Disabled

Does that configuration make sense?
My thoughts were:
I want rebind protection to be enforced/secured locally.
DNSSEC externally to save my own hardware resources (I know it doesn't use a lot).

Edit: I am blind, there is no DNSSEC option in nextdns?
 