What's new

Multiple DNS Servers - How does the router decide which one to use?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

zakazak

Regular Contributor
So in WAN Settings I can add multiple DNS Servers.

How does the router decide which one to use or which one to use first?
Does it rotate through the list?
Does it randomly pick one out of the list and stays with it until that DNS goes offline?

Thanks!
 
If you're referring to the DNS-over-TLS mode, it round-robins the servers due to how Stubby is configured. So to answer the question, it rotates through the list.
 
Thanks! Yes I was referring to DNS over TLS/HTTPS.

So it roates. And do you happen to know approx. how often?
 
Oki, thanks! I will try figuring it out by adding two different nextdns accounts with empty protocolls and see how they both fill up.
 
Log into the router with a terminal and run "stubby -l" and you can watch the connections.
 
I noticed that his behaviour is configurable in AdGuardHome's settings (in case you're looking for an easy way to change the DoT behaviour) :)
Since you're already running Merlin ...

Just FYI.
 
I noticed that his behaviour is configurable in AdGuardHome's settings (in case you're looking for an easy way to change the DoT behaviour) :)
Since you're already running Merlin ...

Just FYI.
Or just create a stubby.postconf script and simply override the behavior. Assuming we are still talking about round-robin vs sequential order.
 
I noticed that his behaviour is configurable in AdGuardHome's settings (in case you're looking for an easy way to change the DoT behaviour) :)
Since you're already running Merlin ...

Just FYI.

Thanks but I guess I will go with NextDNS :)

Adguard Home doesn't have any big advantages over NextDNS?
Except maybe, that requests are processed locally and should there for be faster than sending them to NextDNS?
 
Thanks but I guess I will go with NextDNS :)

Adguard Home doesn't have any big advantages over NextDNS?
Except maybe, that requests are processed locally and should there for be faster than sending them to NextDNS?
It mayyy be a tad faster in regards to latency, but it's difficult to notice in real situations. And AGH uses a lot of memory, which not everyone can afford to spare on their routers.
 
Thanks but I guess I will go with NextDNS :)

Adguard Home doesn't have any big advantages over NextDNS?
Except maybe, that requests are processed locally and should there for be faster than sending them to NextDNS?
There will be an issue with DNS rebinding protection. If you do locally, some tweaking about rebinding protection needed. Maybe someone using NextDNS TLS with local dns services like dnsmasq/unbound/diversion can post their settings?
 
There will be an issue with DNS rebinding protection. If you do locally, some tweaking about rebinding protection needed. Maybe someone using NextDNS TLS with local dns services like dnsmasq/unbound/diversion can post their settings?
If using NextDNS directly in the DoT servers section, DNS rebinding protection in the GUI/Dnsmasq needs to be disabled. Along with DNSSEC.

If you're using the NextDNS CLI that uses DoH, it disables the settings for you, so nothing to do there.
 
NextDNS doesn't play nicely with rebinding protection, and your log will be spammed with problems if you leave it enabled (likely due to NextDNS offering up a feature that also protects against rebinding -- it's in your profile's Security tab). In addition, NextDNS already does DNSSEC validation on their end, so by leaving it enabled you're essentially double checking the validity of requests.

See this for DNSSEC: DNSSEC and blocked domains - Discussions - NextDNS Help Center
 
Last edited:
Hm I have DNS Rebinding protection disabled in NextDNS.
Can I then do it on my router or would it be better to let NextDNS handle this?
 
NextDNS doesn't play nicely with rebinding protection, and your log will be spammed with problems if you leave it enabled (likely due to NextDNS offering up a feature that also protects against rebinding -- it's in your profile's Security tab). In addition, NextDNS already does DNSSEC validation on their end, so by leaving it enabled you're essentially double checking the validity of requests.

See this for DNSSEC: DNSSEC and blocked domains - Discussions - NextDNS Help Center
Thanks for the info. I can't say that I've ever had a problem with the logs being (incorrectly) spammed because of rebind protection. It seems to work exactly as expected regardless of the NextDNS setting. I don't normally have DNSSEC enabled but I tried testing with it enabled and still couldn't generate any abnormal log entries. Everything seems fine. Perhaps it's some specific use case.

Hm I have DNS Rebinding protection disabled in NextDNS.
Can I then do it on my router or would it be better to let NextDNS handle this?
I've always just used the rebind protection on the router. It's so rare that such a query happens on my network that it's rather academic which way is better IMHO.
 
I can't find any errors in my log as well.

Rebind Protection:
NextDNS: Disabled
Router: Enabled

DNSSEC:
NextDNS: Enabled
Router: Disabled

Does that configuration make sense?
My thoughts were:
I want rebind protection to be enforced/secured locally.
DNSSEC externally to save my own hardware ressources (I know it doesn't use a lot).

Edit: I am blind, there is no DNSSEC option in nextdns?
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top