Proper DNS setting?

[BamaInArk]

Running a AX6000 router and really no issue I am aware of. Also running Merlin firmware 388.2_2_rog. Under DNS and WINS Server Setting I have DNS Server 1 and 2 as 1.1.1.1/1.0.0.1. Then under Manual Assignment Enable Manual Assignment is checked YES.

However under WAN DNS Setting under DNS Privacy Protocol I see a note that says "You router's DHCP server is configured to provide a DNS server that's different from your touter's IP address. This will prevent clients from using the DNS Privacy servers."

I'm not quite sure what that statement means.

 

[drinkingbird]

Running a AX6000 router and really no issue I am aware of. Also running Merlin firmware 388.2_2_rog. Under DNS and WINS Server Setting I have DNS Server 1 and 2 as 1.1.1.1/1.0.0.1. Then under Manual Assignment Enable Manual Assignment is checked YES.

However under WAN DNS Setting under DNS Privacy Protocol I see a note that says "You router's DHCP server is configured to provide a DNS server that's different from your touter's IP address. This will prevent clients from using the DNS Privacy servers."

I'm not quite sure what that statement means.

Set your WAN DNS to the ones you want to use (1.1.1.1 and 1.0.0.1). Leave the LAN/DHCP ones blank. The "advertise router IP in addition" can be checked or unchecked, in that setup it doesn't matter, I just leave it checked. Clients will receive your router IP as their DNS, then the router will decide whether to serve the request (if it is a local host) or send it upstream (if it is a remote host and not already cached). It will then cache that upstream lookup so that clients will get better response time for DNS queries for that host until the TTL expires. The router will also automatically monitor both DNS servers and choose the fastest one in this setup.

 

[Davidncali001]

Remove the dns settings from DNS and Win Server and leave the box blank.

Go to WAN DNS settings and choose Yes to enable DNS Rebind Protection, Yes to Enable DNSSEC support, and go to DNS Privacy Protocol and choose DNS OVER TLS DoT.

Then go to DNS over TLS and set it to strict.

Click yes to Validate unassigned DNSSEC replies.

Then go to preset servers and select cloudflair 1.1.1.1 and then click the little + button to add it and then go back to preset servers and choose cloudflair 1.0.0.1 and choose the little + button to add that.

Click apply at the bottom of the screen and you should be set.

 

[drinkingbird]

Remove the dns settings from DNS and Win Server and leave the box blank.

Go to WAN DNS settings and choose Yes to enable DNS Rebind Protection, Yes to Enable DNSSEC support, and go to DNS Privacy Protocol and choose DNS OVER TLS DoT.

Then go to DNS over TLS and set it to strict.

Click yes to Validate unassigned DNSSEC replies.

Then go to preset servers and select cloudflair 1.1.1.1 and then click the little + button to add it and then go back to preset servers and choose cloudflair 1.0.0.1 and choose the little + button to add that.

Click apply at the bottom of the screen and you should be set.

DOT and DNSSEC are fairly useless on a recursive DNS server, and I've seen a pretty significant performance impact. I would not recommend using either.

 

[BamaInArk]

I made the appropriate settings changes and now that little "note" is not there anymore. Thanks

 

[heysoundude]

DOT and DNSSEC are fairly useless on a recursive DNS server, and I've seen a pretty significant performance impact. I would not recommend using either.

I agree with DoT being...a complexity.
unbound handles the DNSSEC stuff iirc, if OP would like to give that a spin. (Querying the AUTH servers directly rather than CloudFlare's recursive ones - unbound makes your router a local, personal DNS server on par with cloudflare, and my router is only a microsecond away from my client machines rather than milliseconds to cloudflare and back)

 

[drinkingbird]

I agree with DoT being...a complexity.
unbound handles the DNSSEC stuff iirc, if OP would like to give that a spin. (Querying the AUTH servers directly rather than CloudFlare's recursive ones - unbound makes your router a local, personal DNS server on par with cloudflare, and my router is only a microsecond away from my client machines rather than milliseconds to cloudflare and back)

Except the authoritative servers are probably much further away from you than Cloudflare or even your ISP, and each DNS lookup now needs two lookups instead of one. Thinking your little asus router is going to be on par with a nationwide system of high powered anycast server clusters (or even a couple powerful servers from your ISP) is a bit of a misconception.

But you do eliminate the man in the middle potential and can validate the DNSSEC signatures yourself in that case, so technically more secure, if you don't mind the performance hit for the first lookup every TTL interval.

I use one of my ISP's servers as primary as it is fastest and one of the Level 3 ones as backup as it is nearly as fast. Every so often I check the most common ones with namebench and the GRC DNS Benchmark but the results are typically always about the same.

Would be interested to see how your asus querying authoritative servers directly (after querying the Roots for the authoritative NS) performs in one or both of those benchmarks?

 

[heysoundude]

I'm just going by the chart ("Performance Histogram") - the DNS lookups performed by unbound on my router:
there's a massive spike in the 0-1 usec range, which is clearly the cache.
The next highest (currently) is centered on the 65-131 msec range, which is what I consider the recursive query timeframe, but the 32-65 msec range eventually supercedes it as the cache builds. (Historically, I have seen it fall into the 8-16 ms range over time)
If I add up the values of the bars on my chart, its clear that the majority of DNS lookups on my network go to my unbound instance more often than not, and the average lookup time of that majority is below the "recursive query average".
This is the (likely highly glossed over & pedestrian) perspective I've got from years with unbound on this router. I'd have to do some napkin math, but I'd wager my "average of averages" DNS lookup probably works its way down into the sub-10ms range. What's a ping to cloudflare for me? 8.996ms IPv4 and 9.126ms IPv6 (which is within usec of my own ISP - they're within the same datacenter, along with HE and a bunch of other heavy hitters, so it would take some doing to get faster, if that's possible )
To me, that's close enough to call at least a draw in terms of time. In terms of privacy, it's no contest. Put another way: pinging cloudflare (or my ISP's DNS, or HE or or or) is no faster than running unbound on my router.

Here's a thread that may help...https://www.snbforums.com/threads/understanding-unbound.84785/

 

[drinkingbird]

I'm just going by the chart ("Performance Histogram") - the DNS lookups performed by unbound on my router:
there's a massive spike in the 0-1 usec range, which is clearly the cache.
The next highest (currently) is centered on the 65-131 msec range, which is what I consider the recursive query timeframe, but the 32-65 msec range eventually supercedes it as the cache builds. (Historically, I have seen it fall into the 8-16 ms range over time)
If I add up the values of the bars on my chart, its clear that the majority of DNS lookups on my network go to my unbound instance more often than not, and the average lookup time of that majority is below the "recursive query average".
This is the (likely highly glossed over & pedestrian) perspective I've got from years with unbound on this router. I'd have to do some napkin math, but I'd wager my "average of averages" DNS lookup probably works its way down into the sub-10ms range. What's a ping to cloudflare for me? 8.996ms IPv4 and 9.126ms IPv6 (which is within usec of my own ISP - they're within the same datacenter, along with HE and a bunch of other heavy hitters, so it would take some doing to get faster, if that's possible )
To me, that's close enough to call at least a draw in terms of time. In terms of privacy, it's no contest. Put another way: pinging cloudflare (or my ISP's DNS, or HE or or or) is no faster than running unbound on my router.

Here's a thread that may help...https://www.snbforums.com/threads/understanding-unbound.84785/

But you have to keep in mind the cache is not infinite, as soon as the TTL expires, another lookup is needed. If you're on a website with lots of images, ads, calls to other sites, etc, that really can have a major impact. Try the two tools I mentioned, you can run them against your unbound DNS, first with it set to look up to the authoritative servers and then clear its cache and set it set to your ISP or some other good performing server near you (those tools will tell you the best performing ones). They can differentiate between cached and uncached lookups etc so you get the full picture.

For me, the local Verizon DNS (I have FIOS) is the fastest and L3's 4.2.2.6 is almost as fast.

 

[sfx2000]

DOT and DNSSEC are fairly useless on a recursive DNS server, and I've seen a pretty significant performance impact. I would not recommend using either.

I respectfully disagree - I suggest you put up some info to back your claim - latency over time would be a good start...

RRD over time - that would be a great example...

Your graphs would be good - a single pic can explain a thousand posts here...

 

[drinkingbird]

I respectfully disagree - I suggest you put up some info to back your claim - latency over time would be a good start...

RRD over time - that would be a great example...

Your graphs would be good - a single pic can explain a thousand posts here...

I disabled both features not long after enabling, was night and day for me. I did not track statistics over that small time, but did test with a couple DNS benchmarks and the difference was huge, and even without that it was highly noticeable to me in everyday use. Obviously a more powerful router or dedicated machine could reduce or eliminate the latency penalty. But in reality, DOT simply hides your DNS request, if someone is monitoring you they just need to watch what IP you go to after the encrypted DNS request. DNSSEC is done between the auth server and the first recursive server querying it. Between two recursive servers the best you can hope for (if the upstream server passes the data to you) is to re-authenticate what they've already authenticated. And if you don't trust that server or it has been hijacked for MITM, re-authenticating a fake DNSSEC response doesn't help you.

Even just using Cleanbrowsing and Quad9 with no DOT or DNSSEC has a noticeable impact for me as neither had very good latency from where I am. So I'm back to just plain normal DNS servers with no security, I have other layers of security that are more effective anyway.

I used to run my own authoritative server, before either protocol was commonly used, if I still had that running I'd probably have them enabled as it was more than powerful enough to handle it, but my router isn't (nor do I see much need for either one).

 

[sfx2000]

I did not track statistics over that small time, but did test with a couple DNS benchmarks and the difference was huge

So... it's kind of subjective - e.g. it's feels faster...

 

[drinkingbird]

So... it's kind of subjective - e.g. it's feels faster...

I'm a car guy, I'm the first to admit the "Seat of the Pants" feeling is often in your head. In this case there was no doubt, and the benchmarks backed it up easily. Again though, my router is fairly old, maybe newer ones will perform better, but given the relatively low powered processor in all these routers, I doubt there would be 0 impact (not to mention the overhead on the other end, though assuming they have decent servers and/or TLS offloading, that should be negligible).

More importantly, the benefits are little to none, so why bother/chance it.

 

[heysoundude]

But you have to keep in mind the cache is not infinite, as soon as the TTL expires, another lookup is needed. If you're on a website with lots of images, ads, calls to other sites, etc, that really can have a major impact. Try the two tools I mentioned, you can run them against your unbound DNS, first with it set to look up to the authoritative servers and then clear its cache and set it set to your ISP or some other good performing server near you (those tools will tell you the best performing ones). They can differentiate between cached and uncached lookups etc so you get the full picture.

For me, the local Verizon DNS (I have FIOS) is the fastest and L3's 4.2.2.6 is almost as fast.

impact on DNS speed, or page load speed? Sir/Ma'am/friend, I'm on 50/10 DSL over copper phone lines. Plenty good for the 6 devices the two of us have going, one of which is a kodi HTPC for Netflix etc. Page loads take as long as they take - which is pretty damned speedy, especially with diversion blocking the ads (and Brave as the browser on 3 of the devices). I'm not wasting precious minutes of my life waiting, if that's what you're suggesting. (If I can just get the other user off The Facebook and The Google...and Windows in general...)
I've proven to (convinced?) myself that unbound is at least as fast as Cloudflare, which may or may not be the case by more precise/scientific methodology, but I'm being somewhat more careful with how I advertise my activities to monetizing agents of the interwebz, which is a fair tradeoff and all an average user can ask for. DNS isn't gonna win many races; if I were wanting to race, I'd have a higher speed package.

 

[ColinTaylor]

So... it's kind of subjective - e.g. it's feels faster...

I don't do "subjective" so I actually measured it (DNS vs. DoT) against the top 6 providers back when DoT was first implemented on the router and the DoT responses were hugely slower. Sorry I can't remember that actual numbers. There were also occasionally even bigger delays when the TLS renegotiations happened. I think the TLS issue may have been addressed recently.

If you or @heysoundude want to use the tools that @drinkingbird suggested you can see whether or not that's that case for your own setup (YMMV). Only use the uncached queries though otherwise you'll get false results.

 

[drinkingbird]

I don't do "subjective" so I actually measured it (DNS vs. DoT) against the top 6 providers back when DoT was first implemented on the router and the DoT responses were hugely slower. Sorry I can't remember that actual numbers. There were also occasionally even bigger delays when the TLS renegotiations happened. I think the TLS issue may have been addressed recently.

If you or @heysoundude want to use the tools that @drinkingbird suggested you can see whether or not that's that case for your own setup (YMMV). Only use the uncached queries though otherwise you'll get false results.

Actually I like to look at both cached and uncached (the GRC one differentiates, google's doesn't but is an average of the two just by nature) and playing with clearing the router's cache, leaving it in place, etc. Since real life will be a mix of cached and uncached (in actuality, if you're using a popular DNS service, a lot probably will be cached) I try to find the ones that handle both well. Luckily for me at least the ones that are fastest with cached are either fastest or tied with others for uncached.

I've done tests directly to the recursive servers as well as to my router pointing to those recursive servers, and based on all those picked the two that has the best overall performance over several tests/several weeks.

When I had comcast, their DNS was pretty lousy, response time varied all over the place and they had several massive outages. I switched to Level3 exclusively when using them (I think 4.2.2.6 primary and 4.2.2.2 secondary). Verizon has been very good, they're using the old UUNET infrastructure which was well designed from the start, so I use them for primary and 4.2.2.6 as secondary as it is almost as fast, and provides redundancy.

I guess everyone can decide what their priorities are. If having a filtering DNS is important, the latency penalty may be worth it. I've just found, even with uBlock blocking hundreds/thousands of lookups on a page, everything was so much more sluggish with any of these features (DOT, DNSSEC, filtering DNS provider, etc).

 

[drinkingbird]

impact on DNS speed, or page load speed? Sir/Ma'am/friend, I'm on 50/10 DSL over copper phone lines. Plenty good for the 6 devices the two of us have going, one of which is a kodi HTPC for Netflix etc. Page loads take as long as they take - which is pretty damned speedy, especially with diversion blocking the ads (and Brave as the browser on 3 of the devices). I'm not wasting precious minutes of my life waiting, if that's what you're suggesting. (If I can just get the other user off The Facebook and The Google...and Windows in general...)
I've proven to (convinced?) myself that unbound is at least as fast as Cloudflare, which may or may not be the case by more precise/scientific methodology, but I'm being somewhat more careful with how I advertise my activities to monetizing agents of the interwebz, which is a fair tradeoff and all an average user can ask for. DNS isn't gonna win many races; if I were wanting to race, I'd have a higher speed package.

DNS speed directly impacts page load speed. You might be amazed at how many DNS queries a single, relatively simple site requires. Using ublock or similar helps a lot, but there are still a lot of queries needed in many cases. A few msec adds up when you multiply it by dozens or hundreds. I guess that isn't 100% accurate since many of the requests can be sent in parallel but they don't all happen at once and things get queued etc. For me it was quite noticeable. Something like netflix won't be impacted, but general browsing is.

Not saying not to use unbound, but it may give you better performance if you make it use recursive servers instead of going directly to authoritative ones. Unless you're really concerned about the recursive public servers being hacked, there isn't much benefit of going direct. Many auth servers also rate limit queries from everything but a defined list of public servers, they don't want everyone pointing to them and have to protect themselves from DOS attacks etc.

If what you have works well for you, by all means, you're good. This is just information from my observations, do with it what you will.