I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the gateway address as the DHCP address. I guess this works, if inefficiently, in many cases. But it's a real problem now that Microsoft is adding DNS over HTTPS capabilities to Windows. (It's already in the Insider previews, they'll be rolling it out in release versions in an update.) It automatically detects whether DNS servers can do DNS over HTTPS, which of course the router does not. Is there a way to make the Orbi tell DHCP devices to use the DNS servers specified in the configuration? If not, it will become a major hindrance to security as DoH gets widely rolled out.

Mstrbig wrote:Unfortunately, you are mixing up the scenario and are confused with regard to DoH and DNS proxying. You accessing your ISP's DNS is elemetary, as many user can and have been using their provider's or third party DNS servers for a very long time. However, if the DNS servers used don't support DoH, there will be no DoH. With regard to the whole DoH implementation on the Orbi or any other router, the manufacturer would have to update their firmware as that is where the OS resides running the Orbi or any other router's program. This is why third party companies like Cisco, offer DoH for those who need it. Software based, like in Microsoft's new OS, will allow users to set it up on each of their PCs, if needed. However for full network, you would need a dedicated server, switch, or ISP that supports DoH.And back to the argument of protection, once DoH is implemented, users may have to up their game of virus, malware, etc. protection as a trade off.I'm not confused at all. I've been writing networking code for over 30 years, and understand perfectly well how these systems work. I'm just not understanding the points that you're making. You said that the minor change of having the router not proxy DNS would require reprogramming every ISP's DNS. I was pointing out that that is most definitely not the case. There are already routers that don't proxy DNS. Obviously, DNS servers have to support DoH in order for DoH to work. But the implementation Microsoft decided on simply tests whether there's a DoH server at the standard port and address accessible at the same address as the regular DNS server, and if so automatically switches to using DoH. Again, that doesn't require reprogramming ISP's servers -- if it doesn't work, Windows will revert to standard DNS. But suppose that someone wants to use a DoH service, whether that's from the ISP or (more likely) from a third party that provides additional security features. If it weren't for DNS proxying, a person could simply set up their third party DoH-supporting DNS server address on their router and all attached computers (with the upcoming Windows release) would automatically use it. As it is, they have to set up every computer individually just to bypass the proxy. I also don't understand why you keep talking about this like it's a trade-off between DoH and having security features. All of the major providers of filtering and security DNS services provide DoH as well (OpenDNS, Quad9, etc.). Presumably people like me who use such a service and also want DoH will keep the same service and just switch protocols. You said "However for full network, you would need a dedicated server, switch, or ISP that supports DoH." Why do you say that? It's not as if the Orbi is caching anything. (Try setting norecurse in nslookup and you can verify that.) Having each computer in a SOHO network going directly against, say, Quad9's DoH or DNS servers does not result in any more Internet traffic than proxying it through the Orbi. It would work exactly the same, just faster (and albeit without the rather questionable feature of resolving the pseudodomain for the Orbi management page).

FURRYe38 wrote:Orbi DHCP server isn't broke in regards to handing out it's router IP address for all clients DNS. Thats just how NG designs there routers to work. NG seems to have had this design for a long time standing up to this point on there router products. If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. There routers allow for disabling of DNS proxy on there router. It's call DNS Relay for them. Something you could try and find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well. Well, I agree that it's working as designed. But given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design. I believe that they've done this forever, but, just like their use of basic authentication for their management console login, it's an outdated decision that they should change. As it happens, I swtiched to Orbi from a D-Link router over the weekend. I know D-Link works perfectly fine in this scenario. I was trying to get rid of it since it's old equipment. But just that incredibly insecure login authentication approach makes me seriously doubt my purchase. It suggests that their routers are still using code written decades ago and never updated.

Mstrbig wrote:The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc.. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.That wasn't my question. A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured. I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH. I'm not expecting the Orbi to support DoH. But its DHCP server should be able to correctly pass along the correct DNS servers rather than incorrectly giving its own address.

SunriseMan wrote:That's only true because people have to set up the DoH manually rather than having it be supported by the underlying OS. With the implementation in the Preview version of Windows, it still uses the DNS server provided by DHCP, it just tests that server to see if DoH will work. So the security or content controls of the DNS provider will still apply. This applies to the concerns CrimpOn mentioned as well. However, I don't understand why DoH adoption would have an impact on the need for router firmware updates. It'll probably increase the urgency for one update to provide an option to avoid DHCP proxying, but I don't see any reason there would be less need for updates after that.Having just become aware of this development today, it seems to me that this is going to a long, complicated rollout. There must be 100's of different consumer router models installed. Even a "simple" router update to avoid DNS proxying has to be developed, tested, and rolled out by manufacturers who have shown little interest in updating firmware. (Verizon sold the Orbi to customers and has never issued a firmware update.) Suppose the default changes from "DNS Proxy" to "include the DNS server we got from the ISP in our DHCP response." That means every ISP DNS proxy has to be reprogrammed. This is sort of "Deja Vu" for me. When was IPv6 announced as the "solution to IPv4 running out of numbers"? And here we are in the middle of 2020. DoH is going on my list of "things to watch out for."

CrimpOn wrote: Suppose the default changes from "DNS Proxy" to "include the DNS server we got from the ISP in our DHCP response." That means every ISP DNS proxy has to be reprogrammed.I don't understand what you mean. All home routers, including the Orbi, can do the necessary NAT to let computers access the ISP's DNS servers directly. Look at the attached screenshot -- that's me accessing my ISP's DNS going through my Orbi. (10.10.10.1 is the address of my Orbi, which is why it's my default DNS server.) I've also used routers that don't do DNS proxying, gone through periods where I had a separate server running DHCP that passed my ISP's DNS servers, and have had computers with static addresses that used the ISP's DNS servers. I assure you that all of these scenarios work, and have worked since I got my first home router decades ago.

How to get Orbi to pass through DNS information in DHCP?

23 Replies

FURRYe38
Guru
Aug 30, 2020
Most of NG routers don't allow for DNS proxy bypass. So you can set DNS on the router for any kind of DNS you want to use, however all clients will only get the routers IP address for there DNS entries.
Mstrbig
Master
Aug 30, 2020
SunriseMan wrote:
I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the gateway address as the DHCP address.

I guess this works, if inefficiently, in many cases. But it's a real problem now that Microsoft is adding DNS over HTTPS capabilities to Windows. (It's already in the Insider previews, they'll be rolling it out in release versions in an update.) It automatically detects whether DNS servers can do DNS over HTTPS, which of course the router does not.

Is there a way to make the Orbi tell DHCP devices to use the DNS servers specified in the configuration? If not, it will become a major hindrance to security as DoH gets widely rolled out.
The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc.. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.
- SunriseMan
  Guide
  Aug 30, 2020
  Mstrbig wrote:
  The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc.. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.
  That wasn't my question.
  
  A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured.
  
  I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH.
  
  I'm not expecting the Orbi to support DoH. But its DHCP server should be able to correctly pass along the correct DNS servers rather than incorrectly giving its own address.
  - Mstrbig
    Master
    Aug 30, 2020
    SunriseMan wrote:
    That wasn't my question.
    
    A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured.
    
    I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH.
    
    No I understood what you were saying. Most all home user routers are, as you stated, broken.
    And I am currently on Windows 10 Preview Build 20201.
    There's still a lot of debate over whether DoH is good or not, and I'm sure a lot will change before it is available in public versions of Windows 10.
    Most people rely on DNS to block malware, enable parental controls, or filter the browser’s access to websites. When DoH is enabled, it bypasses the local DNS resolver and defeats these special policies.
jayell1
Initiate
Mar 21, 2021
I was trying to do the same thing to get a pihole to act as an intermediary DNS. I finally decided to let the pihole handle DHCP because it is better able to do that -- so I turned off DHCP on the Orbi and turned it on on the pihole -- now everything works great.

Forum Discussion

How to get Orbi to pass through DNS information in DHCP?