br200 DHCP DNS server configuration

Question

Dear community,&nbsp;I have a BR200 with firmware 5.10.0.5. I have succesfully setup multiple vlan's and corresponding DHCP services it is all working nicely.&nbsp;However, the iPhone complain that the DNS service on the netgear router does not support DNSSEC.&nbsp;To compensate for this I want to use&nbsp; the public DNS server 9.9.9.9. I already configured this DNS service to be used in the BR200 in the WAN interface. How can I configure&nbsp; the DHCP service parameter that the DHCP clients also use this DNS service?&nbsp;If I configure the DNS service on my iPhone manually to use 9.9.9.9, the iPhone no longer complains.&nbsp;Any help is welcome.&nbsp;Best regards,Haaino

schumaku · Answer

Well, all Netgear and many other router products with DNS relays or the like make some iOS systems complain. None of these systems are supporting neither DNSSEC, nor DoH, not DoT.
&nbsp;
Haaino&nbsp;wrote:
To compensate for this I want to use&nbsp; the public DNS server 9.9.9.9. I already configured this DNS service to be used in the BR200 in the WAN interface. How can I configure&nbsp; the DHCP service parameter that the DHCP clients also use this DNS service?

Nothing we can do for now. Supporting DNSSEC requires much more than just adding a DNSSEC capable DNS resolver.&nbsp;
&nbsp;
Haaino&nbsp;wrote:
If I configure the DNS service on my iPhone manually to use 9.9.9.9, the iPhone no longer complains.

Keep in mind that DoH and/or DoT are not ready for prime time for various reasons - most ISPs don't offer the required discovery options&nbsp;(draft level at max), so no implementations&nbsp;in the real world.
&nbsp;
Apple has a big trend in pushing privacy features into the world - like the cumbersome default "Private Address" making big problems in SOHO and business environments where the random MAC address (that's what it really is) is used for identification, access control, parental controls, ...&nbsp; assigning reserved IP addresses, .... and much more.&nbsp;

Haaino · Answer

Thank you for your answer, although I was hoping for a solution. But situation is as it is unfortunately

however, something does make me wonder. If I manually configure the 9.9.9.9 as the dns service, my iPhone stops complaining. Why does this work?

and secondly, how can i configure any dhcp attributes in the br200? Or can I better use a different dhcp service?

schumaku · Answer

Haaino&nbsp;wrote:
If I manually configure the 9.9.9.9 as the dns service, my iPhone stops complaining. &nbsp;Why does this work?

Because of DNSSec is an extension of the DNS protocol. While the DNSSec extensions are available on .9, the DNS resolver/relay on the Netgear routers (and many more) does not handle these.
&nbsp;
For my curiosity, would you mind to share a screenshot of the iPhone complaint?
&nbsp;
Overall, it's still not the world's greatest&nbsp;idea to send your own DNS queries to a business where most don't know anything about it. This is becoming more crucial when you think about DNS with DoH or DoT - the US NSA and CISA before published do's and don'ts for&nbsp;Adopting Encrypted DNS in Enterprise Environments (PDF) - most applies to DoG, too.&nbsp;DoH and DoT can impede analysis and monitoring of DNS traffic for cybersecurity purposes,&nbsp;DoH and DoT can be used to bypass parental controls which operate at the standard plain text DNS level, ...
&nbsp;
Not everything Apple does suggest - lie the crazy random MAC address (they promote&nbsp;it as "Private Wi-Fi Address") - does make sense in an enterprise, business, small business and even at home.
&nbsp;
Haaino&nbsp;wrote:
how can i configure any dhcp attributes in the br200? Or can I better use a different dhcp service?

Unfortunately, Netgear left out plenty of features on the BR500/BR200 specs.
&nbsp;
&nbsp;

Haaino · Answer

&nbsp;Thank you very much that you are helping my out! I appreciate this.&nbsp;It's in Dutch. Roughly translated: one picture says "privacy warning". And the other explains that the DNS service (a.k.a. the Netgear router) is intercepting the DNS traffic and could potentially monitor this.&nbsp;I under your remark about external DNS services, and you are quite right about it! No denying about it. In this particular case the .9 DNS service has a relative good reputation and privacy restrictions.&nbsp;My question still is: how can I configure the DHCP service on the BR200 router so that the clients get .9 DNS service automatically assigned? If I would like to host my own DNS service, that this question becomes more relevant.&nbsp;

schumaku · Answer

Hartelijk bedankt! Don't worry, Swiss German reader here - somewhat familiar with Dutch.
&nbsp;
Figured out - these DNS privacy warning does come up along with this "Private Wi-Fi" random MAC enabled. Apple managed to bring a little bit of thier lost trust back: Appears they understand now the Private Wi-Fi along with their privacy concerns affect more "public" Wi-Fi.&nbsp;&nbsp;
&nbsp;
On your home or business&nbsp;network, one would assume your legal and trusted users have nothing to hide. Disable this "Private WI-Fi" ***** for your wireless&nbsp;network name(s) in your very own network.
&nbsp;
If you operate multiple SSIDs on your wireless network(s) - you don't want to deal with random MAC addresses e.g. on the DHCP MAC-IP reservation tables, and you might want to see what device is connected, instead if some un-named, DEV-xx-yy-zz one, appearing as a different device on each network. Don't you? Yes it's an additional step after connecting to the SSID: Set this&nbsp; "Private WI-Fi"&nbsp; to off for your own networks!
&nbsp;
The small privacy enhancement isn't (in my opinion) worth operating DNSSec on a client (ok, small advantage)&nbsp; but initially invented for trusted zone transfers and the like. Your ISP does certainly nicely operate thier DNS, blocking risk and malware sites, filtering illegal sites as per the Dutch legal requirements, and much more.

Forum Discussion

br200 DHCP DNS server configuration

8 Replies

Related Content

Zugriff auf Server hinter dem BR200 Router

TFTP Server First Configuration

BR200 /23 subnet issue

Port-Channel / MLAG Configuration for Ubuntu-Server on two M4500 switches

BR200 not "currently" working with existing OSX Server VPN

NETGEAR Academy

ProSupport for Business