Forum Discussion
Haaino
Jan 17, 2022, Guide
br200 DHCP DNS server configuration
Dear community, I have a BR200 with firmware 5.10.0.5. I have successfully set up multiple VLANs and corresponding DHCP services, and it is all working nicely. However, the iPhone complains that the...
schumaku
Jan 18, 2022, Guru - Experienced User
Well, all Netgear and many other router products with DNS relays or the like make some iOS systems complain. None of these systems supports DNSSEC, DoH or DoT.
Haaino wrote:
To compensate for this I want to use the public DNS server 9.9.9.9. I already configured this DNS service to be used in the BR200 in the WAN interface. How can I configure the DHCP service parameter that the DHCP clients also use this DNS service?
Nothing we can do for now. Supporting DNSSEC requires much more than just adding a DNSSEC capable DNS resolver.
Haaino wrote:
If I configure the DNS service on my iPhone manually to use 9.9.9.9, the iPhone no longer complains.
Keep in mind that DoH and/or DoT are not ready for prime time for various reasons - most ISPs don't offer the required discovery options (draft level at max), so no implementations in the real world.
Apple has a big trend in pushing privacy features into the world - like the cumbersome default "Private Address" making big problems in SOHO and business environments where the random MAC address (that's what it really is) is used for identification, access control, parental controls, ... assigning reserved IP addresses, .... and much more.
Haaino
Jan 18, 2022, Guide
Thank you for your answer, although I was hoping for a solution. But the situation is as it is, unfortunately.
However, something does make me wonder. If I manually configure 9.9.9.9 as the DNS service, my iPhone stops complaining. Why does this work?
And secondly, how can I configure any DHCP attributes in the BR200? Or would I be better off using a different DHCP service?
schumaku
Jan 19, 2022, Guru - Experienced User
Haaino wrote:
If I manually configure the 9.9.9.9 as the dns service, my iPhone stops complaining. Why does this work?
Because DNSSEC is an extension of the DNS protocol. While the DNSSEC extensions are available on .9, the DNS resolver/relay on the Netgear routers (and many more) does not handle them.
For my curiosity, would you mind sharing a screenshot of the iPhone complaint?
Overall, it's still not the world's greatest idea to send your own DNS queries to a business where most don't know anything about it. This becomes more crucial when you think about DNS with DoH or DoT - the US NSA and CISA published do's and don'ts for Adopting Encrypted DNS in Enterprise Environments (PDF) - most of it applies to DoT, too. DoH and DoT can impede analysis and monitoring of DNS traffic for cybersecurity purposes, DoH and DoT can be used to bypass parental controls which operate at the standard plain-text DNS level, ...
Not everything Apple suggests - like the crazy random MAC address (they promote it as "Private Wi-Fi Address") - makes sense in an enterprise, business, small business or even at home.
Haaino wrote:
how can i configure any dhcp attributes in the br200? Or can I better use a different dhcp service?
Unfortunately, Netgear left out plenty of features on the BR500/BR200 specs.
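The reply above says the router's DNS relay does not handle the DNSSEC extensions while 9.9.9.9 does. The script below is an added example (not from this thread, Netgear or Apple) that lets you check that yourself: it builds a query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit set, then inspects the reply for the AD flag, an echoed OPT record and RRSIG records. How iOS actually decides to show its privacy warning is undocumented, so treating "no AD flag and no RRSIG through this resolver" as the trigger is an assumption. The two sample replies are constructed by hand for offline use; `example.com` and the A record value in them are placeholders, and `query_resolver` is a hypothetical helper that needs network access.

```python
"""Check whether a DNS resolver passes DNSSEC data through (added example)."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000          # DO bit is the top bit of the OPT record's TTL field
FLAG_AD = 0x0020          # "authenticated data" bit in the DNS header flags


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query with RD=1 and one additional record: EDNS0 OPT, DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", TYPE_A, 1)
    # OPT RR: root name, type 41, UDP payload size 1232, ext-rcode/version 0 + DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += 1 + length


def inspect_response(msg: bytes) -> dict:
    """Walk all RRs and report the DNSSEC-relevant findings of a reply."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # qtype + qclass
    types, do_echoed = [], False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            do_echoed = True
    ad = bool(flags & FLAG_AD)
    return {
        "rcode": flags & 0xF,
        "ad": ad,
        "edns_do_echoed": do_echoed,
        "has_rrsig": TYPE_RRSIG in types,
        # Heuristic (assumption): a resolver that neither validates nor forwards
        # signatures looks like a DNSSEC-unaware relay to the client.
        "dnssec_capable": ad or TYPE_RRSIG in types,
    }


def _rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_responses():
    """Two constructed replies (not captured traffic) to the same query."""
    q = build_query("example.com")
    question = q[12:12 + 17]                  # 13-byte qname + qtype + qclass
    ptr = b"\xc0\x0c"                         # pointer to the name at offset 12
    a_rr = _rr(ptr, TYPE_A, bytes([93, 184, 216, 34]))     # placeholder address
    rrsig = _rr(ptr, TYPE_RRSIG, b"\x00" * 18 + b"\x00" + b"\x00" * 64)  # shape only
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    # Validating resolver: QR|RD|RA|AD, answer + RRSIG, OPT echoed with DO.
    validating = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + question + a_rr + rrsig + opt
    # DNSSEC-unaware relay: QR|RD|RA only, bare answer, OPT dropped.
    relay = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + a_rr
    return validating, relay


def query_resolver(server: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Hypothetical live check: send the DO-flagged query over UDP/53 (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return inspect_response(data)


if __name__ == "__main__":
    validating, relay = sample_responses()
    print("validating resolver:", inspect_response(validating))
    print("plain relay:        ", inspect_response(relay))
    # Live comparison, e.g.: query_resolver("9.9.9.9") versus query_resolver("<router LAN IP>")
```

Run it against 9.9.9.9 and then against the router's LAN address (the relay the DHCP clients currently get); if only the first reply carries AD or RRSIG, the relay is stripping exactly what the phone is looking for. Note that the DO bit only asks the resolver to include signatures; the AD flag is the resolver's own validation result, so a relay can echo OPT/DO and still set neither.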
Haaino
Jan 19, 2022, Guide
Thank you very much for helping me out! I appreciate this.
It's in Dutch. Roughly translated: one picture says "privacy warning". And the other explains that the DNS service (a.k.a. the Netgear router) is intercepting the DNS traffic and could potentially monitor it.
I understand your remark about external DNS services, and you are quite right about it! No denying it. In this particular case the .9 DNS service has a relatively good reputation and privacy restrictions.
My question still is: how can I configure the DHCP service on the BR200 router so that the clients get the .9 DNS service automatically assigned? If I wanted to host my own DNS service, this question would become even more relevant.
schumaku
Jan 19, 2022, Guru - Experienced User
Hartelijk bedankt! (Many thanks!) Don't worry, Swiss German reader here - somewhat familiar with Dutch.
Figured it out - this DNS privacy warning comes up along with this "Private Wi-Fi" random MAC being enabled. Apple managed to bring a little bit of their lost trust back: it appears they now understand that Private Wi-Fi, along with their privacy concerns, affects more the "public" Wi-Fi.
On your home or business network, one would assume your legal and trusted users have nothing to hide. Disable this "Private Wi-Fi" ***** for your wireless network name(s) in your very own network.
If you operate multiple SSIDs on your wireless network(s), you don't want to deal with random MAC addresses, e.g. in the DHCP MAC-IP reservation tables, and you might want to see which device is connected instead of some un-named DEV-xx-yy-zz one appearing as a different device on each network. Don't you? Yes, it's an additional step after connecting to the SSID: set this "Private Wi-Fi" to off for your own networks!
The small privacy enhancement isn't (in my opinion) worth operating DNSSEC on a client (ok, small advantage); it was initially invented for trusted zone transfers and the like. Your ISP certainly operates their DNS nicely, blocking risk and malware sites, filtering illegal sites as per the Dutch legal requirements, and much more.