Haaino
Guide

br200 DHCP DNS server configuration

Dear community,

I have a BR200 with firmware 5.10.0.5. I have successfully set up multiple VLANs and corresponding DHCP services; it is all working nicely.

However, the iPhone complains that the DNS service on the Netgear router does not support DNSSEC.

To compensate for this I want to use the public DNS server 9.9.9.9. I already configured this DNS service to be used in the BR200 on the WAN interface. How can I configure the DHCP service parameter so that the DHCP clients also use this DNS service?

If I configure the DNS service on my iPhone manually to use 9.9.9.9, the iPhone no longer complains.

Any help is welcome.

Best regards,

Haaino

Message 1 of 9
schumaku
Guru

Re: br200 DHCP DNS server configuration

Well, all Netgear and many other router products with DNS relays or the like make some iOS systems complain. None of these systems support DNSSEC, DoH, or DoT.

@Haaino wrote:

To compensate for this I want to use the public DNS server 9.9.9.9. I already configured this DNS service to be used in the BR200 on the WAN interface. How can I configure the DHCP service parameter so that the DHCP clients also use this DNS service?

Nothing we can do for now. Supporting DNSSEC requires much more than just adding a DNSSEC-capable DNS resolver.

@Haaino wrote:

If I configure the DNS service on my iPhone manually to use 9.9.9.9, the iPhone no longer complains.

Keep in mind that DoH and/or DoT are not ready for prime time for various reasons - most ISPs don't offer the required discovery options (draft level at most), so no implementations in the real world.

Apple has a big trend of pushing privacy features into the world - like the cumbersome default "Private Address", which causes big problems in SOHO and business environments where the random MAC address (that's what it really is) is used for identification, access control, parental controls, ... assigning reserved IP addresses, .... and much more.

Message 2 of 9
Haaino
Guide

Re: br200 DHCP DNS server configuration

Thank you for your answer, although I was hoping for a solution. But the situation is as it is, unfortunately.

However, something does make me wonder. If I manually configure 9.9.9.9 as the DNS service, my iPhone stops complaining. Why does this work?

And secondly, how can I configure any DHCP attributes in the BR200? Or would I be better off using a different DHCP service?

Message 3 of 9
schumaku
Guru

Re: br200 DHCP DNS server configuration

@Haaino wrote:

If I manually configure 9.9.9.9 as the DNS service, my iPhone stops complaining. Why does this work?

Because DNSSEC is an extension of the DNS protocol. While the DNSSEC extensions are available on .9, the DNS resolver/relay on the Netgear routers (and many more) does not handle these.

For my curiosity, would you mind sharing a screenshot of the iPhone complaint?

Overall, it's still not the world's greatest idea to send your own DNS queries to a business where most don't know anything about it. This becomes more crucial when you think about DNS with DoH or DoT - the US NSA and CISA earlier published do's and don'ts for Adopting Encrypted DNS in Enterprise Environments (PDF) - most applies to DoG, too. DoH and DoT can impede analysis and monitoring of DNS traffic for cybersecurity purposes, DoH and DoT can be used to bypass parental controls which operate at the standard plain-text DNS level, ...

Not everything Apple does or suggests - like the crazy random MAC address (they promote it as "Private Wi-Fi Address") - makes sense in an enterprise, business, small business and even at home.

@Haaino wrote:

how can I configure any DHCP attributes in the BR200? Or would I be better off using a different DHCP service?

Unfortunately, Netgear left out plenty of features on the BR500/BR200 specs.

Message 4 of 9
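The distinction made in the reply above (a resolver that handles the DNSSEC extensions versus a relay that does not) is visible on the wire: a DNSSEC-aware client sets the EDNS0 DO bit in its query and expects the response to carry the AD (authenticated data) flag. The following is an added example, not code from the thread or from Netgear; both responses are constructed in-code to mimic a validating resolver and a plain forwarder, and no real network traffic is sent.

```python
# Added example: build a DNS query with the EDNS0 DO bit and inspect responses
# for the AD flag. Responses are constructed locally (validating vs. plain relay).
import struct

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def build_query(name, txid=0x1234, qtype=1):
    """Query with RD set plus an OPT pseudo-RR carrying DO=1 (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # DO bit sits in the TTL field
    return header + question + opt

def build_response(query, validating):
    """Constructed answer: a validating resolver echoes OPT/DO and sets AD; a plain relay strips both."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    flags = 0x8180 | (0x0020 if validating else 0)      # QR, RD, RA (+AD when validating)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # A 192.0.2.1 (doc range)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0) if validating else b""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if validating else 0)
    return header + question + answer + opt

def dnssec_status(resp):
    """Return (ad_flag, do_echoed) by walking header, question, answer and OPT records."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    do_echoed = False
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        do_echoed |= rtype == 41 and bool(ttl & 0x8000)
        off += 10 + rdlen
    return bool(flags & 0x0020), do_echoed
```

A client that sees AD unset and no DO echoed has learned that its upstream does not speak DNSSEC, which is the condition the iPhone warning describes; the same parser can be pointed at a captured response from a real resolver.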
Haaino
Guide

Re: br200 DHCP DNS server configuration

[Attachments: IMG_DEBFAA53D78F-1.jpeg, Screenshot 2022-01-19 at 14.55.37.png]

Thank you very much for helping me out! I appreciate this.

It's in Dutch. Roughly translated: one picture says "privacy warning". And the other explains that the DNS service (a.k.a. the Netgear router) is intercepting the DNS traffic and could potentially monitor it.

I understand your remark about external DNS services, and you are quite right about it! No denying it. In this particular case the .9 DNS service has a relatively good reputation and privacy restrictions.

My question still is: how can I configure the DHCP service on the BR200 router so that the clients get the .9 DNS service automatically assigned? If I wanted to host my own DNS service, then this question becomes even more relevant.

Message 5 of 9
schumaku
Guru

Re: br200 DHCP DNS server configuration

Hartelijk bedankt! Don't worry, Swiss German reader here - somewhat familiar with Dutch.

Figured it out - this DNS privacy warning comes up along with the "Private Wi-Fi" random MAC enabled. Apple managed to bring a little bit of their lost trust back: it appears they now understand that the Private Wi-Fi address, along with their privacy concerns, affects more "public" Wi-Fi.

On your home or business network, one would assume your legal and trusted users have nothing to hide. Disable this "Private Wi-Fi" ***** for your wireless network name(s) in your very own network.

If you operate multiple SSIDs on your wireless network(s) - you don't want to deal with random MAC addresses, e.g. in the DHCP MAC-IP reservation tables, and you might want to see what device is connected, instead of some un-named DEV-xx-yy-zz one appearing as a different device on each network. Don't you? Yes, it's an additional step after connecting to the SSID: set this "Private Wi-Fi" to off for your own networks!

The small privacy enhancement isn't (in my opinion) worth operating DNSSEC on a client (ok, small advantage); it was initially invented for trusted zone transfers and the like. Your ISP certainly operates their DNS nicely, blocking risk and malware sites, filtering illegal sites as per the Dutch legal requirements, and much more.

Message 6 of 9
Haaino
Guide

Re: br200 DHCP DNS server configuration

Interesting though!

Indeed I have multiple SSIDs and ditto VLANs. For my "production" network I have now switched off the "randomize MAC address" feature and I have reconnected to the SSID with the "complaint".

The complaint is still there, I noticed. But I can imagine it takes some time for this warning to disappear.

One thing I cannot explain at the moment, but this is not a Netgear issue I guess, is that when I connect to one of my other SSIDs the complaint is not there. The only difference between these 2 SSIDs is that my production SSID has WPA3 authentication and my IoT SSID has WPA2. For the rest the configuration is identical.

In my head this does not yet make sense 🙂 Any thoughts on this?

But still one question remains: how can I configure in the DHCP service the DNS server to be used? 🙂

Message 7 of 9
schumaku
Guru

Re: br200 DHCP DNS server configuration

@Haaino wrote:

One thing I cannot explain at the moment, but this is not a Netgear issue I guess, is that when I connect to one of my other SSIDs the complaint is not there. The only difference between these 2 SSIDs is that my production SSID has WPA3 authentication and my IoT SSID has WPA2.

Drop (forget) the network on your Apple mobile, and re-add it. Don't worry, your head is all fine!

@Haaino wrote:

But still one question remains: how can I configure in the DHCP service the DNS server to be used? 🙂

Again, one of these missing features on (as of writing) all Netgear routers. 8-(

Message 8 of 9
Haaino
Guide

Re: br200 DHCP DNS server configuration

Hi,

I re-joined my WiFi network and disabled the MAC randomiser.

Unfortunately this did not resolve the warning. After a while my iPhone started complaining about privacy again. Sigh.

If you have any other suggestions I could try??????

Message 9 of 9