
Re: Router should not be DNS Server

MatM
Guide

Router should not be DNS Server

If I check `ipconfig /all` on my PC I see that 192.168.1.1 is used as DNS Server.

So I set up my Router to not get the DNS Server automatically and entered the DNS Servers I want to use.

But if I now check my PC it's the same. My PC and all other devices always use 192.168.1.1 and only this.

On my old Router the new DNS Server was given to the devices. Is there an option that the Netgear router does the same?
Message 1 of 26
fordem
Mentor

Re: Router should not be DNS Server

The router does not act as a DNS server, it acts as a DNS forwarder or proxy - it will forward the DNS requests to the DNS server of your choice.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 2 of 26
MatM
Guide

Re: Router should not be DNS Server

Thank you for your answer.

I know that my Router forwards it - but the DNS Server on my PC is my Router. On my old Router my DNS was given to all devices. So if I looked at the DNS Server used by my PC it was NOT my Router - now it is my Router.

Is it changeable? I want to see that the DNS Server of my PC is NOT 192.168.1.1.
Message 3 of 26

Re: Router should not be DNS Server

What fordem says is true, but if it makes you feel better, set static DNS in the adapter's properties and these will override and show as DNS when you perform IPCONFIG from a command prompt.
~Comcast 1 Gbps/50 Mbps SB8200 > R8000P
~R8000P FW:1.4.1.68 ~R7000 FW:1.0.9.42
~R6400 FW:1.0.1.52 ~Orbi-AC3000 FW:2.5.1.8
~EX3700 FW:1.0.0.84

Message 4 of 26
fordem
Mentor

Re: Router should not be DNS Server

MatM,

Does it make a difference? The DNS server of your choice will be the one to resolve the query.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 5 of 26
MatM
Guide

Re: Router should not be DNS Server

I'm not sure - but I test my DNS Servers with this tool:

https://www.grc.com/dns/benchmark.htm

after the test it says:
---------------------------------------------------------------------------------
System has only ONE (router based) nameserver configured.
It appears that only one local (router gateway) DNS nameserver, with the IP address of [192.168.1.1], is currently providing all DNS name resolution services to this system. This configuration is not recommended because most consumer-grade routers provide inefficient and under-powered DNS resolution services.

Unless the DNS resolvers your router is using is under your control, it may not be providing the best or complete name resolution services. For example, is it using multiple redundant DNS nameservers?

Users of GRC's DNS Spoofability system have determined that consumer-grade routers can be crashed by the receipt of specific DNS reply packets from the Internet. This opens the possibility that Internet-based criminals could acquire access to your router from the Internet as well as to the private network it controls.

Many consumer-grade routers fail to provide the full range of DNS lookup services. This may have been detected by the benchmark and noted below.

Recommended Actions:

Unless you have some specific reason not to, you should give serious thought to disabling your router's provisioning of DNS services (which it is providing for all computers on your local network). After this is done, a fresh reboot of your computers will likely reveal the multiple DNS nameservers provided by your ISP. This is a superior configuration, without an under-powered router acting as an incompetent middleman and impeding all DNS access.

Note that if you can determine the IP addresses of your ISP-provided nameservers (which may be visible in your router's web configuration) you could manually add them to the nameservers being tested by this benchmark, while also leaving your router providing DNS. This would allow you to compare the performance when running through your router versus "going direct".
-------------------------------------------------------------------------------------------------

On my old Router the DNS was given to all clients: if I then looked with `ipconfig /all` I saw 2 DNS Servers and neither was the Router.

So I thought I could have this back without configuring every single client.
Message 6 of 26
LeeH
Prodigy

Re: Router should not be DNS Server

I just ran DNS Benchmark again and found a new set of slightly faster DNS servers and changed the R7000 configuration to use them. I reran DNS Benchmark and found the R7000 resolving identically to the new servers. My R7000 seems to be proxying plenty fast for me.
Maybe you don't need to worry about using the R7000 for DNS if you are concerned about slow response.
Message 7 of 26
MatM
Guide

Re: Router should not be DNS Server

No, speed is not my Problem.

My "Problem" is:

"Users of GRC's DNS Spoofability system have determined that consumer-grade routers can be crashed by the receipt of specific DNS reply packets from the Internet. This opens the possibility that Internet-based criminals could acquire access to your router from the Internet as well as to the private network it controls."

And as I said before my old router gave the DNS Server to all clients - this Problem (if it is one) was not there.
Message 8 of 26
LeeH
Prodigy

Re: Router should not be DNS Server

I wonder if DD-WRT can be configured to pass the external DNS IP addresses? RogerSC would probably be the best person to ask.
If not DD-WRT then you would need to run your own DHCP server configured like you desire. Maybe Solaris or FreeBSD.
Message 9 of 26
JAMESMTL
Novice

Re: Router should not be DNS Server

Yes, by passing DHCP option 6, for example:

dhcp-option=br0,6,8.8.8.8,8.8.4.4

That being said you will get better performance by having dnsmasq act as a caching dns server.

Namebench gives me 17.60 ms avg, 0.6 ms min, 155.7 max using google and he.net servers since my ISP is not fully ipv6

vs 30.02, 3.6, 246.9 which would be the fastest server near me (which I don't use)
Message 10 of 26
JAMESMTL
Novice

Re: Router should not be DNS Server

*** edit: when I said dnsmasq acts as a caching dns server I probably should have said caching dns forwarder. That being said, if you're truly paranoid you can run the full version of dnsmasq with DNSSEC validation. The full version is available as an opkg package.
Message 11 of 26
MatM
Guide

Re: Router should not be DNS Server

You can do :)
I'm not able to do those things :(

I wonder because my old Router gave the DNS to all clients, and I would like to have the same on Netgear :)
Message 12 of 26
fordem
Mentor

Re: Router should not be DNS Server

Personally I don't see it as a security issue, but, if it'll make you more comfortable you can manually set the DNS servers on each computer.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 13 of 26
Temporel
Novice

Re: Router should not be DNS Server

LeeH wrote:
I wonder if DD-WRT can be configured to pass the external DNS IP addresses? RogerSC would probably be the best person to ask.
If not DD-WRT then you would need to run your own DHCP server configured like you desire. Maybe Solaris or FreeBSD.


the best place to get support for DD-WRT is here: http://www.dd-wrt.com/phpBB2/viewforum.php?f=1

This thread is nonsense anyway. You can force your DNS server addresses wherever you want (which is useless unless your ISP has terrible DNS servers).

And who cares if your hardware DNS routes to your Netgear first? You think 2 or 3 ms will make a difference?
Message 14 of 26
Temporel
Novice

Re: Router should not be DNS Server

MatM wrote:
No, speed is not my Problem.

My "Problem" is:

"Users of GRC's DNS Spoofability system have determined that consumer-grade routers can be crashed by the receipt of specific DNS reply packets from the Internet. This opens the possibility that Internet-based criminals could acquire access to your router from the Internet as well as to the private network it controls."

And as I said before my old router gave the DNS Server to all clients - this Problem (if it is one) was not there.


And btw, the last place to look for security information is grc.com. That guy is a joke.
Message 15 of 26
MatM
Guide

Re: Router should not be DNS Server

Ah ok - so this is not a Problem? I didn't know that - and if I want to have speed on the DNS Server I would take namebench :)
Message 16 of 26
MatM
Guide

Re: Router should not be DNS Server

After reading on the net.

It seems to be a Problem since 2009:

http://forum1.netgear.com/showthread.php?t=46246

and in older models you could disable proxy Settings :(

http://documentation.netgear.com/fvs336g/enu/202-10257-01/FVS336G_RM-05-03.html

Should I open a Ticket that this option should be in? It was in and they have taken it out - but I don't know why :(
Message 17 of 26
nisaaru
Aspirant

Re: Router should not be DNS Server

fordem wrote:
The router does not act as a DNS server, it acts as a DNS forwarder or proxy - it will forward the DNS requests to the DNS server of your choice.


Something I don't really get. Why shouldn't it act as a DNS Server? I would expect it to at least cache DNS entries for a time to make most DNS queries local traffic. What's the sense in offering one if all it does is proxy all queries to the one on the WAN?
Message 18 of 26
LeeH
Prodigy

Re: Router should not be DNS Server

I like having the router as a DNS forwarder because it allows me to resolve my local host names. I have used my printer host names in my driver configurations instead of the IP addresses.
Message 19 of 26
fordem
Mentor

Re: Router should not be DNS Server

LeeH,

A DNS forwarder will not allow you to resolve local host names - all it will do is forward the DNS request to the ISPs name server (or which ever name server is configured).

You are resolving the printer names through a different mechanism - if you're in a pure Windows network this will probably be done using the SMB "master browser"

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 20 of 26
LeeH
Prodigy

Re: Router should not be DNS Server

You are correct.
Message 21 of 26
Temporel
Novice

Re: Router should not be DNS Server

MatM,

you convinced me to try other DNS servers. I was always happy with the ones my ISPs provided but I'm willing to switch.

Any recommendation besides OpenDNS or Google DNS?

On another related subject: I run BIND (split DNS) on a Linux server ( http://www.firewall.cx/linux-knowledgebase-tutorials/system-and-network-services/829-linux-bind-intr... ) and it works very well (for that server, it's the only hardware using it).
Does anyone know if I can have a split DNS using the dnsmasq of the DD-WRT firmware?
Message 22 of 26
JAMESMTL
Novice

Re: Router should not be DNS Server

You can most likely realize your split DNS needs depending on what you are trying to accomplish.

You can have specific interfaces or MAC addresses served different DNS servers via the DHCP response. Ex: MAC FF:FF:FF:FF:FF:FF or devices on the guest network use Google DNS while others use dnsmasq. Or you can define specific host names within dnsmasq so that DNS queries for www.yourdomain.com get a response of 192.168.1.100 while queries for undefined hosts are looked up by dnsmasq using OpenDNS.

Dnsmasq is fairly versatile. I would suggest reading the manpage http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

If you're not sure if it can do what you want, just give us a specific example and either myself or another DD-WRT user can test it out for you.
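Putting JAMESMTL's two suggestions (DHCP option 6 in message 10, per-tag resolvers and split DNS in message 23) into one dnsmasq configuration, as an added example that is not from this thread or from the DD-WRT project. The interface names, address ranges, the MAC address and www.yourdomain.com are placeholders; the OpenDNS addresses and the root trust anchor are public values assumed to be current.

```conf
# dnsmasq on the router's LAN bridge (br0) and a guest bridge (br1) -- constructed example
interface=br0
interface=br1
bind-interfaces

# Upstream resolvers: ignore whatever the ISP pushed into /etc/resolv.conf
# and forward only to OpenDNS (public addresses, assumed unchanged).
no-resolv
server=208.67.222.222
server=208.67.220.220
cache-size=1000

# Forwarder hygiene: never send unqualified names or private reverse
# lookups upstream, and drop upstream answers that point into private
# address space (DNS rebinding defence).
domain-needed
bogus-priv
stop-dns-rebind

# DNSSEC validation (needs the full dnsmasq build mentioned in message 11).
# Compare the root trust anchor with IANA's published value before relying on it.
dnssec
dnssec-check-unsigned
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# Split DNS: answer this one name locally, everything else goes upstream.
# Hostnames learned from DHCP leases are served under .lan as well.
address=/www.yourdomain.com/192.168.1.100
domain=lan
local=/lan/
expand-hosts

# DHCP pools: leases from the guest subnet (br1) get the tag "guest".
# Without an option-6 line, clients are told to use dnsmasq itself as resolver.
dhcp-range=192.168.1.10,192.168.1.99,12h
dhcp-range=set:guest,192.168.2.10,192.168.2.99,1h

# Option 6 variants from the thread:
#  - hand Google DNS straight to every client (the original poster's goal),
#    bypassing the router's forwarder entirely:
#dhcp-option=6,8.8.8.8,8.8.4.4
#  - or only for the guest network and one tagged device (placeholder MAC),
#    while everyone else keeps using the validating, caching forwarder:
dhcp-host=FF:FF:FF:FF:FF:FF,set:guest
dhcp-option=tag:guest,6,8.8.8.8,8.8.4.4
```

With the commented line enabled, clients no longer see 192.168.1.1 in `ipconfig /all`, but they also lose the DNSSEC validation and rebind protection that only the forwarder applies.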
Message 23 of 26
MatM
Guide

Re: Router should not be DNS Server

Temporel,

I only use Google DNS or OpenDNS. At the moment I use OpenDNS for my Xbox One only because the DNS Servers of OpenDNS are in my country. Google has no DNS Server in my country. And because Xbox delivers much content over Akamai Servers and Akamai Servers choose their Servers from the Region your DNS Server is in - it's better to use a DNS Server from your country.

I found this on the net :)

"Some other major CDNs don't have this problem because instead of considering the resolver IP address, they actually pay attention to the actual client network, in order to pick the closest/fastest server.

OpenDNS and Google DNS have been supporting the edns-client-subnet extension for a long time. This mechanism was designed by Google specifically to address this problem. And it works beautifully. CDNs can send a redirection to the best server no matter what resolver you use.

Unfortunately, Akamai still don't support this mechanism."

At the moment I know many people who are happy with:

http://www.opennicproject.org/

But I have to read more about it before I test them - as I understood it there are private people who run those Servers - so the question is - can this be secure? I'm not sure and some of the Servers are offline....
Message 24 of 26
MatM
Guide

Re: Router should not be DNS Server

What I forgot about OpenNIC:

http://blog.lowsnr.net/2014/08/08/dns-privacy-using-opennic-and-dnscrypt/

but like I said - I have to read more about it - so at the Moment I don't use it because I don't understand how it works :(
Message 25 of 26