SunriseMan (Guide), Aug 30, 2020
How to get Orbi to pass through DNS information in DHCP?
I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the...
CrimpOn (Guru - Experienced User), Aug 30, 2020
SunriseMan wrote:
That's only true because people have to set up the DoH manually rather than having it be supported by the underlying OS. With the implementation in the Preview version of Windows, it still uses the DNS server provided by DHCP, it just tests that server to see if DoH will work. So the security or content controls of the DNS provider will still apply.
This applies to the concerns CrimpOn mentioned as well. However, I don't understand why DoH adoption would have an impact on the need for router firmware updates. It'll probably increase the urgency for one update to provide an option to avoid DHCP proxying, but I don't see any reason there would be less need for updates after that.
Having just become aware of this development today, it seems to me that this is going to be a long, complicated rollout. There must be hundreds of different consumer router models installed. Even a "simple" router update to avoid DNS proxying has to be developed, tested, and rolled out by manufacturers who have shown little interest in updating firmware. (Verizon sold the Orbi to customers and has never issued a firmware update.) Suppose the default changes from "DNS Proxy" to "include the DNS server we got from the ISP in our DHCP response." That means every ISP DNS proxy has to be reprogrammed.
This is sort of "Deja Vu" for me. When was IPv6 announced as the "solution to IPv4 running out of numbers"? And here we are in the middle of 2020. DoH is going on my list of "things to watch out for."
SunriseMan (Guide), Aug 31, 2020
CrimpOn wrote:
Suppose the default changes from "DNS Proxy" to "include the DNS server we got from the ISP in our DHCP response." That means every ISP DNS proxy has to be reprogrammed.
I don't understand what you mean. All home routers, including the Orbi, can do the necessary NAT to let computers access the ISP's DNS servers directly. Look at the attached screenshot -- that's me accessing my ISP's DNS going through my Orbi. (10.10.10.1 is the address of my Orbi, which is why it's my default DNS server.)
I've also used routers that don't do DNS proxying, gone through periods where I had a separate server running DHCP that passed my ISP's DNS servers, and have had computers with static addresses that used the ISP's DNS servers. I assure you that all of these scenarios work, and have worked since I got my first home router decades ago.
- Mstrbig (Master), Aug 31, 2020
SunriseMan wrote:
I don't understand what you mean. All home routers, including the Orbi, can do the necessary NAT to let computers access the ISP's DNS servers directly. Look at the attached screenshot -- that's me accessing my ISP's DNS going through my Orbi. (10.10.10.1 is the address of my Orbi, which is why it's my default DNS server.)
I've also used routers that don't do DNS proxying, gone through periods where I had a separate server running DHCP that passed my ISP's DNS servers, and have had computers with static addresses that used the ISP's DNS servers. I assure you that all of these scenarios work, and have worked since I got my first home router decades ago.
Unfortunately, you are mixing up the scenario and are confused with regard to DoH and DNS proxying. You accessing your ISP's DNS is elementary, as many users can and have been using their provider's or third party DNS servers for a very long time. However, if the DNS servers used don't support DoH, there will be no DoH.
With regard to the whole DoH implementation on the Orbi or any other router, the manufacturer would have to update their firmware as that is where the OS resides running the Orbi or any other router's program. This is why third party companies like Cisco offer DoH for those who need it. Software based, like in Microsoft's new OS, will allow users to set it up on each of their PCs, if needed. However, for a full network, you would need a dedicated server, switch, or ISP that supports DoH.
And back to the argument of protection, once DoH is implemented, users may have to up their game of virus, malware, etc. protection as a trade off.
- SunriseMan (Guide), Aug 31, 2020
Mstrbig wrote:
Unfortunately, you are mixing up the scenario and are confused with regard to DoH and DNS proxying. You accessing your ISP's DNS is elementary, as many users can and have been using their provider's or third party DNS servers for a very long time. However, if the DNS servers used don't support DoH, there will be no DoH.
With regard to the whole DoH implementation on the Orbi or any other router, the manufacturer would have to update their firmware as that is where the OS resides running the Orbi or any other router's program. This is why third party companies like Cisco offer DoH for those who need it. Software based, like in Microsoft's new OS, will allow users to set it up on each of their PCs, if needed. However, for a full network, you would need a dedicated server, switch, or ISP that supports DoH.
And back to the argument of protection, once DoH is implemented, users may have to up their game of virus, malware, etc. protection as a trade off.
I'm not confused at all. I've been writing networking code for over 30 years, and understand perfectly well how these systems work. I'm just not understanding the points that you're making. You said that the minor change of having the router not proxy DNS would require reprogramming every ISP's DNS. I was pointing out that that is most definitely not the case. There are already routers that don't proxy DNS.
Obviously, DNS servers have to support DoH in order for DoH to work. But the implementation Microsoft decided on simply tests whether there's a DoH server at the standard port and address accessible at the same address as the regular DNS server, and if so automatically switches to using DoH. Again, that doesn't require reprogramming ISP's servers -- if it doesn't work, Windows will revert to standard DNS.
But suppose that someone wants to use a DoH service, whether that's from the ISP or (more likely) from a third party that provides additional security features. If it weren't for DNS proxying, a person could simply set up their third party DoH-supporting DNS server address on their router and all attached computers (with the upcoming Windows release) would automatically use it. As it is, they have to set up every computer individually just to bypass the proxy.
I also don't understand why you keep talking about this like it's a trade-off between DoH and having security features. All of the major providers of filtering and security DNS services provide DoH as well (OpenDNS, Quad9, etc.). Presumably people like me who use such a service and also want DoH will keep the same service and just switch protocols.
You said "However for full network, you would need a dedicated server, switch, or ISP that supports DoH." Why do you say that? It's not as if the Orbi is caching anything. (Try setting norecurse in nslookup and you can verify that.) Having each computer in a SOHO network going directly against, say, Quad9's DoH or DNS servers does not result in any more Internet traffic than proxying it through the Orbi. It would work exactly the same, just faster (and albeit without the rather questionable feature of resolving the pseudodomain for the Orbi management page).
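Added example, not part of the original thread and not NETGEAR or Microsoft code: a small Python script that builds a DNS query in wire format with recursion desired on or off (the equivalent of nslookup's "set norecurse"), forms the RFC 8484 DoH GET URL for that same query, decodes a reply's flags and A answers, and flags the case where DHCP pointed clients at the router's own LAN address (the 10.10.10.1 proxy situation from this thread). The DoH host name dns.example, the sample reply bytes and the 203.0.113.10 answer are constructed for the demo; udp_lookup is the only part that touches the network.

```python
"""Wire-format DNS helpers: build a query, decode a reply, produce the
RFC 8484 DoH GET form, and spot a router-proxied DHCP resolver."""
import base64
import socket
import struct

DOH_PATH = "/dns-query"   # well-known path from RFC 8484
QTYPE_A = 1


def build_query(name: str, qtype: int = QTYPE_A, rd: bool = True, txid: int = 0) -> bytes:
    """One-question query. rd=False mimics nslookup's 'set norecurse'.
    txid=0 is what RFC 8484 suggests for DoH GET so HTTP caches can match."""
    flags = 0x0100 if rd else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(server: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{server}{DOH_PATH}?dns={b64}"


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data: bytes) -> dict:
    """Header flags plus any A answers from a DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": answers}


def is_router_proxy(dhcp_dns: str, router_lan_ip: str) -> bool:
    """True when DHCP handed clients the router itself as resolver, i.e. the
    router proxies DNS instead of passing through the upstream server."""
    return dhcp_dns == router_lan_ip


def udp_lookup(server: str, query: bytes, timeout: float = 2.0) -> dict:
    """Live check: send the query over UDP/53 and decode whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


# Constructed sample reply (not captured from any resolver): id 0x1234,
# QR+RD+RA set, one A answer for example.com with TTL 300 -> 203.0.113.10.
SAMPLE_RESPONSE = (
    bytes.fromhex("123481800001000100000000")
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04" + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("dns.example", q))        # dns.example is a placeholder host
    print(parse_response(SAMPLE_RESPONSE))
    print("router is proxying:", is_router_proxy("10.10.10.1", "10.10.10.1"))
```

To reproduce the norecurse check from the post against a live resolver, call udp_lookup(server, build_query("example.com", rd=False)) and look at the ra flag and answer list in the returned dict; the doh_get_url output for www.example.com matches the worked example in RFC 8484 section 4.1.1 because the transaction id is zero.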