SunriseMan
Aug 30, 2020, Guide
How to get Orbi to pass through DNS information in DHCP?
I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the...
SunriseMan
Aug 30, 2020, Guide
Mstrbig wrote:The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc.. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.
That wasn't my question.
A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured.
I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH.
I'm not expecting the Orbi to support DoH. But its DHCP server should be able to correctly pass along the correct DNS servers rather than incorrectly giving its own address.
FURRYe38
Aug 31, 2020, Guru - Experienced User
Orbi DHCP server isn't broken in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.
If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. Their routers allow for disabling of DNS proxy on their router. It's called DNS Relay for them. Something you could try: find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well.
- SunriseMan, Aug 31, 2020, Guide
FURRYe38 wrote: Orbi DHCP server isn't broken in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.
If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. Their routers allow for disabling of DNS proxy on their router. It's called DNS Relay for them. Something you could try: find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well.
Well, I agree that it's working as designed. But given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design. I believe that they've done this forever, but, just like their use of basic authentication for their management console login, it's an outdated decision that they should change.
As it happens, I switched to Orbi from a D-Link router over the weekend. I know D-Link works perfectly fine in this scenario. I was trying to get rid of it since it's old equipment. But just that incredibly insecure login authentication approach makes me seriously doubt my purchase. It suggests that their routers are still using code written decades ago and never updated.
- FURRYe38, Aug 31, 2020, Guru - Experienced User
Well, that's your opinion of course. NG seems to do what they want to and it's been hard to get them to make the changes, few that they are. Saw this design back in the early days as well. Why I liked D-Link for their flexibility in this area.
Ya, insecure has been a contention as well. Users want it while on the other hand, is it really needed for LAN side router log in? I have yet to experience anyone trying to nefariously hack in to my router's web page from the LAN side. :smileytongue: Though NG has attempted to make some adjustments here as well, their certificates aren't being handled right. I for one don't use HTTPS for router management pages. I'm the only one doing anything.
Possibly Orbi isn't a good product for you. Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs. You might try ASUS or Ubiquiti. Their ERX router is crazy loaded with features. I haven't tried their wifi. I know that ASUS has their own MESH tech too.
For NG, users wanting more features and such, NG provides one forum to post about these in:
https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home
Again it's up to NG to look at these and make the choice.
Orbi is what is and you like it or don't. :smileywink:
- SunriseMan, Aug 31, 2020, Guide
FURRYe38 wrote: Possibly Orbi isn't a good product for you. Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs. You might try ASUS or Ubiquiti. Their ERX router is crazy loaded with features. I haven't tried their wifi. I know that ASUS has their own MESH tech too.
Thanks for the Ubiquiti suggestion. It looks like I could get a pretty affordable router, then run the Orbi in AP mode. Given that I already own the Orbi and can't return it (I got it used), that's likely the most economical solution. And it's certainly easier than what I was considering, which was to build some Raspberry Pi machine just to run a DHCP server.
I still hope Netgear modernizes their router OS and starts taking security seriously some day, but at least the Orbi's Wi-Fi seems to run very well, so just relieving it of its router functions might be the best suggestion.
- Mstrbig, Aug 31, 2020, Master
SunriseMan wrote: Interesting bite from a top reputable, well known manufacturer of secure network devices:
Why switch up to DoH just as DoT is finally gaining traction? By having rogue apps like Firefox circumvent the system’s DoT-based DNS and use its own DNS resolver over DoH instead, this makes for a highly opaque security situation. That DNS resolving would move into individual applications, as we see happening now, seems like a massive step backwards. Do you know which DNS resolver each application uses? If it mixes in with TCP port 443 traffic, how would you even know?
Two big parties behind DNS over HTTPS are Cloudflare and Mozilla, the latter of which has produced this cutesy little cartoon in which they try to explain DoH. Not unsurprisingly, in it they completely omit to mention DNSSEC (despite it being referenced as ‘crucial’ in RFC 8484), instead proposing something called Trusted Recursive Resolver (TRR), which seems to basically mean ‘use a trustworthy DNS resolver’, which for Mozilla means ‘Cloudflare’.
In summary, one can state that DoH honors its acronym by poorly doing what DoT already does. More focus should be on getting DNSSEC fully implemented everywhere along with DoT and QNAME minimization. And if true privacy by dodging tracking is your goal, then you should be looking at VPNs, especially if you’re a dissident trapped in some authoritarian regime.
Since you have stated multiple times "given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design", the best advice would be to return or sell your Orbi, as it may never do what you are asking, and purchase a wireless mesh system that supports exactly what you are looking for.
I for one would never want to own something I felt was inferior and was deliberately "breaking things". That would make me frustrated and be just stupid of me.
- OrbiPhilip, Jun 30, 2021, Luminary
FURRYe38 wrote:
Orbi DHCP server isn't broke in regards to handing out it's router IP address for all clients DNS. Thats just how NG designs there routers to work. NG seems to have had this design for a long time standing up to this point on there router products.
Broken by design, and broken by design for a long time, are still broken.
The DHCP spec calls for the IP addresses specified in DHCP to be passed to the client. Orbi does not do that, i.e. it is "broken".
FURRYe38 wrote:
Well, that's your opinion of course.
It is also the opinion of the IETF who drafted the DHCP spec, and the vast majority of professional network engineers.
FURRYe38 wrote:
Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs.
This statement is ridiculous.
DHCP was designed explicitly for ease of use. DNS is a core function of DHCP. Specifying a DNS address is part of DHCP.
In stark contrast, VPN, reserved IP addresses, channel frequency assignment, et al. are all features for advanced users. And they are present in Orbi.
DNS config in Orbi is fundamentally broken. Stop justifying bad design/code.
- FURRYe38, Jun 30, 2021, Guru - Experienced User
Router Mfrs don't have to follow that spec and from long standing design, NG doesn't. Been like this for years. Even my WNDR3700 back then wasn't able to turn OFF DNS Proxy.
Looks like PiHole is your alternative.
Good luck though.
- OrbiPhilip, Jun 30, 2021, Luminary
FURRYe38 wrote: Router Mfrs don't have to follow that spec and from long standing design, NG doesn't. Been like this for years.
Year after year, two things never change:
1) Netgear continues turning out garbage code.
2) FURRYe38 continues turning out garbage posts.
FURRYe38 wrote:
Even my WNDR3700 back then wasn't able to turn OFF DNS Proxy.
See #2 above. DNS proxy isn't even the topic of discussion.
- CrimpOn, Jun 30, 2021, Guru - Experienced User
OrbiPhilip wrote: It is also the opinion of the IETF who drafted the DHCP spec, and the vast majority of professional network engineers.
Would be helpful to see the section of the DHCP standard that discusses Option 6. I have looked at RFC 2131 and RFC 2132 without much success.
Personally, I am on the side of, "Let the user choose." It appears to me that Netgear follows the same practice as Windows: the user can choose to (a) accept the DNS servers offered through DHCP, or (b) define other DNS servers. Does not seem to be very complicated to add another choice: provide the gateway IP as the only DNS server or some specific IP's as DNS servers.
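One way to verify the symptom this thread is about (the Domain Name Server list in DHCP option 6 containing nothing but the gateway from option 3, RFC 2132 sections 3.5 and 3.8), as an added Python example that is not from the thread or from NETGEAR. The option fields it parses are constructed here; the pass-through case uses RFC 5737 test addresses as stand-in resolvers.

```python
"""Check which DNS servers (DHCP option 6) an OFFER/ACK hands out against the
router (option 3). The sample option fields below are constructed, not captured."""
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 section 2
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_END = 0, 3, 6, 255

def parse_options(options: bytes) -> dict:
    """Parse the RFC 2132 TLV options field, starting at the magic cookie."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:        # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:        # single-byte terminator
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = out.get(code, b"") + value  # repeated codes concatenate
        i += 2 + length
    return out

def addresses(raw: bytes) -> list:
    """Split an option value holding n IPv4 addresses into dotted strings."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]

def dns_servers(options: bytes) -> list:
    return addresses(parse_options(options).get(OPT_DNS, b""))

def dns_is_router_proxy(options: bytes) -> bool:
    """True when every offered DNS server is the gateway itself: the symptom in this thread."""
    opts = parse_options(options)
    dns = addresses(opts.get(OPT_DNS, b""))
    return bool(dns) and set(dns) <= set(addresses(opts.get(OPT_ROUTER, b"")))

def build_options(router: str, dns_list: list) -> bytes:
    """Build a minimal options field (constructed test helper, not a full DHCP packet)."""
    dns = b"".join(IPv4Address(d).packed for d in dns_list)
    return (MAGIC_COOKIE + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
            + bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END]))

PROXY_OFFER = build_options("192.168.1.1", ["192.168.1.1"])  # router offers only itself
PASSTHROUGH_OFFER = build_options("192.168.1.1", ["203.0.113.53", "198.51.100.53"])  # RFC 5737 test addresses
```

To check a real lease, feed the options field of a captured DHCP OFFER or ACK (everything from the magic cookie onward) to dns_servers() and dns_is_router_proxy().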