Forum Discussion
SunriseMan
Aug 30, 2020 (Guide)
How to get Orbi to pass through DNS information in DHCP?
I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the...
Mstrbig
Aug 31, 2020 (Master)
SunriseMan wrote: I don't understand what you mean. All home routers, including the Orbi, can do the necessary NAT to let computers access the ISP's DNS servers directly. Look at the attached screenshot -- that's me accessing my ISP's DNS going through my Orbi. (10.10.10.1 is the address of my Orbi, which is why it's my default DNS server.)
I've also used routers that don't do DNS proxying, gone through periods where I had a separate server running DHCP that passed my ISP's DNS servers, and have had computers with static addresses that used the ISP's DNS servers. I assure you that all of these scenarios work, and have worked since I got my first home router decades ago.
Unfortunately, you are mixing up the scenario and are confused with regard to DoH and DNS proxying. You accessing your ISP's DNS is elementary, as many users can and have been using their provider's or third-party DNS servers for a very long time. However, if the DNS servers used don't support DoH, there will be no DoH.
With regard to the whole DoH implementation on the Orbi or any other router, the manufacturer would have to update their firmware, as that is where the OS resides running the Orbi or any other router's program. This is why third-party companies like Cisco offer DoH for those who need it. Software-based, like in Microsoft's new OS, will allow users to set it up on each of their PCs, if needed. However, for a full network, you would need a dedicated server, switch, or ISP that supports DoH.
And back to the argument of protection, once DoH is implemented, users may have to up their game of virus, malware, etc. protection as a trade off.
SunriseMan
Aug 31, 2020 (Guide)
Mstrbig wrote: Unfortunately, you are mixing up the scenario and are confused with regard to DoH and DNS proxying. You accessing your ISP's DNS is elementary, as many users can and have been using their provider's or third-party DNS servers for a very long time. However, if the DNS servers used don't support DoH, there will be no DoH.
With regard to the whole DoH implementation on the Orbi or any other router, the manufacturer would have to update their firmware, as that is where the OS resides running the Orbi or any other router's program. This is why third-party companies like Cisco offer DoH for those who need it. Software-based, like in Microsoft's new OS, will allow users to set it up on each of their PCs, if needed. However, for a full network, you would need a dedicated server, switch, or ISP that supports DoH.
And back to the argument of protection, once DoH is implemented, users may have to up their game of virus, malware, etc. protection as a trade off.
I'm not confused at all. I've been writing networking code for over 30 years, and understand perfectly well how these systems work. I'm just not understanding the points that you're making. You said that the minor change of having the router not proxy DNS would require reprogramming every ISP's DNS. I was pointing out that that is most definitely not the case. There are already routers that don't proxy DNS.
Obviously, DNS servers have to support DoH in order for DoH to work. But the implementation Microsoft decided on simply tests whether there's a DoH server at the standard port and address accessible at the same address as the regular DNS server, and if so automatically switches to using DoH. Again, that doesn't require reprogramming ISP's servers -- if it doesn't work, Windows will revert to standard DNS.
But suppose that someone wants to use a DoH service, whether that's from the ISP or (more likely) from a third party that provides additional security features. If it weren't for DNS proxying, a person could simply set up their third-party DoH-supporting DNS server address on their router and all attached computers (with the upcoming Windows release) would automatically use it. As it is, they have to set up every computer individually just to bypass the proxy.
I also don't understand why you keep talking about this like it's a trade-off between DoH and having security features. All of the major providers of filtering and security DNS services provide DoH as well (OpenDNS, Quad9, etc.). Presumably people like me who use such a service and also want DoH will keep the same service and just switch protocols.
You said "However for full network, you would need a dedicated server, switch, or ISP that supports DoH." Why do you say that? It's not as if the Orbi is caching anything. (Try setting norecurse in nslookup and you can verify that.) Having each computer in a SOHO network going directly against, say, Quad9's DoH or DNS servers does not result in any more Internet traffic than proxying it through the Orbi. It would work exactly the same, just faster (albeit without the rather questionable feature of resolving the pseudodomain for the Orbi management page).
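The "set norecurse" check mentioned in the post above, written out as a small script. This is an added example, not code from either poster or from NETGEAR: it builds a raw DNS A query with the Recursion Desired bit cleared, sends it to a resolver over UDP port 53, and reports whether the resolver returned an answer on its own (which is what a caching server does for a name it has already looked up). The server address 10.10.10.1 is the Orbi address quoted earlier in the thread and is only a placeholder; the name and the response bytes used for the offline test are constructed.

```python
"""Non-recursive DNS probe: does a resolver (e.g. a router's DNS proxy) hand
out answers from its own cache?  Added example, not from the thread.
Assumed: a DNS server reachable over UDP/53; addresses are placeholders."""
import socket
import struct

FLAG_RD = 0x0100     # Recursion Desired bit in the DNS header flags
FLAG_QR = 0x8000     # Query/Response bit
RCODE_MASK = 0x000F


def build_query(name: str, txid: int = 0x1234, recursive: bool = False) -> bytes:
    """Build a wire-format A/IN query.  recursive=False clears RD, which is
    what 'set norecurse' does in nslookup: a caching server can still answer
    from cache, while a server with nothing cached has no answer to give."""
    flags = FLAG_RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                   # root label terminator
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name and return new offset."""
    while True:
        length = data[pos]
        if length == 0:                    # end of an uncompressed name
            return pos + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: 2 bytes, ends name
            return pos + 2
        pos += 1 + length


def parse_response(data: bytes) -> dict:
    """Parse the header and any A records in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):                    # skip the echoed question(s)
        pos = _skip_name(data, pos) + 4    # + QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:      # A record, IPv4 address
            addresses.append(".".join(str(b) for b in rdata))
    return {
        "txid": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & RCODE_MASK,
        "answer_count": an,
        "addresses": addresses,
    }


def probe_cache(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send a non-recursive query and report whether the server answered it
    itself.  Only meaningful after the name was resolved once through the
    same server, so that a caching resolver would actually hold it."""
    query = build_query(name, recursive=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    result = parse_response(data)
    result["answered_without_recursion"] = (
        result["answer_count"] > 0 and result["rcode"] == 0
    )
    return result


if __name__ == "__main__":
    # Placeholder router address from the thread; substitute your own.
    print(probe_cache("10.10.10.1", "example.com"))
```

Resolve the name once normally, then run the probe: an answer with RD cleared means the server served it from its own cache, an empty answer section or a referral means it did not. One caveat when reading the result: a forwarder that ignores the RD bit and relays the query upstream anyway will also return an answer, so a positive result shows the server answered, not necessarily that it cached.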