SunriseMan
Aug 30, 2020Guide
How to get Orbi to pass through DNS information in DHCP?
I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the...
FURRYe38
Aug 31, 2020Guru - Experienced User
Orbi DHCP server isn't broke in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.
If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. Their routers allow for disabling of DNS proxy on their router. It's called DNS Relay for them. Something you could try and find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well.
SunriseMan wrote:
Mstrbig wrote:
The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.
That wasn't my question.
A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured.
I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH.
I'm not expecting the Orbi to support DoH. But its DHCP server should be able to correctly pass along the correct DNS servers rather than incorrectly giving its own address.
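To check what a lease actually hands out, as in the case described above where clients receive 192.168.1.1 instead of the configured resolver, this added example (not from the thread or from NETGEAR) parses the router (option 3) and DNS (option 6) fields of a DHCP reply. The packet bytes and the resolver address 192.0.2.53 are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])  # marks the start of DHCP options
BOOTP_FIXED_LEN = 236                            # fixed BOOTP header before the cookie
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_END = 0, 3, 6, 255

def parse_dhcp_options(packet: bytes) -> dict:
    if packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + data  # RFC 3396: join split options
        i += 2 + length
    return opts

def ip_list(raw: bytes) -> list:
    if len(raw) % 4:
        raise ValueError("address list not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def audit_lease(packet: bytes, expected_dns: list) -> dict:
    opts = parse_dhcp_options(packet)
    routers = ip_list(opts.get(OPT_ROUTER, b""))
    dns = ip_list(opts.get(OPT_DNS, b""))
    return {
        "routers": routers,
        "dns": dns,
        # True when every DNS server offered is just the gateway (DNS proxy)
        "dns_is_router_proxy": bool(dns) and set(dns) <= set(routers),
        "missing_expected_dns": [s for s in expected_dns if s not in dns],
    }

def sample_ack(dns_servers: list) -> bytes:
    """Constructed DHCPACK: zeroed BOOTP header, router 192.168.1.1."""
    dns = b"".join(ipaddress.IPv4Address(s).packed for s in dns_servers)
    opts = bytes([53, 1, 5]) + bytes([OPT_ROUTER, 4, 192, 168, 1, 1])
    opts += bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return bytes(BOOTP_FIXED_LEN) + MAGIC_COOKIE + opts
```

Calling `audit_lease(sample_ack(["192.168.1.1"]), ["192.0.2.53"])` reports the proxy case; a real reply payload captured from the LAN can be passed in place of `sample_ack(...)`.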
SunriseMan
Aug 31, 2020Guide
FURRYe38 wrote:
Orbi DHCP server isn't broke in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.
If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. Their routers allow for disabling of DNS proxy on their router. It's called DNS Relay for them. Something you could try and find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well.
Well, I agree that it's working as designed. But given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design. I believe that they've done this forever, but, just like their use of basic authentication for their management console login, it's an outdated decision that they should change.
As it happens, I switched to Orbi from a D-Link router over the weekend. I know D-Link works perfectly fine in this scenario. I was trying to get rid of it since it's old equipment. But just that incredibly insecure login authentication approach makes me seriously doubt my purchase. It suggests that their routers are still using code written decades ago and never updated.
- FURRYe38Aug 31, 2020Guru - Experienced User
Well, that's your opinion of course. NG seems to do what they want to and it's been hard to get them to make the changes, few that they are. Saw this design back in the early days as well. Why I liked D-Link for their flexibility in this area.
Ya, insecure has been contention as well. Users want it while on the other hand, is it really needed for LAN side router log in? I have yet to experience anyone trying to nefariously hack in to my router's web page from the LAN side. Though NG has attempted to make some adjustments here as well, their certificates aren't being handled right. I for one don't use HTTPS for router management pages. I'm the only one doing anything.
Possibly that Orbi isn't a good product for you. Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs. You might try ASUS or Ubiquiti. Their ERX router is crazy loaded with features. I haven't tried their wifi. I know that ASUS has their own MESH tech too.
For NG, users wanting more features and such, NG provides one forum to post about these in:
https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home
Again it's up to NG to look at these and make the choice.
Orbi is what is and you like it or don't.
- SunriseManAug 31, 2020Guide
FURRYe38 wrote:
Possibly that Orbi isn't a good product for you. Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs. You might try ASUS or Ubiquiti. Their ERX router is crazy loaded with features. I haven't tried their wifi. I know that ASUS has their own MESH tech too.
Thanks for the Ubiquiti suggestion. It looks like I could get a pretty affordable router, then run the Orbi in AP mode. Given that I already own the Orbi and can't return it (I got it used), that's likely the most economical solution. And it's certainly easier than what I was considering, which was to build some Raspberry Pi machine just to run a DHCP server.
I still hope Netgear modernizes their router OS and starts taking security seriously some day, but at least the Orbi's Wi-Fi seems to run very well, so just relieving it of its router functions might be the best suggestion.
- FURRYe38Aug 31, 2020Guru - Experienced User
Ya, they're inexpensive. I found one on fleabay for cheap.
Ya, will see what NG does. Even with the new Orbi AX, it has the same issue.
- MstrbigAug 31, 2020Master
SunriseMan wrote:Interesting bite from a top reputable, well-known manufacturer of secure network devices:
Why switch up to DoH just as DoT is finally gaining traction? By having rogue apps like Firefox circumvent the system’s DoT-based DNS and use its own DNS resolver over DoH instead, this makes for a highly opaque security situation. That DNS resolving would move into individual applications, as we see happening now, seems like a massive step backwards. Do you know which DNS resolver each application uses? If it mixes in with TCP port 443 traffic, how would you even know?
Two big parties behind DNS over HTTPS are Cloudflare and Mozilla, the latter of which has produced this cutesy little cartoon in which they try to explain DoH. Not unsurprisingly, in it they completely omit to mention DNSSEC (despite it being referenced as ‘crucial’ in RFC 8484), instead proposing something called Trusted Recursive Resolver (TRR), which seems to basically mean ‘use a trustworthy DNS resolver’, which for Mozilla means ‘Cloudflare’.
In summary, one can state that DoH honors its acronym by poorly doing what DoT already does. More focus should be on getting DNSSEC fully implemented everywhere along with DoT and QNAME minimization. And if true privacy by dodging tracking is your goal, then you should be looking at VPNs, especially if you’re a dissident trapped in some authoritarian regime.
Since you have stated multiple times "given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design", the best advice would be to return or sell your Orbi, as it may never do what you are asking, and purchase a wireless mesh system that supports exactly what you are looking for.
I for one would never want to own something I felt was inferior and was deliberately "breaking things". That would make me frustrated and be just stupid of me.