
Re: How to get Orbi to pass through DNS information in DHCP?

SunriseMan
Guide

How to get Orbi to pass through DNS information in DHCP?

I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the gateway address as the DHCP address.

 

I guess this works, if inefficiently, in many cases. But it's a real problem now that Microsoft is adding DNS over HTTPS capabilities to Windows. (It's already in the Insider previews, they'll be rolling it out in release versions in an update.) It automatically detects whether DNS servers can do DNS over HTTPS, which of course the router does not.

 

Is there a way to make the Orbi tell DHCP devices to use the DNS servers specified in the configuration? If not, it will become a major hindrance to security as DoH gets widely rolled out.

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 24
FURRYe38
Guru

Re: How to get Orbi to pass through DNS information in DHCP?

Most NG routers don't allow for DNS proxy bypass. So you can set DNS on the router for any kind of DNS you want to use; however, all clients will only get the router's IP address for their DNS entries.

Message 2 of 24
Mstrbig
Master

Re: How to get Orbi to pass through DNS information in DHCP?


@SunriseMan wrote:

I have an Orbi RBR50 running Firmware Version V2.5.1.16. I'm using its DHCP feature. The problem is that no matter what settings I try in the configuration, it always hands out client leases with the gateway address as the DHCP address.

 

I guess this works, if inefficiently, in many cases. But it's a real problem now that Microsoft is adding DNS over HTTPS capabilities to Windows. (It's already in the Insider previews, they'll be rolling it out in release versions in an update.) It automatically detects whether DNS servers can do DNS over HTTPS, which of course the router does not.

 

Is there a way to make the Orbi tell DHCP devices to use the DNS servers specified in the configuration? If not, it will become a major hindrance to security as DoH gets widely rolled out.


The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.

Message 3 of 24
SunriseMan
Guide

Re: How to get Orbi to pass through DNS information in DHCP?


@Mstrbig wrote:


The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.


That wasn't my question.

 

A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured.

 

I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH.

 

I'm not expecting the Orbi to support DoH. But its DHCP server should be able to correctly pass along the correct DNS servers rather than incorrectly giving its own address.

Message 4 of 24
Mstrbig
Master

Re: How to get Orbi to pass through DNS information in DHCP?


@SunriseMan wrote:


That wasn't my question.

 

A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured.

 

I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH.

 

 


No, I understood what you were saying. Most all home user routers are, as you stated, broken.

And I am currently on Windows 10 Preview Build 20201. 

There's still a lot of debate over whether DoH is good or not, and I'm sure a lot will change before it is available in public versions of Windows 10. 

Most people rely on DNS to block malware, enable parental controls, or filter the browser’s access to websites. When DoH is enabled, it bypasses the local DNS resolver and defeats these special policies.

 

Message 5 of 24
CrimpOn
Guru

Re: How to get Orbi to pass through DNS information in DHCP?

Thanks for introducing this topic to the forum.  I found the Wikipedia article interesting:

https://en.wikipedia.org/wiki/DNS_over_HTTPS 

 

Given that probably zero consumer routers currently support DoH, there may be mass confusion if Apple and Microsoft make DoH the default rather than an option for advanced users (who presumably know what they are getting into).  The fact that it probably kills any sort of parental controls or content filtering will be a massive shock.

 

With the major browsers already supporting DoH, perhaps that will lessen the urgency for router firmware updates?

Message 6 of 24
SunriseMan
Guide

Re: How to get Orbi to pass through DNS information in DHCP?


@Mstrbig wrote:

Most people rely on DNS to block malware, enable parental controls, or filter the browser’s access to websites. When DoH is enabled, it bypasses the local DNS resolver and defeats these special policies.

 


That's only true because people have to set up the DoH manually rather than having it be supported by the underlying OS. With the implementation in the Preview version of Windows, it still uses the DNS server provided by DHCP, it just tests that server to see if DoH will work. So the security or content controls of the DNS provider will still apply.

 

This applies to the concerns @CrimpOn mentioned as well. However, I don't understand why DoH adoption would have an impact on the need for router firmware updates. It'll probably increase the urgency for one update to provide an option to avoid DHCP proxying, but I don't see any reason there would be less need for updates after that.

 

Message 7 of 24
CrimpOn
Guru

Re: How to get Orbi to pass through DNS information in DHCP?


@SunriseMan wrote:


That's only true because people have to set up the DoH manually rather than having it be supported by the underlying OS. With the implementation in the Preview version of Windows, it still uses the DNS server provided by DHCP, it just tests that server to see if DoH will work. So the security or content controls of the DNS provider will still apply.

 

This applies to the concerns @CrimpOn mentioned as well. However, I don't understand why DoH adoption would have an impact on the need for router firmware updates. It'll probably increase the urgency for one update to provide an option to avoid DHCP proxying, but I don't see any reason there would be less need for updates after that.


Having just become aware of this development today, it seems to me that this is going to be a long, complicated rollout. There must be 100's of different consumer router models installed. Even a "simple" router update to avoid DNS proxying has to be developed, tested, and rolled out by manufacturers who have shown little interest in updating firmware. (Verizon sold the Orbi to customers and has never issued a firmware update.) Suppose the default changes from "DNS Proxy" to "include the DNS server we got from the ISP in our DHCP response." That means every ISP DNS proxy has to be reprogrammed.

 

This is sort of "Deja Vu" for me.  When was IPv6 announced as the "solution to IPv4 running out of numbers"?  And here we are in the middle of 2020.  DoH is going on my list of "things to watch out for."

Message 8 of 24
SunriseMan
Guide

Re: How to get Orbi to pass through DNS information in DHCP?


@CrimpOn wrote:

 


Suppose the default changes from "DNS Proxy" to "include the DNS server we got from the ISP in our DHCP response."  That means every ISP DNS proxy has to be reprogrammed.

I don't understand what you mean. All home routers, including the Orbi, can do the necessary NAT to let computers access the ISP's DNS servers directly. Look at the attached screenshot -- that's me accessing my ISP's DNS going through my Orbi. (10.10.10.1 is the address of my Orbi, which is why it's my default DNS server.)

 

I've also used routers that don't do DNS proxying, gone through periods where I had a separate server running DHCP that passed my ISP's DNS servers, and have had computers with static addresses that used the ISP's DNS servers. I assure you that all of these scenarios work, and have worked since I got my first home router decades ago.

 

Message 9 of 24
Mstrbig
Master

Re: How to get Orbi to pass through DNS information in DHCP?


@SunriseMan wrote:

I don't understand what you mean. All home routers, including the Orbi, can do the necessary NAT to let computers access the ISP's DNS servers directly. Look at the attached screenshot -- that's me accessing my ISP's DNS going through my Orbi. (10.10.10.1 is the address of my Orbi, which is why it's my default DNS server.)

 

I've also used routers that don't do DNS proxying, gone through periods where I had a separate server running DHCP that passed my ISP's DNS servers, and have had computers with static addresses that used the ISP's DNS servers. I assure you that all of these scenarios work, and have worked since I got my first home router decades ago.

 


Unfortunately, you are mixing up the scenario and are confused with regard to DoH and DNS proxying. You accessing your ISP's DNS is elementary, as many users can and have been using their provider's or third party DNS servers for a very long time. However, if the DNS servers used don't support DoH, there will be no DoH.

With regard to the whole DoH implementation on the Orbi or any other router, the manufacturer would have to update their firmware as that is where the OS resides running the Orbi or any other router's program. This is why third party companies like Cisco, offer DoH for those who need it. Software based, like in Microsoft's new OS, will allow users to set it up on each of their PCs, if needed. However for full network, you would need a dedicated server, switch, or ISP that supports DoH.

And back to the argument of protection, once DoH is implemented, users may have to up their game of virus, malware, etc. protection as a trade off.

Message 10 of 24
FURRYe38
Guru

Re: How to get Orbi to pass through DNS information in DHCP?

Orbi DHCP server isn't broke in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.

If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. Their routers allow for disabling of DNS proxy on their router. It's called DNS Relay for them. Something you could try is to find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well.


@SunriseMan wrote:

@Mstrbig wrote:


The router's DNS server is an internal server. The Orbi uses the ISP or user provided 3rd party DNS servers, such as Google, Level 3, Open DNS, etc. DNS over HTTPS server implementations are already available free of charge by some public DNS providers.


That wasn't my question.

 

A DHCP server gives DNS addresses to devices. Orbi's DHCP server is broken and always gives the router's address as the DNS address. So my Windows computer thinks that the DNS address is 192.168.1.1, rather than the address I configured.

 

I use a service that supports DoH. But Windows (again, for now I'm talking about the Insider versions, but this will soon be true for release versions as well) detects that by just trying to do a DoH request. And that will always fail, because the Orbi doesn't support DoH.

 

I'm not expecting the Orbi to support DoH. But its DHCP server should be able to correctly pass along the correct DNS servers rather than incorrectly giving its own address.


 

Message 11 of 24
SunriseMan
Guide

Re: How to get Orbi to pass through DNS information in DHCP?


@Mstrbig wrote:


Unfortunately, you are mixing up the scenario and are confused with regard to DoH and DNS proxying. You accessing your ISP's DNS is elementary, as many users can and have been using their provider's or third party DNS servers for a very long time. However, if the DNS servers used don't support DoH, there will be no DoH.

With regard to the whole DoH implementation on the Orbi or any other router, the manufacturer would have to update their firmware as that is where the OS resides running the Orbi or any other router's program. This is why third party companies like Cisco, offer DoH for those who need it. Software based, like in Microsoft's new OS, will allow users to set it up on each of their PCs, if needed. However for full network, you would need a dedicated server, switch, or ISP that supports DoH.

And back to the argument of protection, once DoH is implemented, users may have to up their game of virus, malware, etc. protection as a trade off.


I'm not confused at all. I've been writing networking code for over 30 years, and understand perfectly well how these systems work. I'm just not understanding the points that you're making. You said that the minor change of having the router not proxy DNS would require reprogramming every ISP's DNS. I was pointing out that that is most definitely not the case. There are already routers that don't proxy DNS.

 

Obviously, DNS servers have to support DoH in order for DoH to work. But the implementation Microsoft decided on simply tests whether there's a DoH server at the standard port and address accessible at the same address as the regular DNS server, and if so automatically switches to using DoH. Again, that doesn't require reprogramming ISP's servers -- if it doesn't work, Windows will revert to standard DNS.

 

But suppose that someone wants to use a DoH service, whether that's from the ISP or (more likely) from a third party that provides additional security features. If it weren't for DNS proxying, a person could simply set up their third party DoH-supporting DNS server address on their router and all attached computers (with the upcoming Windows release) would automatically use it. As it is, they have to set up every computer individually just to bypass the proxy.

 

I also don't understand why you keep talking about this like it's a trade-off between DoH and having security features. All of the major providers of filtering and security DNS services provide DoH as well (OpenDNS, Quad9, etc.). Presumably people like me who use such a service and also want DoH will keep the same service and just switch protocols.

 

You said "However for full network, you would need a dedicated server, switch, or ISP that supports DoH." Why do you say that? It's not as if the Orbi is caching anything. (Try setting norecurse in nslookup and you can verify that.) Having each computer in a SOHO network going directly against, say, Quad9's DoH or DNS servers does not result in any more Internet traffic than proxying it through the Orbi. It would work exactly the same, just faster (and albeit without the rather questionable feature of resolving the pseudodomain for the Orbi management page).

 

Message 12 of 24
SunriseMan
Guide

Re: How to get Orbi to pass through DNS information in DHCP?


@FURRYe38 wrote:

Orbi DHCP server isn't broke in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.

If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. Their routers allow for disabling of DNS proxy on their router. It's called DNS Relay for them. Something you could try is to find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well.



Well, I agree that it's working as designed. But given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design. I believe that they've done this forever, but, just like their use of basic authentication for their management console login, it's an outdated decision that they should change.

 

As it happens, I switched to Orbi from a D-Link router over the weekend. I know D-Link works perfectly fine in this scenario. I was trying to get rid of it since it's old equipment. But just that incredibly insecure login authentication approach makes me seriously doubt my purchase. It suggests that their routers are still using code written decades ago and never updated.

 

Message 13 of 24
FURRYe38
Guru

Re: How to get Orbi to pass through DNS information in DHCP?

Well, that's your opinion of course. NG seems to do what they want to and it's been hard to get them to make the changes, few that they are. Saw this design back in the early days as well. Why I liked D-Link for their flexibility in this area.

 

Ya, insecure has been a point of contention as well. Users want it while on the other hand, is it really needed for LAN side router log in? I have yet to experience anyone trying to nefariously hack into my router's web page from the LAN side. Though NG has attempted to make some adjustments here as well, their certificates aren't being handled right. I for one don't use HTTPS for router management pages. I'm the only one doing anything.

 

Possibly that Orbi isn't a good product for you. Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs. You might try ASUS or Ubiquiti. Their ERX router is crazy loaded with features. I haven't tried their wifi. I know that ASUS has their own MESH tech too.

 

For NG, users wanting more features and such, NG provides one forum to post about these in:

https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

Again it's up to NG to look at these and make the choice. 

 

Orbi is what it is and you like it or don't.


@SunriseMan wrote:

@FURRYe38 wrote:

Orbi DHCP server isn't broke in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.

If you want the ability to disable DNS proxy, the one Mfr that has this option feature is D-Link. Their routers allow for disabling of DNS proxy on their router. It's called DNS Relay for them. Something you could try is to find a used D-Link router and set one up as your main host router and test it out. Can connect the Orbi in AP mode behind the router as well.



Well, I agree that it's working as designed. But given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design. I believe that they've done this forever, but, just like their use of basic authentication for their management console login, it's an outdated decision that they should change.

 

As it happens, I switched to Orbi from a D-Link router over the weekend. I know D-Link works perfectly fine in this scenario. I was trying to get rid of it since it's old equipment. But just that incredibly insecure login authentication approach makes me seriously doubt my purchase. It suggests that their routers are still using code written decades ago and never updated.

 


 

Message 14 of 24
Mstrbig
Master

Re: How to get Orbi to pass through DNS information in DHCP?


@SunriseMan wrote:

Interesting bite from a top reputable, well-known manufacturer of secure network devices:

Why switch up to DoH just as DoT is finally gaining traction? By having rogue apps like Firefox circumvent the system’s DoT-based DNS and use its own DNS resolver over DoH instead, this makes for a highly opaque security situation. That DNS resolving would move into individual applications, as we see happening now, seems like a massive step backwards. Do you know which DNS resolver each application uses? If it mixes in with TCP port 443 traffic, how would you even know?

 

Two big parties behind DNS over HTTPS are Cloudflare and Mozilla, the latter of which has produced this cutesy little cartoon in which they try to explain DoH. Not unsurprisingly, in it they completely omit to mention DNSSEC (despite it being referenced as ‘crucial’ in RFC 8484), instead proposing something called Trusted Recursive Resolver (TRR), which seems to basically mean ‘use a trustworthy DNS resolver’, which for Mozilla means ‘Cloudflare’.

 

In summary, one can state that DoH honors its acronym by poorly doing what DoT already does. More focus should be on getting DNSSEC fully implemented everywhere along with DoT and QNAME minimization. And if true privacy by dodging tracking is your goal, then you should be looking at VPNs, especially if you’re a dissident trapped in some authoritarian regime.

 

Since you have stated multiple times "given that it breaks things, and substantially degrades DNS performance, all for the dubious reason of resolving the router management pseudodomain, it's a broken design", the best advice would be to return or sell your Orbi, as it may never do what you are asking, and purchase a wireless mesh system that supports exactly what you are looking for.

I for one would never want to own something I felt was inferior and was deliberately "breaking things". That would make me frustrated and be just stupid of me.

Message 15 of 24
SunriseMan
Guide

Re: How to get Orbi to pass through DNS information in DHCP?


@FURRYe38 wrote:

Possibly that Orbi isn't a good product for you. Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs. You might try ASUS or Ubiquiti. Their ERX router is crazy loaded with features. I haven't tried their wifi. I know that ASUS has their own MESH tech too.

Thanks for the Ubiquiti suggestion. It looks like I could get a pretty affordable router, then run the Orbi in AP mode. Given that I already own the Orbi and can't return it (I got it used), that's likely the most economical solution. And it's certainly easier than what I was considering, which was to build some Raspberry Pi machine just to run a DHCP server.

 

I still hope Netgear modernizes their router OS and starts taking security seriously some day, but at least the Orbi's Wi-Fi seems to run very well, so just relieving it of its router functions might be the best suggestion.

Message 16 of 24
FURRYe38
Guru

Re: How to get Orbi to pass through DNS information in DHCP?

Ya, they're inexpensive. I found one on fleabay for cheap.

Ya, will see what NG does. Even with the new Orbi AX, it has the same issue.

Message 17 of 24
henrycase
Initiate

Re: How to get Orbi to pass through DNS information in DHCP?

To get around this I got a Rasp PI (as you mentioned) and installed Pi-Hole/Unbound and use it for DHCP/DNS. Security, network-wide adblocking, working DHCP, etc. No brainer. 

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 18 of 24
jayell1
Initiate

Re: How to get Orbi to pass through DNS information in DHCP?

I was trying to do the same thing to get a pihole to act as an intermediary DNS. I finally decided to let the pihole handle DHCP because it is better able to do that -- so I turned off DHCP on the Orbi and turned it on on the pihole -- now everything works great.

Message 19 of 24
OrbiPhilip
Luminary

Re: How to get Orbi to pass through DNS information in DHCP?

@FURRYe38 wrote:

Orbi DHCP server isn't broke in regards to handing out its router IP address for all clients' DNS. That's just how NG designs their routers to work. NG seems to have had this design for a long time standing up to this point on their router products.

Broken by design, and broken by design for a long time, are still broken.
The DHCP spec calls for the IP addresses specified in DHCP to be passed to the client. Orbi does not do that. i.e. it is "broken".

 

@FURRYe38 wrote:
Well, that's your opinion of course.

It is also the opinion of the IETF who drafted the DHCP spec, and the vast majority of professional network engineers.

 

@FURRYe38 wrote:
Orbi is mostly simplistic towards the average home user. Same with D-Link. More advanced users may want to get into something with more advanced features for those needs.

This statement is ridiculous.
DHCP was designed explicitly for ease of use. DNS is a core function of DHCP. Specifying a DNS address is part of DHCP.
In stark contrast, VPN, reserved IP addresses, channel frequency assignment, et al. are all features for advanced users. And they are present in Orbi.

DNS config in Orbi is fundamentally broken. Stop justifying bad design/code.

 

 

Message 20 of 24
FURRYe38
Guru

Re: How to get Orbi to pass through DNS information in DHCP?

Router Mfrs don't have to follow that spec and from long standing design, NG doesn't. Been like this for years. Even my WNDR3700 back then wasn't able to turn OFF DNS Proxy. 

Looks like PiHole is your alternative. 


Good luck though. 

Message 21 of 24
OrbiPhilip
Luminary

Re: How to get Orbi to pass through DNS information in DHCP?


@FURRYe38 wrote:

Router Mfrs don't have to follow that spec and from long standing design, NG doesn't. Been like this for years.

Year after year, two things never change:
1) Netgear continues turning out garbage code.
2) FURRYe38 continues turning out garbage posts.


 


@FURRYe38 wrote:
Even my WNDR3700 back then wasn't able to turn OFF DNS Proxy.

See #2 above. DNS proxy isn't even the topic of discussion.

Message 22 of 24
CrimpOn
Guru

Re: How to get Orbi to pass through DNS information in DHCP?


@OrbiPhilip wrote:

It is also the opinion of the IETF who drafted the DHCP spec, and the vast majority of professional network engineers.


Would be helpful to see the section of the DHCP standard that discusses Option 6. I have looked at RFC 2131 and RFC 2132 without much success.

 

Personally, I am on the side of, "Let the user choose."  It appears to me that Netgear follows the same practice as Windows: the user can choose to (a) accept the DNS servers offered through DHCP, or (b) define other DNS servers.  Does not seem to be very complicated to add another choice: provide the gateway IP as the only DNS server or some specific IP's as DNS servers.

Message 23 of 24
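As an added example (not posted by anyone in this thread), the following Python parses the options field of a DHCP reply and reports whether option 6 (DNS servers) carries only the router's own address, which is the behaviour this thread is about, or the servers configured on the router. The sample DHCPACK is constructed for the demo; `build_ack`, `audit_dns` and the verdict names are hypothetical, and 9.9.9.9 / 149.112.112.112 stand in for a configured upstream resolver.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # marks the start of the options field
OPT_PAD, OPT_ROUTER, OPT_DNS = 0, 3, 6    # option codes defined in RFC 2132
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255


def parse_options(payload: bytes) -> dict:
    """Return {code: value_bytes} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:               # padding is a single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the packet")
        options[code] = options.get(code, b"") + value  # repeats concatenate
        i += 2 + length
    return options


def ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte addresses (the form options 3, 6 and 54 use)."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw), 4)]


def audit_dns(payload: bytes, configured: list) -> dict:
    """Classify the DNS servers a DHCP reply hands to the client."""
    opts = parse_options(payload)
    dns = ipv4_list(opts.get(OPT_DNS, b""))
    # Addresses that belong to the router itself: gateway and DHCP server id.
    local = set(ipv4_list(opts.get(OPT_ROUTER, b""))
                + ipv4_list(opts.get(OPT_SERVER_ID, b"")))
    unexpected = [ip for ip in dns if ip not in local and ip not in configured]
    if not dns:
        verdict = "no-option-6"
    elif unexpected:
        verdict = "unexpected"            # neither the router nor what was configured
    elif all(ip in local for ip in dns):
        verdict = "proxied"               # client is told to ask the router
    elif not any(ip in local for ip in dns):
        verdict = "pass-through"          # client gets the configured servers
    else:
        verdict = "mixed"
    return {"dns": dns, "verdict": verdict, "unexpected": unexpected}


def build_ack(router: str, dns_servers: list) -> bytes:
    """Constructed DHCPACK used as sample input (not a captured packet)."""
    r = ipaddress.IPv4Address(router)
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x1234ABCD, 0, 0,     # op=BOOTREPLY, Ethernet, xid, secs, flags
        bytes(4), (r + 50).packed, r.packed, bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex("020000000001"), b"", b"")         # chaddr, sname, file
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, 5])               # 5 = DHCPACK
               + bytes([OPT_SERVER_ID, 4]) + r.packed
               + bytes([OPT_ROUTER, 4]) + r.packed
               + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    wanted = ["9.9.9.9", "149.112.112.112"]
    for offered in (["192.168.1.1"], wanted, ["203.0.113.53"]):
        print(offered, audit_dns(build_ack("192.168.1.1", offered), wanted))
```

The same `audit_dns` call works on the UDP payload of a reply captured on the client (server port 67 to client port 68); an "unexpected" verdict is worth a look, because it means the lease names a resolver that is neither the router nor one configured on it.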
FURRYe38
Guru

Re: How to get Orbi to pass through DNS information in DHCP?

DNS Proxy/Relay is what NG uses (192.168.1.1) or the router IP address/gateway, when it shows up on the client side when connected to any NG router. Same thing as DNS Relay. On some other Mfr routers like D-Link, users are able to disable DNS Proxy/Relay and their devices get the actual DNS detected by the host router or any custom DNS the user inputs into the router. NG doesn't seem to want to support this. They may have their reasons. Their product, their design. Don't like it, find something else.

I agree that users should have the choice. Not saying otherwise. Just saying is all that NG hasn't moved on this on their router line ever and has been so long, NG doesn't seem to wanna budge. By all means though, keep asking though. You might post here about it though:

https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

 

Good Luck. 

Message 24 of 24