Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Thu Jan 26, 2023 17:56 Post subject: Domain name in router & web server, in double-natted set
For ages I have struggled to fully understand and comprehend DNS and Domain name in routers, on servers, and on clients. I am still struggling and was hoping someone could explain and recommend a configuration in my DD-WRT router that suits my needs.
First of all, my DD-WRT router is behind my ISP router in a double-NAT configuration. I have just reset both routers to the default settings. My ISP router doesn't let me change its DNS settings, hostname, or domain name. When plugging my DD-WRT router into my ISP router, and going to the DD-WRT Status>Router page, my DD-WRT shows the "WAN Domain Name" as "attlocal.net".
1) What exactly does this mean, and what is it doing by using my ISP router's domain name? Does this affect my search results, or somehow affect my privacy, the way that using your ISP DNS affects your privacy?
2) What should my custom DD-WRT domain name actually be, and what are the consequences of using a custom domain name in DD-WRT? Does this custom domain name bypass the ISP router's domain name in the same way that setting a custom DNS in my DD-WRT router would prevent using my ISP router's DNS?
3) I am also running an Ubuntu web server behind my DD-WRT setup. When connecting the web server to the DD-WRT router it seems as though my DD-WRT router pushes my ISP router's domain name to the Ubuntu server, because the Ubuntu server lists my DNS Server and DNS Domain as:
Code:
DNS Servers: 192.168.2.1
DNS Domain: attlocal.net
What are the effects of using my DD-WRT's local DNS server (192.168.2.1) while also using the pushed domain name (attlocal.net) on the web server as well? What are the benefits and tradeoffs of changing my DD-WRT domain name to "ddwrt.local" and pushing that domain to my web server? And what exactly does a domain do to a web server, particularly if attempting to run an Unbound DNS server on it?
Basically, I am very confused as to what a domain name on a router even does and how it compares to a DNS server. For example, if I set my DD-WRT router to use 1.1.1.1 (under "Basic Setup>Network Setup>Router IP>Local IP Address"), it is my understanding that this forces all traffic behind my DD-WRT router to query Cloudflare for DNS records instead of querying my ISP router's DNS server, effectively preventing AT&T from knowing my DNS queries. Does the Domain name set in the DD-WRT settings work in a similar fashion?
Thanks for any help and explanations. I have never wrapped my head around Domain names in routers. _________________ DanRanRocks - Tech Tutorials by Dan Ran
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Fri Jan 27, 2023 15:07 Post subject:
yep domain name is for local resolution...so, you use name instead of IP to connect...as both will produce the same outcome..it's like a local DNS resolving name to IP..it does not affect security...
as local names are not pushed forward...
"For example, If I set my DDWRT router to use 1.1.1.1 (under "Basic Setup>Network Setup>Router IP>Local IP Address"), it is my understanding the this forces all traffic behind my ddwrt router to query cloudflare for dns records instead of querying my ISP routers dns server for dns records, effectively preventing ATNT from knowing my dns queries. Does the Domain name set in ddwrt settings work in a similar fashion? "
NOPE you don't have to use that field for DNS...leave local DNS at 0.0.0.0 (it's used only for WAP and some other, rare occasions)
If you click ignore WAN DNS (in case if you are using dynamic DHCP WAN otherwise it wont be visible)
then your router will use only the DNS servers specified in the x3 DNS boxes (whatever you put there)..
If you use a static IP for WAN, to ignore the WAN DNS(ISP DNS) that could be fetched, you have to use those commands in advanced DNS commands:
no-resolv
server=9.9.9.9
-first line will tell DNSmasq to ignore any other DNS's (like those that could be fetched by your ISP to the stack)
-second line are the servers you want to use...you can add as many as you like...
To mitigate the chance of your DNS requests (plain via port 53) being captured, as egc advised, you better use an encrypted DNS...as encrypted DNS is using either port 853 (TLS) or port 443 (HTTPS).
The easiest way is to use SmartDNS or DNScrypt, which are implemented in the DD-WRT firmware and work out of the box...just to notice DD-WRT DNScrypt is using the old version 1.95 that has limited support or even none, but there is a guide for the more versatile new version of it, DNScrypt-proxy v2, green link in my sig, and for Stubby (very light option for DNS over TLS) red link; there is also an Unbound option, which is more versatile, and there was a guide for it on the forum too...have a search for it...
ATM the easiest to use of them all is SmartDNS (for DoT or DoH), as it only requires to add your preferred DNS in its valid format..and enable the Use Additional Servers Only option...
The most secure and versatile is DNScrypt-proxy v2.xx, but you have to run it from USB/Entware..
Unbound is also very reliable and secure....but like some of the other options it needs USB and Entware...
On my routers I use SmartDNS, Stubby or DNScrypt-proxy v2...well...not all of them at the same time
p.s. Bear in mind that not all routers have SSL implemented, so the SmartDNS DoH or DoT option will not work on routers that don't have it...routers with 16MB flash and above will be ok... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Fri Jan 27, 2023 21:02; edited 1 time in total
Use home.arpa for local DNS ... there was a thread and discussion about it, and now with mDNS, it's a must. _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
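Putting Alozaros's `no-resolv`/`server=` advice and dale_gribble39's home.arpa suggestion together, here is what a complete "Additional DNSMasq Options" block looks like. This is an added example, not configuration from any poster; it assumes Quad9 as the upstream pair (9.9.9.9 from the thread, 149.112.112.112 is Quad9's secondary) and home.arpa (RFC 8375) as the LAN domain, so swap in your own values.

```conf
# Added example (not from the thread): DD-WRT "Additional DNSMasq Options".
# Goal 1: never use the ISP resolvers learned from the upstream router.
# Goal 2: give the LAN its own private domain instead of the pushed attlocal.net.
# dnsmasq does not allow trailing comments, so every comment is on its own line.

# ---- upstream resolution ----
# Ignore /etc/resolv.conf, i.e. anything the WAN side (ISP router) handed down.
no-resolv
# Only the servers listed here are used; add as many as you like.
server=9.9.9.9
server=149.112.112.112
# Never forward bare hostnames (no dot) upstream; they are LAN names, not Internet names.
domain-needed
# Never forward reverse lookups for private ranges (192.168.x.x etc.) upstream.
bogus-priv

# ---- local domain ----
# Domain dnsmasq appends to DHCP client hostnames (assumed value: home.arpa).
domain=home.arpa
# Answer home.arpa only from local data (DHCP leases, /etc/hosts); never forward it.
local=/home.arpa/
# "webserver" in /etc/hosts also answers as webserver.home.arpa.
expand-hosts
# Push the search domain to DHCP clients, replacing the ISP's attlocal.net.
dhcp-option=option:domain-search,home.arpa
```

With this in place, a client's lookup of `webserver` stays inside the LAN, a lookup of `example.com` goes only to the listed servers, and the Ubuntu box's "DNS Domain" line changes from attlocal.net to home.arpa at its next lease renewal.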
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Sun Jan 29, 2023 16:53 Post subject:
dale_gribble39 wrote:
Use home.arpa for local DNS ... there was a thread and discussion about it, and now with mDNS, it's a must.
Do you have a link to that discussion? I would like to research this and exactly what you mean. _________________ DanRanRocks - Tech Tutorials by Dan Ran
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Sun Jan 29, 2023 16:58 Post subject:
egc wrote:
Even if you do not use your ISP DNS (On Setup page tick/enable "Ignore WAN DNS"), your provider can see DNS queries as those are not secure.
Thanks for this.
To be clear, If i use the "Ignore WAN DNS" option, where do I enter my preferred DNS to replace that then? Can I just enter 1.1.1.1 in the "Basic_Setup>Network_Setup>Local_DNS" box and my router will then use 1.1.1.1 instead of the ISP routers dns? Otherwise, what DNS does ddwrt use if the "Ignore WAN DNS" option is checked? _________________ DanRanRocks - Tech Tutorials by Dan Ran
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Mon Jan 30, 2023 1:21 Post subject:
atomicamp wrote:
dale_gribble39 wrote:
Use home.arpa for local DNS ... there was a thread and discussion about it, and now with mDNS, it's a must.
Do you have a link to that discussion? I would like to research this and exactly what you mean.
Not much discussion about it. Someone linked an article and I linked the current dnsmasq wiki. Do you not know how to set your local domain or used WAN domain?