Questions Regarding DNS

From what I understand, DNS is used to obtain the IP addresses of websites. I’ve learned that setting up DNS at the router level eliminates the need for device-level or browser-level configurations. If a DNS is set at the browser level, it overrides the device-level DNS, and similarly, a device-level DNS overrides a network-level DNS. From what I gathered, AdGuard was recommended for use. Thus, I assume the best course of action would be to set up AdGuard DNS at the router level. I know this has to be done manually, but I’m unsure how to do it on my Huawei Optus router E5186s-61a as these options are unavailable. To add to my confusion, AdGuard says AdGuard Home is the most comprehensive solution; how is it different from AdGuard DNS at the router level? Do I need the AdGuard app for Windows, or is this pointless if I set AdGuard up manually at the router level?

From reading PG I understood (perhaps incorrectly?) that ideally one should use a combination of VPN and DNS, but not DNS if it’s illegal. Using AdGuard has significantly improved my internet speed, which is a great success. It demonstrated that privacy can be convenient and enhance features rather than restrict them. Furthermore, AdGuard DNS also has multiple other benefits, including bypassing censorship (I think) and blocking ads, trackers and malicious domains. Therefore, I do not understand why DNS is not recommended to everyone by default; rather, PG readers are encouraged to choose between DNS and VPN. I would presume the optimal solution would be to use DNS, VPN and Tor, unless using DNS is illegal, which would be the minority of cases. Moreover, how can someone determine you are using DNS?

Sorry for all the questions.

rethinkdns dev here

Not really. Your devices can probably use the latest protocols like Anonymized DNSCrypt / Oblivious DNS-over-HTTPS, while most (not all) routers cannot (unless they’re running OpenWRT or some such).

Yes, it is indeed a “comprehensive” solution to adblocking at DNS level, as that’s its sole purpose for existing. There are also other products in the space, like routers by GL-iNet.

AdGuard Windows can do much more than just block DNS queries. It can filter HTTPS traffic for ads, for instance, which is much more powerful than merely allowing/blocking DNS traffic. It also has a paid VPN built-in (though, one can also run any VPN at the router-level).

DNS blocking is recommended if you do not use a VPN. VPN + VPN provider’s own DNS is recommended for better privacy. These recommendations aren’t mutually exclusive. And most important, aren’t binding, in that, you’re free to make your own choices.

Not really. Tor is a TCP-only proxy (with support for name lookups, aka DNS) with a sole focus on anonymity (which is hard to achieve by simply using “Tor”). A VPN is not only a TCP proxy, but can have other features. Read this blog post by an ex-Mozilla CTO for more: How to hide your IP address

I think a tour of howdns.works might clear a few things up for you.

4 Likes

What I understood from your advice is:

  • AdGuard application + manually setting AdGuard at the router-level > manually setting AdGuard at the device- or browser-level > manually setting AdGuard at the router-level

In other words, I should use the AdGuard app when possible for device-level (which includes browser-level) DNS, due to electronic devices (I assume you mean ‘smart’ phones and PCs) using more modern (DNS encryption?) protocols compared to routers. However, I still want to set a router-level DNS since I live with my family, so that they can reap the benefits, without me having to download apps on all of their devices, kind of like a safety net, is this okay? Do I need to set DNS at the router manually, or can the app cover this?

Is all this pointless if I use AdGuard home?

VPN at the router level sounds interesting, but I assume this is not recommended, since sometimes using a VPN is not a good idea.

I am confused by this wording; I am not sure what you mean by this. The only thing I understood is that it is preferable to use a VPN and DNS simultaneously from the same provider. However, I still can’t see why one should not use DNS always, whether using a VPN or not.

Finally, thanks for linking the resources. The comic was cool, it was a bit long and hard to keep track of what was going on so I gave up eventually. Will read the other link as soon as I post this (edit: as the author said it is overly long, but only for peeps like me who have another field of study, but are curious about a field outside of their own).

I think understanding the risks of unencrypted DNS would help out in your decision making.

With this:

  • unencrypted DNS requests can be snooped. Risk on a LAN is not as big of a deal for me personally, but on other networks you should configure something.
  • bad upstream DNS servers could log your requests (they can only see you wanted to resolve the domain name and perhaps some additional query string info). Basically, don’t choose a default ISP DNS server or anyone untrustworthy. On other networks, change it on your device or use a VPN that ensures no DNS leaks occur (see below).
  • [DNS Server only] Not using DNSSEC means resolved domains aren’t validated to be from the source. This would be important if someone managed to poison the DNS to resolve to a malicious URL. This is more about security than privacy.
  • [DNS Server only] using QName shorting chops off everything but the domain, whereas DNS servers can sometimes just send the full URL.

Outside of this, the biggest risk is a DNS Leak when using a VPN.

Personally, if your router changes the DNS server to a non-default ISP one, that’s the best you’ll get unless you want to set up your own DNS server (see Pi-hole for an external one you can configure on a Raspberry Pi with your router). It would be crazy if your router won’t let you change the DNS server, as it’s a basic config.

You’ll also want to ask yourself how detrimental it is for your own privacy if someone sees what you resolve.

Anyone feel free to correct me if I’m wrong.

1 Like
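Added example (not code from the thread, and not from AdGuard, Pi-hole or any other product named in it) illustrating the first and last bullets above: how little an on-path observer needs in order to read the queried name out of a plaintext UDP/53 query, and what QNAME minimisation reduces each authoritative server’s view to. The query name is constructed for the demonstration.

```python
import struct

def build_query(name: str, txn_id: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query in RFC 1035 wire format (QCLASS IN).
    This is exactly what leaves the device over UDP/53 when DNS is unencrypted."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def snoop_question(packet: bytes) -> tuple[str, int]:
    """What an on-path observer (LAN, ISP, hotspot) can read from a plaintext
    query: (qname, qtype). No key or session state is needed; the name is in the clear."""
    _txn_id, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointers only appear in answer records
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype

def minimised_qnames(full_name: str) -> list[str]:
    """Names a resolver doing QNAME minimisation (RFC 9156) sends to each
    authoritative level (root, TLD, ...). Only the final server sees the full name."""
    labels = full_name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

if __name__ == "__main__":
    # Constructed sample: a lookup a device on the home network might make.
    wire = build_query("private-forum.example.com")
    print("observer on the path sees:", snoop_question(wire))
    print("with QNAME minimisation, per hop:", minimised_qnames("private-forum.example.com"))
```

Encrypting the transport (DoH, DoT, DNSCrypt) hides the first output from the path; QNAME minimisation limits what each upstream authoritative server learns, which is a separate setting on the resolver.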

From experience, Anonymized DNSCrypt can be kind of annoying to use due to unreliable relays.

I can’t see why I wouldn’t use DNS in any situation, plus there is the huge benefit of increasing my internet speed. My main questions are the below:

Also, my incompetent ISP does not allow me to change my DNS settings through their router settings web UI. In my other post, you recommended getting a different router entirely or using a Raspberry Pi to help me set DNS at the router level. Can’t firmware do this?

You could contact support and ask how you can change your DNS, or look up docs on how to do it. If it’s really a no (which seems wild), then you’ll have to buy your own router (and you’ll never have to rent one from an ISP). You can’t upload your own firmware to an ISP’s router.

1 Like

Thanks a lot. Is all of this necessary (using client-side software for each device, setting DNS manually for my router, buying a new router or using a Raspberry Pi, using DNSCrypt or something) if I use AdGuard Home?

We are talking about Optus here :rofl:, bottom of the barrel, hacked by a literal kid, with all of our data being sold on the dark web, plus there was a nationwide outage affecting ~10 million people.

Tried this. Works really well. There is one obstacle though: you need to be fluent with the server console. This alone makes running a VPN at the router level not for newbies.

1 Like

I’ve installed AdGuard Home, after this I’ve recently configured AdGuard Home DNS over HTTPS on my Windows 11 PC using the netsh dns add encryption command with server=127.0.0.1 and dohtemplate=https://dns.adguard.com/dns-query. No idea whether this is correct.

Additionally, I manually adjusted my DNS settings via the Network & Internet settings. Here’s what I did: I went to Settings > Network & internet > Wi-Fi > Hardware properties, set the configuration to manual, switched off IPv6, and enabled IPv4. I then set the preferred DNS address to 127.0.0.1 and enabled DNS over HTTPS at the address https://dns.adguard.com/dns-query.

However, I noticed that AdGuard recommends a different method involving the Control Panel and Network and Sharing Center, where it doesn’t seem possible to switch to DNS over HTTPS. Could anyone clarify why this method is recommended over the one I used?

Furthermore, after making these changes, Firefox started displaying a message stating it can’t protect my request for a site’s address through its trusted DNS resolver. I’ve already set Firefox to use DNS over HTTPS with the same address. Does anyone know why this might be happening?

Lastly, I noticed on AdGuard’s DNS providers page that a different address (https://dns.adguard-dns.com/dns-query) is listed compared to the one I used (https://dns.adguard.com/dns-query). Could someone explain this discrepancy? Thanks in advance for your help!

Also, I still need to know the optimal solution: i.e., do I need to download AdGuard software or manually configure each device to use DNS, along with using AdGuard Home, or is simply using AdGuard Home enough? I think to use DNS over HTTPS, according to AdGuard’s GitHub guide, you need to configure each device; otherwise you need to run your own server to do DNS over HTTPS on a network level! Oof. Correct me if I am wrong.

When I turn on DNS over HTTPS system-wide on Windows 11 (as described in a previous reply of mine), Firefox won’t load pages. Update: turning off the DNS over HTTPS settings in Firefox did not help. Other browsers like Chrome still work!

I have installed AdGuard Home on Windows 11 as a service, which is running automatically. Does this mean that I need to have my PC on 24/7 for AdGuard Home to act as a DNS for all the devices on my network? If not, how on Earth does it work? I am pretty sure all I need to do is set my wireless modem to use the DNS address 127.0.0.1, or should it use my local IPv4 address?

This has become more of an AdGuard support issue and not a question about DNS. I think it would be more appropriate to be asking the AdGuard support team these questions.

3 Likes

Basically, without going into much tech detail, yes. Now you have 3 options:

  • leave your Windows 11 PC powered on 24/7,
  • set up a trunk that will direct all your traffic (from inside your network) directly to the outside world (bypassing your Windows 11 computer),
  • install AdGuard Home on your router, then uninstall it from the Windows 11 computer:
      • connect via ssh to your router,
      • follow this guide (just remember, the OS on your router is Linux)

If you are trying to set up a DNS server, you’ll definitely want a device online 24/7. A Raspberry Pi is a good use case for this so long as your web traffic isn’t super crazy (look up Pi-hole for another good example). I’ll say, this is a technical project; you may want to understand essential networking before possibly nerfing the internet, especially if your family uses it.

Other than that, installing it on the router is best. If you have a router from your ISP, it’s not likely possible to ssh into it and install it. Your best bet is to change the DNS on the ISP-provided router (I know you’ve said it can’t be done, but I’d be absolutely stunned if that’s not possible).

If you want, DM me your ISP and I’ll research if it’s possible.

Haha, @overdrawn98901 I appreciate it, however, it is not worth jumping down the rabbit hole. It is the Huawei E5186s-61a, I have already tried to change its DNS settings using ‘API’ (no idea what this means) and the E5186 toolbox 0.9.

Definitely not, I am a naturalist, studying biology at Uni, and this would be plain unethical.

Thanks I will check out the other two options.

1 Like

I have already checked out the guide, and it is hard to follow. Very poorly communicated; the guide should begin with the options. I just followed the manual installation part for Windows of the guide. Still have no idea how to do the other two options. I really don’t think the guide mentions installing it directly on your router. It simply has two options, automatic install and manual install, and that’s it.