Forward local domain queries to upstream DNS: what is it?

Local DNS Setup issue with ASUS router

I set up my Asus RT-AC1900P router for a home network and after completing the set up, I ran the DNS Benchmark test on https://www.grc.com/dns/benchmark.htm
It sounds like from the comments received on the test that DNS access is being impeded by the router. The comments from Steve Gibson’s Benchmark test that came back are as follows:

«It appears that only one local (router gateway) DNS nameserver, with the IP address of [192.168.1.1], is currently providing all DNS name resolution services. This configuration is not recommended because most consumer-grade routers are inefficient and under-powered DNS resolution services.»

Have you tried setting your router to specify a different DNS server in its DHCP and verified that you have issues with name resolution on your home network?

If you are asking did I change to a different DNS server from my ISP’s servers, Yes. I changed to Cloudflare in the router, but the change to 1.1.1.1 in the router wasn’t to verify issues with name resolution. I still have the same test results no matter what the DNS server is.

[EDIT] I do not use static IP’s at all

Under the DHCP server settings, there are two settings that apparently have been omitted. The ASUS-WRT-Merlin firmware does have the settings under the DHCP server ‘tab’.

And the ASUS-WRT stock firmware also has these two settings. However, I can only find these under the IPv6 settings with the ASUS stock firmware.

Those two settings are:

«Advertise routers IP in addition to user-name specified DNS»

«Forward local Domain queries upstream to DNS»

First of all, it’s worth mentioning that I’m aware I should be focused on the basics of the Domain Name System and troubleshooting my DNS related problems.

My apologies to Kilroy for my last responses. Looking back at my comments, my observations to bloviate or sound pretentious were not my intention.

My confidence in how much troubleshooting I’m capable of doing however, could be a lot higher. I’m hoping I might learn from my search for guidance on this issue affecting my local setup.

With that said, I ran a DNS query to the router to check if the router can process DNS and IP mapping using nslookup.
I think the results of different Reverse IP lookup queries merit attention. It was my hope I could attach these screenshots, except that the «uplink» button on this forum is greyed out and is not working.

I’m aware of no problems existing with the network connection from my ISP and also the correct DNS server addresses were specified.

Page 60 of the Manual, is where you set the DNS for the clients to use. Set that to 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare) and run your DNS speed tests.

You will need to either restart the computer or do an IPCONFIG /RELEASE then IPCONFIG /RENEW to get the DNS changes. You can see your DNS server on the client by typing IPCONFIG /ALL

Does the PC you ran DNS Benchmark on have its DNS settings set to use your ISP’s default DNS servers or is it set to use your router’s DNS?

A computer’s local DNS settings will over-ride the router’s DNS settings so if you have a lot of devices connected to your LAN, they’ll each be using whatever DNS service is the default (typically your ISP’s DNS servers). If instead you want each to use different, specified DNS servers you’ll either need to change each device’s DNS settings, or point them all to your router and change your router’s DNS settings (both IPv4 and IPv6).

Some public DNS services:

Quad9
IPv4: 9.9.9.9, 149.112.112.112
IPv6: 2620:fe::fe, 2620:fe::9

Cloudflare
IPv4: 1.1.1.1, 1.0.0.1
IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001

Google
IPv4: 8.8.8.8, 8.8.4.4
IPv6: 2001:4860:4860::8888, 2001:4860:4860::8844

— regarding that message on, «. because most consumer-grade routers are inefficient and under-powered DNS resolution services», I’ve seen that before and just my opinion I think it’s a little dated. While there’s no shortage of cheap, bargain-bin routers out there and that statement certainly would apply to them, I don’t think your Asus RT-AC1900P is in that category so if you have say, up to a dozen of constantly active devices connected to your home LAN it should work out fine as your LAN’s primary DNS source. Or just do an either/or test and see if you do get diminished results one way or the other.

Thank you for providing that link to the full user’s manual.

I had previously set the router’s IPv4 DNS correctly to Cloudflare’s IPv4 resolvers (1.1.1.1 and 1.0.0.1).

For quite a while I’m seeing where more than anything s_l_o_w responses in the browser waiting for an IP resolver. From manually typing website domains both large and smaller sites like Bleeping Computer into the URL box the responses are timing out occasionally.

As for those two router settings in my original post, I found out that the one has nothing to do with the DNS server I use. It would benefit someone who uses a Windows server (which I don’t have). The other setting «Advertise routers IP in addition to user-name specified DNS», I believe is beneficial for private networks designed with a Pi-hole (which I don’t have) to block DNS requests for known tracking domains.

So whether the comment from the DNS Benchmark test described correctly the result I would experience e.g., slow browser response because of the router configuration, I don’t know.

[EDITED] duplicated post

Does the PC you ran DNS Benchmark on have its DNS settings set to use your ISP’s default DNS servers or is it set to use your router’s DNS?

The PC I ran the DNS Benchmark test with is set to obtain DNS server address automatically.

I thought the PC would override the router’s settings only if I had manually entered DNS servers in the IPv4 adapter setting under Control panel

If instead you want each to use different, specified DNS servers you’ll either need to change each device’s DNS settings, or point them all to your router and change your router’s DNS settings (both IPv4 and IPv6).

I’m just looking to have all the devices on my LAN use the same DNS servers (but not my ISP’s DNS servers).

The router was changed to a Public DNS service from my ISP’s DNS.

The entire topology of my LAN is as plain and simple as it gets. Only one Desktop PC and one Android phone running Pie (btw it’s set in Private DNS mode to a providers hostname which is the same as the router’s DNS servers).

So to summarize, I have two questions

If I’m interpreting your two replies I quoted correctly, neither changing the device’s settings OR point them to the router and change the IPv4 and IPv6 settings are necessary. Is that correct? b/c I want all devices using the same DNS

The setting on my PC is currently set to obtain DNS automatically. Isn’t this the correct PC’s local DNS setting then and the PC should be using the router’s DNS?

Yes, if your PC is set to its default it will be relying on whatever DNS servers you specified in your router. Try using the ‘nslookup’ command to verify what DNS service you’re using:

The IP address(s) of your selected DNS server should be at the top of the results.

You might also want to use Gibson’s DNS Spoofability Test to further analyze your settings. The DNS Benchmark utility is good for checking for just speed, but just because a DNS service is the fastest doesn’t necessarily mean it’s also the safest.

My whole reason why I’m still trying to understand this router’s basic pre-configuration is because the set up (out of the box) acts as a proxy DNS nameserver.

This is what two tests both confirm:

And when I ran Gibson’s DNS Benchmark test, it says: «One [router gateway] DNS Nameserver with the IP address of [ my router’s IP address ] is providing all DNS name resolution services.

I don’t know if Asus really understands what I tried to explain to them. They came back to me recommending that I configure Port Forwarding. That made no sense.

If anything, from the sound of it you’ve been experimenting with a lot of the settings options in your router. It might be a good idea at this point to just reset your router to its default factory settings so it’s a ‘clean’ configuration, and then reconfigure it accordingly.

Is this not your intended goal?

Yes. both PC and phone «should» be relying on the DNS resolver set up in the Asus router

Me neither. When I query the DNS server using the nslookup command prompt from the techwiser site you posted, I’m getting my Asus router address IP (192.168.1.1)

You’ll notice if you pull that site up where it says to run ipconfig /all | findstr "DNS\ Servers", the returned query isn’t some common (default) router IP addresses like (192.168.x.x) or (10.0.x.x)

I should do a reset on the router to see if it queries a DNS resolver IP.

[EDIT] Mistyped the correct ASUS router IP

DNS Forwarding and Conditional Forwarding

DNS Forwarding improves performance, load balances, and makes your network more resilient. It provides a way to pass on namespaces or resource records that are not contained in a local Domain Name System (DNS) server’s zone to a remote DNS server for resolution of name queries both inside and outside a network.

There are two methods that we’ll discuss: forwarding and Conditional Forwarding. To understand the benefits of Conditional Forwarding, we must first understand how forwarding works.

Forwarding

In a simple example, a DNS forwarder sends name queries for external domains to remote DNS servers outside of its local network for resolution. Internal name queries are handled by the internal DNS server.

If the DNS server has no forwarder listed for the name designated in the query, it can attempt to resolve the query by standard recursion, using its root hints file.

There are two types of DNS name queries: recursive and iterative. While both DNS forwarding and Conditional DNS Forwarding follow the general steps above, each is a little different.

Recursive Name Query
Forwarded queries are sent as recursive queries. In this scenario, the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server.

Iterative Name Query
The DNS client allows the DNS server to return the best answer it can give based on its cache or zone data.

A DNS server configured to use a forwarder will behave differently than a DNS server that is not configured to use a forwarder. Here’s how a DNS server works when using forwarding:

1. When the DNS server receives a name query, it attempts to resolve this query using its primary zones, secondary zones and finally its cache in that order.

2. If the name query cannot be resolved using its local zone data or cache, then it will forward the query to the DNS server designated as a forwarder. As a result, root hints method of name resolution will not be used.

3. The original DNS server that received the initial query will wait briefly for an answer from the forwarder. If that fails, it will attempt to contact the DNS servers specified in its root hints as a last resort.

Conditional forwarders allow you to improve name resolution between internal (private) DNS namespaces that are not part of the DNS namespace of the Internet, such as results from a company merger.

Conditional forwarders

Conditional forwarders are DNS servers that only forward queries for specific domain names. Instead of forwarding all queries it cannot resolve locally to a forwarder, a conditional forwarder is configured to forward a query to specific forwarders based on the domain name contained in the query. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.

Let’s walk through two examples where Conditional Forwarding really comes in handy. The first example is an internal name and the second is an external name resolution scenario.

Example 1. Intranet name resolution

When a DNS server configured with a conditional forwarder receives a query for a domain name, it will compare that domain name with its list of domain name conditions and use the longest domain name condition that corresponds to the domain name in the query. For example, in the figure below, the DNS server performs the following conditional forwarding logic to determine how a query for a domain name will be forwarded:

Example 2: Internet name resolution

DNS servers can use conditional forwarders to resolve queries between the DNS domain names of companies that share information. For example, two companies, Widgets Toys and Tailspin Toys, want to improve how the DNS clients of Widgets Toys resolve the names of the DNS clients of Tailspin Toys. The administrators from Tailspin Toys inform the administrators of Widgets Toys about the set of DNS servers in the Tailspin Toys network where Widgets can send queries for the domain dolls.tailspintoys.com. The DNS servers within the Widgets Toys network are configured to forward all queries for names ending with dolls.tailspintoys.com to the designated DNS servers in the network for Tailspin Toys. Consequently, the DNS servers in the Widgets Toys network do not need to query their internal root servers, or the Internet root servers, to resolve queries for names ending with dolls.tailspintoys.com.

The result is better performance, less network bandwidth, and happier end users because their name queries between different domains are resolved faster.
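The longest-match rule from Example 1 and the resolution order from the Forwarding section (zone data, cache, forwarder, root hints), as an added example that is not code from the article or from Windows Server. The class and function names, the widgets.example zone and all IP addresses are constructed for illustration; zone data is simplified to an exact-name table and the fallback after a forwarder timeout is not modelled.

```python
from dataclasses import dataclass, field


def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing root dot."""
    return tuple(part for part in name.lower().rstrip(".").split(".") if part)


@dataclass
class ForwardingServer:
    zones: dict = field(default_factory=dict)        # names held in local zone data
    cache: dict = field(default_factory=dict)        # previously resolved names
    conditional: dict = field(default_factory=dict)  # domain condition -> forwarder IPs
    forwarders: list = field(default_factory=list)   # unconditional forwarders

    def select_condition(self, qname):
        """Return the longest configured domain that is a whole-label suffix of qname."""
        q = labels(qname)
        best, best_len = None, 0
        for domain in self.conditional:
            d = labels(domain)
            # Compare label by label so "ragdolls.tailspintoys.com" does not
            # match the condition "dolls.tailspintoys.com".
            if d and len(d) <= len(q) and q[-len(d):] == d and len(d) > best_len:
                best, best_len = domain, len(d)
        return best

    def route(self, qname):
        """Return (step, targets): where the query is answered or sent first."""
        key = ".".join(labels(qname))
        if key in self.zones:
            return ("zone", [self.zones[key]])
        if key in self.cache:
            return ("cache", [self.cache[key]])
        condition = self.select_condition(qname)
        if condition is not None:
            return ("conditional:" + condition, list(self.conditional[condition]))
        if self.forwarders:
            return ("forwarder", list(self.forwarders))
        return ("root-hints", [])


# Constructed configuration for the Widgets Toys server in Example 2.
# Addresses come from the documentation ranges and are not real servers.
WIDGETS_DNS = ForwardingServer(
    zones={"intranet.widgets.example": "192.0.2.10"},
    cache={"www.example.org": "198.51.100.7"},
    conditional={
        "tailspintoys.com": ["203.0.113.10"],
        "dolls.tailspintoys.com": ["203.0.113.53", "203.0.113.54"],
    },
    forwarders=["192.0.2.53"],
)

if __name__ == "__main__":
    for name in (
        "shop.dolls.tailspintoys.com",   # longest condition wins
        "ragdolls.tailspintoys.com",     # only the shorter condition matches
        "www.tailspintoys.com",
        "intranet.widgets.example",      # answered from local zone data
        "www.example.org",               # answered from cache
        "www.example.net",               # falls through to the default forwarder
    ):
        print(f"{name:32} -> {WIDGETS_DNS.route(name)}")
```

Matching on whole labels matters for more than tidiness: a plain string suffix test would hand queries for unrelated names to the partner's DNS servers.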

Conditional Forwarding Benefits

Conditional Forwarding leads to a safer, faster, smarter and more reliable Internet. When a DNS server forwards a query to a forwarder, it sends a recursive query to the forwarder. This is different than the iterative name query that a DNS server will send to other DNS servers during standard name query resolution (name resolution that does not involve a forwarder).

By configuring the DNS servers in one internal namespace to forward queries to the authoritative DNS servers in a second internal namespace, conditional forwarders enable name resolution between the two namespaces without performing iterative name query on the DNS namespace of the Internet, which leads to better performance and utilization of DNS servers and reduced traffic on a Local Area Network (LAN) subnet.

A LAN is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, or office building. A local area network is contrasted in principle to a wide area network (WAN), in which two or more LANs are connected and thus covers a larger geographic distance and may involve leased telecommunication circuits, while the media for LANs are locally managed.

When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic, thereby limiting DNS server exposure to the Internet. A forwarder will build up a large cache of external DNS information because all of the external DNS queries in the network are resolved through it. In a small amount of time, a forwarder will be able to resolve a good portion of external DNS queries using this cached data and thereby decrease the Internet traffic over the network and the response time for DNS clients. As a result, root hint usage is greatly reduced.

Setting up a DNS Server Forwarder

Instructions to setup a conditional DNS forwarder for external domain name resolution using Windows Server 2012 R2 are described below.

1. In the console tree, double-click the applicable DNS server. Expand DNS, and then double-click Applicable DNS server.

2. In the console tree, double-click the applicable DNS server. Expand DNS, and then double-click Applicable DNS server.

3. In the console tree, click Conditional Forwarders, and then on the Action menu, click New Conditional Forwarder.

4. In DNS domain, type the fully qualified domain name (FQDN) of the domain for which you want to forward queries.

5. Click the IP addresses of the master servers list, type the IP address of the server to which you want to forward queries for the specified DNS domain, and then press Enter.

6. Click check box “Store this conditional forwarder in Active Directory,” and replicate it.

Summary

The DNS protocol is an important part of the web’s infrastructure, serving as the Internet’s phone book: every time you visit a website, your computer performs a DNS lookup. Complex pages often require multiple DNS lookups before they start loading, so your computer may be performing hundreds of lookups a day. DNS Conditional Forwarding can provide higher performance and security.

Even if you do not have access to Windows Server or the ability to run a local DNS server, you can still experiment with DNS forwarding using Google Public DNS or Cisco’s OpenDNS. Both are free options that allow you to experiment with DNS forwarding. In both cases, all your DNS traffic will be forwarded to them and not to your Internet Service Provider (ISP). Benefits are increased performance and security from phishing, malware, botnets, and targeted online attacks. In both cases, your traffic will probably be tracked and profiled, so buyer beware. At the very least, these services help you understand how DNS Forwarding works in real life.

While setting up DNS Forwarding in Windows Server is elaborate, on a normal Windows computer it takes only one screen to configure.

Instructions

To use OpenDNS instead of Google Public DNS, enter OpenDNS’s IP addresses where it says “Preferred DNS Server” and “Alternate DNS server”.

For OpenDNS, the IP addresses are always:

Thank you Saron Yitbarek for editing this article.

Forward local domain queries to upstream dns

This article describes how to configure DNS correctly.

DNS stands for “Domain Name System”; it maps a URL to the IP addresses of the servers of the specified resource on the external network. Traffic is then directed to those addresses.

Before choosing a configuration path, make sure that on the UserGate machine the interface facing the external network (WAN) has the provider’s DNS servers or large external DNS servers configured, and that the interface facing the local network (LAN) has no gateway and no DNS (only the address and mask are set). Warning! Make sure that no more than three DNS addresses are configured on the external interface; otherwise request-handling errors may occur and pages may take a long time to open in the browser. If all of this holds, you can proceed.

There are four main ways to configure DNS:

1. There is no DNS server on a domain-controller machine in the local network.

In this case the configuration is done as follows:

2. There is a DNS server on a domain-controller machine in the local network, and it is a separate machine on the local network.

In this case DNS should be configured as follows:

3. There is a DNS server on a domain-controller machine in the local network, and it is the same machine on which UserGate is installed.

This configuration is not considered the best in terms of server load, but it can also be configured, and this is done as follows:

4. Machines on the local network use as their gateway a machine other than the UserGate machine (for example an RRAS server running on Windows Server ****).

In this case the local address of the UserGate machine must be entered in the client’s browser, and the proxy then resolves DNS addresses itself through DNS forwarding. The sequence of steps is therefore as follows:

* – the preferred option is to use our DHCP server or the DHCP server from Windows Server.

In the DNS forwarding settings themselves you can change the port (the default is 5458, but it is better not to change it unless absolutely necessary), change the DNS query timeout (the default is 7000, which is also not recommended to change unless you understand how it works), enable or disable the cache of DNS records, and change the number of records when the cache is enabled. The cache reduces the load on the server because the answer to a query is taken from the cache if the address has already been requested.

If, after configuring everything correctly according to this article, error 10065 appears in your browser, refer to this article.

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

AD mode is deprecated beginning with Windows Server 2019. For environments where TPM attestation is not possible, configure host key attestation. Host key attestation provides similar assurance to AD mode and is simpler to set up.

Use the following steps to set up DNS forwarding and establish a one-way trust with the fabric domain. These steps allow the HGS to locate the fabric domain controllers and validate group membership of the Hyper-V hosts.

Run the following command in an elevated PowerShell session to configure DNS forwarding. Replace fabrikam.com with the name of the fabric domain and type the IP addresses of DNS servers in the fabric domain. For higher availability, point to more than one DNS server.

To create a one-way forest trust, run the following command in an elevated Command Prompt:

Finishing bits of technology, vintage and new.

Using ASUSWRT for Local DNS and DHCP

A little background on ASUSWRT. ASUSWRT is the firmware ASUS ships on current routers. It started as a fork of the Tomato firmware project. Tomato is similar to DD-WRT. ASUSWRT-Merlin is an enhanced, and fixed (some), version of the ASUS supplied ASUSWRT.

Post Switch Concerns

After switching to ASUSWRT from DD-WRT I thought I would be losing the ability to serve local DNS. I was wrong. I loaded ASUSWRT-Merlin on my ASUS RT-N66U. After some trial and error configuration I discovered local DNS is alive and well in ASUSWRT-Merlin.

There is one minor caveat in that local DNS only works for DHCP served addresses, unless you further modify the dnsmasq configuration from the command line. I spent a lot of time managing non-DHCP addresses in that fashion with DD-WRT, and want to make management as simple as possible. The dnsmasq service used by ASUSWRT operates as a masquerading forwarding DNS server.

With DD-WRT I had non-DHCP addresses allocated in a certain range (0-99), and DHCP addresses from 100 to 255. Within the DHCP addresses I reserved the first 20 (via DHCP reservations) for our devices, which let any guests pick up other addresses. Why?

With DD-WRT I broke the DHCP range into two and had QOS rules in place for each group. Guest addresses received tighter restrictions and lower bandwidth. Managing these in DD-WRT was a pain. The ASUSWRT makes it a lot simpler to accomplish the same things.

Local DNS Setup

I couldn’t find any definitive guides on setting this up, only that it could be done. So here’s how. Before proceeding, to make things easier, make sure all devices in the ASUS Client list have a name showing up. If the name doesn’t show up, click its MAC address (top one) and define it in the pop-up window that appears.

Open the LAN menu, and “DHCP Server” tab. A few things to note:

a) “Enable the DHCP Server” should be Yes.

b) The router’s Domain Name can be blank or you can set it to what you want, just don’t use one of the top level domains like com, net, org, etc. I chose “home”. This makes all hosts on my network resolvable as “hostname.home”.

c) Set the DHCP starting and ending range, for example 192.168.1.10 to 192.168.1.150. The subnet and final address are blocked out in the image. For the subnet, it should be the same as the router’s defined subnet. If you defined the router’s address as 192.168.1.1 then the IP range should be on subnet 1. I don’t use 1.

d) The “Default Gateway” is the gateway that clients will route through.

e) Now the DNS settings need special attention:

If you select Yes for “Advertise routers IP in addition to user specified DNS”, then the router’s address will be appended to the DNS address list given to the clients when they lease an IP address. I said “appended” meaning it will be LAST!

So if you want to be able to resolve names on your network without specifying the router’s address as the name server to do the resolution (i.e.: nslookup - 192.168.1.1), then you should make sure the Advertise setting is set to No, and put the router’s address in “DNS Server 1”. This puts the router in the list FIRST! Put your secondary (if any) in “DNS Server 2”.

The last thing surrounding DNS, which ties into the router domain defined above, is the “Forward local domain queries to upstream DNS”. This should be No. You don’t want a query for “xbox.home” to be passed up to be resolved at the internet level. You want it to stay on your network.

With DNS setup in this way, your hosts (blah.home) are answered first from the local DNS cache while external hosts (www.apple.com) are answered from your ISP (or OpenDNS, Google, etc) DNS servers.

f) Click the Apply button when done.
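One way to check that names in the router domain really stay on the network after setting “Forward local domain queries to upstream DNS” to No, as an added example that is not part of the original post. It assumes dnsmasq query logging (`log-queries`) has been enabled on the router and scans the log for local-domain names that were forwarded upstream; the log lines, client addresses and function names are constructed for illustration.

```python
import re

LOCAL_DOMAIN = "home"  # the router "Domain Name" chosen in the post

# Constructed sample in dnsmasq's query-log format, not captured from a real router.
SAMPLE_LOG = """\
Jan  5 20:14:01 dnsmasq[412]: query[A] xbox.home from 192.168.1.23
Jan  5 20:14:01 dnsmasq[412]: DHCP xbox.home is 192.168.1.23
Jan  5 20:14:02 dnsmasq[412]: query[A] www.apple.com from 192.168.1.40
Jan  5 20:14:02 dnsmasq[412]: forwarded www.apple.com to 1.1.1.1
Jan  5 20:14:05 dnsmasq[412]: query[A] nas.home from 192.168.1.40
Jan  5 20:14:05 dnsmasq[412]: forwarded nas.home to 1.1.1.1
Jan  5 20:14:09 dnsmasq[412]: query[AAAA] Printer.HOME from 192.168.1.23
Jan  5 20:14:09 dnsmasq[412]: forwarded Printer.HOME to 1.0.0.1
Jan  5 20:14:11 dnsmasq[412]: query[A] cam.myhome from 192.168.1.40
Jan  5 20:14:11 dnsmasq[412]: forwarded cam.myhome to 1.1.1.1
"""

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[[A-Z0-9]+\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(
    r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<upstream>\S+)$")


def in_domain(name, domain):
    """True if name is the domain itself or a host below it (whole labels only)."""
    name = name.rstrip(".").lower()
    domain = domain.strip(".").lower()
    return name == domain or name.endswith("." + domain)


def find_local_leaks(log_text, local_domain=LOCAL_DOMAIN):
    """Return (name, client, upstream) for each local-domain query sent upstream."""
    last_client = {}  # most recent client seen asking for each name
    leaks = []
    for line in log_text.splitlines():
        line = line.strip()
        query = QUERY_RE.search(line)
        if query:
            last_client[query["name"].lower()] = query["client"]
            continue
        forwarded = FORWARD_RE.search(line)
        if forwarded and in_domain(forwarded["name"], local_domain):
            name = forwarded["name"].lower()
            leaks.append((name.rstrip("."),
                          last_client.get(name, "unknown"),
                          forwarded["upstream"]))
    return leaks


def names_exposed_to(leaks):
    """Group leaked names by the upstream resolver that received them."""
    exposed = {}
    for name, _client, upstream in leaks:
        exposed.setdefault(upstream, set()).add(name)
    return {upstream: sorted(names) for upstream, names in exposed.items()}


if __name__ == "__main__":
    found = find_local_leaks(SAMPLE_LOG)
    for name, client, upstream in found:
        print(f"LEAK: {name} asked by {client} was forwarded to {upstream}")
    print(names_exposed_to(found))
```

With the setting at No, a scan like this should come back empty for the router domain; any hit means an internal hostname was disclosed to the upstream resolver.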

I typically assign a static address to devices that I want to always be at a certain address (like a printer, NAS drive, etc). I typically set up appliances like streaming players and TVs with static addresses too since they really don’t need to change.

I still wanted to resolve the problem where these non-DHCP devices (devices with static IP assignments) could be resolved on the network WITHOUT having to modify configuration from the command line. Remember, simple, low maintenance.

To resolve this I changed all devices with static IPs to DHCP. As a bonus, that makes device setup simpler too. I then set up DHCP reservations for them within the DHCP pool in a particular range (99 or less). This way I can easily identify “appliances” from computing devices.

a) Set the “Enable Manual Assignment” to Yes.

b) Use the dropdown to select a device, which will have the MAC address or device name (if it was given by the requesting client or defined manually on the ASUSWRT Client list).

c) Set the address (it will default to whatever it was assigned by the server). If you want to change it, change it.

d) Click the + button.

e) Click the Apply button.

Traffic Control

With DD-WRT I had devices set up in ranges, with the guest range relegated to low bandwidth and peer to peer services blocked. I want the same thing with ASUSWRT. I also had my devices defined with particular classes of service.

The ASUSWRT firmware has defaults based on traffic type, mainly surrounding file transfer.

Once enabled you can delete the default ones, and add custom ones.

I added the peer to peer services using the service name drop down and selecting the common ones. To add, select it, set the priority, and click the + sign icon.

I then added my devices, this time using the Source IP or Mac dropdown. The name will show up if it was offered by the requesting client or was manually defined on the ASUS Client list. This makes it a cinch to add, unlike DD-WRT where you add each device by MAC address only.

Once defined, click the Apply button.

So what about the lower priority guest traffic? With ASUSWRT, any traffic not matching a rule gets routed to the “Low” setting. I have my low and lowest settings set to use very little bandwidth.

I now have ASUSWRT doing everything DD-WRT was doing, and without command line management.

Oh, and now is a good time to back up the configuration using the Administration/Save feature.
