XIV. Miscellaneous Questions

How does DNS work on DrayTek routers?

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
DNS
content filtering
lan dns

The Domain Name System (or DNS) links host names to IP addresses. The way that DNS is handled on DrayTek routers varies depending on the firmware version. This article details how DNS is handled with different versions of firmware on DrayTek routers.
This article only applies to DrayTek routers and is not applicable to other devices such as Access Points, Switches and Modems.

DNS Proxy with Advanced DNS Filtering

The router operates as a transparent DNS Proxy, which allows it to perform DNS Filtering by applying either Web Content Filtering or URL Content Filtering to DNS queries. This allows the router to block access to sites reached over HTTPS and other encrypted access methods; it does this by inspecting DNS queries that go through the router, including DNS queries made to external DNS servers. The router modifies DNS queries that the content filter blocks, which blocks access to content that is blocked by the Web Content Filter or URL Content Filter.

DNS Filter to apply Content Filtering

The [CSM] > [DNS Filter] feature is linked to the Firewall's Filter Rules. This makes it possible to exclude specified IPs from DNS filtering, schedule DNS Filtering or apply different DNS Filter profiles to different network segments.

When the router is used as the DNS server by client machines, the configuration of [CSM] > [DNS Filter] - DNS Filter Local Setting will apply instead.

Customising Local DNS

The [Application] > [LAN DNS] feature can specify custom DNS responses and supports wildcards. This allows the router to catch DNS queries for the specified host names and answer with the IP address(es) specified in the LAN DNS profile.

For instance, if a LAN DNS profile is configured with a hostname of "www.example.*", the router will modify the DNS response for any DNS queries that contain "www.example", such as www.example.co.uk and www.example.com.

To apply this custom DNS only to specific clients, there is an option to specify different DNS responses depending on the IP range of the client making the DNS query. For instance, a router with two VLANs can give a local IP address response to a client located on the same subnet as that server, while DNS queries made from the other VLAN will receive the public IP address.

Forwarding Specific DNS Queries to another DNS server

The LAN DNS feature also supports Conditional DNS Forwarding, so that any DNS queries matching a specified hostname suffix or prefix, such as *.local, can be sent to a specified DNS server IP address, such as a Windows domain server performing DNS for a local network. Conditional DNS forwarding will work regardless of the DNS server that the client machine is using.
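An added example, not DrayTek code: a small Python model of the LAN DNS behaviour described above (wildcard host names, answers that depend on the client's IP range, conditional forwarding), useful for checking which names a wildcard profile would capture. The profile values, addresses, glob-style matching and the order of evaluation are assumptions made for illustration, not the router's documented algorithm.

```python
import fnmatch
import ipaddress

# Constructed sample configuration (hypothetical names and addresses).
LAN_DNS_PROFILES = [
    {"pattern": "www.example.*",
     # (client range, IP returned); the first range containing the client wins
     "answers": [
         (ipaddress.ip_network("192.168.1.0/24"), "192.168.1.10"),  # same VLAN as server
         (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.10"),       # everyone else
     ]},
]
CONDITIONAL_FORWARDERS = [("*.local", "192.168.1.2")]  # e.g. a domain server
DEFAULT_UPSTREAM = "198.51.100.53"                      # stands in for the ISP DNS


def resolve(qname, client_ip):
    """Return ("answer", ip) for a LAN DNS override, else ("forward", server)."""
    name = qname.rstrip(".").lower()
    client = ipaddress.ip_address(client_ip)
    # Assumption: LAN DNS profiles are consulted before conditional forwarding.
    for profile in LAN_DNS_PROFILES:
        if fnmatch.fnmatchcase(name, profile["pattern"]):
            for net, ip in profile["answers"]:
                if client in net:
                    return ("answer", ip)
    for pattern, server in CONDITIONAL_FORWARDERS:
        if fnmatch.fnmatchcase(name, pattern):
            return ("forward", server)
    return ("forward", DEFAULT_UPSTREAM)


def audit(names, client_ip):
    """List the observed names that a LAN DNS profile would override."""
    return [n for n in names if resolve(n, client_ip)[0] == "answer"]


if __name__ == "__main__":
    # Constructed query names, as might be seen in a DNS log.
    seen = ["www.example.com", "www.example.co.uk",
            "www.example.unrelated.test", "www.examples.com", "fileserver.local"]
    for client in ("192.168.1.50", "192.168.2.50"):
        for name in seen:
            print(client, name, resolve(name, client))
    print("overridden:", audit(seen, "192.168.2.50"))
```

Under this glob model the wildcard also captures www.example.unrelated.test, so a broad pattern should be checked against real query logs before it is relied on.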

DNS Cache

The router also operates as a DNS Forwarder for client machines using the router as the DNS server. The router's DNS server has a DNS Cache, which can be checked and controlled from [Diagnostics] > [DNS Cache].

Older Routers - DNS Proxy with DNS Filtering

Router Models | Firmware
Vigor 2860, Vigor 2925, Vigor 2760 (DrayOS) | 3.7.4 to 3.7.5
Vigor 2830 | 3.6.4 to Current
Vigor 2850 | 3.6.4 to Current
Vigor 2920 | 3.6.4 to Current
Vigor 3200 | 3.6.4 to Current

The router operates as a transparent DNS Proxy, which allows it to perform DNS Filtering by applying Web Content Filtering to DNS queries. This allows the router to block access to sites reached over HTTPS and other encrypted access methods; it does this by inspecting DNS queries that go through the router, including DNS queries made to external DNS servers. The router modifies DNS queries that the content filter blocks, which blocks access to content that is blocked by the Web Content Filter.

The [CSM] > [DNS Filter] feature, when enabled, applies content filtering to all DNS queries.

The [Application] > [LAN DNS] feature can specify custom DNS responses. This allows the router to modify all DNS queries that go through the router for the host names specified, answering with the IP address(es) specified in the LAN DNS profile. The feature has 20 different profiles and can specify multiple IP addresses per profile. There is also an option to specify different DNS responses depending on the IP range of the client making the DNS query. For instance, a router with two VLANs can give a local IP address response to a client located on the same subnet as that server, while DNS queries made from the other VLAN will receive the public IP address.

The router also operates as a DNS Forwarder for client machines using the router as the DNS server. The router's DNS server has a DNS Cache, which can be checked and controlled from [Diagnostics] > [DNS Cache].

Older Routers & Firmware - DNS Forwarder and DNS Cache

Router Models | Firmware
Vigor 2860, Vigor 2760 | Up to 3.7.3
Vigor 2830, Vigor 2850, Vigor 2920, Vigor 3200 | Up to 3.6.4
Vigor 2820, Vigor 2910, 2930, Vigor 2950, 2955, Vigor 2710, 2110 | Current
Vigor IPPBX 2820, Vigor IPPBX 3510 | Current
Vigor 2800, 2900, Vigor 2600, Vigor 2700 | Current

The router operates as a DNS Forwarder and DNS Cache.

DNS queries from client machines using the router's IP for DNS are forwarded by the router to the ISP DNS servers and the response is returned to the client machine. The router also caches this response and can answer additional queries for the same hostname without needing to forward the DNS query to an external server.

The DNS servers that the router will use are shown on the [Online Status] > [Physical Connection] page under the LAN Status details.

The router does not inspect DNS query content and does not alter the DNS query in any way.

The DNS server that the router uses can be changed from [LAN] > [General Setup] by entering DNS server addresses on that page and ticking Force DNS Manual Setting, which will force the router to use the specified DNS servers.

