Draytek 2862ac - DNSSEC Query

Associate
Joined
1 May 2019
Posts
5
Location
Yorkshire
New to the forum, but not firewalls etc :)

Just got myself a lovely 2862ac to replace an ageing Cisco RV134W unit. Internet access, wifi, DHCP, MAC binding, bandwidth management, outbound packet filters and service objects all sorted without issues.

My question is around DNS Security. I'd like my router to act as the DNS server on my network, fulfilling requests via DNSSEC against Google's 8.8.8.8. I can't seem to find how to specify my WAN DNS servers, without using the option of 'force router to use the DNS servers settings from LAN1'. In this instance the router is then configured to connect to 8.8.8.8 using DNSSEC fine, however my clients also then get dished 8.8.8.8 for DNS, and bypass the router for queries.

Any clues anyone?
 
Associate
Joined
6 Jun 2016
Posts
1,560
That’s how Drayteks work with DNS. They operate as a transparent DNS proxy so you see the external DNS servers on your local machines.
 
Associate
OP
Joined
1 May 2019
Posts
5
Location
Yorkshire
Thanks for the response.

However, in this scenario, local machines don't take advantage of DNS Security natively. If I swap a client to use the Draytek as its DNS server, I see the DNS cache build on the Draytek, which would indicate requests being served by it. If I then clear that cache and use the DNS server dished by the Draytek's DHCP scope (8.8.8.8), the requests go directly out and aren’t fulfilled by the Draytek itself.

The ideal I'm looking for is to set the DHCP scope to advertise the Draytek as the clients' DNS server, and have the Draytek use 8.8.8.8 securely. This is possible, although only by manually repointing the clients' DNS servers, which is not ideal.
 
Last edited:
Associate
Joined
6 Jun 2016
Posts
1,560
The ideal I'm looking for is to set the DHCP scope to advertise the Draytek as the clients' DNS server, and have the Draytek use 8.8.8.8 securely. This is possible, although only by manually repointing the clients' DNS servers, which is not ideal.

I don't think you can do that on Drayteks, if you want to use the Draytek to forward you have to specify the Draytek as the DNS server manually on clients. You could ask Draytek support, they are quite good and will remote in to assist.
 
Soldato
Joined
2 Dec 2005
Posts
5,515
Location
Herts
Not sure about your method of checking the Draytek is caching (you see the cache? where? how are you clearing it?)

Instead you could try timing DNS queries (dig, drill, etc.) for a fresh name and then the same again and see if the time reduces to ~0. You might find that Google DNS is already really fast, so change to a slower one temporarily (ISP one or some random distant one if you can find one).

Regarding DNSSEC, how do you know the Draytek isn't intercepting the request, fulfilling it with DNSSEC, then returning a plain result?
 
Associate
Joined
6 Jun 2016
Posts
1,560
Not sure about your method of checking the Draytek is caching (you see the cache? where? how are you clearing it?)

You can see the caching activity in "Diagnostics >> DNS Cache Table". I've checked a few of my Drayteks at work and it's blank in all of them. The cache only updates if you manually set the DNS server on clients to be the Draytek.
 
Soldato
Joined
3 Jun 2005
Posts
3,065
Location
The South
Set your LAN(x) DHCP DNS to your Draytek's address (you might need to select the 'force' option) and then add your forwarder to the WAN DNS.

I haven't got a unit in front of me to test (most of our setups use an external DNS server on the network) so this is purely thinking aloud but that might do what you're after.


Edit - Ignore, this should be the default behavior.
I'd have a look on their 'Knowledge' site (you'll need to register) and/or drop their support a line.
 
Last edited:
Associate
OP
Joined
1 May 2019
Posts
5
Location
Yorkshire
Thanks for all the advice, I've got it working/resolved I believe. Still testing completely however.

The trick it turns out, is to utilise the conditional DNS forwarding feature. I created a parameter of *.* (as it supports wildcards) and pointed it at the IP of the Draytek. I can see the cache building on the router in response to queries I make on clients, even though the clients are configured with 8.8.8.8 as their DNS server. The ‘force router to use DNS settings’ feature is still enabled, and looking at 8.8.8.8 with DNS Security confirming the green padlock.

Still need to somehow verify all this mind!!
 
Last edited:
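One way to do the two checks the thread asks for (timing the same lookup twice to see whether the Draytek is serving it from cache, and seeing whether answers come back with the DNSSEC AD flag set), as an added example that is not from any post in this thread. It uses only the Python standard library; the router's LAN address 192.168.1.1 and the test name example.com are assumptions, so change them to suit.

```python
import socket
import struct
import time

RESOLVER = "192.168.1.1"  # assumption: the Draytek's LAN IP (change to your router)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A query with an EDNS0 OPT record carrying the DO bit,
    which asks the resolver to do DNSSEC and report validation via AD."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE 41, UDP size 4096, ext-RCODE 0, version 0, flags DO=0x8000, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response: bytes) -> dict:
    """Pull out the header bits that matter here: AD (validated by the resolver),
    RCODE, and the answer count. AD is bit 5 of the flags word."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": txid, "ad": bool(flags & 0x0020), "rcode": flags & 0x000F, "answers": an}

def timed_query(name: str, server: str = RESOLVER, timeout: float = 3.0) -> dict:
    """Send one query over UDP and return the parsed flags plus round-trip time in ms."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - t0) * 1000
    info = parse_flags(data)
    info["ms"] = round(elapsed_ms, 1)
    return info

if __name__ == "__main__":
    name = "example.com."  # assumption: any DNSSEC-signed name you have not looked up recently
    first, second = timed_query(name), timed_query(name)
    print("first :", first)
    print("second:", second)
    # A second answer that is much faster than the first means the router served it from
    # its own cache; AD=True means the responder validated the answer rather than passing
    # a plain, unvalidated result back to the client.
    print("cached by resolver:", second["ms"] < first["ms"] / 4)
    print("DNSSEC validated  :", first["ad"] and second["ad"])
```

Run it from a client that is pointed at the router; if AD comes back False with a signed name, the box is proxying but not validating on the client's behalf.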