Ubiquiti EdgeRouter Lite (UBNT ERLite-3) Update - still works great for my family, and for my VMware vSphere, Windows, and Linux home lab

Posted by Paul Braren on Jul 11 2017 (updated on Nov 17 2017) in
  • Networking
  • VMware
  • ESXi
  • HowTo
  • HomeLab
This article was originally intended for my audience at The Greater Boston Network Users Group at their July 11th meetup. Until I'm able to do a complete configuration walk through, this spot in a recent "Network Enthusiast" EdgeRouter video I created gives you a good look at how DNS is supposed to work in Windows + Linux and/or VMware vSphere home lab environments, using only this little metal box router. Look mom, no Microsoft AD/DNS/DHCP required!

    Shop

    This Ubiquiti EdgeRouter Lite (aka, UBNT ERLite-3) is available at Amazon, B&H, Newegg, and Wiredzone. These are affiliate links, full disclosure below.

    Product Page

    • Ubiquiti EdgeRouter Lite

    Model comparison (image)

    Steve Gibson brags about his beloved $65 "EdgeRouter X" on many Security Now podcast episodes, an even smaller router that uses the same firmware family. But the EdgeRouter X's specifications don't claim that it can also do a million packets per second. I wanted something fast enough for my home's 300Mbps/30Mbps connection, with a bit of future-proofing for even faster internet speeds someday. Even with a year of daily heavy use already behind me, I don't suspect I'll want or need to swap my ERLite-3 for some years to come.

    EdgeOS User Guide

    EdgeRouter Datasheet

    Firmware Download

    Status Update

    The ERLite-3 has been around since 2013, and it's still pictured in its original plastic body on Amazon. They're made of metal now, and have gained a lot of functionality since then through regular firmware updates; see the full history here. This "networking enthusiast" router has enjoyed a lot of popularity in the market, with mostly-favorable reviews on Amazon and on Ubiquiti's forum. I've personally owned two of these little ~$90 routers for about a year, one dedicated to my traveling home datacenter, and the other used heavily full time by my entire family, with better reliability than every consumer router I've used before it.

    ETH0 at left is connected to my cable modem, ETH1 is connected to my gigabit switch, and one of my 3 eero Wi-Fi devices is pictured at right, using SlimRun gigabit wired backhauls to the same gigabit home network.

    I rely on my ERLite-3 for all my home network routing, DNS, and DHCP functions, leaving the Wi-Fi duties to my wired-backhaul eero 3 pack, which I configured for bridge mode. This combination, wired up to my DOCSIS 3.0 SB6183 cable modem, gives me a consistent 300 Mbps down and 30 Mbps up from anywhere in my home, whether I'm wired or wireless. Hard not to be happy with that.

    The deployment overview below will hopefully help newbies make this little metal box behave much more like a consumer router. Don't bother configuring the router with the default firmware; update it first! All the steps are detailed below.

    Firmware

    1.9.1.1 - Current Version

    Download here. This is the latest release, it arrived in April 2017, and was just a security update, with no new features since December 2016's 1.9.1 release. Read all about 1.9.1.1 in the forums and release notes. You can also see future release announcements at the EdgeMAX Updates Blog that even features a handy RSS feed.

    1.9.7

    1.9.7 is in beta now, sign-up for access to the beta forums. When 1.9.7 is released, it might not have the DNS shortname fix incorporated, and it won't have OpenVPN vulnerability fixes, but 1.9.7-hotfix.1 will.

    2.0.x

    Future release with many new features and fixes. Date TBD.

    VPN server

    L2TP IPsec VPN Server

    It works; both the split-tunnel and tunnel-all settings, tested from iOS over LTE, work just fine, but:

    1. It can't be used in conjunction with UPnP: only the first tunnel connection works, and subsequent connections from the same or any other device require a router reboot. Note that UPnP shouldn't be turned on anyway, which I explained back in my consumer router days here and here.

    OpenVPN vulnerabilities

    I personally haven't gone through the admittedly better, but more complex, OpenVPN configuration process. But those who have may have spotted that some OpenVPN vulnerabilities were recently discovered by Guido Vranken's fuzzing techniques, see:

    Network diagram: Insecure about using public WiFi? Connect to your home's OpenVPN appliance for free (2014-Jul-22)

    OpenVPN patches have already been released for the installable versions of the OpenVPN server intended for actual servers (not this router). The Hyper-V and ESXi virtual appliances have unfortunately been neglected since the 3rd quarter of 2016, which is a shame, since I used to enjoy the occasional use of that OpenVPN VMware appliance, see also:

    Implementation of dnsmasq coming soon, we hope

    • dnsmasq seems more desirable for DNS/DHCP, since it may eliminate duplicate DNS admin overhead (see screenshots below), but it won't be available until the 2.x firmware release. Correction: see the Jul 31 2017 update below!

    How to properly configure DHCP and DNS for mixed-OS home labs

    Meanwhile, while we wait for Ubiquiti to get to 2.x, there is a very workable way to have robust DHCP and DNS (not DDNS) for your current Windows, Linux, and VMware hypervisors & VMs. I've been using this method extensively for a year now, and it hasn't let me down on the ERLite-3. While these weren't the most intuitive steps for me to figure out initially (dogged determination/trial-and-error), now that they're documented, implementing them is easy.

    For proper VMware forward (both FQDN and shortname) and reverse (IP) DNS lookups, which happen to also help Windows and Linux systems get to know one another on a first name, full name, or IP basis, here are the steps.

    Prepare your router

    1. Download latest firmware

      If your ERLite-3 is new, be sure to update the firmware first before bothering to configure anything at all! 1.9.1 is available here, with a video that guides you through the simple firmware update process here, using a laptop/PC/Mac directly attached to eth1.

      EdgeMAX - Upgrade Firmware via Web GUI
    2. Reboot

      When the firmware update is complete, you will be prompted to reboot.

    3. Use the Setup Wizard to turn it into a consumer-like router

      a. click on the Wizards tab, then along the left edge under Setup Wizards choose WAN+2LAN2
      b. under Internet port (eth0)
      c. under Firewall, ensure the checkbox is on for Enable the default firewall
      d. under LAN port (eth1) is where you create your network router/gateway IP address and subnet mask; most will like the defaults of 192.168.1.1 / 255.255.255.0
      e. under (Optional) Secondary LAN port (eth2) is where you create a second network router/gateway IP address and subnet mask. Most home and SOHO users won't need this, and will choose to uncheck the Enable the DHCP server checkbox like I did. Some may choose to isolate their Wi-Fi access points onto this separate network if they can run a backhaul cable right to this port (or via a switch), giving them better visibility into just the traffic generated by their Wi-Fi devices using the EdgeMAX Traffic Analysis tab, a live overview of traffic flow that leverages the optional Deep Packet Inspection (DPI), which doesn't seem to slow traffic down at all.

    4. Create a DHCP Reservation

      a. Power up your network-connected device, which by default will request a DHCP lease.
      b. in your ERLite-3 Web UI, navigate to
      DHCP Server / Actions / View Leases / Map Static IP [change the IP and/or Name to those desired] / Save / Close

    5. Create a DNS shortname/FQDN/IP entry

      a. in your ERLite-3 Web UI, navigate to
      Wizards / DNS host names / Static host names / Host name [enter FQDN] / Alias [enter short name] / IP Address [enter your available IP address], then click OK

    Admittedly, implementing the DHCP reservation and making the name entry is easy enough; it's maintaining the discipline to make all future changes in both places that is a bit tougher. Maybe dnsmasq will change all that, hopefully eliminating the need to both create a lease entry and create a duplicate DNS entry. But in all releases to date, the DHCP Lease GUI doesn't yet support dnsmasq.

    Screenshots

    Taken with 1.9.1.1 firmware loaded.

    The main Dashboard view: it's what you see when you first log into the router with your browser.
    Traffic Analysis view is available because I've turned on Deep Packet Inspection and left it on, which seemingly hasn't slowed things down at all.
    DHCP Server Static MAC/IP Mapping view.
    DNS host names wizard.

    Jul 31 2017 Update

    New firmware has arrived! See Release Notes v1.9.7, forum thread, and ERLite-3 download.

    I have not finished testing v1.9.7 yet, but these two lines in the notes looked very promising:

    [Dnsmasq] Fix bug when DHCP leases were not showing if dnsmasq was enabled
    [Dnsmasq] Preserve lease file after reboot. Discussed here

    as well as this comment by VMVN4565 in this forum post:

    ER-X SFP updated fine via GUI.

    so I dove right in and did the upgrade on my second router, the one used for my traveling home datacenter demonstrations. I will update this post accordingly, as I learn how this firmware release behaves. So far, implementing dnsmasq isn't quite as it's documented by Ubiquiti here:

    • EdgeRouter - Using dnsmasq for DHCP Server

      See also the screenshot below, but this particular section seemed promising, making me very glad I might not have to wait for a v2.x release to get dnsmasq with a GUI after all, and that the move might be eased by this automatic migration:

      When using dnsmasq, the entries configured under "static-mapping" will be translated to statically assigned A records in dnsmasq (using the dnsmasq host-record directive). If a client with a static-mapping entry sends a DHCP request with a different client-name, that client-name will be ignored.

    My first tests seem to be going well so far, with all static DHCP leases migrated over to the dynamic section, just as the above paragraph describes. In other words, I can now just pick my new device's DHCP lease from the GUI, set a reserved IP for it, and I'm done. No more duplicate effort to add them to the Wizards / DNS host names / Static host names area; they automatically appear in the Dynamic host names area right below it. Nice! I can't get shortname DNS queries to work yet though, but FQDN and reverse lookups are working just fine.

    Reading the forum posts further, this comment looks more worrisome to me:

    After an upgrade from v1.9.1 to v1.9.7 Hairpin NAT does not work.

    so this is something I'll definitely need to test, as I use hairpinning regularly. I'll also be re-testing IPsec, and maybe even a secure way to configure UPnP for use with whole-home network usage monitoring via NetWorx; we'll see. With 1.9.1.1, turning on UPnP would cause my IPsec VPN to only work once, with all subsequent connection attempts failing.

    On July 31 2017, I began upgrading my TinkerTry home network from 1.9.1.1 to 1.9.7, after making sure I had my current configuration saved, of course!
    Me testing a literal copy-and-paste of Ubiquiti's instructions in an SSH session, just to see what happens.

    This is what happens if you take every line of instruction way too literally; that's just me testing it verbatim, ready to reset to a known-good configuration easily at any point I scrogg things. I have some more tweaking of their instructions to do to get this right. I do wish there were a GUI for this migration from ISC DHCPD to dnsmasq.


    Aug 01 2017

    Testing is still underway. It's rather important I get lab testing right, so that when I deploy it into "production," aka running my family's home network, it runs well! It also has to do all the basics I need it to do for all my VMware vSphere infrastructure and VMs as well, keeping my Linux and Windows OSs talking to one another on a first name and full name (FQDN) basis.

    My plan is to help refine and simplify the entire process of configuring this router when it's first unboxed, greatly improving the out-of-box experience for new owners, especially those trying to configure a VMware VCSA-friendly network (forward FQDN and shortname & reverse lookups), with no need for Active Directory or Windows Server licenses, and no Linux skills required. Might be a pipe dream, but I try!

    What follows is a heavily modified version of Ubiquiti's instructions, adapted for my home network, which doesn't feature some of the items the original author uses in his example. I am:

    • using the Feature Wizard named WAN+2LAN2, and was at firmware v1.9.1.1 on my ERLite-3
    • using a domain named lab.local
    • using a System name server 127.0.0.1 (found in the "System" button at the bottom, under "Name Server", "System name server:")
    • my router is set to 10.10.1.1, but many folks may prefer 192.168.1.1
    • using ETH1 (I'm not using ETH2)
    • using no VLANs (removed 2nd line of step 3)
    • ok with the author's use of Google DNS 8.8.8.8, so I stuck with it; it avoids the need for you to look up the name of your ISP's DNS, but I realize some may prefer to use OpenDNS 208.67.222.222
    • already have a system domain name (removed step 5)
    • already have a DHCP domain in use that works fine, with no need to create new ones (removed step 6)
    • already use just the webUI for all DHCP reservations, and after the upgrade, I removed all the Static host mappings anyway, since they were all auto-migrated to the Dynamic host names area, and from here forward, I just fire up a new device, find it in DHCP leases, give it a reservation, and I'm done, forward and reverse lookup instantly work from all Windows and Linux PCs and VMs on my network! This all boils down to the shorter instruction set below.

    Disclaimer: I'm no networking expert. While you may find these instructions helpful, they are published here for informational purposes and my own reference. I cannot possibly provide support should you run into issues; there's so much that can go wrong. Please instead post your v1.9.7 question(s) in UBNT's excellent forum.

    Step 1: Back up your configuration

    Click on the System button along the bottom edge of the Web UI.
    Select Configuration Management & Device Maintenance / Back Up Config / Download backup config file / Download and save the file in a secure location.

    Step 2: Establish a baseline


    Here I demonstrate that I have a working configuration, where DNS lookups by IP, by FQDN, and by shortname all function perfectly. We'll repeat this after the upgrade to make sure everything is still working as it should.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network:

    ping 10.10.1.97 -n 1
    ping vcsa.lab.local -n 1
    ping vcsa -n 1
    nslookup 10.10.1.97
    nslookup vcsa.lab.local
    nslookup vcsa

    Step 3: Upgrade from 1.9.1.1 to 1.9.7

    See Release Notes v1.9.7, forum thread, then download your ERLite-3 firmware, and save it in a folder you'll remember.
    Then along the bottom edge of the EdgeRouter's Web UI, click:
    System / Configuration Management & Device Maintenance / Upgrade System Image / Upload system image: / Upload a file / navigate to the ER-e100.v1.9.7.5001798.tar file you downloaded, click on the Open button

    Step 4: Enable dnsmasq for DHCP

    Currently, this feature must be enabled using the CLI, as there is no webUI option to enable dnsmasq. Open an SSH session and authenticate. I would not recommend the CLI icon in the Web UI; instead, a separate SSH client is preferred for many reasons, including easy cut-and-paste.

    Enter the following commands:

    configure
    set service dhcp-server use-dnsmasq enable 

    Step 5: Adjust DNS Forwarding, DHCP, and System settings

    To allow local hostname resolution across networks, the following changes will need to be made to allow clients to use the router address as the DNS server, configure DNS forwarding options, and set the system name-server. This will also require setting a domain-name on the router and adding this domain-name to the dhcp-server(s) to distribute to clients so local hostnames resolve properly across networks.

    A. Set system name-server to loop back to the router itself, which will forward requests to the DNS servers set in the DNS forwarding settings.

    set system name-server 127.0.0.1

    B. Set global name-servers to resolve all external resolutions. Note, you should be sure that a public DNS server is not manually set on a client on the same network. For example, if an address like 8.8.8.8 is manually set on the client, it will prefer that address over the router's address issued by the DHCP-Server, so it won't be able to resolve names on your local network.

    set service dns forwarding name-server 8.8.8.8

    C. Set DNS forwarding listen-on address for all LAN interfaces including VLANs.

    set service dns forwarding listen-on eth1

    D. Set system domain-name.

    set system domain-name lab.local 

    E. Turn on UPnP2 (optional). All UPnP is off by default; UPnP2 is the more secure kind, with no GUI way to activate it. It works with NetWorx's "Monitor my router rather than this computer" feature.

    set service upnp2 listen-on eth1
    set service upnp2 nat-pmp enable
    set service upnp2 secure-mode enable
    set service upnp2 wan eth0

    F. Use commit to make all changes active and persistent.

    commit

    Step 6: View Leases

    With the release of v1.9.7, and after following the instructions above, DHCP leases are now shown in the webUI, much as they were when using the (default) ISC DHCPD for DHCP. You can choose any of the leases and configure a reservation.

    Step 7: Testing local DNS

    Try browsing the web from a system attached to ETH1. If that works, now try the web UI of something on your local network, such as a Linux-based (no NetBIOS) device that you've given a reservation, for example https://vcsa.lab.local. If that works, you're really done.

    If having trouble, first ping the local IP of the device, then ping the hostname, then ping the hostname with the domain-name. This should help you narrow down where your DNS configuration issue might be.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network:

    ping 10.10.1.97 -n 1
    ping vcsa.lab.local -n 1
    ping vcsa -n 1
    nslookup 10.10.1.97
    nslookup vcsa.lab.local
    nslookup vcsa

    Step 8: Testing remote DNS via IPSEC VPN (if you use VPN)

    On mobile cellular connected device outside of your network, connect the IPSEC VPN, then see if DNS works by trying a Web UI or SSH session to a known device on your home network, using IP first, then FQDN then shortname next.

    Step 9: Testing hairpinning

    If you use port forwarding, try accessing that device as if you're remote, but you're actually on your private LAN. If hairpinning is working, your access should work fine.

    Step 10: Save your configuration

    Before saving, you should make sure you've tested out all crucial functionality.

    A. If your testing went well, to make all the changes you made persist across reboots, save your configuration.

    save

    you are done!

    B. If your testing didn't go well and you don't wish to troubleshoot it, you can easily revert your configuration.

    exit discard

    This will back out of all changes made in the steps above, safely and easily, without having to resort to restoring from a backup of your configuration file, a last-resort process found under:
    System / Configuration Management & Device Maintenance / Restore Config / Upload config file: / Upload a file (button)


    Aug 02 2017 Update

    Added UPnP2 implementation steps to the configuration procedure above, which was using techniques discussed in this UBNT thread.


    Aug 10 2017 Update

    A new firmware hotfix has arrived; I have not tried it yet. It's called EdgeRouter ERLite-3/ERPoe-5 Firmware v1.9.7+hotfix.1.

    • Download

    • Release Notes

      [Release Notes v1.9.7+hotfix.1]

      Changelog

      Changes since v1.9.7

      New features
      n/a

      Enhancements and bug fixes
      [UNMS] Fix bug when configuration was randomly reset to default values after upgrade if UNMS service was configured. Discussed here
      [SSH] Fix security vulnerability via SSH when operator user was able to read/write configuration and gain full admin privileges
      [OpenVPN] Backport patch for multiple OpenVPN vulnerabilities (CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521). Discussed here.
      Updated software components
      n/a


    Aug 14 2017 Update

    I have made the move to EdgeRouter Lite v1.9.7+hotfix.1, the next few days of heavy use will reveal whether I'm happy with it or not. So far, so good.

    EdgeRouter Lite v1.9.7+hotfix.1

    Aug 22 2017 Update

    My issue with L2TP/IPSec VPN failure after the first connection struck again, for the first time I've seen it happen on v1.9.7, so it was time to figure out why, especially with travel to VMworld coming up this weekend. Then I found this UBNT forum comment:

    • L2TP over IPsec and UPNP2

      Sometime ago I reported that I was having issues with my L2TP/IPsec over the cellular network .... my symptoms were that I was timing out consequently my VPN connection failed until I rebooted my ERL --- after reboot my VPN would work for a period of time then time out again.

    I went ahead and typed the following command, to see which Apple device on my home network was opening a UPnP mapping for port 4500, a port that is also used for L2TP/IPsec:

    show upnp2 rules

    and tada, there it was: whatever device is at IP address 10.10.1.228 is using port 4500. Time for a quick visit to my EdgeMAX Web UI to pop on over to Services / Actions / Leases and search for .228, and it's one of my son's systems, a Mac Mini. No problem at all; time to fix this issue via SSH by simply blocking port 4500 over UPnP on my 10.10.1.0 network:

    configure
    set service upnp2 acl rule 15 action 'deny'
    set service upnp2 acl rule 15 description 'Block Port 4500 utilized by ATC'
    set service upnp2 acl rule 15 external-port '4500'
    set service upnp2 acl rule 15 local-port '0-65535'
    set service upnp2 acl rule 15 subnet '10.10.1.0/24'
    commit
    save
    exit

    As soon as I issued the commit command listed above, the problem was resolved. I was able to reconnect my VPN right away, with no need to reboot my ERLite-3. I tried it out for a day, and it was still working great. So I then typed save to preserve this new configuration across reboots, and finally exited my SSH session. Done! Everything about my ERLite-3 is configured exactly the way I always wanted it to work, and I can now move on to so many other projects.

    I'll likely be adding this to my configuration procedure, as documented above.


    Aug 24 2017 Update

    Well, it's back: the Mac Mini has taken port 4500 again. It seems the better fix might be to make this change to the Mac Mini configuration, addressing the problem at the source:

    Change made, let's see how it goes.

    Sep 06 2017 Update

    It's actually not just the port 4500 via UPnP issue; it's an OS counter that runs out, so after a few days of operation, the NetWorx live display of the router's speeds shows 0. The full function of NetWorx is immediately restored by just restarting the router. Well, that's a rather disruptive workaround. I'm still on the lookout for a better solution. Anybody got one?

    I've also now gone to:

    and so far, it seems to be working the same way as the previous 1.9.7 releases. This has been a busy few months of bug releases by UBNT.


    Nov 16 2017 Update

    "How DNS Works" published at "Quad9 DNS" on Nov 15, 2017.

    See new announcement from IBM today:

    This DNS service, named Quad9, is now available at https://www.quad9.net:


    How Quad9 works
    Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry's leading cyber security companies to give a real-time perspective on what websites are safe and what sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you'll automatically be blocked from entry - keeping your data and computer safe.

    Quad9 Infographic courtesy of Quad9.
    • Quad9 FAQ

      Will Quad9 filter content?
      No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.
      What does Quad9 log/store about the DNS queries?
      We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.

    and I've decided to give it a try, and will let you know how it goes. Yeah, I used to work at IBM for 21 years, but I had nothing to do with the team that apparently helped launch this service, which has apparently been in beta since 2016.

    Why?

    Privacy

    Well, my ISP is Cox Communications, and they tend to give me some strange Cox-customized search page of theirs when I type a URL wrong, and they're apparently now free to do whatever they want with my browsing data.

    I've been using Google DNS 8.8.8.8 and 8.8.4.4 for years, and it has served me well, and has been pretty fast. But Google does hold on to some of that rich DNS data, see Google Public DNS Privacy. Perhaps Quad9 holds on a little less, see Quad9 Your Privacy Is Paramount, and FAQ.

    Stay tuned, as it may be possible to use DNSSEC with the Ubiquiti EdgeRouter's dnsmasq that I'm now using, as explained in detail above. For now, much more investigation and testing is needed, especially pertaining to reliable NTP sync after reboots. You can read more about Quad9 DNSSEC and their full IPv6 support in their FAQ.

    Speed


    Turns out Quad9 DNS is maybe a tiny bit faster.

    Use DNS Benchmark to measure speed, here's how

    I measured DNS performance for my home's network here in zip code 06109 by running Steve Gibson's ancient DNS Benchmark a few times. It's a completely free portable application that needs no installation; just download and run DNSBench.exe to get started:
    a. Let the initial calibration finish in a few seconds
    b. click on the Nameservers tab
    c. click on the Add/Remove button
    d. type in 9.9.9.9 then click the Add button
    e. click on Remove 8 Dead Nameservers
    f. click on Close
    g. click on Run Benchmark
    h. right-click on the graph, choose Set Graph Scale as needed
    A few minutes later, the list was auto-sorted with the fastest DNS servers at the top. I get pretty much the same list each time, pictured here.

    Low-tech and imperfect-but-easy speed test, from the Windows command line.

    Remember, as described earlier in this article, I use computer names that I want resolved for my home's systems. This means my EdgeRouter Lite's Google DNS of 8.8.8.8 and 8.8.4.4 is only used for resolving external systems that aren't found in the local DNS. I'm now changing that to 9.9.9.9, as in quad nines. Certainly easy to remember.

    Change DNS on your router, not your PCs

    Everywhere I look in the Quad9 DNS how-to guides, they tell you to change DNS on the client device. Maybe that's just because explaining how to do this on a router is considerably tougher, especially in this day and age where many are stuck with the Wi-Fi router their ISP provides them with. This hard-coding is not always a great idea, especially for portable devices like laptops that travel, even if they have a VPN for some protection. When that device is away from home, captive portals may require that the local DNS server be handed to you by DHCP before you'll be able to surf the web at all. If you hard-coded your DNS server IP as Quad9 suggests, you'll be out of luck getting online. For this reason, along with the fact that I like the local computer names I've given DHCP reservations to have their DNS names fed to all my local Windows, Linux, and VMware VMs, I'd much prefer having my home's DHCP server/router dole out IP address leases. In a Windows Command Prompt, issuing ipconfig /all will show the lease pointing to the DHCP server/router itself for routing and DNS. The settings configured in the router that handle the forwarding magic cause a seamless hand-off of non-local DNS lookups. Those lookups go to the DNS forwarding target you configure, which for me is now set to 9.9.9.9 at Quad9. Here's how I did it; proceed at your own risk, and follow every step.

    How to change your EdgeRouter DNS forwarding

    Step 1: Back up your configuration

    Click on the System button along the bottom edge of the Web UI.
    Select Configuration Management & Device Maintenance / Back Up Config / Download backup config file / Download and save the file in a secure location.

    Step 2: Establish a baseline


    Here I demonstrate that I have a working configuration, where DNS lookups by IP, by FQDN, and by shortname all function perfectly. We'll repeat this after the change to make sure everything is still working as it should.

    Open a command line (Windows) / terminal (Mac/Linux), and issue the following commands, where vcsa is one of my system names on my network, and cnn.com is external:

    nslookup vcsa.lab.local
    nslookup cnn.com

    Make note of the results.

    Step 3: See what your DNS is set to, delete it, then add 9.9.9.9

    Currently, this setting must be changed using the CLI, as there is no webUI option to set DNS forwarding. Open an SSH session and authenticate. I would not recommend the CLI icon in the Web UI; instead, a separate SSH client is preferred for many reasons, including easy cut-and-paste.

    Enter the following commands, one line at a time, to see what DNS forwarding you have, delete whatever is there, set the new single DNS forwarding target to 9.9.9.9, then commit the change and check whether the commit worked:

    show dns forwarding nameservers
    configure
    show service dns forwarding
    delete service dns forwarding name-server 8.8.8.8
    delete service dns forwarding name-server 8.8.4.4
    show service dns forwarding
    set service dns forwarding name-server 9.9.9.9
    show service dns forwarding
    commit
    show dns forwarding nameservers

    Step 4: Test

    Back at the Windows command line.

    ipconfig /flushdns
    nslookup vcsa.lab.local
    nslookup cnn.com

    Make note of the results, comparing them with what you got before; they should be about the same. Go ahead and try browsing the web to be sure your browsing seems to be functioning just fine.
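    Here is a small check script, as an added example that is not part of this post or of Ubiquiti's documentation, that runs the same FQDN, shortname and reverse lookups as the baseline/post-change steps here and in Step 7 of the dnsmasq procedure above, keeps the answers so a before/after run can be compared, and maps the pattern of failures to the EdgeRouter setting to inspect first. The host name vcsa, domain lab.local and address 10.10.1.97 are this post's own lab values; the diagnosis messages are my reading of the narrowing procedure, not anything the router reports.

```python
"""Run the post's three DNS checks for one lab host and narrow down the
likely EdgeRouter setting when one of them fails.  Added example, not
code from the post or from Ubiquiti."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Forward = Callable[[str], Optional[str]]   # name -> IP string, or None if unresolvable
Reverse = Callable[[str], Optional[str]]   # IP -> name, or None when there is no PTR

# Assumed lab values, taken from the post's own examples.
HOST, DOMAIN, IP = "vcsa", "lab.local", "10.10.1.97"


def system_forward(name: str) -> Optional[str]:
    """Forward lookup through the OS resolver (the same path ping/nslookup use)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def lookup_all(host: str, domain: str, ip: str,
               forward: Forward = system_forward,
               reverse: Reverse = system_reverse) -> Dict[str, Optional[str]]:
    """The three lookups the post runs by hand: FQDN, shortname, reverse."""
    return {
        "fqdn": forward(f"{host}.{domain}"),
        "short": forward(host),
        "reverse": reverse(ip),
    }


def diagnose(results: Dict[str, Optional[str]],
             host: str, domain: str, ip: str) -> Tuple[str, str]:
    """Map which lookups failed to a short code plus the setting to inspect."""
    fqdn = f"{host}.{domain}"
    ok_fqdn = results["fqdn"] == ip
    ok_short = results["short"] == ip
    rev = (results["reverse"] or "").rstrip(".").lower()
    ok_rev = rev in (fqdn.lower(), host.lower())

    if ok_fqdn and ok_short and ok_rev:
        return "ok", "forward (FQDN + shortname) and reverse lookups all agree"
    if results["fqdn"] not in (None, ip) or results["short"] not in (None, ip):
        return "wrong-address", ("name resolves to a different IP: stale lease or "
                                 "reservation; re-check the DHCP static mapping")
    if not ok_fqdn and not ok_short:
        return "no-local-dns", ("nothing local resolves: confirm the client's DNS "
                                "server is the router (ipconfig /all) and that "
                                "'service dns forwarding listen-on' names the LAN "
                                "interface")
    if ok_fqdn and not ok_short:
        return "no-search-domain", ("FQDN works but the shortname does not: set "
                                    "'system domain-name' and hand that domain to "
                                    "clients via the DHCP server")
    if not ok_fqdn and ok_short:
        return "netbios-only", ("shortname works without the FQDN: the answer is "
                                "coming from NetBIOS/mDNS, not from the router")
    return "no-reverse", ("forward works but the PTR is missing: the host has no "
                          "DHCP reservation, so dnsmasq holds no record for it")


def compare(before: Dict[str, Optional[str]],
            after: Dict[str, Optional[str]]) -> List[str]:
    """Names of lookups whose answer changed between a baseline and a later run."""
    return sorted(k for k in before if before[k] != after.get(k))


if __name__ == "__main__":
    answers = lookup_all(HOST, DOMAIN, IP)
    code, advice = diagnose(answers, HOST, DOMAIN, IP)
    print(answers)
    print(f"{code}: {advice}")
```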

    Step 5: Save your configuration

    Prior to saving the change you made above, you should make sure you've tested out all crucial functionality first.

    A. If your testing went well, to make all the changes you made persist across reboots, save your configuration.

    save

    you are done!

    B. If your testing didn't go well and you don't wish to troubleshoot it, you can easily revert your configuration.

    exit discard

    This will back out of all changes made in the steps above, safely and easily, without having to resort to restoring from a backup of your configuration file, a last-resort process found under:
    System / Configuration Management & Device Maintenance / Restore Config / Upload config file: / Upload a file (button)

    Next up: working on a simple visit-this-URL way to confirm that 9.9.9.9 is your active DNS provider, and testing NTP set by IP after reboots, along with DNSSEC. Stay tuned!


    See also at TinkerTry

    How to install Ubiquiti EdgeMAX EdgeRouter firmware v1.9.1 onto UBNT ERLite-3
