Encrypted DNS on server, client router, or both?

A little confused with DNS settings for my Wireguard server. Use case is just keeping everything full tunnel and routing my work laptop (connected to Beryl AX travel router) traffic back home to the Wireguard VPN (Brume 2) with no DNS leaks.

Which device should I encrypt DNS on if any? I definitely would choose to encrypt over HTTPS since port 443 is normal while TLS would look suspicious. I currently choose Google or Cloudflare servers manually for server and client routers.

You can only encrypt DNS on devices that talk to encrypted DNS servers. In home networks this isn’t the case, mostly. So you will set up your router so that it talks encrypted to the ISP’s one, or Google or whatever.

If your end device talks directly to a 3rd-party DNS server, you will enable encrypted DNS there.

Sorry, but this doesn’t really answer my question. I know that the GL.iNet router, whether it’s on the server or client side, allows me to encrypt DNS. My question was which end makes most sense to encrypt (for my use case)? And is there any reason to not encrypt DNS on both ends? I suppose the client side traffic is already supposed to be going through the full tunnel anyway, but not sure. Again, I do want to limit “red flags” to an IT dept that might be snooping. So I know DNS over TLS would be weird, but maybe encrypted DNS in general is too much of a red flag. Not sure.

It does answer your question if you knew more about encrypted DNS :wink:

More encryption = Better. Always.
But: Your router does not support encrypted DNS out-of-the-box. The only thing you activate by using encrypted DNS on the router is the encrypted talk between the router and the router’s upstream DNS. Not between the end device and the router! Which is totally fine for home networks.

My 2 cents about this: Let your router use encrypted DNS and tell your client to forward all DNS requests to your router. But if you route all your traffic through your home router, you can encrypt on every device if you like to.

*sigh* Talk to them if you are afraid of it. If you suspect that they are snooping without your knowledge, you should change your company. If your employee says “No” to remote work, it is something you need to accept. Changing a job is always possible. If they don’t care at all, you should not care about red flags, then.

> It does answer your question if you knew more about encrypted DNS :wink:
> More encryption = Better. Always.
> But: Your router does not support encrypted DNS out-of-the-box. The only thing you activate by using encrypted DNS on the router is the encrypted talk between the router and the router’s upstream DNS. Not between the end device and the router! Which is totally fine for home networks.

Fair enough. So at this point, it’s more a question of does adding encryption to DNS slow down throughput at all?

> *sigh* Talk to them if you are afraid of it. If you suspect that they are snooping without your knowledge, you should change your company. If your employee says “No” to remote work, it is something you need to accept. Changing a job is always possible. If they don’t care at all, you should not care about red flags, then.

I don’t think they snoop. When I joined, they explicitly said that despite the device being managed by them, they absolutely do not snoop into things.

I’ve actually traveled all over the world with my work devices without using a VPN with no issue. It’s not uncommon for employees to travel, or take their devices on vacation like I did. That said, in the long term, I’d rather cover my *** and rather be safe than sorry (i.e., get questioned or trip some alarm such as strange DNS traffic). I don’t need to change my job, it’s great and flexible. Don’t ask don’t tell is all that needs to be said here. Remote working for 2 week periods is not doing any harm. No different than traveling for work or taking a vacation. Zero paperwork gets filled out, and nothing changes on my taxes. Uncle Sam still gets his normal cut according to tax bracket. Anyway, I digress…

Nope, it does not. I mean technically it does, of course, because you need to invest more power into encrypted DNS than into plain one, but you will not notice it.

Great, that’s what I expected. Well, now I just need to know two more things:

  1. Will encrypted DNS on the client router look “strange” if it passes through my work’s Cisco Umbrella DNS servers (let’s assume encryption over HTTPS/port 443)?

  2. If I decide to not encrypt client-side DNS, then I assume Manual (with Google or Cloudflare) is the preferred DNS option for the travel router so that Automatic doesn’t use the parent router’s DNS which could be something strange if in a different country. However, that probably wouldn’t matter because the DNS traffic is supposedly going through my full Wireguard tunnel! I guess the idea of setting Manual here would be an extra layer of safety for DNS leaks if I understand correctly.

Maybe 2015, but now encrypted DNS is pretty normal - so no, does not look strange.

I can’t answer the 2nd to be honest because I am not fully sure how GL devices handle DNS at all, speaking of sending them through the VPN tunnel. That’s because they need DNS before VPN starts - because how would they be able to connect to a VPN domain if there is no DNS available at this time? Maybe they will switch to sending all DNS traffic through the VPN as soon as the VPN is connected - not sure about that.

> That’s because they need DNS before VPN starts - because how would they be able to connect to a VPN domain if there is no DNS available at this time? Maybe they will switch to sending all DNS traffic through the VPN as soon as the VPN is connected - not sure about that.

This is a great point, and I’m pretty sure I’ve heard it before somewhere else online. In that case, I’m definitely going to set my DNS manually. I will try encrypted here as well.
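As an added example (not code from this thread or from GL.iNet), here is a small Python checker that reads a WireGuard client config and flags the leak conditions discussed above: a full tunnel with no DNS pinned, a DNS server that is not routed through the tunnel, and an Endpoint given as a hostname, which has to be resolved by whatever resolver is active before the tunnel is up. The sample configs, the 10.8.0.0/24 addressing and the placeholder keys are constructed.

```python
# Static DNS-leak check for a WireGuard client config. Constructed example, not
# the thread's or GL.iNet's code. See dns_leak_findings() for the three checks.
import ipaddress
FULL_TUNNEL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def parse_wg(text):
    # Minimal INI parser: [Interface]/[Peer] sections, repeated keys kept as lists.
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = {"_name": line[1:-1]}
            sections.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).append(val)
    return sections

def dns_leak_findings(text):
    secs = parse_wg(text)
    iface = next((s for s in secs if s["_name"] == "Interface"), {})
    peers = [s for s in secs if s["_name"] == "Peer"]
    allowed = [ipaddress.ip_network(x.strip(), strict=False) for p in peers
               for v in p.get("AllowedIPs", []) for x in v.split(",") if x.strip()]
    dns = []
    for x in ",".join(iface.get("DNS", [])).split(","):
        try:
            dns.append(ipaddress.ip_address(x.strip()))
        except ValueError:
            pass  # DNS= may also carry search domains; skip those
    findings = []
    if any(n in FULL_TUNNEL for n in allowed) and not dns:
        findings.append("full tunnel but no DNS= pinned: parent-router/DHCP resolver is used")
    for d in dns:  # a pinned resolver only helps if its address is routed into the tunnel
        if not any(d in n for n in allowed):
            findings.append(f"DNS {d} is outside AllowedIPs: queries bypass the tunnel")
    for ep in (e for p in peers for e in p.get("Endpoint", [])):
        host = ep.rsplit(":", 1)[0].strip("[]")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"Endpoint {host} is a hostname: resolved before the tunnel is up")
    return findings

LEAKY = ("[Interface]\nPrivateKey = PLACEHOLDER_KEY\nAddress = 10.8.0.2/24\n"  # constructed
         "[Peer]\nPublicKey = PLACEHOLDER_KEY\nAllowedIPs = 0.0.0.0/0, ::/0\n"
         "Endpoint = vpn.example.home:51820\n")
# Same tunnel with DNS pinned to the home router and the endpoint given as an IP.
FIXED = LEAKY.replace("Address = 10.8.0.2/24", "Address = 10.8.0.2/24\nDNS = 10.8.0.1"
                      ).replace("vpn.example.home", "203.0.113.10")
```

Run `dns_leak_findings(LEAKY)` to see both the missing-DNS and hostname findings, and `dns_leak_findings(FIXED)` to get an empty list.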