Router

<aside> 📎

About Security

A traditional DNS request uses UDP without encryption, so the Wi-Fi router or an on-path middleman can intercept the request (MITM attack), see which domain's IP is being requested, and then respond with a malicious IP, sending the user to a malicious website (a DNS spoofing attack). That website can present its own self-issued SSL certificate, so the user won't notice easily.

How to Avoid

  1. Use an encrypted connection for DNS requests, preventing MITM attacks.
  2. Ensure the device sends its requests to a trustworthy DNS server that returns legitimate IP addresses.

Example

  1. Traditional
    1. Device → Router → ISP’s DNS server (via UDP)
  2. Cloudflare 1.1.1.1 (DNS over HTTPS, or DoH) satisfies both requirements.
    1. Device → Router → 1.1.1.1 DNS server (via HTTPS)
  3. A trusted VPN provides the encrypted tunnel for requirement 1, but may or may not provide its own DNS servers.
    1. Device → Router → VPN server (via WireGuard) → ISP's DNS server (via UDP)
    2. Device → Router → VPN + VPN's DNS server (via WireGuard) (ideal scenario)

If the router hands out a malicious DNS server address, approach 3.a is still not safe: the tunnel only encrypts the path to the VPN server, and the query still goes to whatever resolver the device was given. The 3.a scenario is similar to Apple devices using iCloud Private Relay without DoH.
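The two transports from the example above, built as an added illustration (not code from the original note): the same wire-format query is readable by anyone on the path when it travels over UDP/53, and is only ever cleartext inside TLS when wrapped as a DoH POST. It assumes the 1.1.1.1 DoH endpoint at /dns-query, and the response is a constructed sample using a documentation-range IP.

```python
import struct

def build_query(domain, txid=0x1234):
    """Minimal DNS A query in RFC 1035 wire format (what goes out on UDP/53)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def qname_from_packet(payload):
    """Read the queried name out of a plaintext message: what a router or ISP sees."""
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def doh_request(payload, host="1.1.1.1", path="/dns-query"):
    """Same message as an RFC 8484 DoH POST; this cleartext exists only inside TLS."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode("ascii") + payload

def build_response(query, ip, ttl=300):
    """Constructed sample answer for the query (offline test data, not a real reply)."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + query[12:] + answer

def first_a_record(response):
    """Return the first A-record IP, or None. Nothing in the message proves who sent
    it; over plain UDP that trust has to come from the transport, as the note says."""
    _, _, qdcount, ancount = struct.unpack(">HHHH", response[:8])
    pos = 12
    for _ in range(qdcount):  # skip the question section
        while response[pos] != 0:
            pos += 1 + response[pos]
        pos += 1 + 4  # terminating zero + QTYPE/QCLASS
    if ancount == 0:
        return None
    pos += 2  # assumes the answer name is a compression pointer (as built above)
    rtype, _, _, rdlength = struct.unpack(">HHIH", response[pos:pos + 10])
    pos += 10
    if rtype != 1 or rdlength != 4:
        return None
    return ".".join(str(b) for b in response[pos:pos + 4])
```

Feed `build_query("example.com")` to `qname_from_packet` to see how trivially the name is recovered from the UDP payload; the DoH bytes carry the identical message, but an observer of that connection only sees 1.1.1.1:443 and ciphertext.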

</aside>

<aside> 📎

About Privacy

Example

  1. Device
  2. Router (LAN Gateway)
  3. Internet Service Provider (ISP)
  4. VPN Server
  5. DoH Provider

Even if we only use DoH without a VPN, it is still beneficial. The request content is encrypted, so the ISP cannot see the actual domain. The connection that follows is harder to analyze for its purpose, because one IP address can serve several services. For instance, on seeing a connection to 142.250.190.14, the ISP might guess you're using a Google service, but it won't know whether it's Gmail, Google Search, or another product.

</aside>

Devices

LAN devices can connect to each other using their private IPs, as long as this is allowed:

This works because all LAN devices are on the same subnet. Devices on different subnets need router configuration to reach each other, or must belong to the same VLAN.