Wow man, you have some great videos. I have been wondering what's going on in the backend with Unifi equipment for a long time and it has made advanced configurations quite challenging, but you have definitely helped!
Excellent info. Btw, in the current version of Network app, if you have a custom Internet/WAN DNS set and go to enable DNS Shield it'll warn you that it will override.
So, what's the point in having the option to select a DNS in WAN if when DNS Shield is enabled, it will take over the WAN DNS anyway? Shouldn't make more sense that options for DNS in WAN became graded out and give an information message to warn the user that DNS Shield settings are inhibiting DNS WAN setting? This would have make it more user-friendly to understand the way it really works. BTW many thanks for your video as I doubt I would have never find out how the settings take over each other without your video. I subscribed already :)
I am completely with you on this! But we all know how Ubiquiti responds to this type of "minor" things in the web interface, so I never bothered to suggest anything to them.
@@hz777 actually I was just playing around with it again and I just find out that if you set up the WAN DNS and later go to DNS Shield and change it to auto or manual it gives you a warning message: “the DNS server configured on the WAN will no longer be used” 😂
Thank you for the very informative video. Now the one question I have is can we use our own DNS over HTTPS server? Can I manually override this in the cli?
Nope, because the UI's list comes from the url in the DNScrypt-proxy config file. Even if you manually change the file, you won't be able to touch the list of servers hosted on public web. Having said that, I don't see why you want to use DNS Shield if you host your own DNS resolver already.
Thanks for another great video! Can you share how you used Wireshark to capture the traffic on the router? Did you use a client device and set WS to capture the WAN port of the UXG pro?
The router in the video is for my lab environment, which is behind the main router of my home, so I can easily run Wireshark on wan port. An alternative way is to run tcpdump in ssh to the router, to capture wan port traffic.
your video descriptions with different virtual/physical hosts being shown are amazing and graphics are very clean. what program(s) do you use to virtualize and tile your windows like this? really enjoy the minimalist look. keep up the great content.
Thanks for the video! I would seem there are 3 DNS related features we may want to implement 1) Blocking ads (pihole) 2) Full DNS server (not just a relay/proxy - Unbound) 3) DNS encryption (Unbound and DNS Shield). If you want all 3, it would appear Pihole + Unbound is still the ticket?
The DNScrypt-proxy features are not completely exposed in unifi's DNS Shield yet, so there are something to improve there for sure. And if Ubiquiti can add DNS log function, it will be perfect.
@@hz777 At the moment I have my pihole DNS upstream server set as the LAN port of my Gateway Max to try out DNS Shield. I just purchased this unit. I haven't had a UniFi security device since the USG. Figured I'd see if they made any progress in the space. Indeed, they have.
I have never said pi-hole was the best practice:) However, even with DNS Shield, UniFi routers still miss some features in pi-hole, but for me DNS Shield is good enough.
@@hz777 Haha , yeah I know you didn't say best! I just followed some of your previous videos and setup my pi-hole and wasn't sure if that was still the way to go! :D Both seem great obviously, especially if you don't want to go through the process of setting up one or two pi-holes. Great vid as always.
Excellent video
Wow man, you have some great videos. I have been wondering what's going on in the backend with Unifi equipment for a long time and it has made advanced configurations quite challenging, but you have definitely helped!
Love every video. Learning so much keeps me coming back every time.
Very informative, but still device's hard-coded DNS take priority and ignore DNS shield.
Excellent info. Btw, in the current version of Network app, if you have a custom Internet/WAN DNS set and go to enable DNS Shield it'll warn you that it will override.
Wow this guy knows what he is doing!! Thank you learned so much!!
love your videos, I always wanted to test these setups but I don't have money to build a lab, and I can't disrupt production environment...
The quality of the information in this video is incredible. The amount of detail and low level testing you do to teach how this works is unreal.
So, what's the point in having the option to select a DNS in WAN if when DNS Shield is enabled, it will take over the WAN DNS anyway?
Shouldn't make more sense that options for DNS in WAN became graded out and give an information message to warn the user that DNS Shield settings are inhibiting DNS WAN setting?
This would have make it more user-friendly to understand the way it really works.
BTW many thanks for your video as I doubt I would have never find out how the settings take over each other without your video. I subscribed already :)
I am completely with you on this! But we all know how Ubiquiti responds to this type of "minor" things in the web interface, so I never bothered to suggest anything to them.
@@hz777 actually I was just playing around with it again and I just find out that if you set up the WAN DNS and later go to DNS Shield and change it to auto or manual it gives you a warning message: “the DNS server configured on the WAN will no longer be used” 😂
@andreamessina6439 interesting... So the warning is only implemented in one way instead of completely.
Thank you!
Thank you for the very informative video. Now the one question I have is can we use our own DNS over HTTPS server? Can I manually override this in the cli?
Nope, because the UI's list comes from the url in the DNScrypt-proxy config file. Even if you manually change the file, you won't be able to touch the list of servers hosted on public web.
Having said that, I don't see why you want to use DNS Shield if you host your own DNS resolver already.
Thanks for another great video! Can you share how you used Wireshark to capture the traffic on the router? Did you use a client device and set WS to capture the WAN port of the UXG pro?
The router in the video is for my lab environment, which is behind the main router of my home, so I can easily run Wireshark on wan port.
An alternative way is to run tcpdump in ssh to the router, to capture wan port traffic.
your video descriptions with different virtual/physical hosts being shown are amazing and graphics are very clean. what program(s) do you use to virtualize and tile your windows like this? really enjoy the minimalist look. keep up the great content.
For vm, I use ESXi; for tile management, I use window tidy.
great video! nice work.
Thanks for the video! I would seem there are 3 DNS related features we may want to implement 1) Blocking ads (pihole) 2) Full DNS server (not just a relay/proxy - Unbound) 3) DNS encryption (Unbound and DNS Shield). If you want all 3, it would appear Pihole + Unbound is still the ticket?
I think so as well.
The DNScrypt-proxy features are not completely exposed in unifi's DNS Shield yet, so there are something to improve there for sure. And if Ubiquiti can add DNS log function, it will be perfect.
@@hz777 At the moment I have my pihole DNS upstream server set as the LAN port of my Gateway Max to try out DNS Shield. I just purchased this unit. I haven't had a UniFi security device since the USG. Figured I'd see if they made any progress in the space. Indeed, they have.
Would you still say Pi-Hole is best practice? Or just use DNS shield?
I have never said pi-hole was the best practice:) However, even with DNS Shield, UniFi routers still miss some features in pi-hole, but for me DNS Shield is good enough.
@@hz777 Haha , yeah I know you didn't say best! I just followed some of your previous videos and setup my pi-hole and wasn't sure if that was still the way to go! :D Both seem great obviously, especially if you don't want to go through the process of setting up one or two pi-holes. Great vid as always.
Juicy