ASUS routers running Merlin firmware offer advanced DNS configuration options beyond basic server changes. This guide covers everything from simple DNS server switching to implementing DNS over TLS, DNSSEC validation, and conditional forwarding for maximum privacy and performance.
🔐 Why Change Your Router's DNS?
- Privacy: ISP DNS servers log your browsing activity
- Speed: Faster DNS can improve web browsing
- Security: Block malware and phishing domains
- Bypass Censorship: Access blocked websites
- Ad Blocking: Network-wide ad filtering
Recommended DNS Providers
Provider | Primary DNS | Secondary DNS | Features | Privacy |
---|---|---|---|---|
TorGuard DNS | 10.8.0.1 | 10.8.0.2 | No-logs, VPN integrated | ⭐⭐⭐⭐⭐ |
Cloudflare | 1.1.1.1 | 1.0.0.1 | Fast; malware blocking via 1.1.1.2 | ⭐⭐⭐⭐ |
Quad9 | 9.9.9.9 | 149.112.112.112 | Threat blocking | ⭐⭐⭐⭐⭐ |
NextDNS | 45.90.28.0 | 45.90.30.0 | Custom filtering | ⭐⭐⭐⭐ |
AdGuard DNS | 94.140.14.14 | 94.140.15.15 | Ad blocking | ⭐⭐⭐⭐ |
Basic DNS Configuration
Step 1: Access Router Interface
- Open a web browser and navigate to one of:
  - http://192.168.1.1 (default)
  - http://router.asus.com (alternative)
  - Or your custom router IP
- Log in with admin credentials
Step 2: Navigate to WAN Settings
- Click Advanced Settings (left menu)
- Select WAN
- Choose Internet Connection tab
Step 3: Configure DNS Servers
Under WAN DNS Setting section:
- Set Connect to DNS Server automatically to No
- Enter your preferred DNS servers:
- DNS Server 1: Primary DNS (e.g., 1.1.1.1)
- DNS Server 2: Secondary DNS (e.g., 1.0.0.1)
- Click Apply to save changes

Advanced DNS Features in Merlin
DNS over TLS (DoT)
Encrypt DNS queries for privacy:
- Navigate to WAN > Internet Connection
- Find DNS over TLS (DoT) section
- Enable DNS over TLS
- Select preset or configure custom:
- Preset: Cloudflare, Quad9, etc.
- Custom: Enter DoT server address
Popular DoT Servers
Provider | DoT Address | Port |
---|---|---|
Cloudflare | cloudflare-dns.com | 853 |
Quad9 | dns.quad9.net | 853 |
NextDNS | [your-id].dns.nextdns.io | 853 |
DNSSEC Validation
Enable DNSSEC for authenticity verification:
- Go to Administration > System
- Find DNSSEC support
- Turn on the Enable DNSSEC support option
- Apply settings
Conditional DNS Forwarding
Route specific domains through different DNS servers:
- SSH into router:
ssh [email protected]
- Create custom config:
nano /jffs/configs/dnsmasq.conf.add
- Add forwarding rules:
# Forward work domains to corporate DNS
server=/company.local/10.0.0.1
server=/internal.corp/10.0.0.1
# Forward streaming to fastest DNS
server=/netflix.com/1.1.1.1
server=/youtube.com/1.1.1.1
- Restart dnsmasq:
service restart_dnsmasq
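dnsmasq sends `server=/domain/ip` forwards as ordinary DNS on port 53, so a rule that names a public resolver is not covered by the router's DoT setting. The function below is an added example, not part of the original guide: it classifies each rule's upstream so those cleartext forwards stand out. The function name and sample variable are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): classify the upstream of every
# conditional-forwarding rule so cleartext forwards to the internet stand out.
# Reads dnsmasq config from stdin or from files given as arguments.
# Output per rule: "<scope> <domain> <upstream>", scope = local | public
classify_forward_rules() {
    awk -F/ '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*server=\/.+\/.+/ {
            up = $NF                             # last field is the upstream
            sub(/[#@].*$/, "", up)               # drop optional #port / @interface
            gsub(/[ \t\r]/, "", up)              # drop stray whitespace
            if (up == "") next                   # "server=/domain/#" has no IP
            scope = "public"
            # RFC 1918 and loopback IPv4 only; anything else counts as public
            if (up ~ /^10\./ || up ~ /^192\.168\./ || up ~ /^127\./ ||
                up ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
                scope = "local"
            for (i = 2; i < NF; i++)             # server=/a/b/ip names several domains
                print scope, $i, up
        }' "$@"
}

# Constructed sample: the four rules from the section above.
SAMPLE_RULES='# Forward work domains to corporate DNS
server=/company.local/10.0.0.1
server=/internal.corp/10.0.0.1
# Forward streaming to fastest DNS
server=/netflix.com/1.1.1.1
server=/youtube.com/1.1.1.1'

printf '%s\n' "$SAMPLE_RULES" | classify_forward_rules
```

On the router, run it against the live file: `classify_forward_rules /jffs/configs/dnsmasq.conf.add`.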
DNS-Based Ad Blocking
Method 1: DNS Filtering Service
- Use ad-blocking DNS providers:
- AdGuard DNS: 94.140.14.14
- Alternate DNS: 76.76.2.11
- CleanBrowsing: 185.228.168.9
Method 2: Diversion Script
- Install Diversion via amtm:
amtm
i (Install)
Select Diversion
- Configure blocking lists
- Enable pixelserv-tls for HTTPS ads
IPv6 DNS Configuration
For IPv6 networks:
- Navigate to IPv6 settings
- Set Auto Configuration Setting to Stateless
- Configure IPv6 DNS:
- DNS Server 1: 2606:4700:4700::1111 (Cloudflare)
- DNS Server 2: 2606:4700:4700::1001
DNS with VPN Enabled
Configure VPN DNS
- Go to VPN > VPN Client
- In client settings:
- Accept DNS Configuration: Exclusive
- Redirect Internet traffic: Yes
- This ensures all DNS goes through VPN
DNS Leak Prevention
# Add to OpenVPN client config
dhcp-option DNS 10.8.0.1
# Windows clients only: other platforms treat block-outside-dns as an unknown option
block-outside-dns
DNS Performance Testing
Test Current DNS
# From router SSH
nslookup google.com
dig google.com @1.1.1.1
# Response time test
time nslookup google.com
Benchmark Multiple Servers
#!/bin/sh
# DNS benchmark script
for dns in 1.1.1.1 8.8.8.8 9.9.9.9; do
    echo "Testing $dns..."
    time dig "@$dns" google.com +noall +answer
done
Troubleshooting DNS Issues
DNS Not Changing
- Clear DNS cache:
service restart_dnsmasq
- Reboot router: Some changes require full restart
- Check WAN status: Ensure internet connection is up
Slow DNS Resolution
- Try servers geographically closer
- Disable DNSSEC if causing delays (responses are then no longer validated)
- Check router CPU usage during queries
DNS Leaks with VPN
- Verify "Accept DNS Configuration" is set to Exclusive
- Add custom DNS to VPN config
- Test at dnsleaktest.com
Advanced DNS Scripts
Auto-Switch DNS Based on VPN Status
#!/bin/sh
# /jffs/scripts/vpn-dns-switch.sh
if [ "$1" = "up" ]; then
    # VPN is up, use TorGuard DNS
    nvram set wan_dns1_x="10.8.0.1"
    nvram set wan_dns2_x="10.8.0.2"
else
    # VPN is down, use public DNS
    nvram set wan_dns1_x="1.1.1.1"
    nvram set wan_dns2_x="1.0.0.1"
fi
nvram commit
service restart_dnsmasq
DNS Query Logging
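# Enable query logging (the log directory /opt/var/log must already exist)
# The log records every domain each client looks up, so restrict access to it
echo "log-queries" >> /jffs/configs/dnsmasq.conf.add
echo "log-facility=/opt/var/log/dnsmasq.log" >> /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq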
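With log-queries on, dnsmasq records each upstream lookup as a `forwarded <name> to <ip>` line, so the log gives a router-side check that lookups only reach the resolvers you intended, such as the VPN DNS from the leak-prevention section. The function below is an added example, not part of the original guide; its name and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report upstream resolvers in a
# dnsmasq query log that are not on an allow-list.
# Usage: unexpected_upstreams "ip1 ip2 ..." [logfile ...]   (stdin if no file)
# Output: "<count> <upstream>" per unexpected resolver; empty when clean.
unexpected_upstreams() {
    allowed=$1
    shift
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # dnsmasq logs each upstream query as "... forwarded <name> to <ip>"
        NF >= 4 && $(NF - 3) == "forwarded" && $(NF - 1) == "to" {
            up = $NF
            sub(/#.*$/, "", up)                  # strip "#port" if logged
            if (!(up in ok)) seen[up]++
        }
        END { for (u in seen) print seen[u], u }' "$@" | sort -k2
}

# Constructed log lines in dnsmasq log-queries format (VPN up, so only the
# VPN resolvers 10.8.0.1 and 10.8.0.2 are expected as upstreams).
SAMPLE_LOG='Jan  5 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.23
Jan  5 10:00:01 dnsmasq[812]: forwarded example.com to 10.8.0.1
Jan  5 10:00:01 dnsmasq[812]: reply example.com is 192.0.2.10
Jan  5 10:00:04 dnsmasq[812]: query[A] netflix.com from 192.168.1.40
Jan  5 10:00:04 dnsmasq[812]: forwarded netflix.com to 1.1.1.1
Jan  5 10:00:09 dnsmasq[812]: query[AAAA] youtube.com from 192.168.1.40
Jan  5 10:00:09 dnsmasq[812]: forwarded youtube.com to 1.1.1.1
Jan  5 10:00:12 dnsmasq[812]: forwarded example.org to 10.8.0.2'

printf '%s\n' "$SAMPLE_LOG" | unexpected_upstreams "10.8.0.1 10.8.0.2"
```

On the router, pass the log path from the logging setup as the second argument: `unexpected_upstreams "10.8.0.1 10.8.0.2" /opt/var/log/dnsmasq.log`.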
Security Best Practices
- Use DNS over TLS: Encrypts queries from router to DNS server
- Enable DNSSEC: Validates DNS responses
- Avoid ISP DNS: They log and sometimes redirect queries
- Test regularly: DNS servers can change policies
- Multiple servers: Always configure primary and secondary
DNS Provider Comparison
Feature | TorGuard | Cloudflare | Quad9 | |
---|---|---|---|---|
No Logs | ✅ | ✅ | ✅ | ❌ |
Malware Blocking | ✅ | ✅ (1.1.1.2) | ✅ | ❌ |
DNSSEC | ✅ | ✅ | ✅ | ✅ |
DoT/DoH | ✅ | ✅ | ✅ | ✅ |
Global Servers | VPN Only | ✅ | ✅ | ✅ |
✅ Configuration Complete Checklist
- Automatic DNS disabled in WAN settings
- Custom DNS servers configured
- DNS over TLS enabled (optional)
- DNSSEC validation active (optional)
- Settings applied and router responding
- DNS leak test passed