Surf-LAN DNS
This manual describes how to configure the Local DNS Forwarder Settings for the Surf-LAN on the IACBOX. You can find these settings in the WebAdmin menu Network under the tab Surf-LAN DNS.
If you are searching for the Upstream DNS Server Settings please refer to the DNS documentation.
If you are searching for the DNS Filter Settings please refer to the DNS documentation.
General
Added in Version
Support for DNS over TLS (DoT) and DNS over HTTPS (DoH) was introduced in version v24.2.

The following options are available for the Surf-LAN DNS configuration:
- Return Surf-LAN IP for unknown domains: If a DNS request is made for a nonexistent domain (NXDOMAIN), the DNS answer will be replaced by the Surf-LAN IP address. This setting is discouraged and disabled by default, as it can lead to unexpected behavior.
- Prevent DNS tunnels for offline clients: This option activates certain protections against DNS tunneling for offline clients.
- Cache for successful DNS requests: Amount of successful DNS requests to be cached (Default: 10000). On systems with sufficient memory and high DNS request rates, increasing this value can improve performance.
- Cache for denied DNS requests: Amount of denied DNS requests to be cached (Default: 2500). On systems with sufficient memory and high DNS request rates, increasing this value can improve performance.
- Count Top Domains: Gather statistics about the most requested domains in the Surf-LAN. The statistics can be viewed on the WebAdmin Dashboard. Disabling this option may improve performance on systems with very high DNS request rates.
- Enable DNS over TLS (DoT): Enable encrypted DNS over TLS for DNS requests from Surf-LAN clients.
- Enable DNS over HTTPS (DoH): Enable encrypted DNS over HTTPS for DNS requests from Surf-LAN clients. Both HTTP/2 and HTTP/3 are supported.
- Block DNS-Bypass via Apple Private Relay (iCloud+): Blocks DNS requests to Apple Private Relay servers to prevent DNS bypass. It is highly recommended to enable this option.
- Block DNS-Bypass via public DoH: Blocks DNS requests to known public DoH servers to prevent DNS bypass. It is highly recommended to enable this option.

DNS Bypass
Requests for domains listed in the DNS Bypass table will never be modified by the Surf-LAN DNS forwarder. It is possible to use wildcards (*) in the domain names (e.g. *.example.com).

DNS Redirect
The DNS Redirect table allows you to redirect requests for certain domains to a different IP address. Instead of an IP, the value NXDOMAIN can be used to effectively block access to certain domains.
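The following Python script is an added illustration, not IACBOX code, of how the three documented mechanisms (DNS Bypass with wildcards, DNS Redirect with an IP or NXDOMAIN, and the "Return Surf-LAN IP for unknown domains" option) interact for a single query. The table contents, the Surf-LAN address 10.0.0.1 and the simulated upstream answers are all constructed placeholders, and the evaluation order (bypass entries are checked first, because the page says they are never modified) is this example's reading of the documentation, not a statement about the product's internal implementation.

```python
"""Model of the Surf-LAN DNS forwarder policy described on this page.

Added illustration, not IACBOX code. For a query name it applies, in order:
  1. the DNS Bypass list (wildcards allowed) -> answer is never modified,
  2. the DNS Redirect table (IP address or the literal NXDOMAIN),
  3. the upstream answer, with NXDOMAIN optionally replaced by the Surf-LAN IP
     when "Return Surf-LAN IP for unknown domains" is enabled.
"""
from fnmatch import fnmatchcase

SURF_LAN_IP = "10.0.0.1"  # constructed example Surf-LAN address

# Constructed example tables; placeholders, not real IACBOX defaults.
BYPASS = ["*.example.com", "intranet.local"]
REDIRECT = {
    "ads.example.net": "NXDOMAIN",      # block by answering NXDOMAIN
    "portal.example.org": SURF_LAN_IP,  # send clients to the box itself
}
# Constructed stand-in for the upstream resolver: name -> IP (None = NXDOMAIN).
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "ads.example.net": "203.0.113.5",
    "portal.example.org": "198.51.100.7",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot and lower-case."""
    return name.rstrip(".").lower()


def is_bypassed(name: str, bypass=BYPASS) -> bool:
    """True if the name matches a DNS Bypass entry; '*' matches any label run.

    fnmatchcase treats '*' as 'any characters', so '*.example.com' covers
    'a.example.com' and 'a.b.example.com' but not the bare 'example.com'.
    """
    n = normalize(name)
    return any(fnmatchcase(n, normalize(pattern)) for pattern in bypass)


def upstream_lookup(name: str):
    """Simulated upstream resolution (constructed data, no network access)."""
    return UPSTREAM.get(normalize(name))


def resolve(name: str, *, bypass=BYPASS, redirect=REDIRECT,
            return_surf_lan_ip: bool = False) -> str:
    """Return the answer handed to the Surf-LAN client: an IP or 'NXDOMAIN'."""
    n = normalize(name)
    upstream = upstream_lookup(n)

    # 1. Bypass entries are passed through untouched, even when the upstream
    #    answer is NXDOMAIN and the Surf-LAN IP replacement is switched on.
    if is_bypassed(n, bypass):
        return upstream if upstream is not None else "NXDOMAIN"

    # 2. Redirect table: configured IP, or the literal NXDOMAIN to block.
    target = {normalize(k): v for k, v in redirect.items()}.get(n)
    if target is not None:
        return "NXDOMAIN" if target.upper() == "NXDOMAIN" else target

    # 3. Plain forwarding; optionally rewrite NXDOMAIN to the Surf-LAN IP.
    if upstream is None:
        return SURF_LAN_IP if return_surf_lan_ip else "NXDOMAIN"
    return upstream


if __name__ == "__main__":
    for q in ["www.example.com", "missing.example.com", "ads.example.net",
              "portal.example.org", "unknown.example.invalid"]:
        print(f"{q:28} plain={resolve(q):16} "
              f"surf_lan_ip_for_unknown={resolve(q, return_surf_lan_ip=True)}")
```

Running the script prints one line per constructed query, showing that a bypassed name stays NXDOMAIN even with the replacement option on, that a redirected name never reaches the upstream answer, and that only an unlisted, unknown name is affected by the discouraged "Return Surf-LAN IP for unknown domains" option.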
