DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Certificates, picky browsers, and DNS

25 May 2018 12:06 #13 by x64

maxwellhadley wrote: Well, my auto-generated /etc/resolv.conf shows only the ISP resolvers (IPv6 first)


Is your mac using dynamic or static IP?

BTW - I’ve just gone through the ‘pain’ of configuring https on my admin interfaces. I thought about Let’s Encrypt, but the 90 day certificate lifecycle put me off. I ended up using a local CA to generate the certificates (and distribute my own CA public key to my systems). The interesting thing is that the macOS Keychain Access app can be a CA and issue certificates for the Mac and other systems.

25 May 2018 13:14 #14 by maxwellhadley
Replied by maxwellhadley on topic Re: Certificates, picky browsers, and DNS
I'm using DHCP on most things, including all the Macs. I arrived in this situation from the other direction - using a LetsEncrypt certificate for SSL VPN first, then switching the admin interface to https.

It would be great if you could configure a Draytek to provision its own certificates from LetsEncrypt on a schedule. The latest Firebrick can do this, so why not?

25 May 2018 13:46 #15 by x64
In that case your DNS client entries are probably also picked up from DHCP. I’m miles away from my mac at the mo so I’m working on memory.... I think the command is:

scutil --dns
(two hyphens?)

What does that show? I think it should list the current dns client entries.

25 May 2018 14:18 #16 by maxwellhadley
Replied by maxwellhadley on topic Re: Certificates, picky browsers, and DNS
scutil --dns again shows just the ISP resolvers, followed by the mdns resolver for the local domain, and the various .arpa reverse-DNS resolvers.

Interestingly, nslookup [router name] 8.8.8.8, where [router name] is my router's domain name, also returns the LAN address of the router. It looks as if the Draytek is proxying all DNS requests, not just those to configured nameservers. Which would explain why it doesn't matter whether or not you change the nameservers handed out by DHCP.

25 May 2018 22:18 #17 by x64
I've just been playing with DIG and NSLOOKUP and I can confirm the behaviour that you describe. The Vigor intercepts DNS queries and answers them itself (whatever the queried nameserver is). I'm not yet sure if it only does this for records specified in LAN DNS or for all. Whilst for most people the interception would not be a problem, for me it's a big issue as I have not found a way (other than an internet access VPN) to get past it.

I'm a 3rd line network engineer and often have to target queries to particular nameservers to diagnose issues or to check for progress of recent changes. If I cannot trust the information I'm getting back from these basic tools then I cannot reliably work.... The tools still report that the server that I believe I queried answered. The only clue might be the TTL returned...

I still believe that the rest of the information that I posted about configuring LAN DNS rules is accurate - just that the need to manage the endpoint DNS client settings seems to be irrelevant...

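An added example, not code from any poster in this thread, of the check maxwellhadley and x64 describe: send a query straight to a public resolver (8.8.8.8, as used above) for a name that exists only in the router's LAN DNS and see whether a private address comes back. It assumes Python 3 and a hypothetical name such as router.home.example.

```python
import ipaddress
import random
import socket
import struct

def build_query(name, tid, qtype=1):
    """Build a minimal recursive query (A record by default) with transaction id tid."""
    header = struct.pack(">HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(buf, off):
    while True:  # walk labels until the root label or a compression pointer
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += length + 1

def parse_response(resp, tid):
    """Return (rcode, [(ttl, rdata), ...]) from a raw response matching tid."""
    rtid, flags, qd, an = struct.unpack(">HHHH", resp[:8])
    if rtid != tid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((ttl, rdata))
    return flags & 0xF, answers

def query(server, name, timeout=2.0):
    tid = random.getrandbits(16)  # unpredictable id, as a real stub resolver uses
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # direct UDP/53
        s.settimeout(timeout)
        s.sendto(build_query(name, tid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, tid)

def intercepted(answers):
    """A public resolver cannot know a LAN-DNS-only name, so a private address in
    its answer means a device on the path (here, the router) answered instead."""
    return any(isinstance(r, str) and ipaddress.ip_address(r).is_private for _, r in answers)
```

From the LAN, `intercepted(query("8.8.8.8", "router.home.example")[1])` returning True reproduces what maxwellhadley saw; the TTL in each answer is the other clue x64 mentions, since a router answering from its own LAN DNS table hands back its own value rather than a cache countdown.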

29 May 2018 10:15 #18 by bookit
Replied by bookit on topic Re: Certificates, picky browsers, and DNS
I have a 2860ac running 3.8.8_BT. Been experimenting with LAN DNS and LetsEncrypt SSL certificates.

The 2860 is set up to use Google DNS.

I’m using two FQDN forms, host.mydomain.tld for external access setup in my external DNS and host.home.mydomain.tld for internal access setup in the 2860’s LAN DNS definition.

My Synology NAS works great, I can HTTPS to it internally with no certificate errors. If I temporarily turn on external access via NAT on 2860 that works fine as well.

Access to the 2860 is not fully working. Externally I can connect VPNs with no certificate errors and if I temporarily turn on external management access that is fine to http and https.

Internally nslookup returns the correct internal IP for the 2860. If I try connecting to the 2860 internally with any web browser, http or https, using the FQDN, a DrayTek page comes up: “… is categorized with [Black List] has been blocked by DNS Filter”. Strangely nothing is shown in syslog for this block. I’ve turned off all APP, URL, WCF and DNS filters but the problem remains. I’ve tried a URL keyword whitelist in the DNS filter definition but it still blocks.

Been at it for two days so will welcome any suggestions please!
