Your ISP
router is actually a router +
ONT combo. In the days before fiber, we would say router + modem combo.
For
DNS leak:
It has nothing to do with the ISP router. The ISP router gets a DNS server from Airtel (which will be hosted by Airtel) and all devices are provided that DNS server when using DHCP to get an IP address assigned. Airtel can easily log your browsing history this way as they can map the IP from the DNS request and your customer ID.
You can prevent this by setting your DNS to 1.1.1.1 on your own router (which will act as the DHCP server) and not connect anything directly to the Airtel router (via Wi-Fi or LAN) except your own router, no bridge mode required. This will fix the DNS "leak" as the test will say Cloudflare instead of Airtel.
But that is not enough these days, as DNS itself is not encrypted and Airtel can still see the DNS requests sent to 1.1.1.1 and log them easily, just requires more effort.
To fix the unencrypted DNS issue, you have 3 options:
- Browser: Set up Encrypted DNS in Chrome settings
- Native OS level: Supported by most modern OSes (Windows, Android, iOS, macOS), look up instructs
- Fake VPN (OS level): Use apps like 1.1.1.1 that set up a fake VPN tunnel just to intercept the plaintext DNS requests and return the result via encrypted DNS)
However, all 3 of these options require per-device configuration. If you want ALL devices (e.g., some
smart TV) to be covered then it's best to buy something like a
Raspberry Pi and set it up as a DNS server, or you could buy a router that supports custom firmware like OpenWRT and run the server on the router itself. Then the devices will send unencrypted DNS to your DNS server (custom firmware router/Raspberry PI - something local like 192.168.0.10) but that DNS server will only send encrypted requests to the upstream DNS server (1.1.1.1).
Where the issues with the ISP router come in:
- As you noted, poor WiFi performance. Although if you are not even getting 300Mbps then maybe it is an issue with distance or your client device or simply because you are on the 2.4GHz band. Because even the low end ISP provided WiFi 5 routers can provide that these days.
- ISP router is completely locked, you can't change anything except WiFi settings. So, you can't change the default DNS server even if you set up a Raspberry Pi or something else as a DNS server. You're forced to configure DNS per-device and that leaves a privacy risk.
- ISPs have full access to the ISP router, can change settings or push firmware updates remotely. Don't put reuse or put any sensitive information in your Wi-Fi password please, as Airtel can see it.
Bridge mode isn't required to fix the above issues. You can simply connect your own router's WAN port to the ISP router's LAN port to fix those. The ISP router will still act as a router but only act as if 1 device is connected to it (your own router).
What bridge mode offers:
- Disables most of the routing functionality and mostly makes the ISP router act as a converter between fiber and ethernet. The router's crappy hardware is moved out of the way. It doesn't really improve ping or increase bandwidth but can help with issues like bufferfloat or network performance between 2 devices on LAN (which can use higher bandwidth than your internet speed). This is useful for gaming.
- Your own router gets a public WAN IP address as opposed to a LAN IP (192.168.x.x) from the router, and you have the freedom to enable port forwarding, UPnP and other locked settings on the ISP router without ever logging into the ISP's router interface. Again, useful for gaming and power users.
- Your packets go through one less device (1 less network hop), again, doesn't visibly impact latency but can help with jitter and other issues.
- Your LAN is protected from the ISP as your own router is the firewall, not the ISP's router.
