A few questions about the RT-AC68 firmware

[TheLyppardMan]

I have a number of queries regarding the latest version of the Asus and Merlin firmware, running on an RT-AC68U router, which I am posting on the forum and also sending to Asus support, so some of the questions here may not be totally relevant.

1. With previous Asus firmware, the dns settings on the router (e.g., to use OpenDNS content filtering) could easily be circumvented by setting different dns settings on a client computer. The Merlin version seemed to be much better in that respect. Q: Is the latest Asus firmware factory-configured to block this loophole and if not, can the user change a setting to make sure it doesn’t occur?

2. How effective is the new Trend filtering option that comes with the RT-AC68U compared with something like OpenDNS?

3. Are both options available in the new Merlin version and can they both be used in tandem or does it have to be one or the other?

4. With the Asus firmware, if the dns settings are changed to use OpenDNS, can the Trend filters still be used?

 

[A.D.]

With previous Asus firmware, the dns settings on the router (e.g., to use OpenDNS content filtering) could easily be circumvented by setting different dns settings on a client computer. The Merlin version seemed to be much better in that respect. Q: Is the latest Asus firmware factory-configured to block this loophole and if not, can the user change a setting to make sure it doesn’t occur?

If you configure your router to use a DNS server then it will use that for two things, namely for internal functionality such as URL filtering and for providing this information to DHCP clients. (Some devices can also act as a caching DNS server on the LAN side.)

Nothing keeps a LAN client from having a static IP configuration (including IP address) so in no way is the router's DNS config mandatory for any LAN client.

In this regard, calling a static DNS config (regardless of static or dynamic IP address) a "loophole" is a misconception.

I would be surprised to find that asuswrt-merlin differs in this regard from the stock firmware. If a firmware had this option, it would be a convenience function influencing several settings, which (wildly guessing) doesn't suit the UI's paradigm very well.

Of course you can block DNS traffic to other DNS servers than those you want to allow allow with any reasonabe firewall. I use my ASUS as an AP only but I'd be surprised if the ASUS can't handle the required filter ruless.

[EDIT]

Depending on what you want to achieve, you might want to consider other aspects. If a LAN participant can establish a VPN, the DNS settings may also be bypassed. And in general, trying to keep users from doing things via DNS is a pretty weak approach.

 

[TheLyppardMan]

From what I recall, I carried out the following experiment. I set the dns server settings on the router to use OpenDNS. Then, after confirming that my Internet traffic was going via OpenDNS, I changed the dns settings on my PC to Google's dns (8.8.8.8 & 8.8.4.4). I then ran the OpenDNS test again. Using the stock firmware, I reached the OpenDNS Oops page, meaning the Internet traffic was no longer being filtered by OpenDNS. However, when I repeated the test using Merlin's firmware, despite changing my PC's dns settings to Google, I still received the OK message from OpenDNS. I'm sure I also get the same result with Tomato, which I'm currently running, but I'll double check and add a further comment.

 

[TheLyppardMan]

Screenshots show the results I am getting with Tomato. I'm pretty sure I got the same results with Merlin's firmware, but not with the Asus stock firmware, which did allow me to by-pass the router dns settings.

 

[fryedchikin]

You can use the AiProtection>DNS-based Filtering options to force specific clients to use a certain DNS server, regardless of what the client is configured to use.

 

[TheLyppardMan]

You can use the AiProtection>DNS-based Filtering options to force specific clients to use a certain DNS server, regardless of what the client is configured to use.

Is that with the Merlin firmware and is OpenDNS one of the options or is it only Trend Micro that is available?

 

[RMerlin]

1. With previous Asus firmware, the dns settings on the router (e.g., to use OpenDNS content filtering) could easily be circumvented by setting different dns settings on a client computer. The Merlin version seemed to be much better in that respect. Q: Is the latest Asus firmware factory-configured to block this loophole and if not, can the user change a setting to make sure it doesn’t occur?

I developed the DNSFilter feature, it's only available in my firmware.

2. How effective is the new Trend filtering option that comes with the RT-AC68U compared with something like OpenDNS?

Much better at detecting malicious websites, Trend Micro using the same database to drive their business security suite's website filter.

3. Are both options available in the new Merlin version and can they both be used in tandem or does it have to be one or the other?

Nothing prevents you from using DNSFilter with OpenDNS in addition to Trend Micro's malicious websites filtering.

4. With the Asus firmware, if the dns settings are changed to use OpenDNS, can the Trend filters still be used?

Yes. Trend Micro's engine works independently from the configured DNS.

 

[TheLyppardMan]

Thanks Merlin. I'll put your firmware on the router when I get it and give it a go.