Disable DNS changing in UI

Dee dee

Regular Contributor
All,

Is there a way that I can make it so that any connected device must use the DNS servers that I specify in my ASUS router?

I have the RT-AX3000 running Asus Merlin.

I remember I used OpenWrt or Tomato many years ago, and there was an option I set that made it so that if you changed your DNS server on your Windows machine or anything, you wouldn't get internet access.

I saw this article but I wasn't sure what it was, I don't remember. Website example
 

Tech9

Part of the Furniture
DNSFilter in LAN section set to Router
 

Dee dee

Regular Contributor
DNSFilter in LAN section set to Router
I did that and then on my laptop I set the custom DNS to 1.1.1.1 and I'm still able to access the internet on the same Wi-Fi device.

Is there anything else I have to be doing?
 

eibgrad

Part of the Furniture
DNSFilter doesn't block access to the internet. It forces any change by the client to a different DNS server than you intended to use your intended server. And ultimately, that's what you want, right?
 

Dee dee

Regular Contributor
OK, and possibly an amateur question: how do I make sure in Windows that it's using the DNS server that I specified and not the one that they're using?
 

Dee dee

Regular Contributor
DNSFilter doesn't block access to the internet. It forces any change by the client to a different DNS server than you intended to use your intended server. And ultimately, that's what you want, right?
Yes, basically, so the kids are always using NextDNS and it blocks any malicious or spyware or any of that stuff.
 

eibgrad

Part of the Furniture
P.S. Personally, I always verify what DNS is being used via connection tracking. That's absolute proof and doesn't rely on a third party.

Code:
watch -tn5 "cat /proc/net/nf_conntrack | egrep 'dport=(53|853) '"

What you'll see are various LAN clients communicating w/ DNSMasq based on its LAN ip, then DNSMasq forwarding those public queries over the WAN.

This technique is particularly useful when you're concerned not just what DNS server is being used, but which network interface is being used for that DNS server (e.g., WAN vs. VPN).
 
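An added example, not part of eibgrad's post: the conntrack check above extended into a small script that labels each DNS flow, so a redirected client can be told apart from one that reached an outside resolver. The router address 192.168.1.1, the LAN prefix, the sample lines and the label names are all assumptions constructed for illustration, and it assumes DNSFilter redirects with NAT, so the reply side of a redirected flow carries the router's address.

```shell
#!/bin/sh
# Added example: label each DNS flow (dport 53/853) in conntrack output.
# ROUTER_IP and LAN_PREFIX are assumed values; set them for your own LAN.
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"

# Reads nf_conntrack lines on stdin. Each line holds two tuples: the
# original direction (what the client asked for) and the expected reply.
classify_dns_flows() {
    awk -v router="$ROUTER_IP" -v lan="$LAN_PREFIX" '
    {
        n = 0; osrc = ""; odst = ""; rsrc = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) {
                n++
                if (n == 1) osrc = substr($i, 5)
                if (n == 2) rsrc = substr($i, 5)
            } else if (n == 1 && $i ~ /^dst=/) {
                odst = substr($i, 5)
            } else if (n == 1 && $i ~ /^dport=/) {
                port = substr($i, 7)
            }
        }
        if (port != "53" && port != "853") next
        if (index(osrc, lan) != 1)  label = "UPSTREAM"    # router forwarding out the WAN
        else if (odst == router)    label = "DIRECT"      # client asked the router
        else if (rsrc == router)    label = "REDIRECTED"  # asked elsewhere, router answered
        else                        label = "BYPASS"      # external resolver answered
        print label, osrc, "->", odst ":" port
    }'
}

# Constructed sample lines (documentation addresses stand in for WAN and upstream).
sample_conntrack() {
    cat <<'EOF'
ipv4     2 udp      17 27 src=192.168.1.50 dst=192.168.1.1 sport=40001 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=40001 packets=1 bytes=76 mark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.60 dst=1.1.1.1 sport=40002 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.60 sport=53 dport=40002 packets=1 bytes=76 mark=0 use=2
ipv4     2 udp      17 29 src=203.0.113.10 dst=198.51.100.53 sport=40003 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40003 packets=1 bytes=76 mark=0 use=2
ipv4     2 tcp      6 7439 ESTABLISHED src=192.168.1.60 dst=1.1.1.1 sport=40004 dport=853 packets=9 bytes=1200 src=1.1.1.1 dst=203.0.113.10 sport=853 dport=40004 packets=8 bytes=3100 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 7440 ESTABLISHED src=192.168.1.50 dst=198.51.100.80 sport=40005 dport=443 packets=9 bytes=1200 src=198.51.100.80 dst=203.0.113.10 sport=443 dport=40005 packets=8 bytes=3100 [ASSURED] mark=0 use=2
EOF
}

# On the router: classify_dns_flows < /proc/net/nf_conntrack
sample_conntrack | classify_dns_flows
```

A REDIRECTED line is the filter doing its job for a client that set its own resolver; a BYPASS line on port 853 is a flow that reached an outside resolver without being redirected.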

Tech9

Part of the Furniture
Yes, basically, so the kids are always using NextDNS and it blocks any malicious or spyware or any of that stuff.

DNSFilter to Router, IPv6 disabled, port 853 blocked and this blocklist in Diversion. :)
 

Dee dee

Regular Contributor
P.S. Personally, I always verify what DNS is being used via connection tracking. That's absolute proof and doesn't rely on a third party.

Code:
watch -tn5 "cat /proc/net/nf_conntrack | egrep 'dport=(53|853) '"

What you'll see are various LAN clients communicating w/ DNSMasq based on its LAN ip, then DNSMasq forwarding those public queries over the WAN.

This technique is particularly useful when you're concerned not just what DNS server is being used, but which network interface is being used for that DNS server (e.g., WAN vs. VPN).
Ty, will see if they have a Windows equivalent or if it would work in WSL.
 

eibgrad

Part of the Furniture
Ty, will see if they have a Windows equivalent or if it would work in WSL.

That command needs to be executed on the *router*, using ssh. The idea is to watch DNS traffic come into the router from various clients, and watch as DNSMasq forwards DNS queries out the WAN on their behalf.
 

Dee dee

Regular Contributor
Ty @eibgrad, I'm confused by the output. Ran it over SSH and it showed my IP.

I tried cnn.com and such, but then blocked a site on NextDNS and set my computer's IP to 1.1.1.1 and it was still blocked. So I assume it's working :)

@Tech9 where do I go to block IPv6 and where do I block port 853?

I haven't used Diversion in a while, so will look for the "nuke guide" as I recall.
 
