DNS Director

liukuohao

Regular Contributor
Hi,

I am not a network guru here; I am just trying to use the functions of my Asus router to the fullest,
in any possible way.

I have downloaded the AsusWRT manual from the Asus website and found that there is no reference or documentation about DNS Director.


Reference: https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Director
The link above has some brief documentation but does not show the real nitty-gritty details
of its configuration.

So naturally, I just want to ask the community: has anyone tried this DNS Director feature before?

I have tried & tinkered over the weekends, and I have determined the following findings to be true.
If anyone finds my statement to be false, please feel free to correct me by showing
screenshots of the findings. For me, I have prepared enough screenshots to back up
my investigation.

1) DNS Director: What is the purpose?

DNS Director overrides the router's WAN DNS settings when activated and properly configured.
[DNS Director, when enabled, will just take over: "the whole ship, he is the captain"]

2) DNS Director: What is the purpose?

You can have a group of LAN devices send DNS queries to DNS A.
And you can have another group of LAN devices send DNS queries to DNS B.
DNS A = less restrictive for a grown-up adult to access the internet
DNS B is very restrictive for underage kids to access the internet.

3) Let's say DNS B (very restrictive) is configured to be used in the router's WAN setting.
A smart underage user went to the Windows TCP/IP properties and changed its
DNS setting to DNS A (less restrictive).

Under this condition, DNS Director has no way to intercept and force all the DNS queries back to DNS B.
Hence, the user has successfully circumvented the restriction by simply changing the DNS server.

4) Presumably, all underage users do not have access to a VPN.
The way to prevent underage users from surfing the internet to adult sites is actually not by activating DNS Director.
Here are the following steps:

(A) Disable DNS Director.
(B) Use CleanBrowsing Family DNS servers (or any free DNS servers of your choice) at the WAN setting.
(C) Go to Firewall >> Network Services Filter >> Create a deny list >> Add 2 lines to block traffic TCP and UDP port = 53
Done.

The above 3 steps will stop any user trying to access restricted websites. Once the DNS setting is tampered with,
accessing the internet will be blocked.

Thank you.
 
I have downloaded the AsusWRT manual from the Asus website and found that there is no reference or documentation about DNS Director.

It's an Asuswrt-Merlin feature. How it works is explained on the Wiki page. Many people are using it. Some install Asuswrt-Merlin for it alone.
 
has anyone tried this DNS Director feature before?
Yes, lots of people use it. Have you used the forum search feature to search for DNS Director (or its previous incarnation, DNSFilter)? If you do, you will find lots of people use the feature, and you will find lots of questions and discussion on the feature:
https://www.snbforums.com/search/730742/?q=DNS+Director&o=relevance
https://www.snbforums.com/search/730743/?q=DNSFilter&o=relevance
https://www.snbforums.com/search/730741/?q=DNS+Filter&o=relevance

The AsusWRT manual doesn't list it because it's a feature of the Asus-Merlin firmware and not the Asus stock firmware. Both the DNS Director GUI page and the Asus-Merlin Wiki page explain what the feature is/does.
 
It's an Asuswrt-Merlin feature. How it works is explained on the Wiki page. Many people are using it. Some install Asuswrt-Merlin for it alone.
Are you using this feature?

If you are, can you verify that the statement below is correct?

Thank you.

4) Presumably, all underage users do not have access to a VPN.
The way to prevent underage users from surfing the internet to adult sites is actually not by activating DNS Director.
Here are the following steps:

(A) Disable DNS Director.
(B) Use CleanBrowsing Family DNS servers (or any free DNS servers of your choice) at the WAN setting.
(C) Go to Firewall >> Network Services Filter >> Create a deny list >> Add 2 lines to block traffic TCP and UDP port = 53
Done.

The above 3 steps will stop any user trying to access restricted websites. Once the DNS setting is tampered with,
accessing the internet will be blocked.
 
Yes, lots of people use it. Have you used the forum search feature to search for DNS Director (or its previous incarnation, DNSFilter)? If you do, you will find lots of people use the feature, and you will find lots of questions and discussion on the feature:
https://www.snbforums.com/search/730742/?q=DNS+Director&o=relevance
https://www.snbforums.com/search/730743/?q=DNSFilter&o=relevance
https://www.snbforums.com/search/730741/?q=DNS+Filter&o=relevance

The AsusWRT manual doesn't list it because it's a feature of the Asus-Merlin firmware and not the Asus stock firmware. Both the DNS Director GUI page and the Asus-Merlin Wiki page explain what the feature is/does.
Ok thanks, if you are using this feature, would you please review whether my 4 statements are correct? Especially statement No. 3.
 
Are you using this feature?

No. My main network has no Asus routers on it.

Most folks use DNS Director for redirecting client DNS requests to filtering DNS servers of choice set in WAN or to an additional DNS server like Pi-Hole on their LAN. It captures port 53 requests transparently and sends them to whatever DNS server the user wants. About your Parental Control challenges - DNS Director is one of the tools only. You have to make your own strategy based on what response actions you expect. You have traffic-filter Parental Controls available in Asuswrt based on the TrendMicro engine. You can use an upstream DNS server blocking proxy/VPN. You can use an ad-blocker like Diversion to block known DoT/DoH servers. There are options, but you have to know what you are doing. Blocking port 53 in the firewall is not a good approach.

If you have IPv6 enabled on your router - it creates additional challenges for you.
 
Ok thanks, if you are using this feature, would you please review my 4 statements are correct? Especially statement No. 3.
Yes I use the feature, because I'm using Pi-Hole(s). One example explanation of why this feature is used with Pi-Hole:
Guide for Asuswrt-merlin users with screenshots (forcing all traffic to Pi-hole)

As to your "statements", someone else will have to comment on their veracity or accuracy. All I will say is sometimes people overthink certain Asus-Merlin features like DNS Director. If you have questions about it or it isn't operating as you thought it would, see the search links previously posted, as it's likely your questions about it have been asked (probably more than once) previously.
 
There are options, but you have to know that are you doing. Blocking port 53 in firewall is not a good approach.
If you have an Asus router and test it out yourself, you can probably understand what I am trying to say here.

Currently, I am using NextDNS DNS server in my router WAN setting.
All DNS traffic is using DoT on port 853, but I am not sure about DoH though. I believe it must be enabled in the browser or Windows.
So if any mischievous client user is acting up and wants to tamper with the DNS setting, and changes Windows' TCP/IP properties to another DNS server, e.g. 8.8.8.8,
having both TCP & UDP 53 block rules at Network Services Filter will definitely STOP this client browsing the internet. There is no doubt about it. Period!
This method was recommended by an SNB forum user.
I tested it and it works 100% of the time.


However, if you have enabled DNS Director alone, that is, removed the TCP & UDP 53 rules.
[You cannot have both; well, I just noticed, it is capturing DNS traffic on port 53,
you cannot have both in use, otherwise you cannot browse the internet]

My point is DNS Director cannot enforce this rule:
Ok, the client has changed DNS server = 8.8.8.8, DNS Director is enabled, and it is going to allow internet access,
BUT it must enforce this rule: DNS queries must go through my specified NextDNS DNS servers [that is, not 8.8.8.8]


DNS Director allows you to force LAN devices to use a specific DNS server, which can be useful if you want to force them to use a filtering service that would block malicious or adult sites.
What I am concerned about is that this statement above is not 100% true.
Yes, DNS Director does capture all the port 53 traffic originating from the LAN and DIRECTS it to the specific DNS server of your liking.
However..... there is a caveat here..... that is:
DNS Director WILL NOT stop the offender browsing restricted websites if the offender manipulates his/her DNS settings in Windows TCP/IP properties.
Hence, he/she is able to surf the internet using a different DNS server.
 
Yes I use the feature, because I'm using Pi-Hole(s). One example explanation of why this feature is used with Pi-Hole:
Guide for Asuswrt-merlin users with screenshots (forcing all traffic to Pi-hole)

As to your "statements", someone else will have to comment on their veracity or accuracy. All I will say is sometimes people overthink certain Asus-Merlin features like DNS Director. If you have questions about it or it isn't operating as you thought it would, see the search links previously posted, as it's likely your questions about it have been asked (probably more than once) previously.
Thanks for sharing your Reddit post.
I tried to replicate your setup, but I don't have an RPi.
So I replicated your setup using whatever I have.
Would it matter if I didn't have an RPi in the DNS Director Client List?
Below are the screenshots:

[three screenshots attached, dated 2023-04-24]
 
Yes I use the feature, because I'm using Pi-Hole(s). One example explanation of why this feature is used with Pi-Hole:
Guide for Asuswrt-merlin users with screenshots (forcing all traffic to Pi-hole)

As to your "statements", someone else will have to comment on their veracity or accuracy. All I will say is sometimes people overthink certain Asus-Merlin features like DNS Director. If you have questions about it or it isn't operating as you thought it would, see the search links previously posted, as it's likely your questions about it have been asked (probably more than once) previously.
Referring to these statements in yellow that you made in your Reddit post:
What these settings are doing:

You are forcing all LAN DNS requests back to your router's settings in LAN, with your Pi-hole as a no-filtering exception. Your router's settings in LAN is your Pi-hole IP address. Your WAN (router's internet access) goes upstream to your ISP or Quad9 (doesn't matter).

Any device on your network, whether they are trying to use their own DNS or not, will be forced upstream to your Pi-hole because of your DNSFilter rule. Note that even if they are using Firefox's new DoH out of the box, the next build of asuswrt-merlin will fix this and force them down the Pi-hole rabbit hole.

You do not have to use Quad9 upstream on the WAN page; I am just making it as a suggestion if you want to hide your router's NTP requests for some reason. You don't need to "trust" your WAN provider; asuswrt-merlin accesses the web to check for updates and sync with an NTP server and things of this sort.
Would you be kind enough to test this out:
Choose a device in your LAN which has internet access and a web browser available.
Change the device's DNS setting to 8.8.8.8.
Fire up your browser, key in dnsleaktest.com and press enter. Select Standard Test. What is your result?
 
Referring to these statements in yellow that you made in your Reddit post:
I did not write that Reddit post. I am merely referring to it as an example explanation.
Would you be kind enough to test this out:
Choose a device which has internet access and a web browser available.
Change the device's DNS setting to 8.8.8.8.
Fire up your browser, key in dnsleaktest.com and press enter. Select Standard Test. What is your result?
See my post at the following link that explains how DNS Director is working in my setup when a PC has a (different) manually configured DNS address:
https://www.snbforums.com/threads/dns-director-does-not-work-properly.83265/#post-819741

On a side note. I do block (or try to block) Google's DNS servers (8.8.8.8 and 8.8.4.4) via the LAN > Route tab. Example directions (not mine) of how this is done.
https://12vpx.com/docs/block-google-dns/asus
https://support.strongvpn.com/hc/en-us/articles/360043339733-Blocking-Public-DNS-on-an-Asus-Router

Edit to add: With a PC configured to use Quad9 DNS (9.9.9.9 and 149.112.112.112) and running dnsleaktest.com; the Pi-Hole query log shows the requests, as it should with properly intercepted DNS requests using DNS Director, coming from the Asus router.
[screenshot of the Pi-hole Query Log attached]
 
On a side note. I do block (or try to block) Google's DNS servers (8.8.8.8 and 8.8.4.4) via the LAN > Route tab. Example directions (not mine) of how this is done.
Thank you 👍 for the link. I think this trick of blocking Google's DNS makes sense. :)
 
Ok, the client has changed DNS server = 8.8.8.8, DNS Director is enabled, and it is going to allow internet access,
BUT it must enforce this rule: DNS queries must go through my specified NextDNS DNS servers [that is, not 8.8.8.8]

This is what DNS Director does. It will redirect port 53 requests to your Router - your NextDNS with DoT.
 
@bennor, what does "No Redirection" mean when DNS Director is enabled?
"No Redirection" will bypass a global redirection
I have tested this function; basically, when the device is assigned in the Client List using its MAC address,
it has NO internet access.

It seems like No Redirection means no internet access under DNS Director (when it is enabled & applied)?
 
This is what DNS Director does. It will redirect port 53 requests to your Router - your NextDNS with DoT.
I think my statement was not clearly stated.

My expectation is that if DNS Director is enabled and the router's DNS is pointing to the NextDNS DNS servers,
DNS traffic should go through NextDNS, regardless of whether the client user has tampered with the DNS setting on the Windows PC, pointing it to 8.8.8.8.

What I am saying is that, if tampered with, DNS traffic does in fact go through Google's DNS server 8.8.8.8 when tested using dnsleaktest.com.
Hence, that is why I mentioned: DNS Director has failed to enforce (cannot enforce).

Same thing here: DNS Director cannot enforce; by right it should redirect to the NextDNS DNS server if the DNS settings on the Windows PC are changed to 8.8.8.8.
I have tested many times; it will go through Google's DNS server, AND NOT the NextDNS DNS servers.
 
If you have an Asus router and test it out yourself, you can probably understand what I am trying to say here.

I do have an Asus router and have tested it for myself many times in many different firmware versions. It was working as expected last time I checked. DNS Director does exactly what it has to do unless a client is bypassing it over DoH. Just a few days back it was working on my test RT-AX86U router with a local DNS server on an x86 board running Ubuntu, Unbound and AdGuard Home (a Pi-hole alternative). Not sure why it isn't working for you.
 
Same thing here: DNS Director cannot enforce; by right it should redirect to the NextDNS DNS server if the DNS settings on the Windows PC are changed to 8.8.8.8.
I have tested many times; it will go through Google's DNS server, AND NOT the NextDNS DNS servers.
I think you need to take a step back and think about what DNS Director can and can't do.
 
@bennor, what does "No Redirection" mean when DNS Director is enabled?

I have tested this function; basically, when the device is assigned in the Client List using its MAC address,
it has NO internet access.

It seems like No Redirection means no internet access under DNS Director (when it is enabled & applied)?
As indicated previously people tend to overthink what DNS Director does or how it works.

For my use, as I understand things and very simplistically, with the Global Redirection set to Router and with devices (Pi-Holes) in the Client List set to No Redirection, only the two Pi-Hole clients that make DNS requests to the internet are allowed through. DNS Director will "intercept" any requests that don't come from the two Pi-Holes and route them to the DHCP LAN DNS servers (listed on the LAN > DHCP Server tab page). I have those two DNS Server entries in the DHCP LAN DNS section set to my Pi-Hole IP addresses.

Another way to look at it (derived from my older post here):
  • Fred's PC makes a DNS request to the Pi-Hole.
  • The Pi-Hole (or Pi-Hole+Unbound) makes the DNS request upstream.
  • The Pi-Hole's DNS requests are not filtered by the router's DNS Director because the Pi-Holes are listed in the Client List and the Redirection is set to No Redirection; so the DNS request continues upstream to the Internet.
  • Other PCs whose DNS requests try to bypass Pi-Hole, however, are stopped by the router's DNS Director Global Filtering Mode being set to Router and the PC not being in the Client List; so their DNS requests "use the DNS provided by the router's DHCP server" and are sent to the Pi-Hole, where the DNS request process starts again. The Pi-Hole Query Log (as in my example above) shows these requests as coming from the router.
In other words, the only DNS requests that should be let through upstream by the DNS Director are those of the Pi-Hole. Network clients with (static) DNS servers other than the Pi-Hole(s) hit the DNS Director and are sent to the Pi-Hole; the Pi-Hole then sends that request back to the DNS Director, which then sends that request upstream. (again, a very simplistic explanation)
 
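As an added model (not code from this thread, from Asuswrt-Merlin, or from the posters), the redirect logic bennor describes above (Global Redirection = Router, Pi-holes in the Client List set to No Redirection) is replayed beside the OP's port-53 deny list, so the cases argued over in the thread can be checked side by side. The addresses and MACs are made up, and the assumption that the Network Services Filter also catches the Pi-hole's own plain port-53 upstream lookups is mine.

```python
from dataclasses import dataclass

# Constructed sample values (not from the thread): two Pi-hole addresses stand
# for the "LAN > DHCP Server" DNS entries, their MACs for the two Client List
# entries set to "No Redirection".
ROUTER_LAN_DNS = ("192.168.1.10", "192.168.1.11")
NO_REDIRECT_MACS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}


@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"


def dns_director(pkt: Packet, global_mode: str = "Router") -> str:
    """Return the address a LAN query is actually delivered to.

    Model of the behaviour described in the thread: only TCP/UDP port 53 is
    looked at, a Client List entry set to "No Redirection" passes upstream
    untouched, and every other client is sent to the router's DHCP LAN DNS.
    """
    if global_mode in ("off", "No Redirection"):
        return pkt.dst_ip
    if pkt.dst_port != 53 or pkt.proto not in ("udp", "tcp"):
        return pkt.dst_ip  # DoT (853) and DoH (443) are never touched
    if pkt.src_mac in NO_REDIRECT_MACS:
        return pkt.dst_ip  # the Pi-hole's own upstream query continues
    return ROUTER_LAN_DNS[0]  # everyone else lands on the Pi-hole


def services_filter_allows(pkt: Packet, deny_ports=frozenset({53})) -> bool:
    """The OP's alternative: a Network Services Filter deny list for TCP/UDP 53.
    Model assumption: it covers every LAN client's WAN-bound traffic, so a
    Pi-hole doing plain port-53 upstream lookups is caught as well."""
    return pkt.dst_port not in deny_ports


def thread_scenarios() -> dict:
    """Replays the cases argued over in the thread; every value should be True."""
    tampered = Packet("aa:bb:cc:00:00:20", "8.8.8.8", 53, "udp")   # PC set to 8.8.8.8
    pihole_up = Packet("aa:bb:cc:00:00:10", "9.9.9.9", 53, "udp")  # Pi-hole upstream
    dot = Packet("aa:bb:cc:00:00:20", "8.8.8.8", 853, "tcp")       # client using DoT
    return {
        # statement 3: a client pointed at 8.8.8.8 is still redirected
        "tampered_client_redirected": dns_director(tampered) == ROUTER_LAN_DNS[0],
        # "No Redirection" lets the Pi-hole itself reach the internet
        "pihole_upstream_passes": dns_director(pihole_up) == "9.9.9.9",
        # Tech9's caveat: encrypted DNS is outside what DNS Director sees
        "dot_bypasses_director": dns_director(dot) == "8.8.8.8",
        # the OP's deny list stops the tampered client...
        "deny_list_blocks_tampered": not services_filter_allows(tampered),
        # ...and the Pi-hole's plain upstream lookups too ("you cannot have both")
        "deny_list_blocks_pihole_upstream": not services_filter_allows(pihole_up),
    }
```

Running `thread_scenarios()` shows every case True: the redirect covers a tampered client but not DoT/DoH, while the deny list also starves a Pi-hole that resolves upstream over plain port 53.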
