
DNS setting


I just wanted to tell you port blocking alone is not a solution. Speaking of Asuswrt-Merlin, a better plan of action is multiple barriers: intercept and redirect DNS queries on ports 53, 853 (DNSFilter); block known DoT, VPN and Proxy servers on both IP/DNS (Skynet/Diversion); block common VPN ports (Services Filter); use a filtering DNS service with the corresponding categories (OpenDNS/NextDNS). Not guaranteed, but it will discourage most average users.

I'm spoiled by using Palo Alto firewalls. Access lists and DNS redirecting are so 20th century. I guess I could settle for Fortinet; at least their low end costs about the same as a decent router.

Morris
 
This is the original question, Morris:

Yep, and I answered it. The issue is insufficient technology. One can stop the person who can only follow a script and annoy the expert, who will go to war with you if they choose to, and you will both waste a lot of time till someone gets frustrated and gives up.
 
You should be able to block most VPN connections by blocking all of this:
  • PPTP (Point-to-Point Tunneling Protocol) – This protocol uses port 1723 TCP.
  • L2TP (Layer Two Tunneling Protocol) – This protocol uses port 1701 TCP, port 500 UDP, and port 4500 UDP.
  • IPSec (Internet Protocol Security) – This protocol uses port 500 UDP and port 4500 UDP.
  • SSTP (Secure Socket Tunneling Protocol) – This protocol uses port 443 TCP.
  • OpenVPN – This protocol uses port 1194 TCP/UDP and port 443 TCP.
Morris
Thank you Morris! I will try that
 
Can I disable these protocols on WAN - NAT router settings to make it easy?
Yes, you can block outgoing connections to PPTP, L2TP and IPSec servers by setting their NAT Passthrough option to disabled.

You can't block SSTP or OpenVPN running on port 443 because that port is used by HTTPS. As RMerlin said in post #7 the only way to block them is by the destination IP address.
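The layered approach described in this thread (redirect plain DNS to the router, reject DNS-over-TLS, reject the well-known VPN ports from Morris's list, and fall back to destination-IP blocking for anything on 443) can be expressed as an Asuswrt-Merlin firewall-start style script. The following is an added example, not code from the thread or from the Asuswrt-Merlin project; it assumes the LAN bridge is br0, the router's resolver is 192.168.1.1, and that an ipset named vpn_servers is populated elsewhere (for instance by Skynet). With DRY_RUN=1 (the default) it only prints the iptables/ipset commands so you can review them before applying.

```sh
#!/bin/sh
# Added example (not from the thread): a /jffs/scripts/firewall-start style script
# for Asuswrt-Merlin that layers the barriers discussed above.
# Assumptions: LAN bridge is br0, router DNS is 192.168.1.1, and the ipset
# "vpn_servers" is filled by another tool (e.g. Skynet); here it is only created.

LAN_IF="${LAN_IF:-br0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print rules only; 0 = execute them

# Well-known VPN control ports from the thread, as proto:port pairs.
VPN_PORTS="tcp:1723 tcp:1701 udp:500 udp:4500 tcp:1194 udp:1194"

# Print the iptables/ipset commands one per line without executing them.
vpn_block_rules() {
    # 1. Redirect plain DNS (UDP/TCP 53) from LAN clients to the router's
    #    filtering resolver, the same idea as DNSFilter.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j DNAT --to-destination $ROUTER_IP"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 53 -j DNAT --to-destination $ROUTER_IP"
    # 2. Reject DNS-over-TLS (853) so clients cannot bypass that resolver.
    echo "iptables -I FORWARD -i $LAN_IF -p tcp --dport 853 -j REJECT"
    # 3. Reject the well-known VPN ports listed in the thread.
    for entry in $VPN_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        echo "iptables -I FORWARD -i $LAN_IF -p $proto --dport $port -j REJECT"
    done
    # PPTP also carries its data in GRE (IP protocol 47), separate from TCP 1723.
    echo "iptables -I FORWARD -i $LAN_IF -p 47 -j REJECT"
    # 4. Destination-IP blocking for servers on 443 or custom ports via an ipset.
    echo "ipset create vpn_servers hash:net -exist"
    echo "iptables -I FORWARD -i $LAN_IF -m set --match-set vpn_servers dst -j REJECT"
}

# Number of rule lines produced, useful as a sanity check.
vpn_block_rule_count() {
    vpn_block_rules | wc -l | tr -d ' '
}

if [ "$DRY_RUN" = 1 ]; then
    vpn_block_rules
else
    vpn_block_rules | sh
fi
```

Rules are inserted at the head of FORWARD with -I so they take precedence over the stock rules. Note the limits the thread already points out: nothing here touches port 443, so SSTP or OpenVPN on 443 is only stopped once the server's address lands in the vpn_servers set, and a provider that offers custom ports (as the StrongVPN and PIA examples below show) will not match the fixed port list at all.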
 
Port blocking will be whack-a-mole in frustration. Many options.

Ports that are used on my router.

StrongVPN WireGuard 50001
StrongVPN OpenVPN 8293 & 1194
PIA OpenVPN 1197 & 1198

In addition, both providers offer other port options.

It depends on who you are dealing with. If it is someone that knows how to click an installer and say OK to every question, you can easily stop them. Otherwise, a conversation and, if they don't comply, booting them off your network is the way to go.

Morris
 
If it is someone that knows how to click an installer and say OK to every question, you can easily stop them.

Your solution simply doesn't work. You refuse to understand why. Go ahead and help @porfavorhelp.

If a VPN is permitted, then it's not possible. Blocking a VPN link is possible for some types via ports; in other cases you must block what could turn out to be a long list of destination IPs.
 
The NextDNS setup I use for the kids seems to work so far. I tested it on one of my devices and it blocked my VPN provider and I could not connect (tested with several servers), with Block Bypass Methods enabled.
So I think it is a good start, and if needed add IP blocklists to Skynet.
Edit:
NextDNS is not needed if bypass-method lists are used with Diversion and Skynet.
 