Enabling DNSfilter no longer blocks DNS queries using IPv6 on AC5300 after upgrading to version 386.7_2.

Frank Monroe

Regular Contributor
Prior to version 386.7_2, enabling DNSfilter would block DNS queries that were using IPv6. I assume this was done so that DNSfilter would work on models or versions where DNSfilter did or does not support IPv6. The change introduced in version 386.7_2, which no longer blocks IPv6 queries on models that do not support IPv6 DNSfilter, allows clients to bypass DNSfilter by using IPv6 servers. Because of this, this feature no longer functions fully on AC5300 routers.

Thanks in advance
 

L&LD

Part of the Furniture
What prior version of the firmware were you using, exactly?

What exact model of router?

Did you test that 386.7_2 works as expected after a full reset to factory defaults?
 

Frank Monroe

Regular Contributor
What prior version of the firmware were you using, exactly?

What exact model of router?

Did you test that 386.7_2 works as expected after a full reset to factory defaults?
Well, I have used DNSfilter on pretty much every version since the feature was released. The most recent version was and now is 386.7_0 since I reverted back. The exact model is RT-AC5300. I did try with a reset. With or without a reset, DNSfilter no longer blocks DNS queries to IPv6 servers. If I revert back to 386.7_0, the behavior returns to blocking those queries.
 

RMerlin

Asuswrt-Merlin dev
Works for me. After enabling DNSFilter on my RT-AC66U_B1 and setting the global rule to use Cleanbrowsing, I am no longer able to access the Quad 9 IPv6 DNS server from my laptop.

Note that now, DNSFilter will always allow the router's own IP to be used over IPv6, regardless of the rules. This is to allow people to still be able to resolve LAN addresses if they decided to use a hybrid DNS configuration (with the router handling the LAN prefix, and the rest being handled by the remote DNS server). Only remote DNS servers are actively blocked.
 

Frank Monroe

Regular Contributor
Works for me. After enabling DNSFilter on my RT-AC66U_B1 and setting the global rule to use Cleanbrowsing, I am no longer able to access the Quad 9 IPv6 DNS server from my laptop.

Note that now, DNSFilter will always allow the router's own IP to be used over IPv6, regardless of the rules. This is to allow people to still be able to resolve LAN addresses if they decided to use a hybrid DNS configuration (with the router handling the LAN prefix, and the rest being handled by the remote DNS server). Only remote DNS servers are actively blocked.
Let me clarify. It still blocks DNS queries to IPv6 DNS servers in general. However, it used to also block DNS queries to the router's own IPv6 address, the address that is handed out by relayd. It no longer does this. Instead, it processes the query and forwards the query to upstream servers. Because of this, DNSfilter only partially works. In other words, from the same client some queries are filtered while others are processed as normal depending on whether the client decided to use the IPv4 DNS server or the IPv6 DNS server.
 
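A way to confirm the partial-filtering behaviour described in this post, as an added example (not code from the thread or from Asuswrt-Merlin): a stdlib-only script that sends the same query to a resolver over IPv4 and over IPv6 and reports whether the two paths returned the same verdict. The router addresses you pass to resolve() are your own; the 192.168.1.1 and fd00::1 values mentioned in the usage note are placeholders.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal recursive DNS query for name; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += n + 1

def parse_answers(data):
    """Return (rcode, [A/AAAA addresses]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return flags & 0x000F, addrs

def resolve(server, name, qtype=1, timeout=3.0):
    """Send one UDP query to an IPv4 or IPv6 resolver literal and parse the reply."""
    fam, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(fam, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), addr)
        return parse_answers(sock.recv(4096))

def same_verdict(v4_result, v6_result):
    """True if both resolver paths gave the same rcode and the same address set."""
    return v4_result[0] == v6_result[0] and sorted(v4_result[1]) == sorted(v6_result[1])
```

For a name the filter is expected to block, call resolve("192.168.1.1", name) and resolve("fd00::1", name) (placeholders for the router's LAN IPv4 and IPv6 addresses) and pass both results to same_verdict(); False means the IPv6 path answered differently from the filtered IPv4 path.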

RMerlin

Asuswrt-Merlin dev
Let me clarify. It still blocks DNS queries to IPv6 DNS servers in general. However, it used to also block DNS queries to the router's own IPv6 address, the address that is handed out by relayd. It no longer does this. Instead, it processes the query and forwards the query to upstream servers. Because of this, DNSfilter only partially works. In other words, from the same client some queries are filtered while others are processed as normal depending on whether the client decided to use the IPv4 DNS server or the IPv6 DNS server.
Allowing inbound IPv6 DNS connections on the router was by design to allow local name resolution to still work. If it still allows queries to be forwarded then I will have to rethink the implementation.
 

Frank Monroe

Regular Contributor
Allowing inbound IPv6 DNS connections on the router was by design to allow local name resolution to still work. If it still allows queries to be forwarded then I will have to rethink the implementation.
And it looks like this change was just made in the most recent release as it did not do this in prior releases. Is this correct? Also, I'm not sure the change is fully providing local resolution anyway as the IPv4 DNS server still filters as before without any regards to the local DNS server. Because of this, if your client picks the IPv4 DNS, or when it does, you lose local resolution for that query.
 

NoDiosMio

New Around Here
I'm using the DNS filter "router" option where I have Cloudflare IPv4 and IPv6 addresses in the DNS over TLS server list of the WAN Internet Connection page.

I ran https://dnscheck.tools/ DNS test and both IPv4 and IPv6 are resolving via Cloudflare.

I wrongly believed that I'd need a new HND model router to support IPv6 DoT requests via Cloudflare. Basically I misunderstood the changelog.
 

Frank Monroe

Regular Contributor
I'm using the DNS filter "router" option where I have Cloudflare IPv4 and IPv6 addresses in the DNS over TLS server list of the WAN Internet Connection page.

I ran https://dnscheck.tools/ DNS test and both IPv4 and IPv6 are resolving via Cloudflare.

I wrongly believed that I'd need a new HND model router to support IPv6 DoT requests via Cloudflare. Basically I misunderstood the changelog.
Using IPv6 servers on the DoT settings on the WAN page has worked on my RT-AC5300 ever since the feature was released quite some time ago. The RT-AC5300 is not an HND router.
 
