Firewall "Network Services Filter" Is Bypassed When OpenVPN Client is Enabled 384.19


Denno

New Around Here
I have an Amazon Fire tablet that by default appends 8.8.8.8 to any DNS settings. The 8.8.8.8 address is the first DNS server contacted by default, bypassing the router DNS setting provided by DHCP unless 8.8.8.8 is blocked. The only way I have found to block this is to

1. Add a network services filter

[attached screenshot: 1601846421966.png]


2. Add a URL filter "dns.google"

[attached screenshot: 1601846470476.png]


3. Test which DNS is being used by going to website https://dnsleaktest.com/ and using the leak test scan tool.

This seems to work on both routers when traffic goes out the WAN port. I also see this blocking with CLI command "tcpdump -i any host 8.8.8.8". The filter does NOT work when I enable the VPN client on either router and the DNS messages can be seen with the CLI command "tcpdump -i any host 8.8.8.8".

I am running Merlin on an RT-AC3200 (384.13_10) and an RT-AC86U (384.19) with identical configs except for different subnets on the LAN and have an issue blocking 8.8.8.8 when the VPN client is active and connected to a remote provider server on either one.

The DNS settings from the VPN provider are set to disabled.

[attached screenshot: 1601846379038.png]



Is this by design or a known issue?

Is there a way around this to block 8.8.8.8 when the VPN is active?

Thanks


eibgrad

Very Senior Member
Try creating a static route to nowhere (or some other bogus gateway) in the LAN->Route section of the GUI for that IP.

8.8.8.8 255.255.255.255 0.0.0.0 LAN
 

Denno

New Around Here
> Try creating a static route to nowhere (or some other bogus gateway) in the LAN->Route section of the GUI for that IP.

Static route works as a workaround, thanks.

> Just use dnsfilter on the lan tab to redirect dns and save yourself any further trouble

dnsfilter works as an option, thanks. However, I had hoped to use the DNS over TLS feature (DNS Privacy Protocol on the WAN page), which does not seem to be available on this page.
 

Yo_2T

Occasional Visitor
> Static route works as a workaround, thanks.

> dnsfilter works as an option, thanks. However, I had hoped to use the DNS over TLS feature (DNS Privacy Protocol on the WAN page), which does not seem to be available on this page.

Setting Global Filtering Mode to "Router" should already force all DNS queries to resolve through your router, thus using the DoT server set on the WAN page.
 

Denno

New Around Here
> Static route works as a workaround, thanks.

> dnsfilter works as an option, thanks. However, I had hoped to use the DNS over TLS feature (DNS Privacy Protocol on the WAN page), which does not seem to be available on this page.

I spoke too soon. This did not work. Somehow the Amazon Fire tablet found its way to the internet.
 

Denno

New Around Here
> Setting Global Filtering Mode to "Router" should already force all DNS queries to resolve through your router, thus using the DoT server set on the WAN page.

This seems to work with a laptop (DNS on the laptop set to the router), as do the other settings, but somehow the Amazon Fire tablet finds a way around the block WHEN OpenVPN is active.

Here is a "tcpdump -i any host dns.google" dump
Code:
[email protected]:/tmp/home/root# tcpdump -i any host dns.google
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
23:37:41.958452 IP 192.168.41.183.44082 > dns.google.853: Flags [S], seq 328715705, win 65535, options [mss 1460,sackOK,TS val 82616466 ecr 0,nop,wscale 8], length 0
23:37:41.958452 IP 192.168.41.183.44082 > dns.google.853: Flags [S], seq 328715705, win 65535, options [mss 1460,sackOK,TS val 82616466 ecr 0,nop,wscale 8], length 0
23:37:41.958540 IP 10.7.0.4.44082 > dns.google.853: Flags [S], seq 328715705, win 65535, options [mss 1460,sackOK,TS val 82616466 ecr 0,nop,wscale 8], length 0
23:37:41.988340 IP dns.google.853 > 10.7.0.4.44082: Flags [S.], seq 133903302, ack 328715706, win 60192, options [mss 1323,sackOK,TS val 1505983663 ecr 82616466,nop,wscale 8], length 0
23:37:41.988390 IP dns.google.853 > 192.168.41.183.44082: Flags [S.], seq 133903302, ack 328715706, win 60192, options [mss 1323,sackOK,TS val 1505983663 ecr 82616466,nop,wscale 8], length 0
23:37:41.988408 IP dns.google.853 > 192.168.41.183.44082: Flags [S.], seq 133903302, ack 328715706, win 60192, options [mss 1323,sackOK,TS val 1505983663 ecr 82616466,nop,wscale 8], length 0
23:37:42.001016 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 1, win 343, options [nop,nop,TS val 82616477 ecr 1505983663], length 0
23:37:42.001016 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 1, win 343, options [nop,nop,TS val 82616477 ecr 1505983663], length 0
23:37:42.017226 IP dns.google.853 > 10.7.0.4.44082: Flags [.], ack 148, win 240, options [nop,nop,TS val 1505983702 ecr 82616477], length 0
23:37:42.017280 IP dns.google.853 > 192.168.41.183.44082: Flags [.], ack 148, win 240, options [nop,nop,TS val 1505983702 ecr 82616477], length 0
23:37:42.037081 IP dns.google.853 > 10.7.0.4.44082: Flags [.], seq 1:1312, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 1311
23:37:42.037138 IP dns.google.853 > 192.168.41.183.44082: Flags [.], seq 1:1312, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 1311
23:37:42.037159 IP dns.google.853 > 192.168.41.183.44082: Flags [.], seq 1:1312, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 1311
23:37:42.045327 IP dns.google.853 > 10.7.0.4.44082: Flags [.], seq 1312:2623, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 1311
23:37:42.045387 IP dns.google.853 > 192.168.41.183.44082: Flags [.], seq 1312:2623, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 1311
23:37:42.045410 IP dns.google.853 > 192.168.41.183.44082: Flags [.], seq 1312:2623, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 1311
23:37:42.053820 IP dns.google.853 > 10.7.0.4.44082: Flags [P.], seq 2623:3077, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 454
23:37:42.053881 IP dns.google.853 > 192.168.41.183.44082: Flags [P.], seq 2623:3077, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 454
23:37:42.053920 IP dns.google.853 > 192.168.41.183.44082: Flags [P.], seq 2623:3077, ack 148, win 240, options [nop,nop,TS val 1505983721 ecr 82616477], length 454
23:37:42.055636 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 1312, win 353, options [nop,nop,TS val 82616489 ecr 1505983721], length 0
23:37:42.055636 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 1312, win 353, options [nop,nop,TS val 82616489 ecr 1505983721], length 0
23:37:42.055716 IP 10.7.0.4.44082 > dns.google.853: Flags [.], ack 1312, win 353, options [nop,nop,TS val 82616489 ecr 1505983721], length 0
23:37:42.055846 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 2623, win 363, options [nop,nop,TS val 82616489 ecr 1505983721], length 0
23:37:42.055846 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 2623, win 363, options [nop,nop,TS val 82616489 ecr 1505983721], length 0
23:37:42.055909 IP 10.7.0.4.44082 > dns.google.853: Flags [.], ack 2623, win 363, options [nop,nop,TS val 82616489 ecr 1505983721], length 0
23:37:42.056775 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 3077, win 373, options [nop,nop,TS val 82616491 ecr 1505983721], length 0
23:37:42.056775 IP 192.168.41.183.44082 > dns.google.853: Flags [.], ack 3077, win 373, options [nop,nop,TS val 82616491 ecr 1505983721], length 0
23:37:42.056848 IP 10.7.0.4.44082 > dns.google.853: Flags [.], ack 3077, win 373, options [nop,nop,TS val 82616491 ecr 1505983721], length 0
23:37:42.062793 IP 192.168.41.183.44082 > dns.google.853: Flags [P.], seq 148:241, ack 3077, win 373, options [nop,nop,TS val 82616492 ecr 1505983721], length 93
 
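The capture above shows the tell-tale pattern of a DNS leak through the tunnel: each outbound DoT segment from the tablet (192.168.41.183, port 853) appears a second time with the OpenVPN tunnel address 10.7.0.4 as its source and the same source port, meaning it was NATed into the VPN rather than dropped by the Network Services Filter. The following script is an added example, not code from the thread or from Asuswrt-Merlin: it parses `tcpdump -i any` output of this shape and reports which LAN clients sent DNS (port 53) or DoT (port 853) queries to anything other than the router, and whether the flow was seen leaving via the tunnel. The LAN prefix, the router address 192.168.41.1, the tunnel prefix and the sample capture lines are assumptions modelled on the thread, not taken from it.

```python
import re

# --- assumptions, not from the thread -----------------------------------------
LAN_PREFIX = "192.168.41."       # LAN subnet as it appears in the capture
ROUTER_LAN_IP = "192.168.41.1"   # assumed router address; DNS sent here is the wanted path
TUN_PREFIX = "10.7.0."           # OpenVPN tunnel address (10.7.0.4 in the capture)
DNS_PORTS = {"53": "DNS", "853": "DoT"}  # plain DNS and DNS over TLS

# Constructed sample in the format of "tcpdump -i any" (names instead of IPs because
# tcpdump was run without -n in the thread). Not the thread's own capture.
SAMPLE_CAPTURE = """\
23:37:41.958452 IP 192.168.41.183.44082 > dns.google.853: Flags [S], seq 328715705, win 65535, length 0
23:37:41.958452 IP 192.168.41.183.44082 > dns.google.853: Flags [S], seq 328715705, win 65535, length 0
23:37:41.958540 IP 10.7.0.4.44082 > dns.google.853: Flags [S], seq 328715705, win 65535, length 0
23:37:41.988340 IP dns.google.853 > 10.7.0.4.44082: Flags [S.], seq 133903302, ack 328715706, length 0
23:40:02.100000 IP 192.168.41.50.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)
23:40:02.100100 IP 10.7.0.4.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)
23:41:10.000000 IP 192.168.41.60.40000 > 192.168.41.1.53: 777+ A? example.org. (29)
23:42:00.000000 IP 192.168.41.70.42000 > 1.1.1.1.53: 999+ A? example.net. (29)
"""

# "HH:MM:SS.usec IP src.port > dst.port: ..." ; host may be a name or a dotted IP.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+):")


def split_host_port(endpoint):
    """'192.168.41.183.44082' -> ('192.168.41.183', '44082'): the last dotted field is the port."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Return {src, sport, dst, dport} for a tcpdump IPv4 line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_host_port(m.group("src"))
    dst, dport = split_host_port(m.group("dst"))
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


def find_dns_leaks(capture_text):
    """Return sorted (client, resolver, proto, via) for DNS/DoT flows that bypassed the router.

    A flow first seen with a LAN source and then again with the tunnel address as
    source (same source port, same destination) was NATed into the VPN: via="vpn".
    A LAN flow with no tunnel copy is reported as via="wan".
    """
    flows = {}          # (sport, dst, dport) -> originating LAN client
    via_tunnel = set()  # keys that reappeared with a tunnel-side source address
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] not in DNS_PORTS:
            continue  # replies and non-DNS traffic are irrelevant here
        key = (pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["src"].startswith(LAN_PREFIX) and pkt["dst"] != ROUTER_LAN_IP:
            flows.setdefault(key, pkt["src"])
        elif pkt["src"].startswith(TUN_PREFIX):
            via_tunnel.add(key)
    leaks = set()
    for (sport, dst, dport), client in flows.items():
        via = "vpn" if (sport, dst, dport) in via_tunnel else "wan"
        leaks.add((client, dst, DNS_PORTS[dport], via))
    return sorted(leaks)


if __name__ == "__main__":
    for client, resolver, proto, via in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"{client} -> {resolver} ({proto}) left via {via}")
```

Run it against a saved capture (`tcpdump -i any -l 'port 53 or port 853' > dns.txt` on the router, then feed the file to `find_dns_leaks`) to see which clients are still reaching outside resolvers once the static route or DNSFilter change is in place; a clean result is an empty list. Queries that go to the router itself (192.168.41.60 in the sample) are deliberately not reported, since that is the path the "Router" filtering mode is meant to enforce.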
