How to force all DNS traffic to go through my RT-AC86U router


liukuohao

Regular Contributor
Hi all,

My aim is to block any user on my network from manipulating the DNS server on a Windows PC
by changing its DHCP-leased IP address to a static IP and also changing its
Preferred DNS server from 192.168.88.1 (the router's IP) to 8.8.8.8.


If this happens, my router should block the PC from surfing the internet.

How to configure this arrangement?

I followed the steps (see the picture below) but I could not get it working.
I tested on my local PC, and I am still able to surf the internet using a fixed IP
and a DNS server pointing to 8.8.8.8.

 
You don't need to specify 192.168.88.1 if you select "router" from the dropdown, assuming that is the IP of your router.

But on the PC, close your browser, flush your DNS cache and try again, most likely it is using a cached entry and not actually looking up to 8.8.8.8. You can confirm by trying nslookup to your router IP and to 8.8.8.8.

Note though that this will not stop someone with a static IP from surfing the web. As long as they know to use your router's DNS IP, they'll be able to set a static.
 
So, are you saying someone can manipulate the DNS server IP to 8.8.8.8 and
still surf the internet?

What I'm saying is as long as they specify the IP of your router as their DNS, they can set a static IP. While not every user would be able to figure that out, one that knows how to set a static IP might. Or they could set a static IP and leave the DNS as automatic, and be able to surf.

All the router is doing is blocking DNS requests (UDP port 53) from hitting any server other than what you specify, in this case the router IP. It has no idea if the user has specified that manually or is using learned settings.

In theory an advanced device could do some sort of checking and block any IPs not assigned by DHCP, but that isn't a feature built in to these routers. You might be able to do it with some sort of script, but it would probably be pretty resource intensive on the router if you could.
 
In other words, my router cannot prevent this from happening, right? A user can access the malicious website by altering the DNS IP server manually?
 

You originally asked if you can prevent people with static IP from accessing the internet. You cannot do that. You can however force them to use a DNS server you specify.

I misspoke originally, I just tested and the router will not block their request, it just invisibly redirects it to the server you specify. A form of DNS Masquerading. So the user will think the response came from the server 8.8.8.8 but in reality it was coming from your router (or whatever IP you specify).

Keep in mind, specifying "router" won't do any DNS filtering unless you also specify a filtering DNS server on the WAN page. You need to choose one of the preconfigured filtering DNS servers from the WAN screen under DNS, or alternatively specify one or two custom ones from another service that isn't listed. You'll need to research which one is best for your needs. Each one will typically have a test site you can look up to confirm the filtering is working.

Doing it this way (via the WAN screen) will mean clients can still resolve local hosts; they are still using your router as their server, which is then forwarding non-local queries upstream. So any DNS query they send, no matter what the destination IP, will be handled by your router's DNS. It then forwards non-local requests to the filtering DNS service you've specified on the WAN and responds to local queries itself.

The other way to do it is to leave your WAN DNS at the default (learned from your ISP, essentially these servers will be ignored), then on the LAN dns filter page you select one of the filtering servers in that dropdown, instead of "router". It will redirect all DNS queries directly to that server, bypassing your router's DNS, meaning local resolution will no longer work. While this in theory may make lookups a fraction of a millisecond faster, you lose the ability to have DNS resolution on your LAN devices doing it this way.

You can add exceptions at the bottom, for example if you want your own computer to be able to use other DNS servers, add it at the bottom and select "no filtering". So by default you'll still use the router DNS server and the filtering DNS service, but if you do an NSLOOKUP to another DNS server, or manually set the DNS on your computer, you'll be able to bypass the filtering, where others won't be able to.

Whichever way you go, I'd recommend setting the same thing on the LAN DHCP settings screen. If you are using your router as DNS proxy and specifying the filtering DNS on the WAN page, then just leave both DNS servers blank under DHCP and make sure "advertise router" is set to yes. If you are having clients directly access external filtering DNS servers, then put those servers in the DHCP settings and set "advertise router" to "no". This will not change the behavior of DNS filtering at all, it just makes things cleaner for troubleshooting, the DNS server reported by "ipconfig" will match the actual DNS that is responding. And it will actually save the router some effort in redirecting and masking the replies.

You can also enable Aiprotection which offers some additional malicious site blocking features via packet inspection rather than DNS filtering (it may use DNS filtering also, haven't done a ton of research on it but it claims to be doing Deep Packet Inspection). Some people have issues with the fact that Trend Micro can track you and sell statistics to advertisers etc, but since pretty much every website does that, I don't think it is a huge concern. This gives you some additional protection beyond just URL filtering.

If you want to test it out, leave your client set with a static DNS of 8.8.8.8.
Leave dns filter disabled
Do a lookup for a LAN device hostname. It should come back as "non-existent"
Now enable dns filter and specify "router"
Do a lookup for that same LAN device, and it will respond with an IP, and the response will appear to have come from 8.8.8.8, which is impossible since google doesn't know about your LAN devices.
 
LAN>DNSfilter intercepts and routes the DNS requests at the point the requests pass through the router - irrespective of DHCP-issued addresses or manual assignments on individual devices.

As is often the case I'd be asking what you are trying to do? I have a family member who used to be very good at visiting malicious websites. I'd suggest that giving them enough web access, but not cutting off everything, leads to a far quieter life! That and remembering that the internet is an appalling babysitter! Using diversion, or Pi-hole, or Ad-guard Home may be a far better solution!
 
Thanks, I was hoping I could prevent a user from accessing the Internet by altering the DNS server.
 

Unfortunately, no, the router does not care if they have set a static IP or DNS. But the DNS filter should do what you're looking for, even if they alter the DNS server, it will essentially have no impact, they will still use the DNS that you want them to, they just won't know it. You're basically eliminating their ability to set a custom DNS server (at least one that sits beyond your router).

To automatically block a user from accessing the internet if they've set a static IP, not possible on the Asus using stock code (may be possible with 3rd party firmware and a custom script but would be pretty complex to do). There are devices out there that can do this but much more complex and expensive, and would likely utilize 802.1X authentication or a similar approach to accomplish it.

In reality the Asus could do it, it could have a feature where the default rule is deny and when an IP gets handed out by DHCP it gets added to a permit rule. But that is not a feature that they've implemented. Maybe a feature request to Asus or Merlin?

The only way I could think to do it with stock code and no scripting would be if you know every device on your network, assign every one a manual IP assignment in DHCP, then block all other IPs from accessing the internet (or permit only those IPs you want, either way). This will partially stop them from setting a static IP, and the DNS filter will stop them from being able to access other DNS. Not really a scalable or manageable solution, unless you want to have to go into the router every time a guest wants to use it or someone gets a new device, etc. Even then, if you give IP reservations in the range of like 20-50, and someone sets a static at 25, it will work, but if they set one at 51 it won't. You could try randomly spreading the assignments out throughout the subnet (you could even use a really big subnet like /16 and put them all over the place) making it difficult for people to guess which IPs will work. If you want that kind of control and don't mind the overhead that comes with it, that is a viable solution.

The other thing to keep in mind is the user can bypass the DNS filtering and Aiprotection by connecting to a VPN service. Blocking that is a whole other discussion and ballgame and probably not something you'd be able to do with the Asus, especially not with stock firmware.
 
I have DNSFilter turned ON

Global Filter Mode = Router

See below:


Scenario 1: DHCP enabled + DNS server = my RT-AC86U router's IP address: 192.168.88.1
For a user accessing an adult site using a web browser, my router intercepted the DNS request,
since the first line of the response is: Server : RT-AC86U-0218


Subsequently, the user will face this warning message:


Which is what I expected.


Scenario 2: But if a clever user changes the IP address from DHCP-leased to a fixed IP and alters the DNS server to 8.8.8.8,
my router won't intercept it, see below. As a result, Google's DNS server will return the IP address of yahoo.com.


So, the result is the clever user has bypassed the DNS filter, am I correct?
 
The other thing to keep in mind is the user can bypass the DNS filtering and Aiprotection by connecting to a VPN service. Blocking that is a whole other discussion and ballgame and probably not something you'd be able to do with the Asus, especially not with stock firmware.
Thanks for your reply. Yes, I notice this.

In the context of having a clever user, yes he can use VPN to bypass the filter.
 
In your first example, it is not DNS filtering that is blocking the site, it is Trend Micro Aiprotection/parental controls. It will do that whether you have DNS filtering enabled or not. Unrelated to DNS completely.

As I mentioned, to use DNS filtering, you must also configure a filtering DNS service on your WAN DNS screen so your router uses that for DNS lookups.

In your second example, google is NOT returning the DNS response. Your router is intercepting it and just making it look like google is returning the response. Once you configure the filtering DNS server, you should see a totally different IP get returned, no matter what the client DNS settings are. It will look like it is coming from google, but it isn't, it is coming from your router (which is getting it from Quad9 or whatever DNS service you configure).

If you try to visit playboy with your static 8.8.8.8 DNS you should get blocked, but again that is nothing to do with DNS filtering, that is the web filtering via aiprotection/parental controls. That will work no matter what you do for DNS.
 
I don't have a LAN > DNSfilter tab on my RT-AC68P. Is that introduced with Aiprotection or parental controls?

Couldn't he add 8.8.8.8 as a destination IP to Firewall > Network Services Filter and filter as deny to make sure Google DNS is never used? (Maybe that doesn't even matter now after all this discussion.)

Didn't think aiprotection had to be enabled for that, but maybe. Blocking every DNS by IP would be impossible, you could block UDP and TCP ports 53 for everyone, still wouldn't prevent them from setting a static IP, only from setting a DNS other than the router.
 
@drinkingbird

Thank you. I very much appreciate that you took the time to explain my shortcomings.
However, the more I read your reply, the more confused I get.
If you do reply, could you please explain it bit by bit,
so my old brain can digest it better?
If you don't mind, I am going to start asking again. :)

As I mentioned, to use DNS filtering, you must also configure a filtering DNS service on your WAN DNS screen so your router uses that for DNS lookups.

Regarding my WAN DNS setting, here it is below.
What settings do I need to change in order to get forced DNS working?
Thank you again.

 
@drinkingbird

I need to apologize, there is a misunderstanding on my behalf.

The title of this thread is really incorrectly named.

The title should be something like: If a clever user in the network changes the DNS settings to, say, 8.8.8.8, can the AsusWRT-Merlin router block the DNS traffic?

I will start a new thread on this topic

Thank you.
 
If you click the "Assign" button you'll be able to change from your current setting of Adguard to one that blocks malicious sites like Quad9. If you want to block both malicious sites and adult sites, there is a cloudflare for that, it may not be in the pre-assigned ones but you can manually put in the IPs for it. If you google around you may be able to find one that blocks ads, malicious sites, and adult sites. But since you have parental controls already enabled, you're already blocking adult sites and there are other categories you can enable too. That will work regardless of the DNS server, that is based on the actual packet passing through the router.

All of this can be bypassed by using a VPN service, and the DNS filtering can be bypassed by using DNS over HTTP or other secure DNS services. You'd need to install blacklists for those to try and block those.

Your DNS filter is already working, no matter what any user puts for DNS, it is going to use your router. Currently your router is set to only filter advertisement sites, but you can change that as described above to block malware, adult content, etc.

To try and put it another way, when you have DNS filtering enabled, any packet that your router sees with port 53 (DNS), it will intercept that packet and prevent it from going to the internet. It then inserts its own response, and sends it back to the client. So even though the client sees the response coming from 8.8.8.8, the content of that response is provided by your router. It is spoofing the DNS response.
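As an added example (not from this thread, the Asus firmware, or AsusWRT-Merlin), the following Python script automates the interception check described earlier in the thread: send a query for a hostname that only the router's DNS knows to a public resolver, then classify the reply. An answer with an IP means the router intercepted and spoofed the response; NXDOMAIN means the query really reached the public resolver. The hostname and resolver values are assumptions, and build_response only constructs sample replies for an offline self-check.

```python
import socket
import struct

# Assumed values (not from the router): a LAN-only hostname and the public resolver.
LAN_HOSTNAME = "RT-AC86U-0218"
EXTERNAL_RESOLVER = "8.8.8.8"

def build_query(name, txid=0x1234):
    """Minimal DNS A query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer (2 bytes) ends the name
            return pos + 2
        pos += 1 + length

def parse_response(data):
    """Return (txid, rcode, [A-record IPs]) from a raw DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4           # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return txid, flags & 0x0F, ips

def classify(rcode, ips):
    """Interpret what the public resolver 'said' about a LAN-only hostname."""
    if rcode == 3:
        return "not intercepted"   # NXDOMAIN: the query really reached the public resolver
    if rcode == 0 and ips:
        return "intercepted"       # a public resolver cannot know LAN hosts: the router answered
    return "inconclusive"

def build_response(query, rcode, ips):
    """Constructed reply to `query`, used only for the offline self-check."""
    flags = struct.pack("!H", 0x8180 | rcode)
    counts = struct.pack("!HHHH", 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + socket.inet_aton(ip) for ip in ips)
    return query[:2] + flags + counts + query[12:] + rrs

def probe(name=LAN_HOSTNAME, resolver=EXTERNAL_RESOLVER, timeout=3.0):
    """Send the query to the external resolver over UDP/53 and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
    _, rcode, ips = parse_response(data)
    return classify(rcode, ips), ips
```

Run probe() from a LAN client with and without the DNS filter enabled; the verdict flips from "not intercepted" to "intercepted" when the router starts answering in the public resolver's place.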
 
