If a user changes the DNS setting in Windows (say 8.8.8.8), can AsusWRT-Merlin OS block the DNS traffic?


liukuohao

Regular Contributor
Hi all,

Can I create firewall rules in my router to stop users from bypassing my customized DNS setting?
If a user alters the Windows DNS setting to 8.8.8.8, I would like my router to block internet access entirely.
That is, all DNS requests must go through my router first; if not, no internet access is allowed.

Thank you.
 
Why did you start a new thread for this?

What you're asking for is not possible, at least not automatically. They will still have internet access, but you CAN prevent them from doing DNS lookups to external servers. There is no way, even with Merlin, to block all internet access if the router senses that the person is not using DHCP or has set a static DNS. That would be a very advanced script that would need to update your firewall rules every time a DHCP lease is issued, essentially only permitting traffic if the IP was assigned by DHCP. While a script like that may be possible, it would be pretty complex. And it still would not prevent them from setting a custom DNS entry since that is separate from DHCP, you would still need to do DNS filtering or blocking to prevent that part.

To prevent them from reaching external DNS servers, you have two options:

Option 1 is what you've already done, using dnsfilter to intercept their DNS traffic and force it to use your router's DNS. You already have that configured, and it is working. The user won't know it, they'll think it is hitting 8.8.8.8 or whatever but in reality the response is coming from your router. The only thing you need to tweak is your WAN DNS settings are currently using "adguard" but if you want to block malicious sites you'd be better with one of the other options like Quad9.

The other option is to go into Firewall - Network services filter and add two deny rules, one for UDP 53 and one for TCP 53. That will block them from hitting all servers other than your router IP. It will not redirect traffic, their DNS lookup will fail. You would disable the dnsfilter if you wanted to do that (have their lookup fail instead of being redirected).

They can still use a VPN or encrypted DNS (DOH, etc) to bypass this. There are blacklists you can install to block those but you'll need to update them periodically and it won't catch them all.

As I mentioned in the other thread, if you do want to try and block static IPs from hitting the internet at all, and don't mind having a lot of management overhead, you could give every client a random IP reservation in DNS (from a large subnet that is difficult to guess), then add that IP to your firewall rules (with the firewall set to "permit list" which means it will block all others). All clients not matching will have no internet access. But again, that will not stop a client with a DHCP IP from changing their DNS server. You would still need to block DNS requests or use DNS filtering.

Can you be more clear on what you want to do?
1. If a user sets a static IP (not static DNS server, static IP address), block their internet entirely (which will require a lot of work on your part to manually assign IPs to each device and create 2 firewall rules for each, this must be done every time a new device connects). NOTE this option will limit you to 64 devices (possibly 32 if you also want to block external DNS, which would require 4 firewall rules per client).
2. If a user sets a custom DNS server, ignore that setting and use your router instead (DNS filter)
3. If a user sets a custom DNS server, block them from doing any DNS lookups (not blocking internet, but unless they know an IP to connect to, effectively making their internet pretty useless).

Or a combination of 1 and 2 or 1 and 3 (if you do option 1, you still need one of the other options to stop them from setting a custom DNS server).
 
Last edited:
The user won't know it, they'll think it is hitting 8.8.8.8 or whatever but in reality the response is coming from your router
How to check if this is really the case? Is there a tool which I can use to prove that my router is handling all the DNS requests?
 
How to check if this is really the case? Is there a tool which I can use to prove that my router is handling all the DNS requests?

Yup, as previously mentioned, do an nslookup for a local device (one on your LAN). Do it to both your router IP and to 8.8.8.8. If filtering is working correctly, both will give you a response with a local IP. Since google does not know DNS for your local LAN IPs, you know that response can't possibly be coming from them, even though it appears to be.

Then do the same thing with DNS filter off. You'll see that lookup to your router IP succeeds, and to 8.8.8.8 fails with "not found".

Another test you can do is to visit a site you know would be blocked by the DNS service you're using. Currently you're using adguard. Should be pretty easy to find a site they block. With DNS filtering on and your client set to 8.8.8.8 DNS IP, you should get an adguard page telling you the site is blocked when you try to visit it. That tells you that the DNS settings in your WAN are being used, which means the router is being used as the DNS server, and not the 8.8.8.8.

Make sure the Name Servers on your DHCP page are blank, and the "advertise router" is set to "yes".
 
Last edited:
Ok, this is more appropriate for my case

Go into firewall, then the tab "network services filter". Click "yes" next to enable. The defaults for the rest (deny list, hours, etc) should all be fine.

Then add two firewall rules. Make it look exactly like the below and click apply. Then disable your dnsfilter so they will be blocked rather than redirected.

This will result in anyone pointing to your router IP for DNS being fine, and anyone pointing to anything else not being able to get any DNS responses.

On the WAN page, you can set your WAN DNS servers to whichever service you want to use. Right now you're using adguard but if you want to block malicious sites, porn, etc you would want to pick one of the others, or enter a custom one (there are many more out there than the predefined ones).

Make sure the Name Servers on your DHCP page are blank, and the "advertise router" is set to "yes". That ensures your clients only learn 1 DNS server, your router.

Note that if you leave parental controls enabled and aiprotection "malicious site blocking" enabled as well, you'll basically have two layers of protection now. DNS will take priority but if for some reason a site isn't filtered there but is on trend micro, then aiprotection will block it. Aiprotection also helps block something if someone tries to visit it by IP instead of hostname (which DNS filtering would never see).

As mentioned before, this will not block DNS over HTTPS (DOH), VPN, and some other forms of secure DNS. To do that you'll need to move to merlin and install addons to blacklist as many of those as possible. But this is a good start.

One other note - if all you're doing is trying to prevent someone from bypassing the "parental controls", there is no need to do any of this. Parental controls do not use DNS, they use packet inspection to see what site the person is visiting. They will work no matter what the DNS server is set to. However if you want them to be forced to use the filtering DNS service on the WAN page (adguard as you have it set now, or one of the others in there), then this will work for that.

 
Last edited:
@drinkingbird

I just want to be clear here.

Refer to the picture below.
If I type in:
Code:
nslookup playboy.com

The first 2 lines of the Windows command prompt reply are:

Server: RT-AC68U-0218
Address: 192.168.88.1

This means my router is handling the DNS request and passing on
the DNS query to assigned DNS servers (which in my case, are
AdGuard DNS servers found in WAN DNS setting) correct?


 
Note that if you leave parental controls enabled and aiprotection "malicious site blocking" enabled as well, you'll basically have two layers of protection now. DNS will take priority but if for some reason a site isn't filtered there but is on trend micro, then aiprotection will block it. Aiprotection also helps block something if someone tries to visit it by IP instead of hostname (which DNS filtering would never see).
Good to know there are 2 layers of protection. Thank you. :)
 
Go into firewall, then the tab "network services filter". Click "yes" next to enable. The defaults for the rest (deny list, hours, etc) should all be fine.

Then add two firewall rules. Make it look exactly like the below and click apply. Then disable your dnsfilter so they will be blocked rather than redirected.

This will result in anyone pointing to your router IP for DNS being fine, and anyone pointing to anything else not being able to get any DNS responses.

On the WAN page, you can set your WAN DNS servers to whichever service you want to use. Right now you're using adguard but if you want to block malicious sites, porn, etc you would want to pick one of the others, or enter a custom one (there are many more out there than the predefined ones).

Make sure the Name Servers on your DHCP page are blank, and the "advertise router" is set to "yes". That ensures your clients only learn 1 DNS server, your router.

Note that if you leave parental controls enabled and aiprotection "malicious site blocking" enabled as well, you'll basically have two layers of protection now. DNS will take priority but if for some reason a site isn't filtered there but is on trend micro, then aiprotection will block it. Aiprotection also helps block something if someone tries to visit it by IP instead of hostname (which DNS filtering would never see).

As mentioned before, this will not block DNS over HTTPS (DOH), VPN, and some other forms of secure DNS. To do that you'll need to move to merlin and install addons to blacklist as many of those as possible. But this is a good start.

One other note - if all you're doing is trying to prevent someone from bypassing the "parental controls", there is no need to do any of this. Parental controls do not use DNS, they use packet inspection to see what site the person is visiting. They will work no matter what the DNS server is set to. However if you want them to be forced to use the filtering DNS service on the WAN page (adguard as you have it set now, or one of the others in there), then this will work for that.


This will help, but some devices may not use port 53 at all for their DNS queries, right?
 
Do you know whether packet inspection works with https traffic when the data traffic is encrypted?

It can't inspect anything, if the traffic is encrypted end to end.
 
@drinkingbird

I just want to be clear here.

Refer to the picture below.
If I type in:
Code:
nslookup playboy.com

The first 2 lines of the Windows command prompt reply are:

Server: RT-AC68U-0218
Address: 192.168.88.1

This means my router is handling the DNS request and passing on
the DNS query to assigned DNS servers (which in my case, are
AdGuard DNS servers found in WAN DNS setting) correct?



In this case yes it is correct, but when you have DNSfilter enabled, those two lines essentially become meaningless. DNSfilter intercepts the packet and changes the contents, but in order to not break DNS, it still makes it look like the reply is coming from whatever server the person specified. So when you have DNSfilter enabled, you cannot trust those two lines anymore. No matter what those two lines say, it is your router responding with whatever it got from adguard.

You can confirm this by doing "nslookup playboy.com" and "nslookup playboy.com 8.8.8.8". Both should respond with the same IP, even though the second response APPEARS to be coming from 8.8.8.8. Now if you go to http://94.140.14.35 (or whatever IP is returned), you'll see that it is an "adguard blocked" website, so you know that both responses came from your router/adguard and 8.8.8.8 did NOT get used.
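The nslookup check described in this reply and in the earlier one (query a LAN-only hostname at your router and at 8.8.8.8, and see whether a private address comes back) can be automated. This is an added example, not code from the thread or from Asus/Merlin; the hostname `my-laptop.lan` and the resolver addresses are assumptions, and `build_response` only exists to construct sample replies for offline testing.

```python
import ipaddress
import socket
import struct
from typing import List, Optional, Tuple

def encode_name(name: str) -> bytes:
    """Encode "host.lan" as DNS labels: \\x04host\\x03lan\\x00."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(name: str, rcode: int, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Constructed reply for offline testing (rcode 0 = NOERROR, 3 = NXDOMAIN)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        # 0xC00C is a compression pointer back to the name in the question
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers

def _skip_name(buf: bytes, off: int) -> int:
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length

def parse_a_records(resp: bytes) -> Tuple[int, List[str]]:
    """Return (rcode, [A record addresses]) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return flags & 0x0F, addrs

def classify(rcode: int, addrs: List[str]) -> str:
    """Interpret an external resolver's reply to a LAN-only hostname."""
    if rcode == 0 and addrs and all(ipaddress.ip_address(a).is_private for a in addrs):
        return "intercepted"        # only the router knows this name: DNSFilter answered
    if rcode == 3:
        return "not-intercepted"    # NXDOMAIN: the query really reached the external server
    return "inconclusive"

def query(server: str, name: str, timeout: float = 2.0) -> bytes:
    """Send one UDP query and return the raw reply (live check, needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(512)[0]

if __name__ == "__main__":
    # Assumed LAN hostname and external resolver; use a device from your own network.
    rcode, addrs = parse_a_records(query("8.8.8.8", "my-laptop.lan"))
    print(classify(rcode, addrs), addrs)
```

Run it once with DNSFilter on and once with it off: the first run should report `intercepted`, the second `not-intercepted`.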
 
Do you know whether packet inspection works with https traffic when the data traffic is encrypted?

If someone simply visits an https site, yes, it will still work. The initial packets sent when https/ssl/tls setup is done are enough for it to block the URL. It can also snoop the DNS packets (even if you aren't using DNS filter) and know what they're hitting that way. They may get an asus/trend micro page saying the site is blocked, or they may just get an SSL error screen, it depends on their browser and how strict it is (since it will be trying to show the router's "blocked" page but it won't have a valid certificate). But either way, the site is blocked.

If someone uses a VPN service that uses HTTPS/SSL encryption, then no, it won't be able to see or block those sites, those are completely invisible to the router and any other device on your LAN other than their PC.

There are also proxy websites (like proxysite.com) you can use that may not be blocked, but then on that site you can go to a blocked site and the router won't be able to see that either, since it is essentially the same as using a VPN.

So short of blocking all VPN and proxy sites, there will always be ways around your filtering. You can install blacklists to block many of these services (there are probably DNS services that will block them also). Even DNS filtering can be bypassed by going to a DNS lookup website, getting the IP of the website, then visiting the site by IP address. Most sites won't allow direct IP access but some still do.

You could watch traffic stats and if you see a computer where the majority of traffic is to one IP using SSL/TLS/ESP or other encryption protocols with large amounts of traffic, check that site and see if it is a proxy or VPN, then block it. But they'll just find another. Turns into a game of cat&mouse. Eventually you'll block all the free VPN providers but you may run out of firewall rules/url filters before you get them all.

The only way to really apply parental controls is keep the computer in a common area and supervise. You could go crazy and put in a proxy server with a service that updates its filters regularly, and then reconfigure all your computers to use it, but that's not realistic. And there are ways around that too (but far fewer). You can also consider locking down the computer so the user doesn't have admin access (assuming you have control over the computer) and cannot install VPN apps, change settings, etc. You could install extensions to the web browser to block stuff, or lock it into kids mode, etc.

So long story short, enabling aiprotection, parental controls, and dnsfilter (or blocking DNS other than your router) with a WAN DNS service that blocks everything you want blocked (malicious, adult, advertising, possibly VPN/proxy etc) is as much as you can do. Potentially blocking IPs or URLs of the most common VPN and proxy services too.

It will stop some stuff, make other stuff more difficult, and for people who know what they're doing, basically just annoy them a bit but not stop them. You have to couple these measures with supervision and punishment (24 hour block of their MAC address for example) to make it effective. For the person who keeps changing their DNS to 8.8.8.8, sounds like they're not terribly advanced so it may work for them, at least until they start researching ways around that and find they get a free VPN subscription from any number of sites.

Of course most people have smart phones, they can just disable wifi and use mobile data totally bypassing your network and filters.
 
Last edited:
He said that in the penultimate paragraph of the text that you quoted.
I was just wondering if services like apple-dns.net (queried by some apple clients) tend to use port 53 too.
 
Last edited:
I was wondering if services like apple-dns.net (queried by some apple clients) tend to use port 53 too.

Quick web search shows that isn't an actual DNS service just a domain that apple uses, so queries for it should use standard DNS and port 53.

I'm sure there are plenty of apps that could potentially use secure DNS services and would bypass this filtering. Best you can do is try to block the most common ones or install a blacklist, but none of this filtering is fool proof (or even close to it).

Luckily the windows box the OP is talking about is pretty much going to use standard DNS for everything unless someone installs a utility or driver that supports secure DNS.
 
if someone simply visits an https site, yes, it will still work. The initial packets sent when https/ssl/tls setup is done are enough for it to block the URL. It can also snoop the DNS packets (even if you aren't using DNS filter) and know what they're hitting that way. They may get an asus/trend micro page saying the site is blocked, or they may just get an SSL error screen, it depends on their browser and how strict it is (since it will be trying to show the router's "blocked" page but it won't have a valid certificate). But either way, the site is blocked.
So in other words, from your reply above, the answer is: YES, HTTPS traffic can be inspected.

However which of the following is responsible for HTTPS inspection?

1) Malicious Site Blocking
2) 2-Way IPS
3) Infected Device Prevention & Blocking

Is it item no. 2 ?
 
If someone simply visits an https site, yes, it will still work. The initial packets sent when https/ssl/tls setup is done are enough for it to block the URL. It can also snoop the DNS packets (even if you aren't using DNS filter) and know what they're hitting that way. They may get an asus/trend micro page saying the site is blocked, or they may just get an SSL error screen, it depends on their browser and how strict it is (since it will be trying to show the router's "blocked" page but it won't have a valid certificate). But either way, the site is blocked.

If someone uses a VPN service that uses HTTPS/SSL encryption, then no, it won't be able to see or block those sites, those are completely invisible to the router and any other device on your LAN other than their PC.

There are also proxy websites (like proxysite.com) you can use that may not be blocked, but then on that site you can go to a blocked site and the router won't be able to see that either, since it is essentially the same as using a VPN.

So short of blocking all VPN and proxy sites, there will always be ways around your filtering. You can install blacklists to block many of these services (there are probably DNS services that will block them also). Even DNS filtering can be bypassed by going to a DNS lookup website, getting the IP of the website, then visiting the site by IP address. Most sites won't allow direct IP access but some still do.

You could watch traffic stats and if you see a computer where the majority of traffic is to one IP using SSL/TLS/ESP or other encryption protocols with large amounts of traffic, check that site and see if it is a proxy or VPN, then block it. But they'll just find another. Turns into a game of cat&mouse. Eventually you'll block all the free VPN providers but you may run out of firewall rules/url filters before you get them all.

The only way to really apply parental controls is keep the computer in a common area and supervise. You could go crazy and put in a proxy server with a service that updates its filters regularly, and then reconfigure all your computers to use it, but that's not realistic. And there are ways around that too (but far fewer). You can also consider locking down the computer so the user doesn't have admin access (assuming you have control over the computer) and cannot install VPN apps, change settings, etc. You could install extensions to the web browser to block stuff, or lock it into kids mode, etc.

So long story short, enabling aiprotection, parental controls, and dnsfilter (or blocking DNS other than your router) with a WAN DNS service that blocks everything you want blocked (malicious, adult, advertising, possibly VPN/proxy etc) is as much as you can do. Potentially blocking IPs or URLs of the most common VPN and proxy services too.

It will stop some stuff, make other stuff more difficult, and for people who know what they're doing, basically just annoy them a bit but not stop them. You have to couple these measures with supervision and punishment (24 hour block of their MAC address for example) to make it effective. For the person who keeps changing their DNS to 8.8.8.8, sounds like they're not terribly advanced so it may work for them, at least until they start researching ways around that and find they get a free VPN subscription from any number of sites.

Of course most people have smart phones, they can just disable wifi and use mobile data totally bypassing your network and filters.
Thanks for your thorough explanation.

Yes, I know turning on the DNS filter is not a "silver bullet".

There are many other ways to circumvent the restriction.
 
So in other words, from your reply above, the answer is: YES, HTTPS traffic can be inspected.

However which of the following is responsible for HTTPS inspection?

1) Malicious Site Blocking
2) 2-Way IPS
3) Infected Device Prevention & Blocking

Is it item no. 2 ?

No, not really. Malicious site blocking and parental controls are both URL filters, and they'll be able to block both http and https sites. They are NOT inspecting https traffic but rather blocking the site before the https even gets established.

IPS is looking more for traffic patterns, and infected device blocking is looking at clients on your LAN that are showing signs of potential malware. Neither is really related to HTTP or HTTPS and neither would be able to inspect https traffic once it is encrypted (nothing can other than a proxy or a device designed to intercept ssl and act as a "man in the middle").
 
Last edited:
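The reply above says the URL filter blocks an HTTPS site "before the https even gets established", using the initial packets of the TLS setup. The name it can see there is the SNI (server_name extension) in the unencrypted ClientHello. The example below, added here and not code from the thread or from Asus/Trend Micro, builds a constructed ClientHello, extracts the SNI the way such a filter would, and applies a tiny assumed blocklist; when no SNI is present the filter has nothing to match on.

```python
import struct
from typing import Optional

def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS ClientHello record carrying only a server_name extension."""
    host = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host              # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32            # client_version + 32-byte random
            + b"\x00"                              # session id length 0
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:           # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                        # not a ClientHello
        return None
    off = 4 + 2 + 32                                   # handshake header, version, random
    off += 1 + hs[off]                                 # session id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0] # cipher suites
    off += 1 + hs[off]                                 # compression methods
    if off + 2 > len(hs):
        return None                                    # no extensions block
    ext_end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        if ext_type == 0:                              # server_name extension
            pos = off + 2                              # skip server_name_list length
            while pos + 3 <= off + ext_len:
                name_type, name_len = struct.unpack("!BH", hs[pos:pos + 3])
                pos += 3
                if name_type == 0:
                    return hs[pos:pos + name_len].decode("idna")
                pos += name_len
        off += ext_len
    return None

BLOCKLIST = {"playboy.com"}   # assumed; a real filter uses the vendor's category feed

def filter_decision(record: bytes) -> str:
    """What a SNI-based URL filter would decide for this client packet."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"        # nothing to match: e.g. direct-by-IP, handled only by aiprotection/IP rules
    host = name.lower()
    blocked = any(host == d or host.endswith("." + d) for d in BLOCKLIST)
    return "block" if blocked else "allow"
```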
