Intercept port 53?

[Mr. Boniato]

Hello,
Can devices be forced to use the DNS from the router?
I remember when I used to use Tomato, it had an option to intercept port 53, which prevented users from changing their devices DNS server and were forced to use whatever the router had.

But, I see this option in Asus...and according to what I am reading, when set to router, it will force the clients to use the DNS provided by the router, but I am still able to change the DNS on my PC bypassing the router's DNS.
Is there another setting I need to change?

I appreciate the help.

 

[ColinTaylor]

But, I see this option in Asus...and according to what I am reading, when set to router, it will force the clients to use the DNS provided by the router, but I am still able to change the DNS on my PC bypassing the router's DNS.

It works exactly the same way as Tomato. Changing the DNS on your PC won't stop the router intercepting it.

 

[Mr. Boniato]

Why am I able to change the DNS server on my PC?
With Tomato, I couldn't change it.

 

[ColinTaylor]

Why am I able to change the DNS server on my PC?

Your PC has no way of knowing that the router is intercepting and redirecting its DNS requests.

With Tomato, I couldn't change it.

I think your memory is incorrect. A router cannot control what you configure in your PC's settings.

 

[Mr. Boniato]

What is that setting for then?
It was my understanding that if I enable that feature, it will prevent devices from using their own DNS server because the router will force them to use the Router's own DNS server no matter what they set on their own devices.

is this not correct?

 

[ColinTaylor]

What is that setting for then?

What setting?

 

[Mr. Boniato]

What setting?

What does selecting Router supposed to do?

 

[ColinTaylor]

View attachment 46717

It does exactly what you asked for in your title/first sentence and was explained in the GUI text that you showed in post #1.

 

[dave14305]

View attachment 46717

What does selecting Router supposed to do?

The PC is none-the-wiser that its queries have been intercepted by the router, but they have been.

 

[fryedchikin]

How are you testing to determine which DNS server is resolving addresses for you ?

 

[ColinTaylor]

What does selecting Router supposed to do?

and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined).

In other words it's doing what you asked for. Check that LAN - DHCP Server has both DNS servers left undefined.

 

[bennor]

But, I see this option in Asus...and according to what I am reading, when set to router, it will force the clients to use the DNS provided by the router, but I am still able to change the DNS on my PC bypassing the router's DNS.

How are you determining that your PC's are bypassing DNS Director (formerly DNS Filter), assuming you have properly configured DNS Director by enabling the feature and selecting Global Redirection: Router? Are you using VPN either on the router or on the LAN clients?

 

[Mr. Boniato]

I have set AdGuard as the DNS Server and it works great, but if I change the DNS server on my device to 8.8.8.8-8.8.4.4, the ads and adult sites are no longer blocked.
When I check nslookup it shows the google DNS instead of the Router's.

 

[Mr. Boniato]

I guess the question I would ask is..
How can I force all traffic to only use the Router's DNS server, even if they try to use another DNS server?
Are you saying this is not possible in this firmware?

 

[fryedchikin]

Check this setting..

 

[bennor]

I have set AdGuard as the DNS Server and it works great, but if I change the DNS server on my device to 8.8.8.8-8.8.4.4, the ads and adult sites are no longer blocked.

But have you enabled DNS Director/DNS Filter and set Global Redirection to Router then hit the Apply button at the bottom of the page? If not, do it and report back if your LAN clients are bypassing the DNS Director/DNS Filter.

Another option, is to block specific DNS servers.
Block Google DNS on Asus

 

[Mr. Boniato]

But have you enabled DNS Director/DNS Filter and set Global Redirection to Router then hit the Apply button at the bottom of the page? If not, do it and report back if your LAN clients are bypassing the DNS Director/DNS Filter.

Another option, is to block specific DNS servers.
Block Google DNS on Asus

Please see post #1. Is that the option you are referring to?
I have already selected Router as the Global Redirection thinking this feature was going to do what I need.

 

[Mr. Boniato]

Check this setting..
View attachment 46722

Mine is set to None as well.

 

[ColinTaylor]

Another option, is to block specific DNS servers.
Block Google DNS on Asus

The problem alluded to above is that it is no longer sufficient to just block port 53. For example if you're using Chrome and set your PC to Google DNS it will switch to using "secure DNS" (DNS over HTTP / port 443) and therefore bypass the router's blocking attempts.

When I check nslookup it shows the google DNS instead of the Router's.

nslookup will show the google DNS because it's unaware that the request is being redirected somewhere else by the router.

 

[bennor]

Please see post #1. Is that the option you are referring to?

Of course that feature page is called either DNS Filter or DNS Director, depending on which Asus-Merlin firmware one is running. That feature when configured as explained is supposed to (in very general terms) intercept LAN client DNS requests and route them to the DNS server used by the router. If that isn't happening, since you indicated you are running AdGuard, perhaps you need to double check you have Adguard configured properly if you are running Adguard as an add-on script. As a troubleshooting step manually configure the LAN DHCP DNS servers (for example set to Adguard's DNS servers used in the WAN DNS field) and see if the LAN clients that use hard coded DNS servers are being intercepted and routed to the router's LAN DNS servers.