RT-N66U DNS Filter

Discussion in 'Asuswrt-Merlin' started by Drom, Sep 19, 2017.

  1. Drom

    Drom New Around Here

    Joined:
    Sep 19, 2017
    Messages:
    4
    I run RT-N66U with the newest 3.68_2 firmware.

    Since 3.68 I have had an issue with DNS-based Filtering.
    I run my traffic through OpenDNS with the DNS-servers set to 208.67.220.220 and 208.67.222.222.
    The Global Filter mode is set to "No Filtering", and I have selected "OpenDNS Home" for the devices I want to use the filter. All good so far, it works.

    The problem is that all other devices get caught in the same filter. If I don't add these devices to the list, it filters them. And even if I add these devices to the list and select either "No filtering" or "Router", it doesn't matter. They all get caught in the OpenDNS-filter.

    In the last couple of weeks it stopped filtering these devices a couple of times, but then seemingly randomly jumped into filtering again.

    I have tried to reboot and upgrade, with no luck.

    Please advise me here.

    Drom

    dns.png
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,702
    Location:
    UK
    Very strange. Do you have any non-standard customisations to the router, user scripts, etc.? It will be quite hard to debug if it works sometimes and doesn't another time.
     
  3. Drom

    Drom New Around Here

    Joined:
    Sep 19, 2017
    Messages:
    4
    Thanks for replying!

    No, no user scripts or non-standards. And yes, the filtering seems to happen in some random long intervals. It can work for a day or two, and then filter every device for weeks now.

    I just can't seem to get past it, even though I let the "Router" setting be applied.
    At the moment I'm still filtered, even though I turned DNS-based filtering OFF! (Browser cookies and cache are wiped clean.)

    Is there such a thing as a router cache that needs to be wiped as well?
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,702
    Location:
    UK
    Not that would apply to DNS Filtering. The way it works is by intercepting the DNS requests at the packet level and redirecting them on-the-fly to the specified server.

    How have you setup the DNS that the router uses itself, are you using your ISP's DNS servers? (WAN > Internet Connection > WAN DNS Setting)
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,702
    Location:
    UK
    Also double check your settings at LAN > DHCP Server > DNS and WINS Server Setting, which should be left at the defaults (DNS Server 1&2 both blank).
     
  6. Drom

    Drom New Around Here

    Joined:
    Sep 19, 2017
    Messages:
    4
    WAN DNS Setting
    Connect to DNS Server automatically
    Yes

    LAN > DHCP Server > DNS and WINS Server Setting

    DNS Server 1 Empty
    DNS Server 2 Empty
    Advertise router's IP in addition to user-specified DNS Yes
    Forward local domain queries to upstream DNS No
    Enable DNSSEC support No

    When I check devices, they seem to get their manually assigned IP correctly.
    Parental Control > DNSFiltering is still turned OFF, and I'm getting filtered on all devices.

    Thanks again
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,702
    Location:
    UK
    The only thing I can suggest is that, having enabled Telnet or SSH access to the router, you log into it and issue the following from the command line. If you post the results here we might be able to see what's happening.

    iptables-save
     
  8. Drom

    Drom New Around Here

    Joined:
    Sep 19, 2017
    Messages:
    4
    I have SSHed to the router and have generated two iptables rulesets.

    This is when the filter is turned on.

    Code:
    # Generated by iptables-save v1.3.8 on Tue Sep 19 14:29:05 2017
    *nat
    :PREROUTING ACCEPT [92:6071]
    :POSTROUTING ACCEPT [8:1180]
    :OUTPUT ACCEPT [8:1180]
    :DNSFILTER - [0:0]
    :LOCALSRV - [0:0]
    :PCREDIRECT - [0:0]
    :PUPNP - [0:0]
    :VSERVER - [0:0]
    :VUPNP - [0:0]
    -A PREROUTING -d XXX.XX.XX.XXX -j VSERVER 
    -A PREROUTING -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 53 -j DNSFILTER 
    -A PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 53 -j DNSFILTER 
    -A POSTROUTING -o eth0 -j PUPNP 
    -A POSTROUTING -s ! XXX.XX.XX.XXX -o eth0 -j MASQUERADE 
    -A POSTROUTING -m mark --mark 0x8000/0x8000 -j MASQUERADE 
    -A DNSFILTER -m mac --mac-source A4:71:74:F5:F1:8C -j DNAT --to-destination 208.67.222.222 
    -A DNSFILTER -m mac --mac-source 00:26:C6:B6:0A:72 -j RETURN 
    -A DNSFILTER -m mac --mac-source 78:F8:82:9E:CD:DB -j RETURN 
    -A VSERVER -p tcp -m tcp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222 
    -A VSERVER -p udp -m udp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222
    -A VSERVER -j VUPNP 
    COMMIT
    # Completed on Tue Sep 19 14:29:05 2017
    # Generated by iptables-save v1.3.8 on Tue Sep 19 14:29:05 2017
    *mangle
    :PREROUTING ACCEPT [106642:10369996]
    :INPUT ACCEPT [73791:7725031]
    :FORWARD ACCEPT [32491:2593519]
    :OUTPUT ACCEPT [70215:224669769]
    :POSTROUTING ACCEPT [102735:227270943]
    -A PREROUTING -d XXX.XX.XX.XXX -i ! eth0 -j MARK --set-mark 0x8000/0x8000 
    -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MARK --set-mark 0x1/0x7 
    COMMIT
    # Completed on Tue Sep 19 14:29:05 2017
    # Generated by iptables-save v1.3.8 on Tue Sep 19 14:29:05 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [438:808389]
    :ACCESS_RESTRICTION - [0:0]
    :FUPNP - [0:0]
    :INPUT_ICMP - [0:0]
    :NSFW - [0:0]
    :PControls - [0:0]
    :PTCSRVLAN - [0:0]
    :PTCSRVWAN - [0:0]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop 
    -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept 
    -A INPUT -m state --state INVALID -j logdrop 
    -A INPUT -i ! br0 -j PTCSRVWAN 
    -A INPUT -i br0 -j PTCSRVLAN 
    -A INPUT -i br0 -m state --state NEW -j ACCEPT 
    -A INPUT -i lo -m state --state NEW -j ACCEPT 
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j logaccept 
    -A INPUT -p icmp -j INPUT_ICMP 
    -A INPUT -j logdrop 
    -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept 
    -A FORWARD -i ! br0 -o eth0 -j logdrop 
    -A FORWARD -i eth0 -m state --state INVALID -j logdrop 
    -A FORWARD -i br0 -o br0 -j logaccept 
    -A FORWARD -i eth0 -j SECURITY 
    -A FORWARD -j NSFW 
    -A FORWARD -m conntrack --ctstate DNAT -j logaccept 
    -A FORWARD -i br0 -j logaccept 
    -A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN 
    -A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN 
    -A INPUT_ICMP -p icmp -j logaccept 
    -A PControls -j logaccept 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop 
    -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN 
    -A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop 
    -A SECURITY -j RETURN 
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options 
    -A logaccept -j ACCEPT 
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
    -A logdrop -j DROP 
    COMMIT
    # Completed on Tue Sep 19 14:29:05 2017
    
    I see the MAC-addresses related. But all MACs are still filtered.

    The below is from when the filter is turned Off completely. All devices still filtered at the moment.

    Code:
    # Generated by iptables-save v1.3.8 on Tue Sep 19 14:32:26 2017
    *nat
    :PREROUTING ACCEPT [68:4963]
    :POSTROUTING ACCEPT [16:1807]
    :OUTPUT ACCEPT [16:1807]
    :DNSFILTER - [0:0]
    :LOCALSRV - [0:0]
    :PCREDIRECT - [0:0]
    :PUPNP - [0:0]
    :VSERVER - [0:0]
    :VUPNP - [0:0]
    -A PREROUTING -d XXX.XX.XX.XXX -j VSERVER 
    -A POSTROUTING -o eth0 -j PUPNP 
    -A POSTROUTING -s ! XXX.XX.XX.XXX -o eth0 -j MASQUERADE 
    -A POSTROUTING -m mark --mark 0x8000/0x8000 -j MASQUERADE 
    -A VSERVER -p tcp -m tcp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222 
    -A VSERVER -p udp -m udp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222
    -A VSERVER -j VUPNP 
    COMMIT
    # Completed on Tue Sep 19 14:32:26 2017
    # Generated by iptables-save v1.3.8 on Tue Sep 19 14:32:26 2017
    *mangle
    :PREROUTING ACCEPT [108334:10532803]
    :INPUT ACCEPT [74852:7848696]
    :FORWARD ACCEPT [33114:2631577]
    :OUTPUT ACCEPT [71311:225710273]
    :POSTROUTING ACCEPT [104454:228349505]
    -A PREROUTING -d XXX.XX.XX.XXX -i ! eth0 -j MARK --set-mark 0x8000/0x8000 
    -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MARK --set-mark 0x1/0x7 
    COMMIT
    # Completed on Tue Sep 19 14:32:26 2017
    # Generated by iptables-save v1.3.8 on Tue Sep 19 14:32:26 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [551:842794]
    :ACCESS_RESTRICTION - [0:0]
    :FUPNP - [0:0]
    :INPUT_ICMP - [0:0]
    :NSFW - [0:0]
    :PControls - [0:0]
    :PTCSRVLAN - [0:0]
    :PTCSRVWAN - [0:0]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop 
    -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept 
    -A INPUT -m state --state INVALID -j logdrop 
    -A INPUT -i ! br0 -j PTCSRVWAN 
    -A INPUT -i br0 -j PTCSRVLAN 
    -A INPUT -i br0 -m state --state NEW -j ACCEPT 
    -A INPUT -i lo -m state --state NEW -j ACCEPT 
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j logaccept 
    -A INPUT -p icmp -j INPUT_ICMP 
    -A INPUT -j logdrop 
    -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept 
    -A FORWARD -i ! br0 -o eth0 -j logdrop 
    -A FORWARD -i eth0 -m state --state INVALID -j logdrop 
    -A FORWARD -i br0 -o br0 -j logaccept 
    -A FORWARD -i eth0 -j SECURITY 
    -A FORWARD -j NSFW 
    -A FORWARD -m conntrack --ctstate DNAT -j logaccept 
    -A FORWARD -i br0 -j logaccept 
    -A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN 
    -A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN 
    -A INPUT_ICMP -p icmp -j logaccept 
    -A PControls -j logaccept 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop 
    -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN 
    -A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop 
    -A SECURITY -j RETURN 
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options 
    -A logaccept -j ACCEPT 
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
    -A logdrop -j DROP 
    COMMIT
    # Completed on Tue Sep 19 14:32:26 2017
    I'm lost here.
     
  9. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,184
    Location:
    Canada
    Check the DNS configuration on your devices themselves, make sure they are set to DHCP and not with a static DNS.
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,702
    Location:
    UK
    I can't see anything wrong there. I see one device (A4:71:74:F5:F1:8C) directed to 208.67.222.222. And two devices (00:26:C6:B6:0A:72 & 78:F8:82:9E:CD:DB) explicitly ignoring DNS Filter. All the other devices will default to ignoring the DNS Filter.

    Check what RMerlin said.
     
  11. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,702
    Location:
    United States
    But shouldn't DNS Filter intercept the DNS requests even if this was the case?

    One very strange thing, in the first iptables-save that was posted with the filter active, the DNSFILTER chain got no hits (the count was [0:0] ). Are you sure you don't have another device on the network with an address conflict with the router?
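As an added diagnostic example (not code from this thread or from Asuswrt-Merlin), the script below parses the nat table of an iptables-save dump like the two posted above and walks a port-53 query from a given LAN MAC through the PREROUTING hook and the DNSFILTER chain, which is the packet-level redirection ColinTaylor describes in post #4; it also reports the DNSFILTER chain counters john9527 points at in post #11. The sample tables are trimmed copies of the posted dumps with the poster's XXX placeholder kept for the WAN address. The unknown MAC DE:AD:BE:EF:00:01 and the handling of a catch-all DNSFILTER rule with no MAC match (the global-mode case, which the posted dumps do not contain) are assumptions going beyond the dumps.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples in the shape of the nat table from the two posted dumps
# (filter on / filter off); only the DNSFilter-relevant lines are kept.
NAT_FILTER_ON = """\
*nat
:PREROUTING ACCEPT [92:6071]
:DNSFILTER - [0:0]
:VSERVER - [0:0]
-A PREROUTING -d XXX.XX.XX.XXX -j VSERVER
-A PREROUTING -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source A4:71:74:F5:F1:8C -j DNAT --to-destination 208.67.222.222
-A DNSFILTER -m mac --mac-source 00:26:C6:B6:0A:72 -j RETURN
-A DNSFILTER -m mac --mac-source 78:F8:82:9E:CD:DB -j RETURN
COMMIT
"""

NAT_FILTER_OFF = """\
*nat
:PREROUTING ACCEPT [68:4963]
:DNSFILTER - [0:0]
-A PREROUTING -d XXX.XX.XX.XXX -j VSERVER
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" header lines as printed by iptables-save
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# the PREROUTING rules that divert LAN port-53 traffic into DNSFILTER
HOOK_RE = re.compile(r"^-A PREROUTING .*--dport 53 -j DNSFILTER$")
# DNSFILTER rules: optional MAC match, then RETURN or DNAT --to-destination
RULE_RE = re.compile(
    r"^-A DNSFILTER(?: -m mac --mac-source (?P<mac>[0-9A-Fa-f:]{17}))?"
    r" -j (?P<target>\S+)(?: --to-destination (?P<dest>\S+))?$"
)


def parse_dnsfilter(dump: str) -> dict:
    """Extract the DNSFilter hook rules, per-MAC rules and chain counters
    from the *nat table of an iptables-save dump."""
    hooks: List[str] = []
    rules: List[Tuple[Optional[str], str, Optional[str]]] = []
    counters: Dict[str, Tuple[int, int]] = {}
    in_nat = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header: only *nat matters here
            in_nat = line == "*nat"
            continue
        if not in_nat:
            continue
        m = CHAIN_RE.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(3)), int(m.group(4)))
            continue
        if HOOK_RE.match(line):
            proto = re.search(r"-p (\w+)", line)
            hooks.append(proto.group(1) if proto else "any")
            continue
        m = RULE_RE.match(line)
        if m:
            mac = m.group("mac")
            rules.append((mac.upper() if mac else None, m.group("target"), m.group("dest")))
    return {"hooks": hooks, "rules": rules, "counters": counters}


def dns_disposition(parsed: dict, mac: str) -> str:
    """Where a port-53 query from this LAN MAC ends up, walked rule by rule
    in the same order netfilter evaluates the DNSFILTER chain."""
    if not parsed["hooks"]:
        return "not intercepted: PREROUTING never jumps to DNSFILTER (filter disabled)"
    for rule_mac, target, dest in parsed["rules"]:
        # a rule without a MAC match is a catch-all (global mode); assumed shape
        if rule_mac is not None and rule_mac != mac.upper():
            continue
        if target == "RETURN":
            return "not intercepted: explicit RETURN (No Filtering)"
        if target == "DNAT":
            return f"redirected to {dest}"
        return f"jumps to {target}"
    return "not intercepted: fell off the end of DNSFILTER (no catch-all rule)"


def report(dump: str, macs: List[str]) -> Dict[str, str]:
    """Disposition for each MAC of interest, plus the DNSFILTER chain counters."""
    parsed = parse_dnsfilter(dump)
    result = {m.upper(): dns_disposition(parsed, m) for m in macs}
    pkts, byts = parsed["counters"].get("DNSFILTER", (0, 0))
    result["_DNSFILTER_counters"] = f"[{pkts}:{byts}]"
    return result


if __name__ == "__main__":
    devices = ["A4:71:74:F5:F1:8C", "00:26:C6:B6:0A:72", "DE:AD:BE:EF:00:01"]
    for label, dump in (("filter on", NAT_FILTER_ON), ("filter off", NAT_FILTER_OFF)):
        print(f"== {label} ==")
        for k, v in report(dump, devices).items():
            print(f"  {k}: {v}")
```

Run against a real `iptables-save` capture (pipe it into `parse_dnsfilter`) and any device that the walk reports as "not intercepted" yet still lands on the OpenDNS block page is getting its resolver from somewhere other than the router's redirection, which is the static-DNS check RMerlin suggests.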
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,702
    Location:
    UK
    Usually, but not in this specific case where he's talking about devices set to "No Filtering", so they are not subject to any interception.
     
  13. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,702
    Location:
    United States
    Ahh...yes of course :oops:

    Then Merlin's suggestion definitely goes along with my observation on the chain count.
     