URL filter interact with DNS filter?

helloguys

Merlin 386.1, RT-AC86U.

URL Filter:
steampowered
protonvpn

DNS Filter:
Global Filter Mode: OpenDNS Home

Everything seems to work as expected. For example, my kid's computer cannot access steampowered.com and protonvpn.com.

Then I added my computer to the DNS filter exception (i.e. my computer uses ISP DNS instead of OpenDNS). What I expected was that my computer would still be blocked from accessing steampowered.com and protonvpn.com, as the URL filter is configured locally on the router, regardless of which DNS is used. However, my computer was able to access those websites freely.

Are there any dependencies between URL filter and DNS filter? When used together, which one is checked first? Thanks!
 
URL filter is not useful with https URLs, only http URLs. Perhaps OpenDNS Home was blocking them instead of URL Filter?
 
Correct me if I'm wrong. Here are my test results and observations:

When Internet access was blocked by OpenDNS or URL Filter, the web browser behaved differently.

If it was blocked by OpenDNS, the web browser gives a "certificate warning". The certificate was "Cisco Umbrella", which is used by OpenDNS servers. So that's expected.

If it was blocked by the Asus router's URL filter, the browser just keeps trying and trying. Then it finally gives up and displays "This site cannot be reached". I've attached both screenshots here so you can see the difference.

My observations are:
1) URL filter works with HTTPS. I deliberately typed https://store.streampowered.com. It was blocked by URL filter. I got the "This site cannot be reached" message.
2) If both URL filter and DNS filter are enabled, URL filter seems to take precedence. I got "This site cannot be reached" message.

Now the question is:
If I add a computer to the DNS filter exception list, why doesn't the URL filter catch that?


Attachments

  • Blocked-by-OpenDNS.png
  • Blocked-by-URL-Filter.png
The URL filter was enhanced at some point. Now it looks for the blocked keyword in two types of traffic. First it looks in DNS requests (UDP port 53), then it looks for the word in HTTP (port 80) packets.

So the reason why @helloguys was seeing an NXDOMAIN error was because the DNS request was being intercepted and dropped.
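
A simplified model of the behaviour described in the post above, as an added example that is not part of the thread and not the firmware's own code. It assumes the filter does a case-insensitive keyword search over the payload of DNS requests (UDP port 53) and HTTP (TCP port 80) packets only; the function names and sample packets are constructed for illustration.

```python
import struct

# Keywords from the original post's URL Filter list.
KEYWORDS = (b"steampowered", b"protonvpn")
# Traffic the thread says the filter inspects: DNS requests and plain HTTP.
INSPECTED = {("udp", 53), ("tcp", 80)}

def dns_query(name):
    """Build a minimal DNS A query (RFC 1035 wire format). The ID is constructed."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def verdict(proto, dport, payload):
    """Assumed model: drop an inspected packet whose payload contains a keyword."""
    if (proto, dport) not in INSPECTED:
        return "ACCEPT"  # e.g. TCP/443 is never examined in this model
    lowered = payload.lower()
    return "DROP" if any(k in lowered for k in KEYWORDS) else "ACCEPT"

def run_samples():
    """Constructed sample packets, not captures from a real router."""
    samples = [
        ("dns lookup, blocked name", "udp", 53, dns_query("store.steampowered.com")),
        ("dns lookup, other name", "udp", 53, dns_query("www.example.com")),
        ("http request", "tcp", 80, b"GET / HTTP/1.1\r\nHost: protonvpn.com\r\n\r\n"),
        # Stand-in bytes for a TLS handshake carrying the host name, not a real ClientHello.
        ("https connection", "tcp", 443, b"\x16\x03\x01store.steampowered.com"),
    ]
    return {label: verdict(proto, port, data) for label, proto, port, data in samples}

if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:28} {result}")
```

In this model an https:// URL fails only because the name lookup is dropped first; the port 443 traffic itself is never examined.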
 
Interesting. So URL filter is doing DNS filtering in my case. When I put my computer in the "LAN > DNS Filter" exception list, does that bypass the "Firewall > URL Filter" as well? Because essentially, it is DNS filtering.

 
The computer in the exception list uses "No Filtering". I guess "No Filtering" here bypasses not only DNS filtering, but also the URL filtering (as part of it uses DNS filtering as well).

It starts making sense now. Thanks!

What are you directing your computer to use in the exception list?
 
