DNS Director

[liukuohao]

I think you need to take a step back and think about what DNS Director can and can't do.

Intercept port 53?

Hello, Can devices be forced to use the DNS from the router? I remember when I used to use Tomato, it had an option to intercept port 53, which prevented users from changing their devices DNS server and were forced to use whatever the router had. But, I see this option in Asus...and according...

www.snbforums.com

Thanks!

Now I know why tampering DNS setting on the windows DNS setting = 8.8.8.8
and use a browser that supports DOH (Use secure DNS) will bypass DNS Director's global redirection.
That is the missing information that looking for so that I can close this topic.

Can you let the developer know this caveat and include this description:-

DNS Director
DNS Director allows you to force LAN devices to use a specific DNS server, which can be useful if you want to force them to use a filtering service that would block malicious or adult sites. You can set a global network-wide server, or client-specific servers. Beside the available presets you can also define up to three different custom servers to use.


A few special System options are available in the presets. "No Redirection" will bypass a global redirection, and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined).

 

[Tech9]

Does the option: Prevent Client auto DOH (in WAN NDS setting) = YES preventing client bypassing?
The answer is No.

Applies to specific clients only. It's an attempt. You can't filter and stop port 443 requests.

 

[liukuohao]

As indicated previously people tend to overthink what DNS Director does or how it works.

For my use, as I understand things and very simplistically, with the Global Redirection set to Router and with devices (Pi-Holes) in the Client List set to No Redirection; only the two Pi-Hole clients that make DNS requests to the internet are allowed through. DNS Director will "intercept" any requests that don't come from the two Pi-Holes and route them to the DHCP LAN DNS severs (listed on the LAN > DHCP Server tab page). I have those two DNS Server entries in the DHCP LAN DNS section set to my Pi-Hole PI addresses.

Another way to look at it (derived from my older post here):

• Fred's PC makes a DNS request to the Pi-Hole.
• The Pi-Hole (or Pi-Hole+Unbound) makes the DNS request upstream.
• The Pi-Hole's DNS requests are not filtered by the router's DNS Director because the Pi-Holes are listed in the Client List and the Redirection is set to No Redirection; so the DNS request continues upstream to the Internet.
• Other PC's who's DNS requests try to bypass Pi-Hole however are stopped by the router's DNS Director Global Filtering Mode being set to Router and the PC not being in the Client List; so their DNS requests "use the DNS provided by the router's DHCP server" and are sent to the Pi-Hole where the DNS request process starts again. The Pi-Hole Query Log (as my example above) shows these requests as coming from the router.

In other words the only DNS requests that should be let through upstream by the DNS Director are those of the Pi-Hole. Network clients with (static) DNS servers other than the Pi-Hole(s) hit the DNS Director and are sent to the Pi-Hole, the Pi-Hole then sends that request back to the DNS Director which then sends that request upstream.

Thanks for the lengthy explanation.
I appreciated your help here.
I know you are trying to help me.
But I don't have RPI to test.
If I do, then I will follow your explanation to the tee.

 

[liukuohao]

Applies to specific clients only. It's an attempt. You can't filter and stop port 443 requests.

View attachment 49621

I think this option is not working.
When DNS Director is enabled.
Chrome browser by default, secure DNS (DNS over HTTPs) is enabled by default.
When I set Windows PC to point DNS setting = 8.8.8.8
I can bypass the DNS Web filter of Cloudfare Family and browse on adult sites.

 

[bennor]

But I don't have RPI to test.

The example I posted is just one way to use DNS Director. There are other ways, it all depends on what one is seeking to achieve. The example provided indicates what some of the various settings do.

 

[Tech9]

I can bypass the DNS Web filter of Cloudfare Family and browse on adult sites.

For that reason I told you before you need to know what are you doing and what challenges you'll be fighting with.

 

[liukuohao]

As indicated previously people tend to overthink what DNS Director does or how it works.

For my use, as I understand things and very simplistically, with the Global Redirection set to Router and with devices (Pi-Holes) in the Client List set to No Redirection; only the two Pi-Hole clients that make DNS requests to the internet are allowed through. DNS Director will "intercept" any requests that don't come from the two Pi-Holes and route them to the DHCP LAN DNS severs (listed on the LAN > DHCP Server tab page). I have those two DNS Server entries in the DHCP LAN DNS section set to my Pi-Hole PI addresses.

Another way to look at it (derived from my older post here):

• Fred's PC makes a DNS request to the Pi-Hole.
• The Pi-Hole (or Pi-Hole+Unbound) makes the DNS request upstream.
• The Pi-Hole's DNS requests are not filtered by the router's DNS Director because the Pi-Holes are listed in the Client List and the Redirection is set to No Redirection; so the DNS request continues upstream to the Internet.
• Other PC's who's DNS requests try to bypass Pi-Hole however are stopped by the router's DNS Director Global Filtering Mode being set to Router and the PC not being in the Client List; so their DNS requests "use the DNS provided by the router's DHCP server" and are sent to the Pi-Hole where the DNS request process starts again. The Pi-Hole Query Log (as my example above) shows these requests as coming from the router.

In other words the only DNS requests that should be let through upstream by the DNS Director are those of the Pi-Hole. Network clients with (static) DNS servers other than the Pi-Hole(s) hit the DNS Director and are sent to the Pi-Hole, the Pi-Hole then sends that request back to the DNS Director which then sends that request upstream. (again very simplistic explanation)

If DNS Director is activated = that is Global Redirection is switch on = overrides Router WAN DNS setting.
DNS Director = Global Redirection = User Defined 1 = 1.1.1.3 (Cloudflare Family DNS server)
My WAN setting DNS servers are pointing to NextDNS server.
My PC is selected and added under Client list.
Redirection column = No redirection is selected.
Run standard test at dnsleaktest.com on my chrome browser in incognito mode.
Test result = DNS query forward to NextDNS DNS server.

So, under "No redirection" means any devices place under the Client list (I like to think it as the Exception list)
DNS Director has no effect on the device. That is no DNS redirection perform on the client device.
Hence, DNS query is done through the router WAN DNS setting = NextDNS DNS server.

 

[bennor]

If DNS Director is activated = that is Global Redirection is switch on = overrides Router WAN DNS setting.

Generally, DNS Director deals with the LAN settings. It will override the LAN DNS settings.

 

[liukuohao]

@bennor

How to block DOH servers using Asus router?
DOH list: https://github.com/oneoffdallas/dohservers/blob/master/iplist.txt

 

[bennor]

If DNS Director is activated = that is Global Redirection is switch on = overrides Router WAN DNS setting.
DNS Director = Global Redirection = User Defined 1 = 1.1.1.3 (Cloudflare Family DNS server)
My WAN setting DNS servers are pointing to NextDNS server.
My PC is selected and added under Client list.
Redirection column = No redirection is selected.
Run standard test at dnsleaktest.com on my chrome browser in incognito mode.
Test result = DNS query forward to NextDNS DNS server.

What do you have as a DNS setting under LAN > DHCP Server > DNS and WINS Server Setting? Do you have it set to NextDNS server like your screen capture indicates in this post?

If so then what you see is expected. By adding a client under the Client List and setting that client to No Redirection you are telling DNS Director not to send that client to the User Defined 1 (1.1.1.3). Because you used the NextDNS server as the LAN DHCP DNS server the client used it (assuming you are testing from that client) and the correct information is returned by the DNS query indicating the NextDNS server.
If you remove the client(s) from the Client List then those clients should be redirected to using User Defined 1 (1.1.1.3) by the DNS Director with Global Redirection set to User Defined 1.

 

[bennor]

How to block DOH servers using Asus router?

Use the forum search feature. Plenty of past discussion on attempting to block DoH:
https://www.snbforums.com/search/731232/?q=block+DOH+servers&o=relevance

 

[liukuohao]

What do you have as a DNS setting under LAN > DHCP Server > DNS and WINS Server Setting? Do you have it set to NextDNS server like your screen capture indicates in this post?

No I have removed it.
I have left both DNS Server 1 & 2 = blank

 

[bennor]

No I have removed it.
I have left both DNS Server 1 & 2 = blank

Did you also reboot the computer/PC or release and renew it's network connection? If not it may still be using whatever DNS entries were set the last time it obtained it's DHCP IP address information. Or if manually configured, remove any manually configured DNS servers in the PC's network settings.

When testing ensure you are also not using a browser configured for DoH or DoT. Both can potentially bypass DNS Director or similar settings.

 

[liukuohao]

Because you used the NextDNS server as the LAN DHCP DNS server the client used it (assuming you are testing from that client) and the correct information is returned by the DNS query indicating the NextDNS server.
If you remove the client(s) from the Client List then those clients should be redirected to using User Defined 1 (1.1.1.3) by the DNS Director with Global Redirection set to User Defined 1.

Yes, I am testing on the same client PC.
If I set the Redirection column = Router
The dnsleaktest result is the same as = No Redirection

 

[liukuohao]

Did you also reboot the computer/PC or release and renew it's network connection?

Nope. Get back to you later.

 

[bennor]

If I set the Redirection column = Router

View attachment 49623

Except you do not have Global Redirection set to Router. You have it set to User Defined 1 per your screen capture.
And if you didn't reboot your PC it could be still using the NextDNS server as its DNS even though you've changed the router LAN DHCP DNS server values. Again, because you have the PC set in the Client List as No Redirection is will ignore the User Defined 1 DNS value per your screen capture DNS Director settings. And if the LAN DHCP DNS server values are empty then the rebooted PC (No Redirection) should use the router as its DNS server, and what ever the router has set for it's DNS values (likely from the WAN DNS fields).

 

[liukuohao]

And if you didn't reboot your PC

I can simply do a flushing right? ipconfig /flushdns
without reboot the PC?

 

[liukuohao]

ven though you've changed the router LAN DHCP DNS server values

What about?
Ipconfig /release
Ipconfig /renew

 

[ColinTaylor]

If I set the Redirection column = Router
The dnsleaktest result is the same as = No Redirection

With your current settings it's doing exactly what you told it to do. When set to "Router" you force the client to use the router's DNS server. When set to "No Redirection" the client will use its "normal" DNS server... which by default is also the router's DNS server. In both cases the router's DNS server forwards requests upstream to NextDNS (your WAN settings).

 

[liukuohao]

Use the forum search feature. Plenty of past discussion on attempting to block DoH:
https://www.snbforums.com/search/731232/?q=block+DOH+servers&o=relevance

Ok above is the list of all the DOH servers.
How to import the list into my router? Or I need to type in 1 by 1 by?