Solved Help with Forcing All Traffic to DNS

macster2075

Very Senior Member
I used to use Tomato Firmware and it had a feature to "Intercept DNS port 53" which prevented devices from using their own DNS server, and it worked great.
When I came to Asus Firmware, I found that feature by enabling this... and it works great, as it does what it says.

I then started using Pihole to block ads as well. I know AdGuard is available, which also blocks ads, so there is no need for Pihole... but I'd rather use Pihole.
So, after configuring the router with Pihole as recommended on another thread..

All works great, no issues...but..
With this configuration, I notice I can now bypass Pihole by simply using another DNS server on any wired devices.

How come wired devices can use their own DNS server, but wireless cannot?
Even if I change the DNS server on my phone, it will abide by the Router's DNS, but wired devices can use their own.

In my searching to see how to force all traffic to Router's DNS, another user recommended doing this..

But, if I enable this, it breaks my Internet.
What else can I try to accomplish this?

Thank you.
 
With this configuration, I notice I can now bypass Pihole by simply using another DNS server on any wired devices.
How are you determining the wired clients are bypassing the Pi-Hole? In my case if I input manual DNS servers into my wired clients they are still routed through the Pi-Hole due to DNS Filter/DNS Director. The Pi-Hole shows the DNS request coming from the router.
 

Plus numerous other posts explaining this in great detail. Try searching for posts by @dave14305 et al.
 
Because when I use a different DNS server on a wired device, 8.8.8.8-8.8.4.4, I can visit sites that should be blocked by the Pihole's Upstream server (OpenDNS).
Once I remove the Google DNS server and set it to automatic, the site is no longer accessible.

This does not happen with wireless devices.
 
In the other thread I linked to:

The problem alluded to above is that it is no longer sufficient to just block port 53. For example if you're using Chrome and set your PC to Google DNS it will switch to using "secure DNS" (DNS over HTTP / port 443) and therefore bypass the router's blocking attempts.

nslookup will show the Google DNS server because it's unaware that the request is being redirected somewhere else by the router.
 
Okay, so what's been posted kinda works, but not perfectly

LAN> DHCP Server> DNS Server 1 > "Pihole address"
LAN> DHCP Server> Advertise routers DNS... > No
That catches everything that's not trying to play truant!

then
LAN>DNS Director>User Defined DNS 1> "Pihole address"
LAN>DNS Director>Global Redirection>User Defined 1
LAN>DNS Director>Client List Mac: "PiHole MAC">No redirection

After a reboot of all connected devices that should work. If you are not pointing the router DNS at the PiHole, you shouldn't be using a global redirect to the router!
 
THIS.. what?.. this is the culprit! haha.

Thank you.. I disabled it and now the wired device cannot change DNS.
This answers the question as to why wired devices can and wireless cannot.

Now to stir the pot.. anything I can do to prevent users from bypassing using this method?
 
Okay, so what's been posted kinda works, but not perfectly

LAN> DHCP Server> DNS Server 1 > "Pihole address"
LAN> DHCP Server> Advertise routers DNS... > No
That catches everything that's not trying to play truant!

then
LAN>DNS Director>User Defined DNS 1> "Pihole address"
LAN>DNS Director>Global Redirection>User Defined 1
LAN>DNS Director>Client List Mac: "PiHole MAC">No redirection

After a reboot of all connected devices that should work. If you are not pointing the router DNS at the PiHole, you shouldn't be using a global redirect to the router!
Yep, if you look at my post #1, the pics show this exact setup.
 
Now to stir the pot.. anything I can do to prevent users from bypassing using this method?
Possibly. There is some discussion elsewhere about possibly blocking Firefox's automatic switch to DoH.
The following article (trying to sell its services) discusses some ways to try and deal with DoH bypassing.
Edit to add: Some discuss blocking specific IPs as a way to block DoH, but that could end up being a losing battle or block other services/apps.
 
Yep, if you look at my post #1, the pics show this exact setup.
Actually no! You have the global DNS set to the "router" not to "user defined 1". So unless you had the WAN>Internet Connection: DNS pointed at the PiHole (if that still works) then you'd actually be directing every DNS request that hits the router first to the router and not the PiHole!
 
Actually no! You have the global DNS set to the "router" not to "user defined 1". So unless you had the WAN>Internet Connection: DNS pointed at the PiHole (if that still works) then you'd actually be directing everything to the router and not the PiHole!
That's incorrect because he has a DNS address specified as DHCP's DNS server 1.

and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined).
 
That's incorrect because he has a DNS address specified as DHCP's DNS server 1.
Surely the router's DNS addresses are those supplied by the router's DHCP server, being those defined in WAN > Internet connection and not LAN > DHCP server!
 
Surely the router's DNS addresses are those supplied by the router's DHCP server, being those defined in WAN > Internet connection and not LAN > DHCP server!
No. The router's DHCP server (dnsmasq) supplies LAN clients with their DNS addresses. There is no DHCP server on the WAN side, only (optionally) a DHCP client (udhcpc).
 
Surely the router's DNS addresses are those supplied by the router's DHCP server, being those defined in WAN > Internet connection and not LAN > DHCP server!
To look in the code, it assumes “Router” means nvram field dhcp_dns1_x, but if it ends up blank, use the router’s LAN IP address.

 
Surely the router's DNS addresses are those supplied by the router's DHCP server, being those defined in WAN > Internet connection and not LAN > DHCP server!
https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Director
You can configure a redirection rule to force your clients to use whichever DNS is provided by the router's DHCP server (if you changed it from the default value, otherwise it will be the router's IP). Set the filtering rule to "Router" for this.
 
I actually believe the options should be expanded to include:
  1. Router (always LAN IP address)
  2. DHCP DNS 1
It would (hopefully) eliminate the confusion from the existing documented behavior.
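As an added illustration, not the firmware's code, here is a small Python model of the behaviour described in this exchange: "Router" resolves to DHCP DNS Server 1 and falls back to the LAN IP only when that field is blank, a per-client "No redirection" entry exempts the Pi-hole, and a DoH client is never touched by a port-53 redirect. Mode names are taken from the thread's menu paths; the addresses and MACs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample values for illustration; not addresses from the thread.
LAN_IP = "192.168.50.1"
PIHOLE_IP = "192.168.50.2"
PIHOLE_MAC = "aa:bb:cc:dd:ee:01"
WIRED_PC_MAC = "aa:bb:cc:dd:ee:02"


@dataclass
class DnsDirectorConfig:
    global_mode: str                          # "No redirection", "Router" or "User Defined 1"
    user_defined_1: Optional[str] = None      # LAN > DNS Director > User Defined DNS 1
    dhcp_dns1_x: Optional[str] = None         # LAN > DHCP Server > DNS Server 1 (nvram dhcp_dns1_x)
    client_rules: Dict[str, str] = field(default_factory=dict)  # MAC -> per-client mode


def router_target(cfg: DnsDirectorConfig) -> str:
    """'Router' means dhcp_dns1_x, or the router's LAN IP when that field is blank."""
    return cfg.dhcp_dns1_x or LAN_IP


def effective_resolver(cfg: DnsDirectorConfig, client_mac: str,
                       client_dns: str, transport: str = "udp53") -> str:
    """Return the server that actually answers a client's query.

    'udp53' is plain DNS, which the redirect catches; 'doh' is DNS over HTTPS
    on port 443, which a port-53 redirect never sees."""
    if transport == "doh":
        return client_dns                       # bypasses DNS Director entirely
    mode = cfg.client_rules.get(client_mac, cfg.global_mode)  # client rule wins
    if mode == "No redirection":
        return client_dns
    if mode == "Router":
        return router_target(cfg)
    if mode == "User Defined 1":
        if not cfg.user_defined_1:
            raise ValueError("User Defined 1 selected but no address configured")
        return cfg.user_defined_1
    raise ValueError(f"unknown DNS Director mode {mode!r}")


# Post #1 as described: DHCP hands out the Pi-hole, global rule "Router".
POST1_CFG = DnsDirectorConfig(global_mode="Router", dhcp_dns1_x=PIHOLE_IP,
                              client_rules={PIHOLE_MAC: "No redirection"})
# Same rule with DHCP DNS 1 left blank: "Router" now really means the router.
BLANK_DHCP_CFG = DnsDirectorConfig(global_mode="Router",
                                   client_rules={PIHOLE_MAC: "No redirection"})

if __name__ == "__main__":
    print(effective_resolver(POST1_CFG, WIRED_PC_MAC, "8.8.8.8"))          # Pi-hole
    print(effective_resolver(BLANK_DHCP_CFG, WIRED_PC_MAC, "8.8.8.8"))     # LAN_IP
    print(effective_resolver(POST1_CFG, PIHOLE_MAC, "203.0.113.53"))      # Pi-hole's own upstream
    print(effective_resolver(POST1_CFG, WIRED_PC_MAC, "8.8.8.8", "doh"))  # 8.8.8.8, redirect bypassed
```

The last line is the point made about Chrome and Firefox later in the thread: once a client switches to DoH, the port-53 rule has nothing to redirect, whatever the DHCP settings say.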
 
So based on what I've been reading, this DoH feature will be enabled by default in Firefox and maybe other browsers.
What's the point of having rules on the router if clients won't abide by them simply by using a browser with DoH enabled?
 
Yes, the war of control of the networks is on.

Just like it has always been.
 
What's the point of having rules on the router if clients won't abide by them simply by using a browser with DoH enabled?
It's an age-old problem. As technology (and software) changes, ways to deal with it also have to change. Eventually either Asus or a programmer will create the rules or add-on script that will block or reroute browser DoH. Until such time, one has other options, like not having such browsers installed on their LAN clients, locking computers down so users cannot install such browsers, buying other hardware/software or a better router/gateway/firewall that has support for blocking browser-based DoH, or blocking those DNS addresses that DoH browsers are using. It's likely going to be a never-ending battle.
 