What's new

If a user change the DNS setting in windows (say 8.8.8.8), can AsusWRT-Merlin OS block the DNS traffic ?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

If this is for someone like a child, where you are admin for their PC. Remove admin rights on their PC and setup a computer policy that doesn't allow them to change the DNS.
 
You can use default and it can prevent something if someone changes the dns in the computer or phone, this helps to a certain extent with this with 1.1.1.3 and so on
 

Attachments

  • Screenshot_20221116-222753_1.jpg
    Screenshot_20221116-222753_1.jpg
    19.3 KB · Views: 88
Same as the DNS filter we've been discussing.
Yes, at the moment on my DNSFilter tab,
Enable DNS-based filtering = ON
Global Filter Mode = Router
You can use default and it can prevent something if someone changes the dns in the computer or phone, this helps to a certain extent with this with 1.1.1.3 and so on
Prevent someone from changing the DNS setting = don't think so.
 
Why did you start a new thread for this?

What you're asking for is not possible, at least not automatically. They will still have internet access, but you CAN prevent them from doing DNS lookups to external servers. There is no way, even with Merlin, to block all internet access if the router senses that the person is not using DHCP or has set a static DNS. That would be a very advanced script that would need to update your firewall rules every time a DHCP lease is issued, essentially only permitting traffic if the IP was assigned by DHCP. While a script like that may be possible, it would be pretty complex. And it still would not prevent them from setting a custom DNS entry since that is separate from DHCP, you would still need to do DNS filtering or blocking to prevent that part.

To prevent them from reaching external DNS servers, you have two options:

Option 1 is what you've already done, using dnsfilter to intercept their DNS traffic and force it to use your router's DNS. You already have that configured, and it is working. The user won't know it, they'll think it is hitting 8.8.8.8 or whatever but in reality the response is coming from your router. The only thing you need to tweak is your WAN DNS settings are currently using "adguard" but if you want to block malicious sites you'd be better with one of the other options like Quad9.

The other option is to go into Firewall - Network services filter and add two deny rules, one for UDP 53 and one for TCP 53. That will block them from hitting all servers other than your router IP. It will not redirect traffic, their DNS lookup will fail. You would disable the dnsfilter if you wanted to do that (have their lookup fail instead of being redirected).

They can still use a VPN or encrypted DNS (DOH, etc) to bypass this. There are blacklists you can install to block those but you'll need to update them periodically and it won't catch them all.

As I mentioned in the other thread, if you do want to try and block static IPs from hitting the internet at all, and don't mind having a lot of management overhead, you could give every client a random IP reservation in DNS (from a large subnet that is difficult to guess), then add that IP to your firewall rules (with the firewall set to "permit list" which means it will block all others). All clients not matching will have no internet access. But again, that will not stop a client with a DHCP IP from changing their DNS server. You would still need to block DNS requests or use DNS filtering.

Can you be more clear on what you want to do?
1. If a user sets a static IP (not static DNS server, static IP address), block their internet entirely (which will require a lot of work on your part to manually assign IPs to each device and create 2 firewall rules for each, this must be done every time a new device connects). NOTE this option will limit you to 64 devices (possibly 32 if you also want to block external DNS, which would require 4 firewall rules per client).
2. If a user sets a custom DNS server, ignore that setting and use your router instead (DNS filter)
3. If a user sets a custom DNS server, block them from doing any DNS lookups (not blocking internet, but unless they know an IP to connect to, effectively making their internet pretty useless).

Or a combination of 1 and 2 or 1 and 3 (if you do option 1, you still need one of the other options to stop them from setting a custom DNS server).
here is a pretty decent nobypass list

 
The other option is to go into Firewall - Network services filter and add two deny rules, one for UDP 53 and one for TCP 53. That will block them from hitting all servers other than your router IP
I know this reply long overdue, but anyway, I like to confirm your statement is true.
Thank you. 👍 :)
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top