Where can I find DNS director? I cannot find it on my RT-AC86U router.
You can use default and it can prevent something if someone changes the DNS in the computer or phone; this helps to a certain extent with this, with 1.1.1.3 and so on.
Same as the DNS filter we've been discussing.
Yes, at the moment on my DNSFilter tab,
Enable DNS-based filtering = ON
Global Filter Mode = Router
Prevent someone from changing the DNS setting = don't think so.
Check at http://router.asus.com/QoS_Stats.asp for more information; look at the list of DNS in Classification.
This works for me and my sister's router, so it should work for you and others too.
Here is a pretty decent nobypass list
Why did you start a new thread for this?
What you're asking for is not possible, at least not automatically. They will still have internet access, but you CAN prevent them from doing DNS lookups to external servers. There is no way, even with Merlin, to block all internet access if the router senses that the person is not using DHCP or has set a static DNS. That would be a very advanced script that would need to update your firewall rules every time a DHCP lease is issued, essentially only permitting traffic if the IP was assigned by DHCP. While a script like that may be possible, it would be pretty complex. And it still would not prevent them from setting a custom DNS entry since that is separate from DHCP, you would still need to do DNS filtering or blocking to prevent that part.
To prevent them from reaching external DNS servers, you have two options:
Option 1 is what you've already done, using dnsfilter to intercept their DNS traffic and force it to use your router's DNS. You already have that configured, and it is working. The user won't know it; they'll think it is hitting 8.8.8.8 or whatever, but in reality the response is coming from your router. The only thing you need to tweak is your WAN DNS settings, which are currently using "adguard"; if you want to block malicious sites, you'd be better off with one of the other options like Quad9.
The other option is to go into Firewall - Network services filter and add two deny rules, one for UDP 53 and one for TCP 53. That will block them from hitting all servers other than your router IP. It will not redirect traffic, their DNS lookup will fail. You would disable the dnsfilter if you wanted to do that (have their lookup fail instead of being redirected).
They can still use a VPN or encrypted DNS (DOH, etc) to bypass this. There are blacklists you can install to block those but you'll need to update them periodically and it won't catch them all.
As I mentioned in the other thread, if you do want to try and block static IPs from hitting the internet at all, and don't mind having a lot of management overhead, you could give every client a random IP reservation in DNS (from a large subnet that is difficult to guess), then add that IP to your firewall rules (with the firewall set to "permit list" which means it will block all others). All clients not matching will have no internet access. But again, that will not stop a client with a DHCP IP from changing their DNS server. You would still need to block DNS requests or use DNS filtering.
Can you be more clear on what you want to do?
1. If a user sets a static IP (not static DNS server, static IP address), block their internet entirely (which will require a lot of work on your part to manually assign IPs to each device and create 2 firewall rules for each, this must be done every time a new device connects). NOTE this option will limit you to 64 devices (possibly 32 if you also want to block external DNS, which would require 4 firewall rules per client).
2. If a user sets a custom DNS server, ignore that setting and use your router instead (DNS filter)
3. If a user sets a custom DNS server, block them from doing any DNS lookups (not blocking internet, but unless they know an IP to connect to, effectively making their internet pretty useless).
Or a combination of 1 and 2 or 1 and 3 (if you do option 1, you still need one of the other options to stop them from setting a custom DNS server).
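An added example, not part of any post in this thread: a client-side check that tells the redirect option (DNS filter) apart from the block option (deny rules on port 53) by sending one query to an address where no DNS server exists and one to 8.8.8.8. The function names and the use of 192.0.2.1 (RFC 5737 documentation range) are assumptions of this sketch.

```python
import secrets
import socket
import struct

TEST_NET = "192.0.2.1"  # RFC 5737 documentation address; no DNS server answers here
PUBLIC = "8.8.8.8"      # external resolver named in the post

def build_query(name, qid):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_reply_to(packet, qid):
    """True if packet is a DNS response (QR bit set) carrying our transaction id."""
    if packet is None or len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == qid and bool(flags & 0x8000)

def answered(server, name="example.com", timeout=3.0):
    """Send one UDP query to server:53 and report whether a matching reply came back."""
    qid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable
            return False
    return is_reply_to(data, qid)

def classify(test_net_answered, public_answered):
    """Map the two probe results onto the options described in the post."""
    if test_net_answered:
        return "redirected"  # option 1: the router answered on behalf of a non-server
    if not public_answered:
        return "blocked"     # option 2: port 53 to outside dropped (or no connectivity)
    return "unfiltered"      # external resolvers are reachable directly

if __name__ == "__main__":
    print(classify(answered(TEST_NET), answered(PUBLIC)))
```

This only probes plain DNS over UDP port 53; a client using a VPN or encrypted DNS, as the post notes, is outside what it can see.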
I know this reply is long overdue, but anyway, I'd like to confirm your statement is true.
The other option is to go into Firewall - Network services filter and add two deny rules, one for UDP 53 and one for TCP 53. That will block them from hitting all servers other than your router IP