Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Deleterious]

I've set my home network up to use OpenDNS content filtering.  This works fine until someone manually changes their DNS IP addresses on their machines.  I've read that there's a way to prevent this with firewall rules.

From here: https://support.opendns.com/entries/26374985-Preventing-circumvention-of-OpenDNS-with-firewall-rules

it says :

Essentially, add the following filter or rule to the firewall that is at the edge of the network:
 
ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53

and

BLOCK TCP/UDP IN/OUT all IP addresses on Port 53

I'm having challenges trying to execute this in the firewall rule interface on my 890L.  I can add 2 rules for the "Allow" portion - but can't seem to add the commensurate "Block" portion at the same time. 

Further, I can't seem to block "All (WAN) addresses on Port 53".

What am I missing?

[FurryNutz]

Link>Welcome!

• What Hardware version is your router? Look at sticker under the router case.
• Link>What Firmware version is currently loaded? Found on the routers web page under status.
• What region are you located?

Internet Service Provider and Modem Configurations

• What ISP Service do you have? Cable or DSL?
• What ISP Modem Mfr. and model # do you have?

Are you using DNS Relay on the router and have the custom DNS IP addresses set into the router Internet section and using IP reservations?

I haven't tried your method so I don't know if it will work or not.

 

[Deleterious]

It's hardware Version A running firmware 1.08 (latest)

I'm located in the US

I currently have Cable internet through CableOne.

My modem is a Motorola surfboard - I don't have the version at the moment.

I don't believe that I've set up a DNS Relay, I've set both the primary and secondary DNS entries to point to the OpenDNS servers.

I only have a few IP reservations - most are connecting through DHCP.

As I mentioned before, OpenDNS is working - I'm just having difficulty figuring out how to set up the firewall rules I wish.

[Hard Harry]

If you have one rule to block ALL traffic on port 53, won't that conflict with allowing. I would suggest a whitelist "Turn IPv4 filtering On and Allow".

Name: DNS
Source IP Address Range(WAN): 208.67.220.220-208.67.220.222
Destination IP Address Range(LAN): What ever your networks IP sceme is, IE 192.168.0.1-192.168.0.100
Port Range(Any): 53
Always Enable
Apply.

This will block all outgoing DNS request on port 53 except those going to 208.67.220.220-208.67.220.222. This is not fool proof though. This would not block IPv6 DNS like Google's IPv6 DNS. Also, it may not apply if they set their PC to a static 172.x.x.x IP.

[Deleterious]

I tried that setting, but it completely stopped all network traffic for me.  Nothing would resolve, I couldn't ping, etc.

I'm imagining that "Turn on IPv4 filtering and ALLOW" is whitelisting - only traffic that meets the rules is allowed.  Why it blocked legitimate OpenDNS DNS requests I can't begin to guess.  I even switched the "Source" and "Destination" blocks to no avail.

If "ALLOW" is whitelisting, then "DENY" is blacklisting - but a rule that blocks out the whole internet for that port but that range seems.. dumb.

And why doesn't it seem that you use ALLOW and DENY at the same time? 

[Hard Harry]

I tried that setting, but it completely stopped all network traffic for me.  Nothing would resolve, I couldn't ping, etc.

Could you ping by IP? If not, then it isn't a DNS issue. Also, did you have your PC set to static OpenDNS or just set it via the router's WAN settings?

I'm imagining that "Turn on IPv4 filtering and ALLOW" is whitelisting - only traffic that meets the rules is allowed.  Why it blocked legitimate OpenDNS DNS requests I can't begin to guess.  I even switched the "Source" and "Destination" blocks to no avail.

As I understand it, It blocks all traffic to port 53 except the "allowed" IPs. Setting a black list would block ONLY the IP's set. Since it is impossible to know every possible alternative DNS, I do not believe that would work.

And why doesn't it seem that you use ALLOW and DENY at the same time?

Because they are contradictory. Allow blocks all except those excepted. Deny blocks only those listed. If you used both, how would the router now which rule gets priority?

[Deleterious]

I think the issue I'm seeing is in your own comment.. If "Allow" only allows traffic that's specified, then your rule will block all traffic BUT DNS traffic to those servers as no other port is whitelisted.  That would certainly seem to be in line with what I was seeing.

[FurryNutz]

Any status on this? 

I think the issue I'm seeing is in your own comment.. If "Allow" only allows traffic that's specified, then your rule will block all traffic BUT DNS traffic to those servers as no other port is whitelisted.  That would certainly seem to be in line with what I was seeing.