Asus RT-N66U Firewall

Comments

11 comments

  • rotblitz

    "My previous router, a Draytek model, had a rule in its firewall that blocked local port 137-139 connecting to remote port 53."

    That would be a useless rule, because there is no traffic from ports 137-139 to port 53. :(

    If you don't know what a rule is good for, you would not apply it, would you?

    If you want to prevent devices in your network from using another DNS service, circumventing OpenDNS, then you want to block traffic to remote (destination) port 53 for UDP and TCP.  Leave all other fields empty.

  • draytek_user

    Thanks for confirming what I already suspected. By the way, I didn't create the rule in the Draytek firewall - it was put there by the manufacturers. I simply copied it to my new Asus router, pending confirmation or otherwise as to whether it was needed.

  • mepn

    I have an Asus RT-AC66U router. I configured the firewall as shown in the attached screenshot. As far as I can tell, this is not preventing the circumvention of OpenDNS. I configured my wireless internet connection to use a specific DNS server (not "obtain DNS server automatically") and went to opendns.com/welcome; the page said I was not currently using OpenDNS.

    is there a different way to configure this router?

  • mepn

    attaching the file for my previous comment

    [attachment: asus_firewall_screenshot.png]
  • mattwilson9090

    No, this is not where you would intercept port 53 traffic or force all port 53 traffic to a specific destination. All that this section of the router's settings does is filter incoming traffic, in this case blocking all port 53 traffic. If this also filtered outgoing traffic you would have prevented all DNS services from working. You'd have to consult the manual for your router's firmware to know if you can do this. You might need to use third-party firmware such as DD-WRT or a variant of Tomato to do this with your hardware.

    As for your wireless internet connection, that's completely separate from your ASUS router so belongs in its own thread. That said, it's very likely that your mobile provider is intercepting all DNS traffic and routing it to their own DNS servers.

  • mepn

    This post: https://support.opendns.com/entries/26374985-Preventing-circumvention-of-OpenDNS-with-firewall-rules seems to suggest that adding firewall rules like the ones I added prevents bypassing/circumventing OpenDNS. rotblitz's post also seems to suggest the same thing. Are they incorrect?

    To be clear, the tests I performed were on a computer which was connected to the Wi-Fi network of this router. If I configure my wireless connection properties to obtain the DNS server automatically and access opendns.com/welcome, it tells me I am using OpenDNS. However, if I configure my wireless connection to use a specific DNS server, then it says I am not using OpenDNS. I am using this test to confirm whether adding the firewall rules is preventing the bypass/circumvention of OpenDNS. It seems related to me.

  • mattwilson9090

    Adding firewall rules like the one in that post will prevent circumventing your DNS settings, that's correct. But like I said in my post, the "firewall" rules you used are not the correct ones to do that, and are not in the correct place to accomplish what you want. Rotblitz's post was referring to *outbound* rules; the settings you added only impact *inbound* traffic, so will have no impact on DNS circumvention.

    It doesn't matter whether you tested with a device connected via Wi-Fi or via wired connection, those are not the settings that you need to accomplish what you want. The results you are getting are exactly the results that you should be getting because you are doing nothing to filter or control your outbound DNS traffic. You need to consult your router's manual and find out where you configure outbound filtering rules, assuming that your router even supports that kind of functionality. It's very possible that it doesn't. If it doesn't you'll either need to use 3rd party router firmware that works with your router, or get a different router/firmware combination that does support it.

    FWIW, if you say wireless internet connection that communicates to IT people that you are talking about service provided by your mobile phone provider, not Wi-Fi. If you mean Wi-Fi then say Wi-Fi so that it's clear to everyone what you are talking about.

  • mepn

    I am on the same exact page as the original post, it seems rotblitz suggested to do exactly what I did.  

    I thought rotblitz was being rude and condescending, unfortunately there seems to be a pattern.  Please consider interacting with users of this forum in a more positive manner.

  • rotblitz

    From your screen shot it seems you configured it correctly, as outbound firewall rule, blocking port 53 for TCP and UDP.

    Do not change the DNS settings on your end user devices, but leave them to accept the DNS settings automatically via DHCP.

    To test if you can circumvent OpenDNS, you attempt to reach another DNS service like Google's:

       nslookup -type=txt which.opendns.com.  8.8.8.8

    If you get "I am not an OpenDNS resolver", then your firewall rule on the router does not take effect, most likely due to a malfunction of this feature.
    If you get a time-out on your DNS query, then the firewall rule is working perfectly.

    To see if you blocked all DNS traffic, including the one to OpenDNS, execute:

       nslookup -type=txt which.opendns.com.

    If you get a time-out on your DNS query, then the firewall rule also blocks OpenDNS, and you're left without any DNS which is not what you can live with.

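The two nslookup checks above, as an added example that is not part of this thread and not Asus or OpenDNS code: a small Python script that builds the TXT query for which.opendns.com, sends it to a resolver of your choice with a timeout, and maps the outcome onto the three cases rotblitz describes (time-out means the outbound rule blocks the query, "I am not an OpenDNS resolver" means a foreign resolver answered and circumvention is possible, any other answer means OpenDNS itself replied). Assumptions of the example: resolver addresses are passed on the command line (8.8.8.8 is the third-party resolver used in the thread; the router's LAN address stands in for the "no server argument" lookup), a 3-second UDP timeout plays the role of nslookup's time-out, and build_txt_response() fabricates replies for offline testing only; it is not a capture from any real resolver.

```python
"""Offline-testable version of the which.opendns.com check from this thread.

Added example, not part of the original thread and not Asus or OpenDNS code.
Assumptions: resolver addresses come from the command line, a 3-second UDP
timeout stands in for nslookup's time-out, and build_txt_response() only
fabricates replies for offline tests (not a capture from a real resolver).
"""
import socket
import struct
import sys

WHICH_NAME = "which.opendns.com"
# Text a non-OpenDNS resolver returns for this TXT record (quoted in the thread).
NOT_OPENDNS = "I am not an OpenDNS resolver"
TXT, IN = 16, 1


def build_txt_query(name, txid=0x1234):
    """Wire-format DNS query: standard header (RD set), one TXT/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", TXT, IN)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(msg):
    """Collect every character-string from the TXT RRs in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TXT:
            p = 0
            while p < len(rdata):
                n = rdata[p]
                texts.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return texts


def classify(texts, timed_out):
    """Map an outcome onto the three cases described in the thread."""
    if timed_out:
        return "blocked"            # router rule dropped the outbound query
    if any(NOT_OPENDNS in t for t in texts):
        return "bypass-possible"    # a foreign resolver answered: rule not effective
    return "opendns"                # answered by OpenDNS itself


def interpret_response(msg):
    return classify(parse_txt_answers(msg), timed_out=False)


def query_which(resolver_ip, timeout=3.0):
    """Send the TXT query to resolver_ip:53 over UDP and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(WHICH_NAME), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return classify([], timed_out=True)
    return interpret_response(data)


def build_txt_response(query, texts):
    """Constructed reply for offline tests: echoes the question, adds one TXT RR."""
    rdata = b"".join(bytes([len(t)]) + t.encode() for t in texts)
    # 0xC00C is a pointer to the name at offset 12 (the question name)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", TXT, IN, 0, len(rdata)) + rdata
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    return header + query[12:] + answer


if __name__ == "__main__":
    # Usage: python which_check.py 8.8.8.8 192.168.1.1   (192.168.1.1 = assumed router LAN address)
    # With a working outbound port-53 rule: 8.8.8.8 -> blocked, router -> opendns
    for ip in sys.argv[1:] or ["8.8.8.8"]:
        print(ip, query_which(ip))
```

Run it from a LAN client with the router's address as the second argument: "blocked" for 8.8.8.8 together with "opendns" for the router reproduces rotblitz's success case, while "blocked" for both means the rule also drops the traffic to OpenDNS and the network is left without DNS. The script speaks only UDP; a TCP variant would be needed to confirm the TCP half of the rule.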
  • rgama

    The settings in the last screenshot seemed to work for me; when I tested circumventing OpenDNS, it timed out. I overrode the DNS in the Wi-Fi settings on my computer and iOS device to Google DNS, and the YouTube app and website are now blocked properly. Thanks

  • jake_g

    I can confirm that the settings in your screenshot did force things through port 53. Google's DNS (8.8.8.8) would circumvent the service prior to this firewall setting. Now, it doesn't matter if someone on my network changes their DNS at the device-level. Thank you!

