Preferred Firmware for Redirecting Port 53 to OpenDNS Address

Comments

6 comments

  • mattwilson9090

    I've been using DD-WRT and a variant of Tomato (Toastman) for years, though I've switched over to Tomato for reasons other than DNS traffic.

    As I recall in DD-WRT I could prevent DNS traffic from going anywhere but where I chose via scripting.

    With Toastman I'm currently intercepting all outbound port 53 UDP traffic and redirecting to the router's internal DNS server. I'm doing this via settings in the GUI. I don't know if this capability exists in the "stock" Tomato firmware, but if not something could probably be done via scripting, just like with DD-WRT.

    The limitation with using any of these 3rd party firmwares is they are essentially hobbyist software, produced by a fairly small, but dedicated and skilled community. They can also run on limited numbers of hardware platforms. For home use they are fine, but I would not use them in a business environment. OpenWRT can be an exception to that as a few small hardware vendors are producing commercial routers based on OpenWRT, some of which are suitable for the business environment.

    There are also high end business firewalls (generally referred to as UTM devices or firewalls) that have this capability (and many, many more capabilities) but the price for them (generally $1000 plus maintenance subscription) generally makes them cost prohibitive for home use (as well as many small and micro businesses).

    Note, even if you are capable of intercepting unencrypted port 53 traffic at the router level there are multiple ways to bypass that via encrypted methods, such as DNSCrypt or even the alternate DNS service that some of the Avast antivirus products have built into them.

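    The scripted redirect described above, written out as an added example (not code from the thread or from the DD-WRT/Tomato projects). It goes slightly beyond the UDP-only GUI setting mentioned by also catching DNS over TCP port 53, which clients fall back to for large answers. Assumptions not stated in the thread: the LAN bridge is named br0 and the router's LAN address lives in the nvram variable lan_ipaddr (both DD-WRT conventions), and the router's dnsmasq is already set to forward upstream to OpenDNS (208.67.222.222 and 208.67.220.220). The function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: a DD-WRT-style firewall script
# that forces every LAN client's DNS query (UDP and TCP port 53) to the
# router's own dnsmasq, which must itself be configured to forward to
# OpenDNS (208.67.222.222 and 208.67.220.220).  On DD-WRT this goes in
# Administration -> Commands -> "Save Firewall"; on Tomato into the
# "Firewall" script box.
#
# Assumptions not stated in the thread: the LAN bridge is named br0 and the
# router's LAN address is stored in the nvram variable lan_ipaddr.  Both
# are DD-WRT conventions; check them on your own build.

# Print the iptables commands (one per line) without running them.
#   $1 = LAN interface, $2 = router LAN IP
dns_redirect_rules() {
    lan_if=$1
    lan_ip=$2
    for proto in udp tcp; do
        # "-i $lan_if": only packets that arrive from the LAN side are
        # rewritten, so the router's own forwarding to OpenDNS (which
        # leaves on the WAN interface) is never looped back on itself.
        # "! -d $lan_ip": queries already aimed at the router are left alone.
        echo "iptables -t nat -I PREROUTING -i $lan_if -p $proto ! -d $lan_ip --dport 53 -j DNAT --to-destination $lan_ip:53"
    done
}

# Apply the rules on the router.  Refuses to do anything unless iptables
# exists and a LAN address is known, so sourcing this file on a
# workstation to inspect it is harmless.
apply_dns_redirect() {
    lan_if=${1:-br0}
    lan_ip=${2:-$(nvram get lan_ipaddr 2>/dev/null)}
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found; not running on the router?" >&2; return 1; }
    [ -n "$lan_ip" ] || { echo "LAN IP unknown; pass it as the second argument" >&2; return 1; }
    dns_redirect_rules "$lan_if" "$lan_ip" | sh -e
}

# Verification helper: feed it the output of
#   iptables -t nat -S PREROUTING
# and it prints how many port-53 DNAT rules are installed (expect 2;
# 0 means the redirect is not in effect, e.g. after a reboot wiped it).
count_dns_dnat_rules() {
    grep -c -- '--dport 53 -j DNAT' || true
}
```

    Run `apply_dns_redirect` once from the firmware's firewall hook; because the rules are inserted with `-I`, running it again by hand stacks duplicates, so check with `iptables -t nat -S PREROUTING | count_dns_dnat_rules` first. To confirm it works, point a LAN client at some other resolver (for example `nslookup example.com 8.8.8.8`): the lookup still succeeds, but the answer actually came from the router, and `nslookup -type=txt debug.opendns.com` (OpenDNS's diagnostic name) should report an OpenDNS server. As the comment says, this only governs plaintext port 53; DNSCrypt and similar encrypted channels pass straight through.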
  • dns_tester

    Matt, thanks much for the info. Since directing port 53 to OpenDNS is currently my only reason for using the 3rd-party firmware, do you think there is any compelling reason to go with one of the other choices rather than DD-WRT? (I am leaning that direction simply because it seems to be the most common, but would go with another if better.) Also, as far as other methods of defeating standard OpenDNS go... will having OpenDNS installed prevent initial access to DNSCrypt, since it, by definition, enables bypassing OpenDNS (like, by default, OpenDNS blocks proxy sites)? And... are there any other "no-brainer / nothing-else-needed" defeats to the standard OpenDNS service that come to mind? What I'm hoping to do is catch as many of those via the router as possible, where "nothing-else-needed defeats" refer to methods of getting around the filter that do NOT require installing special software (like Avast) or some other utility... or accessing a particular type of website (e.g. free proxy sites). I'm not focused, at the moment, on those methods... just the ones that can be done via the PC / device's settings (like simply changing the DNS)... or using some little-known procedure / series of steps. Thanks very much.
  • mattwilson9090

    That's a tough question. I like Toastman much better than DD-WRT since it's so much more powerful, has many more management and monitoring features, and frankly, is easier to use. Compared to DD-WRT it's far easier to control the UDP port 53 traffic since you only need to check a box, rather than writing and testing a script.

    The first flash with any 3rd party firmware is the most difficult, and there's a chance that you can brick it, but Toastman does seem to go pretty easily onto new vintage hardware. However, Toastman doesn't seem to be compatible with as much hardware.

    OpenDNS could prevent access to the download site for DNSCrypt, but that's easily circumvented by using something like a thumb drive to carry it in. I'm not familiar enough with DNSCrypt to know if OpenDNS could block it after it was running though. That's something that would probably best be done at the firewall level, but I'm not sure any of the 3rd party firmware we're talking about here could do it.

    Be aware though, OpenDNS doesn't block anything by default. What it blocks is solely dependent on the configuration choices you choose.

    I'm sure there are many potential ways to bypass or ignore OpenDNS, I just mentioned the ones that came to the top of my head. Being able to negate those methods depends entirely on how much control you have over the network and the devices on it. In a properly configured Active Directory environment where no one has administrator permissions to their devices it's fairly simple to block nearly all bypass methods. In a wide open peer to peer network where everyone has admin rights to their hardware about all you can do is filter and control the unencrypted port 53 traffic. Beyond that, finding ways around OpenDNS takes a little more effort, but they are abundant. Fortunately, considering how little most people know about actually configuring a computer, redirecting or controlling port 53 alone will stop the vast majority of attempts to bypass OpenDNS.

  • angelandice

    Does anyone know of any off-the-shelf home routers that have this ability (with the router's original firmware)?
