Cannot figure out fios G1100 router setting to block port 53
I need to implement the below (link) but cannot figure it out on the Verizon G1100 router. Does someone know how?
https://support.opendns.com/entries/26374985-Preventing-circumvention-of-OpenDNS-with-firewall-rules
-
If this router came from Verizon it's likely that you can't do this with their router. As the article you linked to implied, it's not possible to do this on all hardware. As the article suggested, you need to either check the manual for your router or contact Verizon to see if this is even possible.
-
You'll want to block port 53 passthrough as from page 93 or 95 of your manual, Access Control.
https://www.verizon.com/cs/groups/public/documents/adacct/verizonfqg_userguide150121.pdf
https://www.verizon.com/cs/groups/public/documents/adacct/fios-qgr-userguide140925.pdf
-
Thanks for the reply. I have looked there but that documentation is not intuitive. I tried a few settings but apparently not the right combination. I assume I need 2 rules. The top level is to allow OpenDNS IP with :53 and then to block all other :53. I cannot get either one set up, nor can I find an example. I get the feeling I will be wasting my time calling Fios Tech support. But it may come down to that...
-
Unfortunately it may come down to contacting your ISP to find out if and how you can do this with their equipment.
I don't have time to dig through 200 page manuals, but yes, that's what you'd need to accomplish, i.e. allow traffic to OpenDNS, and then block all other port 53 traffic. If you do it in the other order you won't get any DNS resolution at all, which would effectively knock you off the internet. I've done it that way on some UTM firewalls and routers. There might also be an option to redirect all 53 port traffic to an address of your choosing. It accomplishes the same thing, but I haven't seen anything that offers both options.
It's also possible that the router and its firmware ignore these kinds of customizations. It's not unknown for equipment from some ISPs to appear to accept the settings that you specify, and then ignore them in favor of doing whatever your ISP wants you to do.
-
Hi, I have done it..
DHCP group can't use any other DNS server and only static IP below 182.168.0.100 allowed to use other DHCP server.
Please see the screenshot.
2-3-2016 6-00-56 PM.jpg
-
But a bit confusing. This could be optimized and minimalized.
- DNS TCP any --> 53 This is the same as 3.
- UDP any --> 53 This is the same as 5.
- TCP 1024-65535 --> 53 This is the same as 1.
- UDP 53 --> 53 This is nonsense. It does not occur in reality and doesn't cover anything.
- UDP 1024-65535 --> 53 This is the same as 2.
That said, either number 1 and 2, or number 3 and 5 would do it already. Only two rules are needed, one for UDP and one for TCP.
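The two points argued above (the allow-OpenDNS rule has to sit above the block-all-port-53 rule, and the five-rule screenshot list reduces to two rules) can be checked with a small first-match filter simulator. This is an added example, not code from the thread or from the G1100: the matching logic, the 192.168.1.0/24 LAN prefix used for cosland's per-host grouping, and the "default allow" policy for unmatched traffic are assumptions; the OpenDNS resolver addresses are OpenDNS's well-known public ones and are not quoted in the thread.

```python
"""Added example (not from the thread): a first-match packet-filter simulator.

It models the port-53 rule sets discussed above so the two points made in the
thread can be checked: the allow-OpenDNS rule must come before the block-all-53
rule, and the five-rule screenshot list collapses to two rules.  The G1100's
actual rule engine is not available here; the matching logic, the LAN prefix
192.168.1.0/24 and the "default allow" policy are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# OpenDNS's public resolver addresses (well-known values, not quoted in the thread).
OPENDNS = ("208.67.222.222", "208.67.220.220")
ANY_SRC = ("0.0.0.0", "255.255.255.255")
ALL_PORTS = (1, 65535)
DNS = (53, 53)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # LAN source address
    sport: int
    dst: str     # destination address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    proto: str = "any"
    src: tuple = ANY_SRC         # inclusive source-address range
    sport: tuple = ALL_PORTS     # inclusive source-port range
    dst: str = "any"             # "any" or one destination address
    dport: tuple = ALL_PORTS     # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        lo, hi = (int(ip_address(a)) for a in self.src)
        return (
            self.proto in ("any", p.proto)
            and lo <= int(ip_address(p.src)) <= hi
            and self.sport[0] <= p.sport <= self.sport[1]
            and self.dst in ("any", p.dst)
            and self.dport[0] <= p.dport <= self.dport[1]
        )


def decide(rules, pkt: Packet, default: str = "allow") -> str:
    """First matching rule wins; unmatched traffic gets the (assumed) default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def opendns_only(allow_first: bool = True):
    """Allow port 53 to OpenDNS, block port 53 to everything else, in either order."""
    allow = [Rule("allow", dst=ip, dport=DNS) for ip in OPENDNS]
    block = [Rule("block", dport=DNS)]
    return allow + block if allow_first else block + allow


def per_host_group(lan: str = "192.168.1"):
    """cosland's variant (assumed LAN): hosts .100 and above reach port 53 only at OpenDNS."""
    return [Rule("allow", dst=ip, dport=DNS) for ip in OPENDNS] + [
        Rule("block", src=(f"{lan}.100", f"{lan}.254"), dport=DNS)
    ]


# The five block rules from the screenshot, in the order rotblitz listed them ...
FIVE_RULES = [
    Rule("block", "tcp", dport=DNS),
    Rule("block", "udp", dport=DNS),
    Rule("block", "tcp", sport=(1024, 65535), dport=DNS),
    Rule("block", "udp", sport=DNS, dport=DNS),
    Rule("block", "udp", sport=(1024, 65535), dport=DNS),
]
# ... and the two he says are sufficient.
TWO_RULES = [Rule("block", "tcp", dport=DNS), Rule("block", "udp", dport=DNS)]


def equivalent(rules_a, rules_b, packets) -> bool:
    """True if both rule lists reach the same verdict for every sample packet."""
    return all(decide(rules_a, p) == decide(rules_b, p) for p in packets)


# Constructed sample traffic: DNS to OpenDNS, DNS to a third-party resolver, and non-DNS.
SAMPLE = [
    Packet("udp", "192.168.1.50", 40000, "208.67.222.222", 53),
    Packet("udp", "192.168.1.50", 40000, "8.8.8.8", 53),
    Packet("tcp", "192.168.1.150", 50000, "8.8.8.8", 53),
    Packet("udp", "192.168.1.150", 53, "8.8.8.8", 53),      # the "53 -> 53" case
    Packet("tcp", "192.168.1.150", 80, "8.8.8.8", 53),      # low source port
    Packet("tcp", "192.168.1.150", 50000, "8.8.8.8", 443),  # not DNS at all
]

if __name__ == "__main__":
    for name, rules in [("allow-first", opendns_only(True)), ("block-first", opendns_only(False))]:
        print(name, [decide(rules, p) for p in SAMPLE])
    print("five rules == two rules:", equivalent(FIVE_RULES, TWO_RULES, SAMPLE))
```

With the allow rules first, the OpenDNS packet passes and every other port-53 packet is blocked; with the block rule first, the OpenDNS packet is blocked too, which is the "no DNS at all" outcome described above. The five-rule and two-rule lists give identical verdicts for every sample packet, including the 53-to-53 and low-source-port cases, because the "any source port" rules already cover them.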
-
Is it possible to port forward all DNS requests to OpenDNS DNS servers? I have crafty users that know how to bypass the DHCP enabled DNS and enter their own. Rather than just deny them and listen to the whine, I would rather just they think they are getting away with something and get name resolution from OpenDNS anyway. Plus I can see where they tried to go when they initially enter URLs.
-
"Is it possible to port forward all DNS requests to OpenDNS DNS servers?"
Sure, if your router or internal DNS server supports this, then yes, else no. As you posted in this thread, is this for the Fios G1100 router? If not, why did you post it here instead of opening your own thread or searching for threads with the same topic? (They do exist.)
"Plus I can see where they tried to go when they initially enter URLs."
This is not what OpenDNS can do for you. They can capture only DNS traffic, not web traffic. The one is only loosely related to the other.
-
Trying to implement this on my router and I seem to be halfway there. With my current settings it seems everything works just fine if I don't set a DNS on my device. Once I do set a custom DNS server the internet disappears. While this will be effective in discovering if anyone is setting their own DNS, which I suspect they are, I would prefer to be more stealthy and just reroute their DNS, but I can't seem to figure out what step I'm missing... See the screenshot for my current settings...
-
Hi,
Please see my updated setting.
This setting is to control which IP group is allowed or not allowed to use an external DNS such as 8.8.8.8.
The reason for having this setting is that some clever kids know how to change the DNS setting on the device to bypass OpenDNS control.
The IP range from 100 (usually DHCP clients) will be blocked from using external port 53 while the IP range below 100 is allowed.
-
rotblitz, I do have a Fios G1100 router and since this forum is entitled "Cannot figure out fios G1100 router setting to block port 53" and the first question is "I need to implement the below (link) but cannot figure it out on the Verizon G1100 router. Does someone know how?
https://support.opendns.com/entries/26374985-Preventing-circumvention-of-OpenDNS-with-firewall-rules" which is exactly what I want to do. Also, when searching for "fios G1100 router redirect port 53 traffic" this is the first thread on the list and the only one on the list that actually talked about the Fios G1100. I believe I have reached the right support forum.
cosland, thank you for your kind and helpful response. I have changed my protocol rules to match yours but I am curious, how does a change from "any" to a range of everything possible change anything? Regardless, the results are unchanged. DNS to 8.8.8.8 is blocked instead of redirected. I hate to admit it but rotblitz, however rudely, did point out the problem. I'm still missing a redirect rule. I'm also guessing that I don't make it in account control. The port forwarding area seems to require being set to current IPs on the LAN, so perhaps a port triggering rule of some kind? While the thread title does say "block", the opening question asks about preventing circumvention, which is what I want, and it did come up in the search, so I'm really hopeful you have the answer to this setup.
Thank you for your time.
-
"however rudely" - I disagree.
Unfortunately the link you posted isn't about this specific device, but a general advice for routers where this is supported.
"i believe i have reached the right support forum."
Yes, the right forum, but not the best. The Fios G1100 nerds are elsewhere...
-
Thanks for responding to this thread, looks like it's as simple as adding an any block for DNS at the top in addition to the DNS rule specified above. Keep in mind that this presumes that you changed the DNS setting in your WAN connection to OpenDNS servers. If you need help with this, I can provide screenshots/instructions.
Doing an nslookup now fails when trying to specify a non-OpenDNS server (in this case, it's the Verizon DNS server, but you can specify any one):
nslookup cnn.com 71.252.0.12
server: 71.252.0.12
address1: 71.252.0.12
nslookup: can't resolve 'cnn.com'
nslookup cnn.com succeeds just fine, so I know we're resolving (I tried one I don't use so it wouldn't be in cache). So if somebody on your network suddenly can't access some, eventually all, pages (depending on how long their DNS cache lives), then you know to check their DNS settings to make sure they didn't get changed. I haven't looked yet, but you should see DNS blocks in the security log for anyone trying to bypass this rule.
So create the DNS rule using the default DNS protocol setup (has the weird 53 - 53 port) to only allow your home network (as others have specified above), then put the block rule as the attached screenshot shows (basically any to DNS).
-
Here you go: http://bfy.tw/DMfv
-
Thanks, I was searching for this particular problem, and there are so many groups, I thought maybe you had some insight into the best "nerd zone", rather than just sending me to do a web search.
Here's a link to how to bypass DNS security; the fix above resolves two and a half of the six and does not prevent all tricks (the half is blocking Proxy/Anonymizer, which blocks download of Tor (#5) on your network), so you have to do some creative defense in depth:
http://www.wikihow.com/Bypass-OpenDNS-Internet-Security
I'm trying out blocking webcache.googleusercontent.com (#4). If someone is willing to manually create their own list of websites in hosts (#3), or use a modem/external device (#6) to connect, then it might be better to set up an unrestricted DMZ network to let them risk their own device, but not your network, unless you can lock down their devices/laptops. At some point you have to make a management call on how far you want to go, and how hard you want to work at it.