Asus RT-AC88U and port 53
I recently upgraded my router to an Asus RT-AC88U. However, I can't figure out how to isolate DNS traffic via port 53 to OpenDNS servers. I had this configured on my prior DIR-655 with port forwarding; however, the ASUS interface does not appear to support this functionality?
If you are able to confirm this, please let me know. I'm also interested in solutions or options to restrict port 53 to OpenDNS servers via this router if possible.
Thanks in advance!
-
You configure this as per section "4.6.4 Network Services Filter" of your manual.
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC88U/E10302_RT_AC88U_Manual.pdf
-
Rotblitz,
Thanks for the reply. I did follow the manual as I thought appropriate before posting and configured the router as depicted on the attached image. I tested the configuration as you advised on the last comment of another post (https://support.opendns.com/entries/40879860-Asus-RT-N66U-Firewall).
I get the message "I am not an OpenDNS resolver" with nslookup -type=txt which.opendns.com. 8.8.8.8
With nslookup -type=txt which.opendns.com. I get the following:
Server: router.asus.com
Address: 192.168.0.1
Non-authoritative answer: which.opendns.com text = "1.ash"
Prior to running the nslookup commands I did an ipconfig /flushdns.
Thanks for your reply and I look forward to any additional advice.
port53.png
-
It only allows a blacklist or a whitelist. It is a toggle button and will not allow for both. However, I think I figured it out...
By adding these lines via the telnet interface:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Thanks!
-
This is what I'm using on my Asus RT-N56U (I can't take credit for this; it was posted elsewhere). I like that it passes the Google DNS server redundancy onto the OpenDNS redundancy.
# Allow traffic to OpenDNS
iptables -t nat -A PREROUTING -i br0 -p udp -m udp --dport 53 -d 208.67.220.220/32,208.67.222.222/32 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -d 208.67.220.220/32,208.67.222.222/32 -j ACCEPT
# For _some_ resilience, rewrite 8.8.8.8 to one OpenDNS address and 8.8.4.4 to the other
iptables -t nat -A PREROUTING -d 8.8.8.8/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.222.222
iptables -t nat -A PREROUTING -d 8.8.8.8/32 -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.222.222
iptables -t nat -A PREROUTING -d 8.8.4.4/32 -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.220.220
iptables -t nat -A PREROUTING -d 8.8.4.4/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.220.220
# Mop up ANY other DNS servers
iptables -t nat -A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.220.220
# TCP mop-up rule, mirroring the UDP rule above (the original post was cut off here)
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.220.220
-
I'd suggest checking an ASUS forum. Here on the OpenDNS forum we can tell you what you want to accomplish, either blocking all port 53 traffic that is not going to the OpenDNS servers, or intercepting and redirecting all port 53 traffic to the OpenDNS servers. These are fairly routine firewall tasks but we aren't experts here on all the different router models, just on OpenDNS and what you want to accomplish. The ASUS forum would have the experts on manipulating and configuring your specific router model and how to accomplish what you want to accomplish.
Granted, someone here might know how to do this with your specific model, but the odds of finding someone who knows how to do it are higher on the ASUS forums, and you'll likely find someone who knows how faster.
-
uniqueone1, your two lines worked magic.
-
I know this is an old thread, but here is how I did it with my Asus router. Hope this helps.
I know DNS operates on UDP port 53, but I have found it can sometimes operate on TCP port 53 as well. The first two rules you see in my picture block all DNS servers, then the next set of rules only allows the OpenDNS servers to be used. All others will be blocked. Doing this works on all of the Asus routers I have set up, not only for myself but for friends and family as well. Hope this helps.
-
I'm trying to do the same. The instructions from uniqueone1 do work like a charm, except they do not persist after a router reboot (Asus RT-AC57U). Any ideas how to do it?
-
Actually, I'll post the answer that I found after some time. I'm not too good with these things, so maybe somebody will optimize what I did. Here we go:
On any (most?) Asus routers you can achieve that with the stock firmware (I couldn't install the popular, more feature-rich alternative firmware). You have to do the following steps:
1. Enable SSH in the admin panel if it is not already enabled (Administration -> System -> Enable ssh). Or you can do the same with telnet.
2. SSH to your router and create a folder: mkdir /jffs/scripts/
jffs is the folder/small file system that will survive a reboot.
3. Create a file with this name (the name is important): vi /jffs/scripts/services-start (for more about user scripts see https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts)
4. Put the following content in the file:
#!/bin/sh
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
5. Save the file: press Esc, then type :wq and press Enter. If you need help, look up how to work with the vi editor.
6. Give execute rights to your script: chmod a+rx /jffs/scripts/*
7. Reboot.
8. Test at https://welcome.opendns.com/
Links that helped me to do it:
https://medium.com/@johnsercel/asus-router-usb-modem-initial-reliability-hacks-74885a2ff318
https://www.snbforums.com/threads/asus-rt-ac68u-how-to-add-scripts.27271/
https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-LED-control
Hope that will save somebody a couple of hours in the evening.
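Putting the two halves of this thread together (the allow-OpenDNS / rewrite-everything-else iptables policy posted for the RT-N56U, and the /jffs/scripts/services-start persistence trick from the post above), here is a complete services-start script as an added example. It is not code from any poster here or from ASUS. It assumes the stock asuswrt BusyBox shell with iptables and nvram on the router and a LAN bridge named br0; the chain name DNSFILTER and the fallback LAN address 192.168.1.1 (used only when nvram is unavailable, e.g. when previewing the rules on a PC) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): /jffs/scripts/services-start that forces
# every LAN client's port-53 traffic to OpenDNS and survives reboots.
# Assumptions: stock asuswrt BusyBox sh with iptables and nvram on the router,
# LAN bridge br0. The chain name DNSFILTER is our own choice.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-DNSFILTER}"
LAN_IF="${LAN_IF:-br0}"
# nvram is absent off the router; fall back to a constructed default for previews.
LAN_IP="${LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.1.1)}"
OPENDNS_PRIMARY=208.67.222.222
OPENDNS_SECONDARY=208.67.220.220

# Print the policy, one rule per line, as the arguments that follow
# "iptables -t nat -A". Order matters: accepts first, then the specific
# rewrites, then the catch-all.
dns_rules() {
    for proto in udp tcp; do
        # Queries already going to OpenDNS pass untouched.
        echo "$CHAIN -p $proto --dport 53 -d $OPENDNS_PRIMARY -j ACCEPT"
        echo "$CHAIN -p $proto --dport 53 -d $OPENDNS_SECONDARY -j ACCEPT"
        # Queries to the router itself stay with its dnsmasq so local names keep
        # resolving; point the router's own WAN DNS at OpenDNS in the web UI.
        echo "$CHAIN -p $proto --dport 53 -d $LAN_IP -j ACCEPT"
        # Keep a client's primary/secondary split when it hard-codes Google DNS.
        echo "$CHAIN -p $proto --dport 53 -d 8.8.8.8 -j DNAT --to-destination $OPENDNS_PRIMARY"
        echo "$CHAIN -p $proto --dport 53 -d 8.8.4.4 -j DNAT --to-destination $OPENDNS_SECONDARY"
        # Catch-all: any other resolver on port 53 is rewritten to OpenDNS.
        echo "$CHAIN -p $proto --dport 53 -j DNAT --to-destination $OPENDNS_PRIMARY"
    done
}

rule_count() { dns_rules | wc -l | tr -d ' '; }

# Install the policy in its own chain so a re-run (reboot, or re-applying by
# hand after the firmware rebuilds the nat table) replaces the rules instead of
# appending duplicates to PREROUTING.
apply_dns_rules() {
    "$IPTABLES" -t nat -N "$CHAIN" 2>/dev/null || true   # already exists on re-run
    "$IPTABLES" -t nat -F "$CHAIN"
    # Remove stale jumps from earlier runs (bounded so a dry run cannot spin), then add one.
    i=0
    while [ "$i" -lt 5 ] && "$IPTABLES" -t nat -D PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null; do
        i=$((i + 1))
    done
    "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -j "$CHAIN"
    dns_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into separate arguments is intended
        "$IPTABLES" -t nat -A $rule
    done
}

main() {
    apply_dns_rules
    logger -t services-start "DNS policy applied: $(rule_count) rules in $CHAIN" 2>/dev/null || true
}

# Apply only when the firmware runs this file as services-start (or when asked
# explicitly with "apply"); otherwise the functions are merely defined, which
# lets you preview the policy with:  IPTABLES=echo sh ./services-start apply
case "${1:-${0##*/}}" in
    apply|services-start) main ;;
esac
```

Install it as /jffs/scripts/services-start with chmod a+rx and it applies itself at boot. The firmware rebuilds the nat table whenever the firewall restarts (a WAN reconnect, for example), so after such events check with nslookup -type=txt which.opendns.com. 8.8.8.8 and re-run sh /jffs/scripts/services-start apply if the rewrite is gone; Merlin firmware's firewall-start and nat-start hooks exist for exactly that case. Note that this only governs plain port-53 DNS: clients using DNS over HTTPS or TLS (ports 443 and 853) are not touched by any of the rules in this thread.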