Asus RT-AC88U and port 53

Comments

13 comments

  • rotblitz

    You configure this as per section "4.6.4 Network Services Filter" of your manual.
    http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC88U/E10302_RT_AC88U_Manual.pdf

  • uniqueone1

    Rotblitz,

    Thanks for the reply.  I did follow the manual as I thought appropriate before posting and configured the router as depicted on the attached image.  I tested the configuration as you advised on the last comment of another post (https://support.opendns.com/entries/40879860-Asus-RT-N66U-Firewall).  

    I get the message "I am not an OpenDNS resolver" with  nslookup -type=txt which.opendns.com.  8.8.8.8

    With nslookup -type=txt which.opendns.com I get the following:

    Server: router.asus.com
    Address: 192.168.0.1
    Non-authoritative answer: which.opens.com text = "1.ash"

    Prior to running the nslookup commands I did an ipconfig /flushdns

    Thanks for your reply and I look forward to any additional advice.

    (attachment: port53.png)
  • rotblitz

    I see that you whitelisted the OpenDNS resolver addresses, but did you also blacklist the rest?

  • uniqueone1

    It only allows a blacklist or a whitelist. It is a toggle button and will not allow for both. However, I think I figured it out...

    By adding these lines via the telnet interface:

    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

    Thanks!
  • rotblitz

    Even better! This does not block, but redirects. I didn't know that this router has a CLI. There is no mention of that in the manual.

  • keithbarrett

    This is what I'm using on my Asus RT-N56U (I can't take credit for this; it was posted elsewhere). I like that it passes the Google DNS server redundancy onto the OpenDNS redundancy.

    # Allow traffic to OpenDNS
    iptables -t nat -A PREROUTING -i br0 -p udp -m udp --dport 53 -d 208.67.220.220/32,208.67.222.222/32 -j ACCEPT
    iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -d 208.67.220.220/32,208.67.222.222/32 -j ACCEPT

    # For _some_ resilience, rewrite 8.8.8.8 to one OpenDNS address and 8.8.4.4 to the other
    iptables -t nat -A PREROUTING -d 8.8.8.8/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.222.222
    iptables -t nat -A PREROUTING -d 8.8.8.8/32 -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.222.222
    iptables -t nat -A PREROUTING -d 8.8.4.4/32 -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.220.220
    iptables -t nat -A PREROUTING -d 8.8.4.4/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.220.220

    # Mop up ANY other DNS servers
    iptables -t nat -A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.220.220
    # (the tcp line was cut off in the original post; completed here to mirror the udp rule above)
    iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.220.220
  • juanmiguel_431

    I tried to do everything on my Asus RT-N66U but it doesn't work at all. I enabled telnet on Windows 10 and also in the router. After that, I pasted every line above. It showed no errors but it didn't work.

    Have you any idea how to prevent other DNS servers with this router?

  • mattwilson9090

    I'd suggest checking an ASUS forum. Here on the OpenDNS forum we can tell you what you want to accomplish, either blocking all port 53 traffic that is not going to the OpenDNS servers, or intercepting and redirecting all port 53 traffic to the OpenDNS servers. These are fairly routine firewall tasks but we aren't experts here on all the different router models, just on OpenDNS and what you want to accomplish. The ASUS forum would have the experts on manipulating and configuring your specific router model and how to accomplish what you want to accomplish.

    Granted, someone here might know how to do this with your specific model, but the odds of finding someone who knows how to do it are higher on the ASUS forums, and you'll likely find someone who knows how faster.

  • jovianskye

    uniqueone1 your two lines worked magic
  • phantasus

    I know this is an old thread, but here is how I did it with my Asus router. Hope this helps.

    I know DNS operates on UDP port 53, but I have found it can sometimes operate on TCP port 53 as well. The first two rules you see in my picture block all DNS servers, then the next set of rules only allows OpenDNS servers to be used. All others will be blocked. Doing this works on all of the Asus routers I have set up, not only for myself but for friends and family as well. Hope this helps.

  • serrnovik

    I'm trying to do the same. The instructions from uniqueone1 do work like a charm, except they do not persist after a router reboot (Asus RT-AC57U). Any ideas how to do it?

  • rotblitz

    This is a very specific router-related question, not related to OpenDNS in any way. You'd better ask this in an Asus support forum. Here you may not get an answer at all, or not for a long time.

  • serrnovik

    Actually, I'll post the answer that I found after some time. I'm not too good with these things, so maybe somebody will optimize what I did. Here we go:

    On any (most?) Asus routers you can achieve that with the stock firmware (I couldn't install the popular alternative, more feature-full firmware). You have to do the following steps:

    1. Enable SSH in the admin panel if it is not already enabled (Administration -> System -> Enable ssh). Or you can do the same with telnet.

    2. SSH to your router and create the folder: mkdir /jffs/scripts/

    /jffs is the folder (a small file system) that survives a reboot.

    3. Create a file with this name (the name is important): vi services-start (for more about user scripts see https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts)

    4. Put the following content in the file:

    #!/bin/sh
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

    5. Save the file: press Esc, then type wq! and Enter. If you need help, google how to work with the vi tool.

    6. Give rights to your script: chmod a+rx /jffs/scripts/*

    7. Reboot.

    8. Test: https://welcome.opendns.com/

    Links that helped me to do it:

    https://medium.com/@johnsercel/asus-router-usb-modem-initial-reliability-hacks-74885a2ff318
    https://www.snbforums.com/threads/asus-rt-ac68u-how-to-add-scripts.27271/

    https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-LED-control

    Hope that will save somebody a couple of hours in the evening.
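As an added example (not code from any poster in this thread), the following combines two of the approaches above, keithbarrett's whitelist-plus-redirect ruleset and serrnovik's persistent /jffs/scripts/services-start, into one script that is safe to run more than once: each rule is appended only if `iptables -C` reports it is not already present, so a second run of services-start (or pasting the script again over telnet) does not stack duplicate rules. It covers both UDP and TCP 53, the point phantasus raises. It assumes stock Asus or Merlin firmware with a busybox sh, an iptables build that supports -C, LAN bridge br0, and a hypothetical DRY_RUN=1 switch that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from any poster: force every LAN DNS query (UDP and TCP 53)
# to OpenDNS, written to be saved as /jffs/scripts/services-start on an Asus router.
# Assumptions: busybox sh, iptables with the -C (check) option, LAN bridge br0.
# DRY_RUN=1 is a hypothetical switch that prints the rules instead of applying them.

OPENDNS1=208.67.222.222
OPENDNS2=208.67.220.220
LAN_IF="${LAN_IF:-br0}"
IPT="${IPT:-iptables}"

# nat_rule CHAIN RULE...: append RULE to the nat table only if it is not already
# there, so re-running this script never produces duplicate rules.
nat_rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT -t nat -A $*"
        return 0
    fi
    "$IPT" -t nat -C "$@" 2>/dev/null || "$IPT" -t nat -A "$@"
}

# Ordering matters: iptables evaluates PREROUTING top to bottom and the first
# match wins, so the ACCEPT rules for OpenDNS must come before the catch-all DNAT.
apply_dns_rules() {
    for proto in udp tcp; do
        # 1. Queries already addressed to OpenDNS pass through unchanged.
        for dns in "$OPENDNS1" "$OPENDNS2"; do
            nat_rule PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -d "$dns" -j ACCEPT
        done
        # 2. Hosts hard-wired to Google DNS: map each address onto a different
        #    OpenDNS resolver, so the client's own failover still reaches two servers.
        nat_rule PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -d 8.8.8.8 -j DNAT --to-destination "$OPENDNS1"
        nat_rule PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -d 8.8.4.4 -j DNAT --to-destination "$OPENDNS2"
        # 3. Any other resolver on port 53 is rewritten to OpenDNS.
        nat_rule PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j DNAT --to-destination "$OPENDNS1"
    done
}

# Show what the router is actually doing with port 53 (useful after a reboot to
# confirm the hook ran and the rules are still in place).
show_dns_rules() {
    "$IPT" -t nat -S PREROUTING | grep -- '--dport 53'
}

# Only apply when invoked as the firmware's services-start hook, so the
# functions can also be sourced or dry-run from an interactive shell.
case "${0##*/}" in
    services-start) apply_dns_rules ;;
esac
```

Run `DRY_RUN=1 sh /jffs/scripts/services-start` from an interactive shell to see the ten rules it would install, and `show_dns_rules` after a reboot to confirm they survived. If you prefer uniqueone1's variant, where queries go to the router's own dnsmasq (so the router's WAN DNS setting picks the upstream and LAN names such as router.asus.com still resolve), set every --to-destination to `$(nvram get lan_ipaddr)` and drop the ACCEPT lines.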
