Router Access Control List to prevent users from using alternate DNS

Peavey2787

Thank you to anyone that takes the time to read this. I have an AC750 Archer C2 router and I am using OpenDNS. I have set the DNS for the WAN to OpenDNS's servers and I'm trying to follow their instructions on ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53 and BLOCK TCP/UDP IN/OUT all IP addresses on Port 53. I've added the host as the whole range of IPs available (192.168.1.0 - 192.168.1.199) on port 53 and named it "All", and the target is OpenDNS's server #1 (208.67.222.222), named "OpenDNS1". I'm just focusing on getting one working right, then I'll add the second. Then for the schedule I have selected all the time available, 24/7.

Here is the table in the router control list now:

Description:    LAN Host:   Target:     Schedule:   Rule:   Status:
Allow DNS IN    Any Host    OpenDNS1    Any Time    Allow   Enabled
Allow DNS out   Any Host    OpenDNS1    Any Time    Allow   Enabled
all in          All         Any Host    Any Time    Deny    Enabled
all out         All         Any Host    Any Time    Deny    Enabled

I've played around with the rules a ton. At one point I had it so I could use the OpenDNS server if my PC was set to auto-set the DNS, but if I change it to Google's DNS of 8.8.8.8 then it bypasses the OpenDNS and shows adult content and stuff that I don't want. I had IPv6 on before and I was getting weird results; then when I turned IPv6 off it was working as long as I didn't change the DNS.

I've been flushing the DNS Resolver Cache via ipconfig /flushdns, but that doesn't seem to help. I can get a little impatient when trying different rules out, should I try resetting the router/each device after I change the rules? Or will it be near instant like I'm hoping?

My end goal is to only have 2 devices that are allowed to bypass the OpenDNS and use their own/google's DNS.

Thanks for the help!

user1686

I've added the host as the whole range of IPs available (192.168.1.0 - 192.168.1.199) on port 53 and named it "All"

You're missing an important detail that every TCP or UDP packet has two ports: sender and destination. When your LAN hosts send DNS queries, they have 192.168.1.x as the source address, but they do not have 53 as the source port. (They have 53 as the destination port.)

So filtering 192.168.1.x:53 -> any:any will never match any DNS queries, unless they're inbound to your LAN (i.e. if you're running a DNS server). The filter you need is 192.168.1.x:any -> any:53, with LAN IP addresses on the source but port 53 only on the target.

(Aside: You can often specify the whole LAN (.1 to .255) as a single 192.168.1.0/24 entry.)
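To make the source-port versus destination-port point concrete, here is an added example (not from the question or the answer above) that models the router's ACL as a first-match rule list and runs constructed DNS queries through it. The rule names, the two "bypass" addresses, and the sample packets are assumptions; the asker's 192.168.1.0-199 range is modelled as the whole 192.168.1.0/24 for brevity.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")            # whole LAN, per the aside
OPENDNS = {ipaddress.ip_address("208.67.222.222"),
           ipaddress.ip_address("208.67.220.220")}
# Hypothetical: the two devices the asker wants to allow to use any resolver.
BYPASS = {ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.11")}

@dataclass(frozen=True)
class Packet:                 # the 5-tuple a router ACL actually matches on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

def rule(name, action, src=None, sport=None, dst=None, dport=None, proto=("tcp", "udp")):
    """Build a matcher; None means 'any'. src/dst may be a network or a set of hosts."""
    def matches(p):
        s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return (p.proto in proto
                and (src is None or s in src) and (dst is None or d in dst)
                and (sport is None or p.sport == sport)
                and (dport is None or p.dport == dport))
    return name, action, matches

def evaluate(rules, packet, default="allow"):
    """First matching rule wins, as a typical consumer router ACL does."""
    for name, action, matches in rules:
        if matches(packet):
            return action, name
    return default, "default"

# As asked: LAN host "All" carries port 53 on the *source* side, target Any Host.
ASKED = [
    rule("Allow DNS out", "allow", src=LAN, dst=OPENDNS),
    rule("all out", "deny", src=LAN, sport=53),      # never matches a client query
]
# Corrected: LAN addresses on the source, port 53 only on the target.
FIXED = [
    rule("Bypass devices", "allow", src=BYPASS, dport=53),
    rule("Allow DNS out", "allow", src=LAN, dst=OPENDNS, dport=53),
    rule("Block other DNS", "deny", src=LAN, dport=53),
]

# Constructed queries: a PC using an ephemeral source port, as real resolvers do.
TO_GOOGLE = Packet("192.168.1.50", 51234, "8.8.8.8", 53)
TO_OPENDNS = Packet("192.168.1.50", 51234, "208.67.222.222", 53)
```

With the asker's rules the query to 8.8.8.8 falls through to the default and is allowed; with the corrected rules it hits "Block other DNS", while queries to OpenDNS and from the two bypass devices are still allowed.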
