can't block DNS port 53 with RV082??

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Kremlar, Aug 11, 2010.

  1. Kremlar

    Kremlar LI Guru Member

    I just wasted 3 hours of my life trying to block traffic to unauthorized DNS servers from my RV082.

    I created rules to block both TCP and UDP port 53 from the LAN side, and created rules to allow traffic to authorized DNS servers (OpenDNS). No matter what I did, workstations could still be set to use other DNS servers and browse the web without issue.

    Looking at the router's online Help, I saw this:

    Custom rules can be created to override the RV082 default rules, but there are four additional default rules that will always be active, and custom rules cannot override the four rules.
    * HTTP service from LAN side to RV082 is always allowed.
    * DHCP service from LAN side is always allowed.
    * DNS service from LAN side is always allowed.
    * Ping service from LAN side to RV082 is always allowed.


    I think I just lost faith in my favorite router. Why in the world would they not allow you to block/restrict DNS traffic?

    Anyone aware of a workaround? Cisco was not of any help....

    Thanks
     
  2. torstenj1969

    torstenj1969 Networkin' Nut Member

    After buying a RV082 V2 I also ran into the problem with the DNS crap. I don't know why this problem still exists in the firmware, but I guess I found a solution for it. I'm using a RV082 V2 with the currently latest firmware.


    If you check my firewall settings you will see my set of DHCP and DNS settings. Normally a firewall, even when it's just a stupid "IPTABLES FIREWALL", should block the DNS requests which are not from my LAN. But if you use the RV082 series it seems this is not valid for CISCO and their firmware developers. :p I just want to know who the hell is beta testing this firmware.

    OK, here are now my settings for the DNS AND (!) DHCP Server within the firewall:


    If you are using a Windows DNS and DHCP environment it is important that you block DNS AND DHCP!!! I'm using 4 LANs on the RV082.
    It's just to play around with the non-working VLAN option and also test the non-working DNS blocking feature. Great!!!
    I guess I never saw such big crap from LINKSYS as this device. I hope the RV082 V3, which is now powered by CISCO, is better.

    If you now check to bypass the DNS you will see that it will (!) work. Add the OpenDNS, select as many restrictions as possible on OpenDNS and now change your LAN adapter within Windows (or LINUX) to use local Google DNS 8.8.8.8 and 8.8.4.4. You will see that you are able to go wherever you want even if you completely disable DNS everywhere on the router. Uhhhh????
    Not sure if it is a real bug. It might be that this is an unknown feature :D

    Now - how the hell do I prevent users from using the local DNS settings on their PC? Just with a short trick. Leave the settings within the firewall as you see them here and now set this option within your RV082:


    Check it, type your LAN DHCP IP and save it. Within a Windows environment do not use the ROUTER as DHCP, or disable this feature. Use it as DHCP relay agent.
    Why? DNS and DHCP are closer together than you believe since Windows 2008 & 2008 R2.
    Ok. But w.t.f. is this "DHCP RELAY AGENT"??
    If you don't know this or need further information then check the site below, because it will explain it in a really good way: DHCP RELAY AGENT - HOW DOES IT WORK

    Back to the roots, because we still have a DNS issue. We need to do a 2nd step within the settings on the router. Therefore we need to set the DNS settings below. Check this m8:

    To confuse you further about what exactly you need to set, here is the layout :cool: :


    The first entry is your local domain, which is by default "whatever-you-name-it.local". I hate this stupid local name. All your local DOMAIN requests will be answered by your local DNS. So far it should be clear.

    Add the entries "*" and "*.*" and "*.*." with OpenDNS server to your local DNS database.

    This means that everything which is not local will be answered by the OpenDNS server. You can now use any other server or whatever you want. Whatever you set here will be your DEFAULT DNS, and any other DNS server will be ignored and overwritten.

    And now the last and also important step. You MUST set these settings on your local DNS.
    OK, don't try to use the address below, because you need to set here the IP address of your RV082 router. I'm using a Class A/24 network and so I'm using this IP.
    It's very important that you have no other public server inside. If you do not remove them, the OpenDNS block will fail.

    Heyyyy, that's sooooo cute!!! And - why the hell is this working?

    It's stupidly easy why it's working. Let me give a short explanation:
    You will send a DNS request by typing a URL in your browser. Your browser asks your local machine who your DNS server is. This is now your Windows-based DNS server, and if you are requesting a local address you will get the correct answer.
    Now, let's assume you request www.porn.com as URL. What will happen?
    The browser asks your local PC. The PC will answer, hey, ask your local DNS server. The PC will ask, and the local DNS will respond "..hi m8! Everything which is not local I don't know, but my forwarder might know it".

    Your local DNS will forward the DNS request, and the most important thing: the DNS server request will be overwritten from your forward database. Why? Because it's just a forwarded request. If you still have the local DNS settings on your PC to try your bypass, this request will be forwarded at the router. That means that the router takes over the control of the pending DNS request. And what DNS server will your router use for asking??? You're damn right m8! Just only the server within the database.

    WoW!!!
    Is the no Port 53 a real bug? No - it's one of the best features they have implemented!!!! :D

    Now, when this is done keep your local DNS settings on your PC and try to go to a restricted website. You will see it fails and you will get the block site from OpenDNS. :)

    I know this is not the solution which will do a real Port 53 block. But I guess as long as CISCO (former LINKSYS) is playing with IPTABLES crap this might be a good solution. And at this point we will see the huge difference between an IPTABLES FIREWALL and a real CISCO ASA firewall.

    Best regards!

    Torsten
     
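Added example, not from either post: a small stdlib-only check an admin can run from a LAN workstation to verify whether a port-53 egress rule (the one Kremlar tried, or the forwarder setup above) actually stops resolvers other than the authorized one from answering. It sends a raw DNS query to each listed resolver; the resolver addresses are assumptions (OpenDNS's public resolver for the allowed side, the Google DNS addresses torstenj1969 mentions as the bypass).

```python
import random
import socket
import struct

def build_query(name, qid):
    """Minimal RFC 1035 A/IN query: header with RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_response(data, expected_id):
    """Return (rcode, answer_count) for a reply matching our id, else None."""
    if len(data) < 12:
        return None
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if qid != expected_id or not flags & 0x8000:  # wrong id, or not a response
        return None
    return flags & 0x000F, an

def probe_resolver(server, name="example.com", timeout=2.0):
    """Send one UDP/53 query; (True, detail) if the server answered, else (False, why)."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError as e:  # socket.timeout is an OSError subclass
            return False, f"no answer ({e.__class__.__name__})"
    parsed = parse_response(data, qid)
    if parsed is None:
        return False, "reply did not match our query"
    rcode, an = parsed
    return True, f"answered: rcode={rcode} answers={an}"

def egress_check(authorized, unauthorized, name="example.com"):
    """Probe every resolver; returns {server: (answered, detail)}."""
    return {s: probe_resolver(s, name) for s in authorized + unauthorized}

def block_effective(results, unauthorized):
    """The egress rule works only if no unauthorized resolver answered at all."""
    return not any(results[s][0] for s in unauthorized)

if __name__ == "__main__":
    # Constructed lists: OpenDNS public resolver as "authorized", Google DNS as the bypass
    authorized, unauthorized = ["208.67.222.222"], ["8.8.8.8", "8.8.4.4"]
    res = egress_check(authorized, unauthorized)
    for server, (_ok, detail) in res.items():
        print(f"{server:16} {detail}")
    print("block effective" if block_effective(res, unauthorized) else "BLOCK BYPASSED")
```

If an "unauthorized" server still answers, the workstation can bypass the filter exactly as both posts describe; a timeout on those servers and an answer from the authorized one is what a working rule looks like.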