How to block access to Google DNS?

Hello there. OpenWrt newbie here :tada:; I searched the forum on this topic with little success. The goal is for all of my LAN devices to use the DNS servers of Smart DNS Proxy.

I've 1) added the appropriate IP addresses in Network > Interfaces > lan > Use custom DNS servers and 2) blocked access to Google DNS in Network > Firewall > Traffic Rules (screenshot attached) - but when I ping 8.8.8.8 I get four solid replies. What am I missing?

Unless access to Google DNS is blocked, my Chromecasts will disregard the Smart DNS servers.

Thanks!

What you probably want to do is perform DNS hijacking. There is a wiki article that explains the process:

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

2 Likes
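The interception the wiki page above describes, as an added example (not code from the thread or from the wiki): a `uci batch` script for the redirect plus a DoT block, and a small check that reads `uci show firewall` output. The section names `dns_int` and `dot_fwd` and the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or the wiki's own text: the DNS
# interception that the linked wiki page sets up, as a `uci batch` script,
# plus an awk check over `uci show firewall` output. Section names
# dns_int and dot_fwd are assumptions; any names work.

# (1) DNAT every LAN query to port 53 back to the router's own dnsmasq, so a
# device with a hard-coded resolver such as 8.8.8.8 still uses the router's
# upstream; (2) reject DNS-over-TLS (853) to the WAN so it cannot sidestep
# the redirect with a DoT resolver of its own.
dns_intercept_batch() {
	cat <<'EOF'
set firewall.dns_int=redirect
set firewall.dns_int.name='Intercept-DNS'
set firewall.dns_int.src='lan'
set firewall.dns_int.src_dport='53'
set firewall.dns_int.proto='tcp udp'
set firewall.dns_int.target='DNAT'
set firewall.dot_fwd=rule
set firewall.dot_fwd.name='Deny-DoT'
set firewall.dot_fwd.src='lan'
set firewall.dot_fwd.dest='wan'
set firewall.dot_fwd.dest_port='853'
set firewall.dot_fwd.proto='tcp udp'
set firewall.dot_fwd.target='REJECT'
commit firewall
EOF
}

# Read `uci show firewall` output on stdin; exit 0 if some redirect section
# has src=lan, src_dport=53 and target=DNAT (the interception rule), else 1.
has_dns_intercept() {
	awk -v q="'" '
	{ line = $0; sub(/^firewall\./, "", line)
	  if (!match(line, /^[^.=]+/)) next
	  sec = substr(line, 1, RLENGTH); rest = substr(line, RLENGTH + 1)
	  if (substr(rest, 1, 1) == "=") { type[sec] = substr(rest, 2); next }
	  eq = index(rest, "="); opt = substr(rest, 2, eq - 2); val = substr(rest, eq + 1)
	  gsub("^" q "|" q "$", "", val); kv[sec, opt] = val }
	END { for (s in type)
	        if (type[s] == "redirect" && kv[s, "src"] == "lan" &&
	            kv[s, "src_dport"] == "53" && kv[s, "target"] == "DNAT") found = 1
	      exit found ? 0 : 1 }'
}

# Constructed sample of `uci show firewall` output, for checking offline.
SAMPLE_UCI_SHOW="firewall.dns_int=redirect
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.target='DNAT'"
```

On the router, `dns_intercept_batch | uci batch && /etc/init.d/firewall restart` applies it, and `uci show firewall | has_dns_intercept` confirms the redirect is present.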

You can totally block traffic to and from an IP address using blackhole routes; I leave the IPv6 version to you as an exercise.

Add to /etc/config/network, then find and enable in LuCI/Network/Routing.
Metric added as a colourful label.

config route
        option interface 'loopback'
        option type 'blackhole'
        option target '8.8.8.8/32'
        option metric '8888'
        option disabled '1'

config route
        option interface 'loopback'
        option type 'blackhole'
        option target '8.8.4.4/32'
        option metric '8888'
        option disabled '1'

1 Like

Thanks! I had tried this one but I still seem to be able to ping 8.8.8.8 and 8.8.4.4.

Pinging is different from DNS hijacking.

Let’s see your full firewall file.

2 Likes

I have this rule, which seemingly is identical to yours and I can't ping either IP from a client:

config rule
	option src 'lan'
	option target 'REJECT'
	option dest 'wan'
	option name 'Block Google DNS'
	list dest_ip '8.8.8.8'
	list dest_ip '8.8.4.4'
	list proto 'all'

1 Like

Thanks! I added these Static IP Routes using the GUI (cheeky I know) and they work! All of the pings to Google DNS servers time out now.

Next challenge now seems to be the Virgin Media (my internet provider) Hub 5, which I use in modem mode. I run a DNS leak test and it shows a DNS leak to a Virgin Media DNS server rather than the Smart DNS Proxy servers I specified in Network > Interfaces > lan > Use custom DNS servers. I'm surprised because I thought the Virgin Media Hub would just be pass-through when in modem mode; this was the case with the Hub 3 I had before. Any suggestions? Cheers!

You can switch to a (local) custom DNS server that does encrypted DNS (DoH, DoT, etc.) and use DNS hijacking (mentioned above) on your router to force all local DNS queries to go through said server. If you're using unencrypted servers, nothing is stopping your internet provider from hijacking your DNS queries.

1 Like

Cheers. As you suggest, I added DNS hijacking on top of the Static IP Routes I had set up earlier - but DNS leak test still returns a Virgin Media DNS server. Might this mean that the DNS servers provided by Smart DNS Proxy are not encrypted?

I'm not sure where you've configured those DNS servers. But with encrypted DNS, the clients need to support the protocol, which I don't think OpenWrt does out of the box. So if you want your router to do encrypted DNS, you need to configure that first. There are some guides for DoH, DoT, DoQ in the wiki.

1 Like

I configured the DNS servers in Network > Interfaces > lan > Use custom DNS servers - see screenshot - so not encrypted, I understand. I will try one of the options for encrypted DNS in your link tomorrow. Thank you!

1 Like

I couldn't resist and tried the method "DoH/DoH3, DoT, DoQ and DNSCrypt with Dnsmasq and dnsproxy". DNS leak test now returns Cloudflare IP addresses rather than my Smart DNS Proxy ones :thinking:

Never mind; I see now that dnsproxy is configured with Cloudflare DNS by default hence my results with the DNS leak test.
So the encrypted DNS route you suggested works... but it would seem that Smart DNS Proxy doesn't offer DoH, DoH3 etc. :frowning_face: I will check with them.
