Traffic rules block dns

hi,

I'm trying to block Google DNS on my network. I followed a tutorial on the internet, but the OpenWrt build it uses is older than mine, so I'm not sure if I'm OK... In the doc, I see:

Match ICMP type: any
Source zone: Select lan
Source MAC address: any
Source address: any

On my build, I don't have the "any" option, so what do you think I should do?

thanks

You should be able to block DNS to 8.8.8.8 by simply adding destination port 53 to the rule you already have. Keep in mind, though, that you only block one such DNS service/IP address with this rule (8.8.4.4 is another Google DNS server, 1.1.1.1 and 1.0.0.1 are Cloudflare, and so on). If you want to block all non-whitelisted DNS servers (or ensure that only the one you have running on your own network is functional), remove the destination address and just keep the destination zone as WAN.


Yes, I will do the same with 8.8.4.4 as well.

Just re-reading this -- what version of OpenWrt are you using? What is your device?

R7800 with the latest hnyman build.

And what about the source address? The doc says to select "any", but I don't have this option. If I don't select anything, am I OK?

Just the zone is sufficient. If you see "--add IP--" in your interface, that means that there isn't currently a specific address added, and that is then interpreted as "any".


Thanks a lot.

BTW, I pinged Google DNS in cmd and I thought I couldn't, but the ping still works :slight_smile:

octets=32 temps=298 ms TTL=49
octets=32 temps=519 ms TTL=49
octets=32 temps=430 ms TTL=49
octets=32 temps=129 ms TTL=49
zero lost

Ping will still work, but DNS won't. If you want to block everything, take out the destination port.

OK, and is there something I can do to check whether Google DNS still works or not?

Set your computer's network settings manually - specifically, set the DNS server to only 8.8.8.8. Then try to open a web page or ping a site by its domain name (preferably one you haven't visited recently, to avoid a possible local cache of the DNS records).


Destination port or address? You mean address? Just keep 53?

I added 8.8.8.8 and 8.8.4.4 as the manual DNS servers on my laptop and unfortunately I can still open any web page and ping websites...

Port 53 is DNS. If you want to specifically block DNS requests, use this as the destination port. (It won't block other services or pings.) If left empty, it will block everything to the address.

Destination address is specified if you want to block a specific address, not all addresses. If left empty, it will block all on the specified zone (wan in this case).

If you do not specify an address and also do not specify a port, it will block all internet traffic.

OK, thanks for the info. I can still access websites and/or ping sites, but I guess it works :wink:

Post your latest config - I’ll check to see if it looks right.

Here we go, thanks again.

EDIT: I removed port 53, still the same result.

That should work. But order matters, so make sure it is in the right place.

Also, you can combine both of those rules into a single one - just add the other IP address to the first rule and remove the second one.
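The combined rule described above (lan zone to wan zone, tcp/udp port 53, both Google addresses in one rule), as an added example in the form of UCI commands for the router's shell; this is not code from the thread, and the rule name "Block-Google-DNS" and the helper function names are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): emit the UCI commands for ONE traffic rule
# that rejects DNS (tcp/udp port 53) from the lan zone to a list of WAN-side
# resolver addresses. Rule name and helper names are assumptions.
# Usage on the router:  dns_block_rule_cmds Block-Google-DNS 8.8.8.8 8.8.4.4 | sh
dns_block_rule_cmds() {
    name="$1"
    shift
    [ "$#" -ge 1 ] || { echo "need at least one destination address" >&2; return 1; }
    echo "uci add firewall rule"
    echo "uci set firewall.@rule[-1].name='$name'"
    echo "uci set firewall.@rule[-1].src='lan'"
    echo "uci set firewall.@rule[-1].dest='wan'"
    # proto is a UCI list, so one add_list per protocol
    echo "uci add_list firewall.@rule[-1].proto='tcp'"
    echo "uci add_list firewall.@rule[-1].proto='udp'"
    # Leaving dest_port empty would block ALL traffic to these addresses;
    # leaving dest_ip empty would block DNS to every address in the wan zone.
    echo "uci set firewall.@rule[-1].dest_port='53'"
    for ip in "$@"; do
        echo "uci add_list firewall.@rule[-1].dest_ip='$ip'"
    done
    echo "uci set firewall.@rule[-1].target='REJECT'"
    echo "uci commit firewall"
    # The new rule is appended after existing rules; rule order still matters,
    # so check its position (e.g. in LuCI) before relying on it.
    echo "/etc/init.d/firewall restart"
}

# Sanity check before piping into sh: count dest_ip entries in the generated
# command list (reads from stdin).
count_dest_ips() {
    grep -c "dest_ip="
}
```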

I tried: tracert -d 8.8.8.8

and: nslookup google.com 8.8.8.8

and I have access to Google DNS with both tests :thinking: :thinking:

I did that with Windows cmd.

Did you double-check that the network settings on your computer are set to use Google DNS (and only Google DNS)? Also, did you verify that the changes have been applied to the firewall on the router?