I'm trying to block Google DNS on my network. I followed a tutorial on the internet, but its OpenWrt build is older than mine, so I'm not sure if I'm OK... In the doc, I see:
Match ICMP type: any
Source zone: Select lan
Source MAC address: any
Source address: any
On my build, I don't have the ''any'' option, so what do you think I should do?
You should be able to block DNS to 188.8.131.52 by simply adding destination port 53 to the rule you already have. Keep in mind, though, that you only block one such DNS service/IP address with this rule (184.108.40.206 is another Google DNS server, 220.127.116.11 and 18.104.22.168 are Cloudflare, and so on). If you want to block all non-whitelisted DNS servers (or ensure that only the one you have running on your own network is functional), remove the destination address and just keep the destination zone as WAN.
Yes, I will do the same with 22.214.171.124 as well.
Just re-reading this -- what version of OpenWrt are you using? What is your device?
R7800 with the latest Hnyman build.
And what about the source address? The doc says to select ''any'', but I don't have this option. If I don't select anything, am I OK?
Just the zone is sufficient. If you see "--add IP--" in your interface, that means that there isn't currently a specific address added, and that is then interpreted as "any".
BTW, I pinged Google DNS in cmd. I thought I wouldn't be able to, but the ping still goes through:
bytes=32 time=298ms TTL=49
bytes=32 time=519ms TTL=49
bytes=32 time=430ms TTL=49
bytes=32 time=129ms TTL=49
Ping will still work, but DNS won't. If you want to block everything, take out the destination port.
OK, and is there a way to check whether Google DNS still works or not?
Set your computer's network settings manually - specifically, set the DNS server to only 126.96.36.199. Then try to open a web page or ping a site by its domain name (preferably one you haven't visited recently, to avoid a possible local cache of the DNS records).
Destination port or address? You mean address? Just keep 53?
I added 188.8.131.52 and 184.108.40.206 as the manual DNS servers on my laptop, and unfortunately I can still open any web page and ping websites...
Port 53 is DNS. If you want to specifically block DNS requests, use this in the destination port. (It won't block other services or pings.) If left empty, it will block everything to the address.
The destination address is specified if you want to block a specific address, not all addresses. If left empty, it will block all on the specified zone (WAN in this case).
If you do not specify an address and also do not specify a port, it will block all internet traffic.
OK, thanks for the info. I can still access websites and/or ping sites, but I guess it works.
Post your latest config - I’ll check to see if it looks right.
Here we go, thanks again.
EDIT: I removed port 53; still the same result.
That should work. But order matters, so make sure it is in the right place.
Also, you can combine both of those rules into a single one - just add the IP address to the first rule and remove the second one.
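To make the rule semantics discussed above concrete (destination port 53 blocks only DNS, an empty destination address means every address in the WAN zone, an empty destination port means every port, and the first matching rule wins), here is an added example that is not part of the thread: a small Python model of how an OpenWrt `config rule` section is matched, evaluated against a few sample packets, plus a renderer that prints the rule the way it appears in `/etc/config/firewall`. The resolver addresses `203.0.113.53` and `198.51.100.53` are constructed placeholders from the RFC 5737 documentation range, standing in for the Google addresses quoted in the thread. One caveat the model includes: when `proto` is omitted, fw3 defaults it to `tcp udp` (as documented for OpenWrt firewall rules), so a rule with no port still does not touch ICMP unless `proto` is set to `all`.

```python
# Added example (not from the thread): model of how an OpenWrt firewall
# 'rule' section is matched, to show what an empty dest_ip / dest_port
# does and why rule order matters.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src_zone: str
    dest_zone: str
    proto: str                        # 'tcp', 'udp' or 'icmp'
    dest_ip: str
    dest_port: Optional[int] = None   # None for ICMP


@dataclass
class Rule:
    """Subset of a 'config rule' section. An empty tuple means 'match any'."""
    name: str
    src: str
    dest: str
    target: str                                  # ACCEPT, REJECT or DROP
    proto: Tuple[str, ...] = ('tcp', 'udp')      # fw3 default when proto is omitted
    dest_ip: Tuple[str, ...] = ()                # empty: any address in the dest zone
    dest_port: Tuple[int, ...] = ()              # empty: any port

    def matches(self, p: Packet) -> bool:
        proto_ok = 'all' in self.proto or p.proto in self.proto
        return (p.src_zone == self.src and p.dest_zone == self.dest and proto_ok
                and (not self.dest_ip or p.dest_ip in self.dest_ip)
                and (not self.dest_port or p.dest_port in self.dest_port))


def decide(rules, packet: Packet, zone_policy: str = 'ACCEPT') -> Tuple[str, str]:
    """Rules are tried in config order and the first match wins; otherwise the
    lan->wan forwarding policy (ACCEPT on a default OpenWrt install) applies."""
    for r in rules:
        if r.matches(packet):
            return r.target, r.name
    return zone_policy, 'zone forwarding'


def to_uci(r: Rule) -> str:
    """Render the rule as it would appear in /etc/config/firewall."""
    lines = ["config rule",
             "\toption name '%s'" % r.name,
             "\toption src '%s'" % r.src,
             "\toption dest '%s'" % r.dest,
             "\toption target '%s'" % r.target]
    if r.proto != ('tcp', 'udp'):
        lines.append("\toption proto '%s'" % ' '.join(r.proto))
    for ip in r.dest_ip:   # several resolvers go into one rule as several list entries
        lines.append("\tlist dest_ip '%s'" % ip)
    if r.dest_port:
        lines.append("\toption dest_port '%s'" % ' '.join(map(str, r.dest_port)))
    return '\n'.join(lines)


# Constructed placeholder addresses (RFC 5737 documentation range); put the
# real resolver addresses from the thread here.
RESOLVER, OTHER_RESOLVER = '203.0.113.53', '198.51.100.53'


def scenarios() -> dict:
    dns = Packet('lan', 'wan', 'udp', RESOLVER, 53)
    other_dns = Packet('lan', 'wan', 'udp', OTHER_RESOLVER, 53)
    ping = Packet('lan', 'wan', 'icmp', RESOLVER)
    https = Packet('lan', 'wan', 'tcp', RESOLVER, 443)

    one = Rule('Block DNS to one resolver', 'lan', 'wan', 'REJECT', dest_ip=(RESOLVER,), dest_port=(53,))
    all_dns = Rule('Block all outbound DNS', 'lan', 'wan', 'REJECT', dest_port=(53,))
    everything = Rule('Block everything to resolver', 'lan', 'wan', 'REJECT', dest_ip=(RESOLVER,))
    really_everything = Rule('Block everything incl. ICMP', 'lan', 'wan', 'REJECT',
                             proto=('all',), dest_ip=(RESOLVER,))
    allow_one = Rule('Allow our resolver', 'lan', 'wan', 'ACCEPT', dest_ip=(RESOLVER,), dest_port=(53,))

    return {
        'one_resolver/dns': decide([one], dns)[0],                    # REJECT
        'one_resolver/other_dns': decide([one], other_dns)[0],        # ACCEPT: only that one IP is covered
        'one_resolver/ping': decide([one], ping)[0],                  # ACCEPT: a port-53 rule never touches ICMP
        'all_dns/other_dns': decide([all_dns], other_dns)[0],         # REJECT: no dest_ip => every WAN address
        'all_dns/https': decide([all_dns], https)[0],                 # ACCEPT: other ports untouched
        'everything/https': decide([everything], https)[0],           # REJECT: no dest_port => every port
        'everything/ping': decide([everything], ping)[0],             # ACCEPT: proto defaulted to tcp udp
        'really_everything/ping': decide([really_everything], ping)[0],  # REJECT once proto is 'all'
        'order/allow_first': decide([allow_one, all_dns], dns)[0],    # ACCEPT
        'order/block_first': decide([all_dns, allow_one], dns)[0],    # REJECT: same rules, other order
    }


if __name__ == '__main__':
    for key, verdict in scenarios().items():
        print('%-26s %s' % (key, verdict))
    print(to_uci(Rule('Block all outbound DNS', 'lan', 'wan', 'REJECT', dest_port=(53,))))
```

The two `order/*` entries are the point made about rule order: an ACCEPT for your own resolver has to sit above the catch-all REJECT, or it never fires. The `to_uci` output for the last rule is the "no destination address, port 53, zone WAN" variant; adding a second `list dest_ip` line is how two addresses are folded into one rule.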
I tried: tracert -d 220.127.116.11
and: nslookup google.com 18.104.22.168
and I have access to Google DNS with both tests.
I did that in Windows cmd.
Did you double-check that the network settings on your computer are set to use Google DNS (and only Google DNS)? Also, did you verify that the changes have been applied to the firewall in the router?
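For the "is the rule actually applied?" check, here is an added example that is not part of the thread: a Python script that sends one raw DNS query over UDP from the LAN client to the resolver address you pass on the command line and reports what came back. Unlike a browser or ping it cannot be satisfied from a local cache, and unlike `nslookup` it distinguishes a REJECT rule (the router answers with ICMP unreachable, which a connected UDP socket reports as a connection error) from a DROP rule or dead path (nothing comes back before the timeout). The query name `example.com`, the 2-second timeout and the constructed sample response used for the offline check are assumptions of this example.

```python
# Added example (not from the thread): send one raw DNS query over UDP and
# classify the outcome as answered, rejected, or dropped.
import random
import socket
import struct
import sys


def build_query(name: str, qid: int) -> bytes:
    """Build a standard A query (RD set) for `name` with transaction id `qid`."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.strip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', 1, 1)        # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes):
    """Return (qid, rcode, [A record addresses]) from a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack('!HHHHHH', data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return qid, flags & 0x000F, addrs


def probe(server: str, name: str = 'example.com', timeout: float = 2.0) -> str:
    """Classify what happens to a UDP/53 query sent from this host to `server`."""
    qid = random.randrange(65536)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((server, 53))        # connected socket: ICMP errors surface as exceptions
        s.send(build_query(name, qid))
        data = s.recv(512)
    except socket.timeout:
        return 'NO ANSWER in %.1fs: dropped (DROP rule, or the resolver is unreachable)' % timeout
    except (ConnectionRefusedError, ConnectionResetError):
        return 'REJECTED: ICMP unreachable came back (REJECT rule on the router, or port 53 closed)'
    except OSError as e:
        return 'UNREACHABLE: %s' % e
    finally:
        s.close()
    rqid, rcode, addrs = parse_response(data)
    if rqid != qid:
        return 'odd reply: transaction id mismatch'
    if rcode != 0:
        return 'REACHABLE, but rcode %d for %s' % (rcode, name)
    return 'REACHABLE: %s resolved %s to %s' % (server, name, ', '.join(addrs) or '(no A records)')


# Constructed response for offline checking: an answer for google.com pointing
# at a made-up address (RFC 5737 range), with the name compressed (0xC00C).
SAMPLE_RESPONSE = (struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 1, 0, 0)
                   + b'\x06google\x03com\x00' + struct.pack('!HH', 1, 1)
                   + b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 60, 4) + bytes([192, 0, 2, 10]))


if __name__ == '__main__':
    for server in sys.argv[1:]:
        print(probe(server))
```

Run it from the laptop on the LAN with the resolver address as the argument. Because the packet is addressed straight to that resolver, the laptop's configured DNS servers play no part in the result: a REACHABLE line means the router forwarded the query, so the firewall rule is not matching (wrong zone, wrong order, or not yet applied); REJECTED means the rule is in effect.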