Weird issue with ER605 V2, DOH and Static Routes.
Weird issue with ER605 V2, DOH and Static Routes.
I am playing around with blocking DNS servers, after my Raspberry PiHole died. I am trying both NextDNS and ControlD and have set them up in Services/DNS Proxy/DOH and everything is working, and I can switch between them without issue.
I noticed that my Roku TV was still making calls to Google's servers at 8.8.8.8 and 8.8.4.4, so I set up two static routes, in order to push the requests back to the router/DOH. With the static routes, everything works. But if the static routes are enabled, and I switch from one DoH to the other, I lose the network, which then takes about 20 minutes to sort itself out. Now if I disable the routes and then switch the DOH servers, and then re-enable the routes, everything works right away.
I read about blocking Google's DNS servers, and it is pretty straightforward. There are many guides for multiply brands of routers. I did notice some of the guides suggest setting the metric to "2", but I have no idea if that would make a difference. TP-Link says the metric is a priority setting, yet some routers say it the number of hops, so I left it at "0", default as suggested by the "?" link in the ER605.
Any idea why it would do this?
Thanks!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
That won't work.
What you instructed the TP-Link router was to sent any request to 8.8.8.8 public IPs reachable only on the WAN side to be redirected to itself on the LAN.
To avoid Roku going to Internet could be tricky, you need to check the Roku configuration to ensure it's getting the TP-Link router IP as its DNS server, so then DoH will follow as expected.
Keep in mind, that if a Roku App has hard coded DNS servers (I mean it doesn't care about what Roku itself provides) then you will need to do so in the Roku App (if possible, sometimes is not).
For example, you could also bypass the TP-Link as DNS (DoH) if you configure it on your Chrome browser, and the only way to prevent browsers from leaking DNS, will be to put a firewall rule in the TP-Link to forbid outgoing DNS request (Not only on the port 53, but the others related to DNSoverTLS, DNSoverHTTP, etc.), so you really ensure your TP-Link router is the only DNS server available in the LAN.
- Copy Link
- Report Inappropriate Content
This is a Roku TV, and some apps like Netflix show the DNS servers. Netflix shows, 192.168.0.1 of the ER605, followed by 8.8.8.8 / 8.8.4.4. Was told that these are only fallback servers. I did a search, and all say to do what I did with routing, but you're saying it won't work, so I'll take your word. But as it's set up, no one on my LAN can reach 8.8.8.8 / 8.8.4.4.
Here is one of the sites I read up on how to do this...had to edit the link as this forum said it was an illegal link.
https://support dot unlocator dot com/article/131-how-to-bypass-forced-dns-on-roku
Anyhow, they are using regular DNS, not DoH or DoT, so not sure if that makes a difference.
I have only seen a few requests to 8.8.8.8 / 8.8.4.4, so, I'll delete the routes and figure out your last suggestion about blocking ports.
Thanks!
- Copy Link
- Report Inappropriate Content
I have IoTs devices from Google/TP-Link, all regular streaming services (e.g. Netflix, Amazon), no torrents!, no UPnP cheaters (is disabled on all routers).
Apart from one weird Android Apps with strange HTTPS ports, these rules works like a charm for no DNS leaking.
The ER605 is upwards to two ISP. Downwards WiFi is serve via TP-Link Deco M9 Plus.
- Copy Link
- Report Inappropriate Content
@olafrv Would I need all those rules, or just the DNS? I don't do torrents at home, as I got a seedbox for that.
- Copy Link
- Report Inappropriate Content
Those rules are for complete close down to the feasible minimum, and still there is a possibility of leak.
If you only want to block Google DNS (because your device Roku and all Apps installed are dummy aka. "standard"), you have two options:
- Per IP is tricky, if you only want to block Google, will be enough with a rule per each IP.
But be aware that some Devices/Apps can use different servers if not available the Google Ones (and fool you completely).
AND/OR:
- Per Port, depending on what you want to achieve several ports requires blocking, so I will give you counter examples (now more and more common on IoTs):
- Some Devices/Apps use the traditional DNS on port UDP/53, if you have a local DNS server like Pihole then TCP/53 is also needed.
- Some (Smart) Devices/Apps switch to DoH (DNS over HTTPS) so you need to block TCP/443, but you can't, or ... Youtube will fail if you miss an IP in the rule.
- Some (Smart) Devices/Apps switch to DoS (DNS over TLS) so you need to block por TCP/853.
The recommendation will be to start with 1-2 rules and add more rules, until you get the desired behavior.
Be careful when blocking DNS on the ER605, whatever is downward will suffer instantly if something fails, you will notice it just later (due to DNS caches).
- Copy Link
- Report Inappropriate Content
I see you have "block all" as the last entry...So, I assume any line/port above marked "allow", overrides the block all, and the block all just picks up anything that tries to get by?
I'll give your entire list a try, after my wife ends her work day. She gets annoyed when I "accidentally" cut her off. She uses Citrix, so, I have to keep that in mind.
Thanks for all your help!
- Copy Link
- Report Inappropriate Content
@Hemicrusher correct last line picks everything else.
- Copy Link
- Report Inappropriate Content
One more question...
I see you have blocks on MC_UDP, and MC_TCP, but do not see that as available choices in the "Service Type" dropdown. How were those added?
And Citrix is easy as it only uses TCP 80/443
Thanks!
- Copy Link
- Report Inappropriate Content
-- | 13 | HTTPS | TCP | Source Port = 0-65535; Destination Port = 443-443 | HTTPS |
-- | 14 | MC_TCP | TCP | Source Port = 0-65535; Destination Port = 25565-25565 | Minecraft Java |
-- | 15 | MC_UDP | UDP | Source Port = 0-65535; Destination Port = 19132-19132 | Minecraft Bedrock |
-- | 16 | VPN_CAC | UDP | Source Port = 0-65535; Destination Port = 443-443 | Cisco AnyConnect VPN |
-- | 17 | VPN_EXP | TCP/UDP | Source Port = 0-65535; Destination Port = 1195-1195 | ExpressVPN |
-- | 18 | DNS_TLS | TCP | Source Port = 0-65535; Destination Port = 853-853 |
- Copy Link
- Report Inappropriate Content
Thanks again!
This is about the best explanation, and solution to my question...and, the firewall in the ER605 makes perfect sense now.
Have a great weekend!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2998
Replies: 16
Voters 0
No one has voted for it yet.