Weird issue with ER605 V2, DOH and Static Routes.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-03-16 18:26:52 - last edited 2023-03-16 18:31:35
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2 Build 20230210 Rel.62992

I am playing around with blocking DNS servers, after my Raspberry PiHole died. I am trying both NextDNS and ControlD and have set them up in Services/DNS Proxy/DOH and everything is working, and I can switch between them without issue.

I noticed that my Roku TV was still making calls to Google's servers at 8.8.8.8 and 8.8.4.4, so I set up two static routes, in order to push the requests back to the router/DOH. With the static routes, everything works. But if the static routes are enabled, and I switch from one DoH to the other, I lose the network, which then takes about 20 minutes to sort itself out. Now if I disable the routes and then switch the DOH servers, and then re-enable the routes, everything works right away.

I read about blocking Google's DNS servers, and it is pretty straightforward. There are many guides for multiple brands of routers. I did notice some of the guides suggest setting the metric to "2", but I have no idea if that would make a difference. TP-Link says the metric is a priority setting, yet some routers say it is the number of hops, so I left it at "0", the default as suggested by the "?" link in the ER605.

Any idea why it would do this?

Thanks!
#1
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 14:33:44 - last edited 2023-03-17 14:37:05

@Hemicrusher

That won't work.

What you instructed the TP-Link router to do was to send any request to 8.8.8.8, public IPs reachable only on the WAN side, to be redirected to itself on the LAN.

Avoiding Roku going to the Internet could be tricky; you need to check the Roku configuration to ensure it's getting the TP-Link router IP as its DNS server, so then DoH will follow as expected.

Keep in mind that if a Roku app has hard-coded DNS servers (I mean it doesn't care about what Roku itself provides), then you will need to do so in the Roku app (if possible; sometimes it is not).

For example, you could also bypass the TP-Link as DNS (DoH) if you configure it on your Chrome browser, and the only way to prevent browsers from leaking DNS will be to put a firewall rule in the TP-Link to forbid outgoing DNS requests (not only on port 53, but the others related to DNS over TLS, DNS over HTTPS, etc.), so you really ensure your TP-Link router is the only DNS server available in the LAN.

TP-Link User Since 2008
#2
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 16:04:53 - last edited 2023-03-17 16:05:52

@olafrv

This is a Roku TV, and some apps like Netflix show the DNS servers. Netflix shows 192.168.0.1 of the ER605, followed by 8.8.8.8 / 8.8.4.4. I was told that these are only fallback servers. I did a search, and all say to do what I did with routing, but you're saying it won't work, so I'll take your word. But as it's set up, no one on my LAN can reach 8.8.8.8 / 8.8.4.4.

Here is one of the sites I read up on how to do this... had to edit the link as this forum said it was an illegal link.

https://support dot unlocator dot com/article/131-how-to-bypass-forced-dns-on-roku

Anyhow, they are using regular DNS, not DoH or DoT, so not sure if that makes a difference.

I have only seen a few requests to 8.8.8.8 / 8.8.4.4, so I'll delete the routes and figure out your last suggestion about blocking ports.

Thanks!

#3
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 16:18:50

@Hemicrusher

I have IoT devices from Google/TP-Link, all regular streaming services (e.g. Netflix, Amazon), no torrents!, no UPnP cheaters (it is disabled on all routers).

Apart from one weird Android app with strange HTTPS ports, these rules work like a charm for no DNS leaking.

The ER605 is upwards to two ISPs. Downwards WiFi is served via TP-Link Deco M9 Plus.

TP-Link User Since 2008
#4
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 16:47:51

  @olafrv Would I need all those rules, or just the DNS? I don't do torrents at home, as I got a seedbox for that.

#5
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 17:13:03

@Hemicrusher

Those rules are for a complete close-down to the feasible minimum, and still there is a possibility of a leak.

If you only want to block Google DNS (because your Roku device and all apps installed are dummy, aka "standard"), you have two options:

- Per IP is tricky; if you only want to block Google, a rule for each IP will be enough.

  But be aware that some devices/apps can use different servers if the Google ones are not available (and fool you completely).

AND/OR:

- Per port: depending on what you want to achieve, several ports require blocking, so I will give you counter-examples (now more and more common on IoT):

  - Some devices/apps use the traditional DNS on port UDP/53; if you have a local DNS server like Pihole then TCP/53 is also needed.

  - Some (smart) devices/apps switch to DoH (DNS over HTTPS), so you need to block TCP/443, but you can't, or ... YouTube will fail if you miss an IP in the rule.

  - Some (smart) devices/apps switch to DoT (DNS over TLS), so you need to block port TCP/853.

The recommendation will be to start with 1-2 rules and add more rules, until you get the desired behavior.

Be careful when blocking DNS on the ER605: whatever is downward will suffer instantly if something fails, and you will notice it only later (due to DNS caches).

TP-Link User Since 2008
#6
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 17:24:06

@olafrv

I see you have "block all" as the last entry... So, I assume any line/port above marked "allow" overrides the block all, and the block all just picks up anything that tries to get by?

I'll give your entire list a try, after my wife ends her work day. She gets annoyed when I "accidentally" cut her off. She uses Citrix, so I have to keep that in mind.

Thanks for all your help!

#7
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 17:29:36

@Hemicrusher Correct, the last line picks up everything else.

TP-Link User Since 2008
#8
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 17:56:10 - last edited 2023-03-17 17:57:11

@olafrv

One more question...

I see you have blocks on MC_UDP and MC_TCP, but do not see those as available choices in the "Service Type" dropdown. How were those added?

And Citrix is easy as it only uses TCP 80/443.

Thanks!

#9
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 18:02:56

@Hemicrusher

13  HTTPS    TCP      Source Port = 0-65535; Destination Port = 443-443      HTTPS
14  MC_TCP   TCP      Source Port = 0-65535; Destination Port = 25565-25565  Minecraft Java
15  MC_UDP   UDP      Source Port = 0-65535; Destination Port = 19132-19132  Minecraft Bedrock
16  VPN_CAC  UDP      Source Port = 0-65535; Destination Port = 443-443      Cisco AnyConnect VPN
17  VPN_EXP  TCP/UDP  Source Port = 0-65535; Destination Port = 1195-1195    ExpressVPN
18  DNS_TLS  TCP      Source Port = 0-65535; Destination Port = 853-853

TP-Link User Since 2008
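The rule ordering olafrv describes in #5 and #7 (per-IP and per-port blocks, "allow" lines above a final "block all", first match wins) together with custom service entries like the ones listed in #9 can be exercised with a small first-match evaluator before anything is applied to a live router. The following is an added example written for this thread, not code from TP-Link or from either poster. It assumes first-match-wins semantics as the thread states them, uses constructed service and rule entries rather than an ER605 export, and uses 192.168.0.1 (the router address from #2) plus documentation-range addresses for the sample flows.

```python
"""Toy first-match firewall evaluator for reasoning about DNS-egress rules.

Constructed example for this thread, not an ER605 export and not TP-Link code.
Assumption: rules are evaluated top to bottom, first match wins, and a final
"block all" entry catches everything that no earlier line matched.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service definitions in the style of the router's service table:
# name -> (protocol, (lowest destination port, highest destination port)).
SERVICES = {
    "DNS":     ("udp", (53, 53)),
    "DNS_TCP": ("tcp", (53, 53)),
    "DNS_TLS": ("tcp", (853, 853)),
    "HTTPS":   ("tcp", (443, 443)),
    "HTTP":    ("tcp", (80, 80)),
    "ANY":     ("any", (0, 65535)),
}


@dataclass(frozen=True)
class Flow:
    """One LAN-to-WAN connection attempt, reduced to what the rules look at."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "block"
    service: str             # key into SERVICES
    dst: str = "0.0.0.0/0"   # destination network; default is any address

    def matches(self, flow: Flow) -> bool:
        proto, (lo, hi) = SERVICES[self.service]
        if proto != "any" and proto != flow.proto:
            return False
        if not lo <= flow.dport <= hi:
            return False
        return ip_address(flow.dst) in ip_network(self.dst)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule.

    If nothing matches, this model treats the flow as blocked and reports no
    rule name, so a list without a catch-all shows up clearly in an audit.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "block", None


def ends_with_catch_all(rules: List[Rule]) -> bool:
    """True when the last entry is the 'block all' line the thread recommends."""
    last = rules[-1]
    return last.action == "block" and last.service == "ANY" and last.dst == "0.0.0.0/0"


ROUTER_LAN_IP = "192.168.0.1/32"   # router LAN address mentioned in the thread

# Constructed rule list: allow lines sit above the blocks they carve out of,
# per-IP lines sit above the generic HTTPS allow, and "block all" is last.
RULES = [
    Rule("dns-to-router", "allow", "DNS", ROUTER_LAN_IP),
    Rule("dns-tcp-to-router", "allow", "DNS_TCP", ROUTER_LAN_IP),
    Rule("block-plain-dns", "block", "DNS"),          # per port: UDP/53 anywhere
    Rule("block-plain-dns-tcp", "block", "DNS_TCP"),  # per port: TCP/53 anywhere
    Rule("block-dot", "block", "DNS_TLS"),            # per port: TCP/853 anywhere
    Rule("block-google-doh-1", "block", "HTTPS", "8.8.8.8/32"),  # per IP: DoH to Google
    Rule("block-google-doh-2", "block", "HTTPS", "8.8.4.4/32"),
    Rule("web-https", "allow", "HTTPS"),              # generic 443 has to stay open
    Rule("web-http", "allow", "HTTP"),
    Rule("block-all", "block", "ANY"),
]

ROKU = "192.168.0.50"             # constructed LAN address for the TV
VIDEO_CDN = "203.0.113.10"        # constructed (documentation range) HTTPS host
OTHER_RESOLVER = "203.0.113.53"   # constructed resolver not on the per-IP list

SAMPLE_FLOWS = [
    Flow(ROKU, "192.168.0.1", "udp", 53),    # DNS to the router itself
    Flow(ROKU, "8.8.8.8", "udp", 53),        # plain DNS to Google
    Flow(ROKU, OTHER_RESOLVER, "tcp", 853),  # DoT to some other resolver
    Flow(ROKU, "8.8.8.8", "tcp", 443),       # DoH to Google
    Flow(ROKU, OTHER_RESOLVER, "tcp", 443),  # DoH to an unlisted resolver
    Flow(ROKU, VIDEO_CDN, "tcp", 443),       # ordinary streaming traffic
    Flow(ROKU, VIDEO_CDN, "tcp", 25565),     # something no allow line covers
]


def audit(rules: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str, Optional[str]]]:
    """Evaluate every sample flow so the rule set can be reviewed before deployment."""
    return [(f, *evaluate(rules, f)) for f in flows]


if __name__ == "__main__":
    if not ends_with_catch_all(RULES):
        print("warning: rule list does not end with a block-all line")
    for flow, action, rule in audit(RULES, SAMPLE_FLOWS):
        print(f"{flow.proto}/{flow.dport:<5} {flow.dst:<15} -> {action:5} ({rule})")
```

Running it shows the three outcomes the thread talks about: the per-port lines catch plain DNS and DoT to any resolver, the per-IP lines catch DoH only to the addresses actually listed, and DoH to an unlisted resolver on 443 still passes on the generic HTTPS allow, which is the leak olafrv warns about in #5. The `ends_with_catch_all` check is the cheap sanity test to run after every edit of the list, since the block-all line only works if it stays last.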
#10
Re:Weird issue with ER605 V2, DOH and Static Routes.
2023-03-17 18:56:38

@olafrv

Thanks again!

This is about the best explanation and solution to my question... and the firewall in the ER605 makes perfect sense now.

Have a great weekend!
#11