Unbound DNS Override not working

Started by RobLatour, March 08, 2021, 09:12:38 PM

March 18, 2021, 02:23:28 PM #15 Last Edit: March 18, 2021, 02:28:52 PM by chemlud
Hi!

You should NOT have an "allow any any" rule on LAN. Allow single ports, such as HTTP, HTTPS, SMTPS, IMAPS and whatever else you need on LAN (choose TCP/UDP, depending on the port/your needs).

Then you have one rule on LAN (for IPv4; I only use IPv4, if you use IPv6 add an additional one for IPv6), nothing else. See attachment.

If you want to keep the "allow any any", you place on TOP of your LAN rules a "BLOCK UDP/TCP !LAN address" (the "!" is "invert", so the rule will block anything on port 53 TCP/UDP EXCEPT to your firewall ("LAN address"))...

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

chemlud

Thank you very much for this, it was very helpful - especially the image file which you provided.

I've set this up according to your advice and it appears to be working fine.

I really do appreciate the help and advice from you and pmhausen!


Quote from: chemlud on March 18, 2021, 02:23:28 PM
If you want to keep the "allow any any" you place on TOP of your LAN rules a "BLOCK UDP/TCP !LAN address" (the "!" is "invert", so the rule will block anything on port 53 TCP/UDP EXCEPT to your firewall ("LAN address")....
An (IMHO) better alternative to blocking outgoing DNS queries is to redirect them to your firewall's recursive nameserver.

NAT - Port Forward
Interface: LAN
Source: any
Destination: any
TCP/UDP
Destination Port: DNS
Redirect Target IP: 127.0.0.1
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

pmhausen: thank you, I may give that a try as I've noticed that since making the other changes it does take some additional time to resolve some addresses - may be a coincidence, but I would like to try this to see if it helps.

One question, would I not identify the source port range as DNS as well?

Quote from: RobLatour on March 20, 2021, 01:10:44 PM
pmhausen: thank you, I may give that a try as I've noticed that since making the other changes it does take some additional time to resolve some addresses - may be a coincidence, but I would like to try this to see if it helps.

One question, would I not identify the source port range as DNS as well?

Nope, the source port is usually random. Only the target port is usable...
kind regards
chemlud
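As an added illustration (constructed model, not OPNsense code or anything posted in this thread), the following script models the two approaches discussed above: chemlud's "block port 53 to !LAN address" rule on top of the LAN rules, and pmhausen's NAT port-forward that redirects port 53 to the firewall's own resolver. It also shows why matching on the source port, as asked in the question above, would make the rule miss every real client query. The firewall LAN address 192.168.1.1 and the client address are assumed values.

```python
from dataclasses import dataclass, replace
import random

FIREWALL_LAN_IP = "192.168.1.1"   # assumed "LAN address" of the firewall (constructed)
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def is_dns(pkt: Packet) -> bool:
    return pkt.proto in ("tcp", "udp") and pkt.dport == DNS_PORT


def block_external_dns(pkt: Packet, match_source_port: bool = False) -> str:
    """Model of the rule 'BLOCK TCP/UDP, destination !LAN address, port 53'.

    Returns "block" or "pass". The invert ("!") means the destination matches
    when it is NOT the firewall's LAN address. With match_source_port=True the
    rule additionally requires source port 53, which real clients never use."""
    if is_dns(pkt) and pkt.dst != FIREWALL_LAN_IP:
        if match_source_port and pkt.sport != DNS_PORT:
            return "pass"           # rule never matches an ephemeral source port
        return "block"
    return "pass"                   # everything else falls through to later rules


def nat_redirect_dns(pkt: Packet) -> Packet:
    """Model of the NAT port-forward: LAN, source any, destination any,
    TCP/UDP port 53, redirect target 127.0.0.1 (the firewall's resolver)."""
    if is_dns(pkt):
        return replace(pkt, dst="127.0.0.1", dport=DNS_PORT)
    return pkt


def client_query(dst: str, proto: str = "udp") -> Packet:
    """Constructed sample query from a LAN client; the OS picks a random
    ephemeral source port, which is why source-port matching is useless."""
    return Packet(proto, "192.168.1.50", random.randint(49152, 65535), dst, DNS_PORT)


if __name__ == "__main__":
    q = client_query("8.8.8.8")
    print("block rule:", block_external_dns(q))                       # block
    print("redirected to:", nat_redirect_dns(q).dst)                  # 127.0.0.1
    print("to firewall:", block_external_dns(client_query(FIREWALL_LAN_IP)))  # pass
```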

pmhausen: I have much to learn, thank you :-) . Changes applied.