Author Topic: UBound DNS Override not working (Read 9879 times)

chemlud · « **Reply #15 on:** March 18, 2021, 02:23:28 pm »

Hi!

You should NOT have a "allow any any" rule on LAN. Allow single ports, such as HTTP, HTTPS, SMTPs, IMAPs and whatever you need else on LAN (choose TCP/UDP, depending on the port/your needs).

Then you have one rule (for ipv4, I only use ipv4, if you use ipv6 add an additional one for ipv6) on LAN, nothing else. See attachment.

If you want to keep the "allow any any" you place on TOP of your LAN rules a "BLOCK UDP/TCP !LAN address" (the "!" is "invert", so the rule will block anything on port 53 TCP/UDP EXCEPT to your firewall ("LAN address")....

RobLatour · « **Reply #16 on:** March 18, 2021, 05:01:38 pm »

chemlud

thank you very much for this, it was very helpful - especially the image file which you provided.

I've set this up according to your advice and it appears to be working fine.

I really do appreciate the help and advice from you and pmhausen!

Patrick M. Hausen · « **Reply #17 on:** March 19, 2021, 09:02:32 am »

Quote from: chemlud on March 18, 2021, 02:23:28 pm

If you want to keep the "allow any any" you place on TOP of your LAN rules a "BLOCK UDP/TCP !LAN address" (the "!" is "invert", so the rule will block anything on port 53 TCP/UDP EXCEPT to your firewall ("LAN address")....

An (IMHO) better alternative to blocking outgoing DNS queries is to redirect them to your firewall's recursive nameserver.

NAT - Port Forward
Interface: LAN
Source: any
Destination: any
TCP/UDP
Destination Port: DNS
Redirect Target IP: 127.0.0.1

RobLatour · « **Reply #18 on:** March 20, 2021, 01:10:44 pm »

pmhausen: thank you, I may give that a try as I've noticed that since making the other changes it does take some additional time to resolve some addresses - may be a coincidence, but I would like to try this to see if it helps.

One question, would I not identify the source port range as DNS as well?

chemlud · « **Reply #19 on:** March 20, 2021, 02:05:43 pm »

Quote from: RobLatour on March 20, 2021, 01:10:44 pm

pmhausen: thank you, I may give that a try as I've noticed that since making the other changes it does take some additional time to resolve some addresses - may be a coincidence, but I would like to try this to see if it helps.

One question, would I not identify the source port range as DNS as well?

Nope, source port is usually random. Only target port is usable...

RobLatour · « **Reply #20 on:** March 20, 2021, 03:11:42 pm »

pmhausen: I have much to learn, thank you :-) . Changes applied.

Author Topic: UBound DNS Override not working (Read 9879 times)

chemlud

Re: UBound DNS Override not working

RobLatour

Re: UBound DNS Override not working

Patrick M. Hausen

Re: UBound DNS Override not working

RobLatour

Re: UBound DNS Override not working

chemlud

Re: UBound DNS Override not working

RobLatour

Re: UBound DNS Override not working