Question Router Access Control List to prevent users from using alternate DNS

Dec 29, 2018
Thank you to anyone that takes the time to read this. I have an AC750 Archer C2 router and I am using OpenDNS. I have set the DNS for the WAN to OpenDNS's servers and I'm trying to follow their instructions: ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on port 53, and BLOCK TCP/UDP IN/OUT to all IP addresses on port 53. I've added the host as the whole range of IPs available (192.168.1.0 - 192.168.1.199) on port 53 and named it "All", and the target is OpenDNS's server #1 (208.67.222.222), named "OpenDNS1". I'm just focusing on getting one working right, then I'll add the second. For the schedule I have selected all the time available, 24/7.

Here is the table in the router control list now:
Description    LAN Host   Target    Schedule   Rule    Status
Allow DNS IN   Any Host   OpenDNS1  Any Time   Allow   Enabled
Allow DNS out  Any Host   OpenDNS1  Any Time   Allow   Enabled
all in         All        Any Host  Any Time   Deny    Enabled
all out        All        Any Host  Any Time   Deny    Enabled

I've played around with the rules a ton. At one point I had it so I could use the OpenDNS server if my PC was set to auto-set the DNS, but if I changed it to Google's DNS of 8.8.8.8 then it bypassed OpenDNS and showed adult content and stuff that I don't want. I had IPv6 on before and I was getting weird results; when I turned IPv6 off it was working as long as I didn't change the DNS.
I've been flushing the DNS resolver cache via ipconfig /flushdns, but that doesn't seem to help. I can get a little impatient when trying different rules out; should I try resetting the router/each device after I change the rules? Or will it be near instant like I'm hoping?
My end goal is to have only 2 devices that are allowed to bypass OpenDNS and use their own/Google's DNS.
Thanks for the help!
Since your hosts are starting the connection, you would only need to block outgoing traffic. Any incoming DNS traffic should be blocked by the default rules.

Rules should go into effect as soon as you hit save. Rules should run in order.

Every firewall is different, and in consumer-grade electronics they are often limited in their functionality. Looking at the manual, I'm not sure you can do what you want, but perhaps firmware upgrades have added functionality not included in the manual. I would set up rules like:

Rule 1: Allow the special LAN host to contact any REMOTE host on port 53 (that is port 53 on the target, not on the internal host)
Rule 2: Allow all LAN hosts to contact OpenDNS1 on port 53
Rule 3: Block all LAN hosts from contacting any REMOTE host on port 53

While this will work, it can easily be bypassed by using VPN software.
Before you get very far: you are assuming someone is trying to bypass your blocks. Are you going to assume that they are only going to stop at the simple methods?

First, there are DNS servers that run on non-standard ports. Next, someone could run a VPN service just to run the DNS through. The free ones with extremely limited bandwidth work well for that. They could also just run everything through a VPN. And even stupid kids quickly learn what a HOSTS file is. It is tedious, but if you only need a couple of sites it works well and cannot be prevented other than by locking down the end device.

Pretty much, OpenDNS is for people that want to feel good and think they are protecting something. It is pretty much a waste of time, since you must do so much more to block things, and at that point you might as well do the complete function on your firewall device.
Locking down people from certain websites is a common problem many people in IT face, especially at a corporate level. This is why corporations install root certificates on your local machine. Not even a VPN can hide your traffic then. They then log every place you visit and run it against a rules database to see if you are throwing up red flags.

There are also service providers like Verizon that categorize websites with apps like Zscaler and block entry based on category.

For Android devices, Family Link is still pretty darn effective. It's effective because it locks down the device from changes and prevents new apps from being installed without permission. You can even block YouTube and Chrome.

The other thing you can do is install privateeyez. This is similar to a root-level certificate program that logs everything, including attempts to uninstall it or hard-kill it. If you see someone trying to access something they shouldn't, just ban their device as a lesson. It's like taking the keys to the car for a couple of months for speeding. Even if a kid were smart enough to go into the registry and figure out how the services were set up to disable them, it would be an extremely time-consuming task and the privateeyez system tray icon would be gone. Plus, I think you get a notification that the privateeyez host computer lost contact with the PC in question when it doesn't ping back every so many days.

Btw, banning by MAC doesn't work. Windows has a registry hack that allows you to substitute MAC numbers. (There are valid reasons to do this, but I'm not going to discuss the technique.) The only way to prevent this hack is to turn off DHCP and statically route all devices by static IP based on known MACs.
You can set up a DNS server and block all outbound DNS on port 53 not coming from that server. Set the DHCP to hand out that DNS server. You can also set up forwarding, but DHCP should be enough. If people are manually changing theirs, then they can manually change it back after it stops working.

Pi-hole is a great DNS server. You can use that DNS plus use its filtering to block ads.

Any type of encrypted DNS will get around it. If they use a VPN client not much will stop it. You need client side admin to disable them from installing one. If they're really crafty they can get around that easily as well. There isn't any set it and forget it solution to shut it down.
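The three-rule ordering from the earlier reply (allow the exception host to any resolver, allow everyone to OpenDNS, then deny everything else on port 53) and the "only the local resolver may talk out on port 53" variant from the reply above are the same first-match policy with a different exception host. The model below, written here as an added example and not code from the thread or from any router firmware, evaluates constructed flows against that policy, shows what happens when the deny rule is placed first, and shows that a flow on port 853 (DNS over TLS) is never seen by port-53 rules at all. The LAN range, the exception host 192.168.1.50 and the flow records are constructed assumptions; only the OpenDNS and 8.8.8.8 addresses come from the thread.

```python
"""First-match evaluation of a DNS egress ACL (added example; addresses
other than the OpenDNS resolvers and 8.8.8.8 are constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

OPENDNS = frozenset({"208.67.222.222", "208.67.220.220"})  # resolvers named in the thread
LAN = ip_network("192.168.1.0/24")            # assumed LAN range
EXCEPTION = ip_network("192.168.1.50/32")     # constructed: the one host allowed to bypass


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network               # source hosts the rule applies to
    dst: Optional[frozenset]       # allowed destination addresses; None = any remote host
    dport: Optional[int]           # destination port on the remote host; None = any port
    action: str                    # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        if ip_address(src) not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches, else the default."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return default, "default"


# The ordering suggested in the thread: exception first, OpenDNS second, deny last.
RECOMMENDED = [
    Rule("allow exception host to any resolver", EXCEPTION, None, 53, "allow"),
    Rule("allow LAN to OpenDNS", LAN, OPENDNS, 53, "allow"),
    Rule("deny LAN to any other resolver", LAN, None, 53, "deny"),
]

# Same three rules with the deny first: it matches every LAN host on port 53
# before either allow is consulted, so even OpenDNS (and the exception) is blocked.
MISORDERED = [RECOMMENDED[2], RECOMMENDED[0], RECOMMENDED[1]]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("192.168.1.23", "208.67.222.222", 53),   # ordinary host -> OpenDNS
    ("192.168.1.23", "8.8.8.8", 53),          # ordinary host -> Google DNS
    ("192.168.1.50", "8.8.8.8", 53),          # exception host -> Google DNS
    ("192.168.1.23", "8.8.8.8", 853),         # DNS over TLS: port-53 rules never match
    ("192.168.1.23", "203.0.113.10", 443),    # ordinary HTTPS, untouched by the ACL
]


def decide_all(rules: List[Rule], flows=FLOWS) -> Dict[Tuple[str, str, int], str]:
    """Map each flow to the action the ordered rule set produces for it."""
    return {(s, d, p): evaluate(rules, s, d, p)[0] for s, d, p in flows}


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(f"--- {label} ordering ---")
        for (s, d, p), action in decide_all(rules).items():
            _, why = evaluate(rules, s, d, p)
            print(f"{s} -> {d}:{p:<4} {action:<5} ({why})")
```

Two things the output makes visible that the rule table alone does not: with the deny rule first, nothing on port 53 ever reaches an allow rule, which matches the "everything stops resolving" symptom of getting the order wrong; and the port 853 and 443 flows fall through to the default regardless of ordering, which is the encrypted-DNS limitation the replies describe. The same policy shape applies when the exception host is a Pi-hole rather than a personal device.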