Question Router/DNS/Site Blocking

IGotAnAngle

Aug 18, 2022
Hi All,
I came across some unexpected behavior and thought I should ask about it since I'm just starting.

After setting up OpenDNS (working fine), I started blocking stuff. I quickly found that OpenDNS has a 25 site limit. Ok, I'll block the extras in my router. Then I saw in the OpenDNS Stats page that sites I blocked in my router were still creating DNS hits in the OpenDNS Stats page. This is what I don't understand. If the site is blocked at the router (confirmed by the router "Blocked" message in the browser), why is it getting to OpenDNS?

I understand that https doesn't get blocked, but I'm talking about http sites. I am using scripting.com as a test sample.

Anyone know the particulars about this? Thanks.
 
Hi All,
I came across some unexpected behavior and thought I should ask about it since I'm just starting.

After setting up OpenDNS (working fine), I started blocking stuff. I quickly found that OpenDNS has a 25 site limit. Ok, I'll block the extras in my router. Then I saw in the OpenDNS Stats page that sites I blocked in my router were still creating DNS hits in the OpenDNS Stats page. This is what I don't understand. If the site is blocked at the router (confirmed by the router "Blocked" message in the browser), why is it getting to OpenDNS?

I understand that https doesn't get blocked, but I'm talking about http sites. I am using scripting.com as a test sample.

Anyone know the particulars about this? Thanks.
Since you didn't identify what router you have, it will be difficult for anyone to contribute constructively.

You could pay the $20 / year to be a VIP member and have 100 domain blocking limit. Seems pretty reasonable.
 
That's not the point. I would like to understand how a blocked site makes a DNS hit.

It didn't seem that the router would matter (but what do I know, right?), but it's a Belkin F7D7302.
 
You have to remember OpenDNS does not actually block any sites. What is happening is your machine asks the DNS server to give it the IP of some URL. OpenDNS will basically pretend the blocked sites don't exist and not return the IP. OpenDNS does not prevent traffic from going to the IP; it only refuses to tell your machine the IP.

This really is no security; it only works if someone does not attempt to bypass it. Very young children know how to override the DNS settings in their device so it does use OpenDNS to find IP addresses.

Your router basically is blocking the IP address itself. This is somewhat more secure... at least for sites that are not cloud based and have many addresses. When the PC issues a DNS request, that appears to the router to be standard traffic on port 53 to the OpenDNS server. The router will allow that to go because it is not going to the actual site you blocked. If OpenDNS gives the device an IP and the device then attempts to open that IP, your router has a chance to block it.

The problem is your router would somehow have to get the large list of IPs that a site uses. These IPs change mostly because of the attempts of the cloud data centers to load balance the traffic.

If you are basically trying to block yourself... and you won't hack yourself :)... you can use dummy entries in the HOSTS file to block DNS entries. The hosts file is kinda your own private DNS server. Note this is also how the smart kids bypass things like OpenDNS.
 
If I'm understanding you correctly, I think maybe it "tries" to route it. After entering "scripting.com" I saw a brief flash of https in the url before it changed to http and gave me the blocked message. If I enter http://www.scripting.com/ it immediately blocks.

So maybe, entering the short text causes an auto try at https. I heard chrome was doing something like that. I will wait until tomorrow and try again after the Stats page resets. That could be it! Thanks!

Did you know that was happening or just a hunch?
 
DNS query results are not aggregated among all the DNS servers. Once a device (your PC, smartphone, tablet) gets a response from a specific DNS server (even if it responds with the IP address 0.0.0.0 instead of saying it doesn't know the domain's IP address), it stops querying.

Usually sites get blocked via DNS sinkhole or blackhole technology. That means predefined domain names you query will return with the IP address 0.0.0.0 and the browser has no idea where to download the website contents from.

When you put OpenDNS as the first DNS server and you query a domain name and it responds with 0.0.0.0, it will not forward the query to your router.

You have to set up your own DNS sinkhole on your network, like Pi-hole running on Linux (a lot of people use a Raspberry Pi) or Technitium DNS on Windows (Win10/11 or Server) and add/import blacklists into them if you don't want to pay OpenDNS for extra domains.
 
You have to remember OpenDNS does not actually block any sites. What is happening is your machine asks the DNS server to give it the IP of some URL. OpenDNS will basically pretend the blocked sites don't exist and not return the IP. OpenDNS does not prevent traffic from going to the IP; it only refuses to tell your machine the IP.

This really is no security; it only works if someone does not attempt to bypass it. Very young children know how to override the DNS settings in their device so it does use OpenDNS to find IP addresses.

Your router basically is blocking the IP address itself. This is somewhat more secure... at least for sites that are not cloud based and have many addresses. When the PC issues a DNS request, that appears to the router to be standard traffic on port 53 to the OpenDNS server. The router will allow that to go because it is not going to the actual site you blocked. If OpenDNS gives the device an IP and the device then attempts to open that IP, your router has a chance to block it.

The problem is your router would somehow have to get the large list of IPs that a site uses. These IPs change mostly because of the attempts of the cloud data centers to load balance the traffic.

If you are basically trying to block yourself... and you won't hack yourself :)... you can use dummy entries in the HOSTS file to block DNS entries. The hosts file is kinda your own private DNS server. Note this is also how the smart kids bypass things like OpenDNS.
If I'm understanding you correctly, you're talking about OpenDNS and how it "blocks" sites. I'm asking how a router blocked site gets to OpenDNS.
 
DNS query results are not aggregated among all the DNS servers. Once a device (your PC, smartphone, tablet) gets a response from a specific DNS server, it stops querying.

Usually sites get blocked via DNS sinkhole or blackhole technology. That means predefined domain names you query will return with the IP address 0.0.0.0 and the browser has no idea where to download the website contents from.
I think you're talking about the DNS side. I'm talking about the router side.
 
I believe your answer lies in how DNS works.

When you type in "facebook.com" your browser asks the PC if it knows the IP address. If it does then it gives it to the browser. If it does not, then the browser goes to the router asking if it knows, and so on and so on until it gets to the world wide DNS servers. It keeps asking the next level until something finally gives it the IP address.

So blocking a site at the router level does not stop your OpenDNS from being asked if it knows the IP address. It does not, so it passes the request to the router which then returns the bad IP, stopping the process. This is what you are seeing. DNS starts at the browser and works outward, so OpenDNS is seeing the request before it passes it on to the router and it is showing in the log.

DNS does not start outside your network for the router to prevent it from coming in. Rather it stops it from going out.
 
The router blocks via IP address. What it does is if you key in a URL it will ask the DNS server for the IP and then put in a rule to block that IP. Generally the router will only ask the DNS server for the IP when you first set it up.

Many years ago in the days before HTTPS, routers could actually look inside the packets and see the actual URL including data past the site name. You could then for example block google.com/photos but allow google.com/games... as an oversimplified example. None of that works anymore.
 
DNS query results are not aggregated among all the DNS servers. Once a device (your PC, smartphone, tablet) gets a response from a specific DNS server (even if it responds with the IP address 0.0.0.0 instead of saying it doesn't know the domain's IP address), it stops querying.

Usually sites get blocked via DNS sinkhole or blackhole technology. That means predefined domain names you query will return with the IP address 0.0.0.0 and the browser has no idea where to download the website contents from.

When you put OpenDNS as the first DNS server and you query a domain name and it responds with 0.0.0.0, it will not forward the query to your router.

You have to set up your own DNS sinkhole on your network, like Pi-hole running on Linux (a lot of people use a Raspberry Pi) or Technitium DNS on Windows (Win10/11 or Server) and add/import blacklists into them if you don't want to pay OpenDNS for extra domains.
When you put OpenDNS as the first DNS server and you query a domain name and it responds with 0.0.0.0, it will not forward the query to your router.

I don't understand this. Are you saying a site that is specifically blocked in the router firewall is still allowed to make a DNS request? If so, that makes no sense to me. It's blocked. It should be stopped at the router. Otherwise, it really isn't blocked.
 
When you put OpenDNS as the first DNS server and you query a domain name and it responds with 0.0.0.0, it will not forward the query to your router.

I don't understand this. Are you saying a site that is specifically blocked in the router firewall is still allowed to make a DNS request? If so, that makes no sense to me. It's blocked. It should be stopped at the router. Otherwise, it really isn't blocked.
R4500 is old, I really don't know how it implements site blocking, sorry. Most ad-blocking or site-blocking nowadays uses DNS sinkhole tech I believe.
 
R4500 is old, I really don't know how it implements site blocking, sorry.
Ok, but is there "ever" a case where a router would let a request for a specifically blocked site past the firewall? Regardless of age, technology, protocols, whatever. Can you give me an example where that makes sense? This is where I'm at. I don't understand how a DNS request is getting past the router.
 
A router is just a router, it's never a firewall. A firewall will let you define a lot of complex rules. A simple, cheap home NAT (Network Address Translation) router just won't let you do that. Basically it just forwards everything out to the internet. It's just like a simple PBX phone system doing all the call forwarding in and out.

You can look at Freshtomato.org to see if your router is supported and flash it with its more advanced firmware.

https://www.linksysinfo.org/index.php?forums/tomato-firmware.33/ for Freshtomato firmware discussion

https://www.youtube.com/watch?v=gSqk8CoVGKA
 
It's 100% impossible for a router to actually block a website with URL filtering; it can prevent delivery of non-secured traffic but that's it. You'd need something far more advanced in functionality if you wanted to be able to prevent all traffic. OPNsense, pfSense and Pi-hole all have similar capability to one another where you can use them as the DNS and they will flat out block all traffic requests to whatever you've set up to be blocked.
 
Ok, but is there "ever" a case where a router would let a request for a specifically blocked site past the firewall? Regardless of age, technology, protocols, whatever. Can you give me an example where that makes sense? This is where I'm at. I don't understand how a DNS request is getting past the router.
You just have to carefully read what you yourself wrote.

You are not blocking DNS requests you are blocking the actual web site.

So the PC talks to the OpenDNS server and inside that communication it asks about certain web sites. Your router does not go into the communication between your machine and the OpenDNS server and prevent it from asking the server about the web site.

These are 2 completely independent sessions. You are only blocking the one to the web site itself.
 
You just have to carefully read what you yourself wrote.

You are not blocking DNS requests you are blocking the actual web site.

So the PC talks to the OpenDNS server and inside that communication it asks about certain web sites. Your router does not go into the communication between your machine and the OpenDNS server and prevent it from asking the server about the web site.

These are 2 completely independent sessions. You are only blocking the one to the web site itself.
Ok, that makes sense. Sort of. You're saying there's more to blocking a site than what the router can do. I think that's pretty silly, since they call it "Blocking". But that's ok. I can see how what you're saying is true.

Thanks for a clear explanation!
 
It will still initially go out to OpenDNS but you can set up a DNS (caching) server on a Raspberry Pi or Ubuntu Laptop.


After setup, say you type in poopmcgee.pooface, it will go to OpenDNS and try to resolve. It will save OpenDNS' response that it's "blocked" and send back, say, 0.0.0.0.

Next time that address is typed in it will go to YOUR DNS Server to resolve rather than go to OpenDNS again. I'm not 100% sure but you can probably modify the list yourself. If so just look for malicious site or adult-site filters, import them and set a manual redirect to 0.0.0.0.
 
This can all be accomplished using the standard hosts file as well. Same idea, give it the site name and route it to 0.0.0.0 or 127.0.0.0 and it'll come up blank as well.

None of us asked, but why is this not an option? That's the first place the browser looks, which will stop any DNS requests from going out or anything else related to that site.
 
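The "two completely independent sessions" point above, and the hosts-file and sinkhole posts earlier in the thread, can be modelled in a few lines. This is an added example written for this thread, not code from any poster, OpenDNS or a router vendor; all names, addresses and blocklists are constructed, and the resolver's query list stands in for the OpenDNS Stats page.

```python
"""Model of the two sessions involved in visiting a site (constructed example).

Session 1: the device resolves a name. It checks its hosts file first, then asks
the configured upstream resolver (OpenDNS here), which may sinkhole the name to
0.0.0.0. A router that blocks the site by IP never touches this session: the DNS
packet is addressed to the resolver on port 53, not to the blocked site.

Session 2: the device connects to the resolved IP. Only this session is affected
by a router-side IP block.
"""

SINKHOLE = "0.0.0.0"

# Constructed sample data; the .test TLD and 203.0.113.0/24 are reserved for documentation.
HOSTS_FILE = {"ads.example.test": SINKHOLE}            # local hosts entry, this device only
RESOLVER_BLOCKLIST = {"blocked-by-dns.example.test"}   # names the resolver sinkholes
RESOLVER_ZONE = {
    "blocked-by-dns.example.test": "203.0.113.10",
    "blocked-by-router.example.test": "203.0.113.20",
    "allowed.example.test": "203.0.113.30",
}
ROUTER_IP_BLOCKLIST = {"203.0.113.20"}                 # router's IP block for the site


class Resolver:
    """Stands in for OpenDNS; records every query it receives (the Stats page)."""

    def __init__(self):
        self.queries_seen = []

    def query(self, name):
        self.queries_seen.append(name)         # logged even if the router blocks the site's IP
        if name in RESOLVER_BLOCKLIST:
            return SINKHOLE                    # pretend the name has no usable address
        return RESOLVER_ZONE.get(name)


def resolve(name, resolver):
    """Session 1: hosts file first, then the upstream resolver."""
    if name in HOSTS_FILE:
        return HOSTS_FILE[name]                # answered locally, nothing leaves the device
    return resolver.query(name)                # UDP/53 to the resolver; the router lets it pass


def visit(name, resolver):
    """Session 2 follows session 1; returns what the user would observe."""
    ip = resolve(name, resolver)
    if ip is None or ip == SINKHOLE:
        return "no-address"                    # browser has nowhere to connect
    if ip in ROUTER_IP_BLOCKLIST:
        return "router-blocked"                # router drops the connection to the site itself
    return "connected"
```

Run `visit("blocked-by-router.example.test", Resolver())` and then inspect `queries_seen`: the name shows up in the resolver's log even though the page never loads, which is exactly the Stats page behaviour asked about in the first post.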
It will still initially go out to OpenDNS but you can set up a DNS (caching) server on a Raspberry Pi or Ubuntu Laptop.


After setup, say you type in poopmcgee.pooface, it will go to OpenDNS and try to resolve. It will save OpenDNS' response that it's "blocked" and send back, say, 0.0.0.0.

Next time that address is typed in it will go to YOUR DNS Server to resolve rather than go to OpenDNS again. I'm not 100% sure but you can probably modify the list yourself. If so just look for malicious site or adult-site filters, import them and set a manual redirect to 0.0.0.0.
Thanks, I might look into that.
 
This can all be accomplished using the standard hosts file as well. Same idea, give it the site name and route it to 0.0.0.0 or 127.0.0.0 and it'll come up blank as well.

None of us asked, but why is this not an option? That's the first place the browser looks, which will stop any DNS requests from going out or anything else related to that site.
That would work for a single device but not the entire network, correct?
It's not what I was after.
 
I think your largest issue is you want to do this for free. You can use OpenDNS or the router IP blocking for very basic stuff, but when you want something more advanced it can get expensive fast.

It really depends on what your needs are. A simple Raspberry Pi running Pi-hole will do basic blocking of DNS.

What is key here is blocking DNS is not really security; it is more to block, say, advertising or tracking sites.

You need to think of DNS as an old style telephone book. If you hid the telephone book, your kids for example could not look up the phone numbers of their friends. It does not, though, stop them from actually making a phone call to the phone number if they find it using a different method. Web site names and IPs work very similarly.

To really block traffic you need an actual firewall that would either replace your router or sit between your router and the network.
 