Forcing DNS traffic to open DNS

RouterOS General
1

Hi all,

I am trying to setup an RB2011 at a school to force all DNS requests to go to the open DNS family shield name server to block adult content. I’ve tried doing this with a NAT redirect and with a dst-nat rule and neither are working. I can still get to any website I want to even after flushing DNS caches on the router and the host device. Could anyone take a look at the below setup and see if there’s anything that could be causing this? The byte counter is going up on my dst-nat rule for udp port 53 traffic.

DNS settings:

ip dns print

servers: 208.67.222.123
dynamic-servers:
use-doh-server:
verify-doh-cert: no
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 279KiB

DST-NAT Settings:

;;; DST NAT to 192.168.150.1 DNS server UDP
chain=dstnat action=dst-nat to-addresses=192.168.150.1 to-ports=53
protocol=udp src-address=192.168.150.0/24 in-interface=ether3
dst-port=53 log=no log-prefix=“”

;;; DST NAT to 192.168.150.1 DNS server TCP
chain=dstnat action=dst-nat to-addresses=192.168.150.1 to-ports=53
protocol=tcp src-address=192.168.150.0/24 in-interface=ether3
dst-port=53 log=no log-prefix=“”

Alternative settings for a NAT redirect (not used in conjunction with the dst-nat rule)

;;; Redirect to 192.168.88.1 DNS server TCP
chain=dstnat action=redirect to-addresses=192.168.150.1 to-ports=53
protocol=tcp src-address=192.168.150.0/24 in-interface=ether3
dst-port=53 log=no log-prefix=“”

;;; Redirect to 192.168.88.1 DNS server UDP
chain=dstnat action=redirect to-addresses=192.168.150.1 to-ports=53
protocol=udp src-address=192.168.150.0/24 in-interface=ether3
dst-port=53 log=no log-prefix=“”

2

Not a DNS expert but do suggest that the full config or more parts thereof be shown as many parts of a config are inter related…
The answer may lie in running a separate DNS serverr (raspberry Pi like) as its not clear to me if the Router DNS services and rules are up to the job?
There have been many threads on this sort of topic so my memory is jumbled…

The problem lies in ensuring that a PC with its own settings may attempt to get around your attempts to shoe them to Open DNS.

3

Hey Anav, I’ve been going through different threads and following along with a number of different settings some of your suggestions on other posts too. Unfortunately none are working for me. Here’s some more settings that might be helpful:

y/16/2022 15:12:41 by RouterOS 6.47.9

software id = FMQK-ZJ9T

model = RB2011UiAS

/interface bridge
add admin-mac=2C:C8:1B:A1:7B:E4 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=“ether1 [WAN]”
set [ find default-name=ether2 ] name=“ether2 (Vly)”
set [ find default-name=ether3 ] name=“ether3 (Krndl)”

/interface pppoe-client
add add-default-route=yes disabled=no interface=“ether1 [WAN]” name=pppoe-out1
password=* user=*

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.88.70-192.168.88.254
add name=dhcp_pool2 ranges=192.168.150.100-192.168.150.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=“ether3 (Krndl)” name=dhcp1

/interface bridge port
add bridge=bridge comment=defconf interface=“ether2 (Vly)”
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1

/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=“ether1 [WAN]” list=WAN
add interface=pppoe-out1 list=WAN
add comment=defconf interface=“ether3 (Krndl)” list=LAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=“ether2 (Vly)”
network=192.168.88.0
add address=192.168.150.1/24 interface=“ether3 (Krndl)” network=
192.168.150.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.150.0/24 dns-server=192.168.150.1 gateway=192.168.150.1

/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=forward comment=“Drop DNS” in-interface=
“ether3 (Krndl)” protocol=udp src-address=192.168.150.0/24 src-port=53
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat

add action=dst-nat chain=dstnat comment=
“DST NAT Krndl to 192.168.150.1 DNS server TCP” dst-port=53
in-interface=“ether3 (Krndl)” protocol=tcp src-address=192.168.150.0/24
to-addresses=192.168.150.1 to-ports=53
add action=dst-nat chain=dstnat comment=
“DST NAT Krndl to 192.168.150.1 DNS server UDP” dst-port=53
in-interface=“ether3 (Krndl)” protocol=udp src-address=192.168.150.0/24
to-addresses=192.168.150.1 to-ports=53
add action=masquerade chain=srcnat src-address=192.168.150.0/24

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
/lcd
set time-interval=daily
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Valley
/tool bandwidth-server
set authenticate=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

4

Sorry, but you’ve already lost the war at the start, against porn,
because filters don’t block everything, and the students will probably always know more than you do.
The solution, which blocks the most, but still does not prevent completely, is to block EVERYTHING except the allowed sites.

5

https://support.opendns.com/hc/en-us/articles/228006487-FamilyShield-Router-Configuration-Instructions
https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS
is designed for home use and one applies that on browsers but this would not apply to non-school devices and thus one probably need to look at cisco umbrella?

What I could find…

Resolver
IPv4… IPv6… DoH
Umbrella/OpenDNS
208.67.222.222 ------ 2620:119:35::35 ----- https://dns.opendns.com/dns-query or https://dns.umbrella.com/dns-query
208.67.220.220 ------ 2620:119:53::53 ----- …"…

FamilyShield
208.67.222.123 ----- 2620:119:35::123 ----- https://familyshield.opendns.com/dns-query
208.67.220.123 ----- 2620:119:53::123 ----- …"…

Family shield mentions porn protection but mainly for home if you have a school account then likely more corporate/business and thus Umbrella would apply…

This was harder to find…
doh-cisco-umbrella.JPG

6

Thanks for the replies. I know its a losing battle but the post was more to figure out why its not working. All that I want to achieve is forcing dns traffic originating from my lan to the open dns family shield server, which it seems to be doing, but sites like p*rn hub still work just fine.

7

Your infrastructure is both IPv6 and IPv4?
On some browser IPv6 take precedence and some DNS can be reachable by IPv6…

8

Only IPv4 :slight_smile:

9

Just noticed now on your export.

As @anav wrote, simply with one click, for example firefox, can use DoH bypassing all DNS infrastructure…

10

Paste this, empty all caches, also on devices, and retry:

/ip firewall filter
remove [find where comment="Drop DNS"]

/ip dhcp-server network
set [find] dns-server=192.168.88.1,192.168.150.1

/ip firewall nat
set [find where comment~"DST NAT Krndl to 192.168.150.1 DNS server"]  dst-address=!192.168.0.0/16

/interface pppoe-client
set [find] use-peer-dns=no
11

Oh whoops! I added that filter rule in to test something and forgot about it. I’ve removed it and run the scripts you suggest but sadly its still not working as expected. Anyway, I’m rather going to setup a VLAN for the students and only allow certain web access. I think that would be easier.

12

Certain RB2011 models are officially supported by openwrt. Which allows much more customization for special applications, like yours, because being totally opensource.
I.e. content filtering can be forced much better running openwrt compared to RoS, using certain packages of openwrt.
In your case, DoH is the reason, that openDNS is not used.
As a first step to force usage of openDNS, you might install IP-based blocklists of all the “well-known” DoH-servers on the RB2011, to force the browsers to fall back to standard DNS.

In case, you have the possibility to ask all your students to install a special certificate on their devices, you can use an alternative method for content filtering, via proxy.
Assuming, you run openwrt.

13

Whatever Untangle is called these days, might be a good solution.