How to block outgoing packets to Google DNS Servers on dlink router?

2

2

I have a dlink DIR 600L, and now I want to configure my router firewall to block outgoing packets to Google DNS Servers (8.8.8.8 and 8.8.4.4) for TCP/UDP and port 53 (DNS). This is so that I can use Chromecast to watch Netflix outside the US.

You only need to put two rules on your router firewall to block outgoing packets to Google DNS Servers (8.8.8.8 and 8.8.4.4) for TCP/UDP and port 53 (DNS). This way, Chromecast will get a timeout trying to reach Google DNS Servers and will fall back to your router-defined DNS servers, and your Netflix or Hulu will work again!

In other words, this is what I aim to do:

What I need is a router capable of filtering outgoing connections, and every router I have seen can do this as part of the built-in firewall without needing to flash an alternate firmware that supports iptables (such as OpenWrt).

Please note that I am not looking for a solution such as routing the DNS request to a bogus gateway; that solution requires knowledge of the IP address (192.168.x.x), which for the sake of this question is unknowable.

Any idea how I can do this? If the dlink router can't handle this, please suggest a consumer-grade router (such as TP-Link, ASUS, Netgear etc., but no DD-WRT or Tomato firmware router) that can do this. Please note that I am not looking at the iptables solution.

Resources:

  1. You can find a dlink emulator here. Username: Admin, password: blank

Graviton

Posted 2014-04-07T02:35:42.457

Reputation: 5 006

Routing the DNS request to a bogus gateway doesn't require knowledge of the IP address. Just route it to 127.0.0.1, which is always a bogus gateway. – David Schwartz – 2014-08-24T20:43:28.790

Answers

1

Not sure if you'll find a solution to do that on your consumer-grade router. Essentially you need a server to sit in the middle of your connection, or a proxy to sit in the middle and intercept all traffic going to the Google DNS servers and rebuild the packets to redirect to an alternate destination.

I'm sure you looked into the windows HOSTS file, and realized that it will only supersede DNS requests, which is not going to help you here.

Looks like you'll need to sit a Linux or Server 2003+ machine between your server and the router. Take a look at IPv4 to IPv4 Interface PortProxying.

http://technet.microsoft.com/en-us/library/cc731068%28v=ws.10%29.aspx

beeks

Posted 2014-04-07T02:35:42.457

Reputation: 1 031

Couldn't the router handle this function? FYI, I am keen on doing this on a router, not on another machine – Graviton – 2014-04-09T05:55:07.357

@Graviton theoretically yes. But as beeks mentioned in this answer, the ability to do so probably isn't implemented in a consumer router. You'd need OpenWRT or something. – strugee – 2014-04-09T07:07:17.227

That's why he said consumer-grade. This is easily accomplished using OpenWrt (or similar) as long as you have direct access to iptables. – Daniel B – 2014-04-09T07:07:24.090

1

The D-Link DIR-600 User Manual that you linked to describes the router's firewall on page 39.

The manual page is too brief to be sure, but you should be able to set up a firewall rule that will block these IP addresses.

harrymc

Posted 2014-04-07T02:35:42.457

Reputation: 306 093

Would you like to elaborate more? There is a dlink router emulator here, you might want to try further. Username: admin, no password

– Graviton – 2014-04-09T07:30:02.993

Your emulator is for the 655, the one for the 600 is here. In addition, the manual you quote does not agree with the emulator - the firewall in the emulator (under Advanced/Firewall settings) is without rules and seems pretty basic. If that's also the case on your router, you might be able to use Advanced/Access control, check Enable access control, then use the Add policy button to add some filtering. Unfortunately this is disabled in the emulator so I can't see what it does exactly.

– harrymc – 2014-04-09T08:51:08.260

Are you sure? It seems to me that the Add Policy is for controlling websites, not DNS. Are you sure this is what I need?

– Graviton – 2014-04-10T04:36:14.443

Parental control might work - the manual says IP addresses are not supported but your video says they are (but no ports), but it's easy for you to check. It's hard to know, when the manual is incomplete and incorrect and when many functions are disabled in the emulator. That router is low-grade and is also on the list of Known incompatible devices of DD-WRT. My suspicion is that you need a better router (after seeing that manual I wouldn't recommend D-Link).

– harrymc – 2014-04-10T05:53:54.670

Do you have anything to recommend? Anything that I can get out of the box (not like DD-WRT, which needs me to flash my modem) – Graviton – 2014-04-10T05:56:52.007

My only recommendation is to try out any option on your router that can restrict traffic, seeing whether it can block traffic based on IP and port (IP should be enough). If you find none, then my second recommendation is to change your router or give up. – harrymc – 2014-04-10T08:03:35.723

If you are thinking about getting another router, get a MikroTik Routerboard. Those are real routers, and using the Winbox software for it you will be able to easily set up a firewall and/or NAT to drop, return, or redirect traffic for any protocol on any port to any IP. I use an RB750 and it handles 25 computers on a 50Mbps connection. And it's like $40. Many do not have Wi-Fi onboard, but you can use the existing one as a wireless AP. – Enis P. Aginić – 2014-04-10T12:09:10.373

If you are thinking of a new router, ensure that it's supported by DD-WRT via easy installation, just in case. – harrymc – 2014-04-10T13:38:56.910

1

Sounds like you just want to block outgoing UDP to 8.8.8.8 and 8.8.4.4, which you should be able to do fine if your system DNS is not set to that (I guess Chromecast insists on using Google's DNS servers first? Did not know that).

You probably want to block TCP as well; I can't remember, but Google might take TCP replies on these IPs as well.

Of the manual you posted, page 39 is what you need.

  • Enable SPI
  • Don't worry about DMZ
  • You'll need to make 4 rules, set to Deny, one for protocol UDP, IP address 8.8.8.8, UDP 8.8.4.4, TCP 8.8.8.8 and TCP 8.8.4.4. (If it lets you specify "Both" for protocol, then that means TCP and UDP, and you only need two)
  • Port range should be 53 only, or 53 to 53 if it insists on making you specify two numbers
  • Save settings and restart router
  • Verify by opening a cmd.exe on a system behind the router and type nslookup google.com 8.8.8.8 - it should fail.

LawrenceC

Posted 2014-04-07T02:35:42.457

Reputation: 63 487
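For the OpenWrt/iptables route that Daniel B and Gp2mv3 mention, the same four Deny rules from the list above can be expressed as FORWARD-chain rules. This is an added example, not code from the original thread or from D-Link or OpenWrt; it assumes a Linux-based router where iptables is available and uses DROP rather than REJECT so the client times out, which is the behaviour the question relies on for the Chromecast fallback.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the four LAN->WAN deny
# rules for Google DNS on port 53. Assumes an iptables-capable router.
BLOCKED_RESOLVERS="8.8.8.8 8.8.4.4"   # the two resolvers named in the question
DNS_PORT=53

# Print one iptables command per (protocol, resolver) pair. The FORWARD
# chain only sees traffic routed through the box, i.e. LAN clients going
# out; the router's own lookups are unaffected. DROP, not REJECT, so the
# client gets a timeout and falls back to the router-assigned resolver.
gen_rules() {
    for ip in $BLOCKED_RESOLVERS; do
        for proto in udp tcp; do
            echo "iptables -I FORWARD -p $proto -d $ip --dport $DNS_PORT -j DROP"
        done
    done
}

# Number of rules gen_rules emits: 2 resolvers x 2 protocols = 4.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Verification step from the answer: a lookup aimed directly at a blocked
# resolver must fail once the rules are in place. Returns 0 when blocked.
verify_blocked() {
    resolver="$1"
    if nslookup google.com "$resolver" >/dev/null 2>&1; then
        echo "NOT blocked: $resolver still answers"
        return 1
    fi
    echo "blocked: no answer from $resolver"
    return 0
}

case "${1:-show}" in
    show)   gen_rules ;;                 # print the rules, change nothing
    apply)  gen_rules | sh ;;            # needs root on the router
    verify) verify_blocked 8.8.8.8 && verify_blocked 8.8.4.4 ;;
esac
```

Rules inserted with -I are not persistent; on OpenWrt put them in the firewall configuration (or a startup script) so they survive a reboot.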

I have a question: the IP address rule you mention in step 3 above, should it be the "Source" IP address or the "Dest" IP address? What should I fill in for both "Source" and "Dest"? – Graviton – 2014-04-11T07:18:08.703

Source should be ANY or 0.0.0.0 and Destination should be 8.8.8.8, 8.8.4.4, etc. – LawrenceC – 2014-04-11T12:46:45.683

I tried... but it didn't work, simply because the dlink router doesn't allow me to enter ANY or 0.0.0.0... and if I enter the IP range for my router, the router accepts it, but the firewall can't block the DNS query as expected. – Graviton – 2014-04-14T03:09:45.747

1

The only two options that may work with this router are: Advanced / Routing, which you said you don't want to do.

Or Advanced / Inbound Filtering, if you can figure out what IP address Google will return information to your Chromecast on. It would likely be the same, 8.8.8.8 and 8.8.4.4, but there is probably some load-balancing magic going on there.

So that leaves Advanced / Routing. Can you route traffic to a LAN IP address with that router? Try routing it to a non-existent host on your local subnet, 8.8.8.8/255.255.255.255, and your next hop would be something like 192.168.0.253 if you are using factory settings.

Otherwise, you need to invest in a different router that is more capable.

I would perhaps recommend the Buffalo AirStation N150. I have had reasonable success with them in the past, and I have been able to load dd-wrt/openwrt when I have been so inclined.

Refer to page 56, in its manual, second link below. Operations should be drop or ignore, direction lan-->internet, source 0.0.0.0, destination 8.8.8.8, protocol all.

http://www.buffalotech.com/products/wireless/single-band-routers/airstation-n150-wireless-router

http://cdn.cloudfiles.mosso.com/c85091/WCR-GN-Manual.pdf

David

Posted 2014-04-07T02:35:42.457

Reputation: 2 222

David, the problem with routing traffic to a LAN IP address is that I would need to know the boundary of the LAN address (is it 192.168.0.x or 192.168.8.x). For the sake of argument, I assume that this is not possible because I want to ask my grandma to install this router and she doesn't know how to read her LAN IP address – Graviton – 2014-04-12T02:28:40.367

The only other option is to block incoming traffic from 8.8.8.8 and 8.8.4.4. That D-Link router does not allow you to set up custom firewall rules otherwise. It sucks, but it is the truth.

As for having technically naive users read off, or find out, basic technical information, I have done this many times by guiding them to use start-->run-->cmd-->ipconfig; the LAN IP address is also available from the router, setup-->network settings. – David – 2014-04-12T13:17:49.727

David, do you have another consumer-grade router in mind that allows me to do this? – Graviton – 2014-04-14T01:34:23.633

0

You don't need to know any specific IP address in the local network to route these addresses to a bogus gateway.

From Wikipedia:

In the Internet Protocol version 4 the address 0.0.0.0 is a non-routable meta-address used to designate an invalid, unknown or non applicable target.

A typical implementation used in the field is to route the destination hosts (8.8.8.8, 8.8.4.4) towards 0.0.0.0.

This is called a Null route.

Squeezy

Posted 2014-04-07T02:35:42.457

Reputation: 5 930

The IP address 0.0.0.0 has many uses and is quite dangerous to use. Its most frequent use is as the default route which actually specifies all networks.

– harrymc – 2014-04-14T21:23:11.767

You are confusing routing to 0.0.0.0 (a null route) with routing 0.0.0.0. The default route is noted as 0.0.0.0/0, which means all possible IP addresses. I have updated my answer with the applicable excerpt from the article regarding 0.0.0.0 you linked. – Squeezy – 2014-04-15T20:16:47.733

I know of at least one device that sets itself up as 0.0.0.0 until it gets a better IP via DHCP. I still think that this specific IP has too many functions to be used safely. Your advice has a good chance of working, but may also have side-effects under the wrong conditions or software. Please note that I didn't undervote. – harrymc – 2014-04-15T21:02:15.073

There will be no packets sent to 0.0.0.0 though. The DHCP protocol uses it as a source address to indicate that no IP address has been assigned yet. – Squeezy – 2014-04-15T21:13:37.727

0

A simple way to block any DNS address is to add it to the WEBSITE FILTER on the D-Link router. I use it to block some IP blocks from my online gaming.

Matt

Posted 2014-04-07T02:35:42.457

Reputation: 1

An easy way indeed... but that also blocks non-port-53 requests. So no more using Google as a search engine, etc. – Hennes – 2016-07-30T09:48:26.333

-1

As beeks said, it's not possible with your D-Link official software, and you may need a Linux server to redirect the traffic.

But I think you can upgrade your router using dd-wrt. It's an alternative firmware for your router, offering a lot more possibilities. Maybe it can help you. The link to the wiki for your router is: http://www.dd-wrt.com/wiki/index.php/DIR-600

Gp2mv3

Posted 2014-04-07T02:35:42.457

Reputation: 123

Any OS server as an intermediate router with a firewall should do. Not just Linux. Fork over $100 for Windows and that will work just as well. (Sorry, I am a fan of Linux/BSDs, but they are not an essential part of this solution.) If you have any spare system with two NICs you can trivially do this. I guess many SU visitors have that. OP's granny probably does not. – Hennes – 2016-07-30T09:52:18.240