Block internet with custom DNS on client device

Hello.
I bought a Flint 2, set up WireGuard (client) with global proxy, and enabled AdGuard. Everything works as expected: DNS requests from all clients get to AdGuard. But if a custom DNS is set manually on the client, then that client's DNS requests will not get to AdGuard. Question: how can I block the Internet for clients who set up a custom DNS, or how can I ignore the client's custom DNS and direct its DNS requests to the local AdGuard?

You can't if it's DoH, DNS-over-QUIC or any other modern protocol.
For plain DNS you can enable Override DNS Settings for All Clients.

This setting is enabled, but the router itself says that none of the settings on this page will work because AdGuard Home is enabled.
Quote: "AdGuard Home is enabled and this router will use the DNS server provided by AdGuard Home as the custom DNS server. The DNS server settings will not work."
Maybe there is a way to check whether there is traffic from the device but no DNS requests for this device in AdGuard, and then block this device?
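The check proposed above, as an added example that is not part of the original thread: it reads a dnsmasq lease file (an active lease standing in for "the device has traffic") and AdGuard Home's per-line JSON query log, and lists leased clients that sent no query through AdGuard within a time window. Both inputs are constructed samples; the query log is simplified to the IP, T and QH fields, and the hour-long window is an assumption.

```python
import json
import re
from datetime import datetime, timedelta, timezone
# Constructed sample of dnsmasq's /tmp/dhcp.leases (expiry mac ip hostname clientid)
LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.8.100 laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.8.101 phone *
1700000000 aa:bb:cc:00:00:03 192.168.8.102 tv *
"""
# Constructed sample of AdGuard Home's querylog.json (one JSON object per line)
QUERYLOG = """\
{"IP":"192.168.8.100","T":"2024-01-01T10:00:00Z","QH":"example.com"}
{"IP":"192.168.8.100","T":"2024-01-01T10:05:00.123456789+00:00","QH":"example.org"}
{"IP":"192.168.8.102","T":"2024-01-01T09:00:00Z","QH":"tv.example.net"}
"""
NOW = datetime(2024, 1, 1, 10, 10, tzinfo=timezone.utc)  # constructed "current time"

def parse_ts(text):
    # RFC 3339 may carry nanoseconds, which fromisoformat rejects: trim to microseconds
    text = re.sub(r"(\.\d{6})\d+", r"\1", text).replace("Z", "+00:00")
    return datetime.fromisoformat(text)

def last_query_per_client(querylog_text):
    # Map client IP -> time of its most recent query seen by AdGuard Home
    last = {}
    for line in filter(str.strip, querylog_text.splitlines()):
        entry = json.loads(line)
        ts = parse_ts(entry["T"])
        ip = entry["IP"]
        if ip not in last or ts > last[ip]:
            last[ip] = ts
    return last

def find_silent_clients(leases_text, querylog_text, now, window_seconds):
    # A leased client with no query through AdGuard inside the window is most
    # likely resolving names via its own (custom or encrypted) DNS server
    cutoff = now - timedelta(seconds=window_seconds)
    last = last_query_per_client(querylog_text)
    silent = []
    for fields in (l.split() for l in leases_text.splitlines()):
        if len(fields) < 4:
            continue
        ip, hostname = fields[2], fields[3]
        if ip not in last or last[ip] < cutoff:
            silent.append((ip, hostname))
    return silent

def demo(window_seconds=3600):
    return find_silent_clients(LEASES, QUERYLOG, NOW, window_seconds)
```

On a real router the two inputs would be read from /tmp/dhcp.leases and AdGuard Home's querylog.json, and the returned list is what a blocking rule or an alert would act on.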

The statement there is wrong about the overriding part. The override will work anyway.
The only thing that does not work is the DNS server IPs you entered there, because they will be overwritten by AGH.

The issue is that modern clients now use fancy DoH and DoT; even when they come with these fancy disable buttons, the browser can also come with its own resolver and options, sometimes even hardcoded, like on Android.

And to make things worse, they can also use a hardcoded list, which gives you a false sense of security. I almost thought my firewall was not working, only to figure out how messed up these implementations are: you can have system DNS with a DoH toggle, you can set up Chrome to follow system DNS, yet it still uses a hardcoded list of DoH servers. The only solution is to disable what they call 'secure DNS', and then hope the best clients don't use it hardcoded.

As for now there is a fallback mechanism to prevent these types of bypasses, but I can assure you it's at their own discretion; they can easily disable it. You need a DoH block list; this makes clients fall back to port 53, which is classic DNS. DoT is more easily blocked: just block destination port 853. But DoH is a nightmare, since you cannot just block 443 access to the full internet.

As for blocklists, I'm not sure if banIP works on GL software, especially since the VPN is different; it might not be possible for banIP to listen on it. Currently this works excellently for me on normal OpenWrt, but the developer has already mentioned he only develops for OpenWrt.

Since I wanted NextDNS in my use case, and NextDNS also depends on Cloudflare for their DDoS protection, they also made some sort of loophole that kept Cloudflare's DNS accessible, so I started using routing tables to blackhole it; but for AdGuard that is not needed.

I'm pretty confident they will also take out the fallback mechanism; it's more for legacy purposes, I guess, but not in Google's interest, which is scary since they kind of hold a browser monopoly.

The real solution is endpoint monitoring. With everything going secure later on, you can't monitor much or even protect the network outside of IP filtering.

This is why firewall companies are stuck at a crossroads: either MITM the local device to try to protect the network, or do endpoint protection. A lot of companies are ditching firewall protection for endpoint protection.

The first company to come out with endpoint protection + firewall will be king of the castle.

If GL.iNet could create something like Bark, not just a 3rd-party install, it would be an instant winner.


Hi,
This is indeed an issue, because the router intercepts all domain name resolution requests with destination port 53. As a result, the client cannot customize its own DNS server, and the switch Override DNS Settings of All Clients is invalid.
Here are some instructions. After they are executed in the background, DNS requests to the client's customized DNS server will not be processed. Of course, this applies when Override DNS Settings of All Clients is turned off.

# Remove the existing DNS redirect entries so they are recreated from the patched scripts below
uci -q delete firewall.dns_vpn;
uci -q delete firewall.dns_vpn_guest;
uci -q delete firewall.adguard_home;
uci -q delete firewall.adguard_home_guest;
uci -q commit firewall;
# Patch the scripts that recreate those entries: the added "-m addrtype --dst-type LOCAL"
# match makes the port-53 redirect apply only to packets addressed to the router itself,
# so queries sent to an external custom DNS server are no longer intercepted
sed '/firewall\.adguard_home\.proto/a uci set firewall\.adguard_home\.extra="-m addrtype --dst-type LOCAL"' -i /etc/init.d/adguardhome;
sed '/firewall\.adguard_home_guest\.proto/a uci set firewall\.adguard_home_guest\.extra="-m addrtype --dst-type LOCAL"' -i /etc/init.d/adguardhome;
sed '/firewall\.dns_vpn\.dest_port/a set firewall\.dns_vpn\.extra="-m addrtype --dst-type LOCAL"' -i /lib/functions/vpn_func.sh;
sed '/firewall\.dns_vpn_guest\.dest_port=/a set firewall\.dns_vpn_guest\.extra="-m addrtype --dst-type LOCAL"' -i /lib/functions/vpn_func.sh;

After executing these instructions, please restart the device to apply them.

This may solve the problem you are facing.

Thank you very much.
When I return home in a week, I will definitely check it out.