VMG3925-B10B - catch dns requests and forward to local DNS

Kiesel
Kiesel Posts: 5  Freshman Member
edited June 2020 in Smart Home Product
Hi,

I am running a VMG3925-B10B (firmware V5.13(AAVF.14)C0) and I am trying to force all devices in my lan to use my DNS. From what I gathered I need to:

- reroute all traffic to port 53 to my local DNS server
- allow my local dns server to connect authoritative dns servers on port 53 (so exclude it from any blocking).

Can I do this with this router/firmware-combination? I tried to set up a static nat route ("Network Settings"->Routing) but this seems to only forward to WAN.

Any help is appreciated, thank you!


#SP_May_2020


All Replies

  • Hummel
    Hummel Posts: 212  Master Member
    Not sure what you really want. From your description, you want all LAN traffic to go to your local DNS server? Then can your local DNS server handle all traffic as a gateway? It sounds a bit strange to me. If you can show your planned topology and idea clearly, it will be easier to understand what you are trying to do.
  • Emerald Dragon
    Emerald Dragon Posts: 118  Ally Member
    edited May 2020
    Sounds like @Kiesel is trying to build Traffic Control for the local LAN and use port 53 as the gateway, routing everything through the local DNS server to direct traffic.
  • Emerald Dragon
    Emerald Dragon Posts: 118  Ally Member
    @Kiesel - The best way is to build yourself a DNS server and have everyone log on to it, like a Windows network. It will automatically force every computer to use the server's DNS by default.
  • Kiesel
    Kiesel Posts: 5  Freshman Member
    I have a pihole (ad and tracking blocker) running on 192.168.178.11. It acts as a DNS server and discards requests for domains on the "banned" list.

    I set 192.168.178.11 as DNS in my Zyxel and that works fine for devices that query the Zyxel for DNS names.

    The issue: some devices, like my chromecasts, have a hardcoded DNS server (8.8.8.8/8.8.4.4) and circumvent my DNS server. 

    What I am trying to do is basically running these iptables rules:

    iptables -t nat -A PREROUTING -i br0 -p udp ! --source 192.168.178.11 ! --destination 192.168.178.11 --dport 53 -j DNAT --to 192.168.178.11

    iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 192.168.178.11 ! --destination 192.168.178.11 --dport 53 -j DNAT --to 192.168.178.11

    Thank you for your help.
  • Emerald Dragon
    Emerald Dragon Posts: 118  Ally Member
    @Kiesel - You sound like one of my friends/ex-coworkers; he built his home network that way. You are going to need more than a VMG3925-B10B to do that. DNS won't help you do what you need in that aspect you are trying to do. My first thought was right: you were trying to do "Intrusion Detection Protection" of some type. But I wasn't quite sure after I read your first post.

    You will need a dedicated Linux server in the DMZ that will catch all the packets before they enter your network, and use it to block the packets. It can serve as protection for your network and filter unwanted content. But you'll have to know what you are doing. From the looks of what you just posted, it seems like you do. Good luck.
  • Kiesel
    Kiesel Posts: 5  Freshman Member
    @Emerald Dragon
    Is that IDP? I want the packets to be filtered/rerouted before they leave my network.

    The traffic is supposed to flow like this:

    Chromecast--->My Router-->router redirects to my own DNS-->my own DNS-server queries DNS-server outside my LAN--->My Router--->Chromecast.

    The magic is supposed to happen in "router redirects to my own DNS".
  • Emerald Dragon
    Emerald Dragon Posts: 118  Ally Member
    Yes, more or less IDP.

    All traffic [in/out](Chromecast included) ---> Router --> IDP [sit in the DMZ] (IDP filtered traffic and blocked unwanted) --> Router --> All Traffic [in/out] (Chromecast included)

    Similar concept to what you are trying to do. How are you setting up your DNS server? Are you just setting it up as a traffic redirection?
  • Emerald Dragon
    Emerald Dragon Posts: 118  Ally Member
    BTW! Do you even know what a DNS server's purpose is? Just want to make sure you understand what a DNS server is: a "Domain Name Service" server. It resolves an IP address to a conventional name. Just want to be clear, since you are using the term a lot.
  • Kiesel
    Kiesel Posts: 5  Freshman Member
    @Emerald Dragon
    I am pretty sure a DNS resolves host names to ip-addresses, so the other way around?

    Anyway, do you maybe know a way for me to redirect all traffic on port 53 from inside my network to a host inside my network?
  • Kiesel
    Kiesel Posts: 5  Freshman Member
    My provider gave me the supervisor password to the box, so now I can use iptables :)
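The redirect Kiesel posted earlier (DNAT of port 53 on br0 to the Pi-hole, excluding the Pi-hole's own upstream queries) leaves out one thing that bites when the client and the Pi-hole sit on the same LAN segment: the Pi-hole answers the client directly with its own source address, and the client, which asked 8.8.8.8, drops that reply. The script below is an added example, not code from the thread or from Zyxel; it assumes the LAN bridge is `br0`, the Pi-hole is `192.168.178.11`, and the router's iptables has the `nat` table and the `conntrack` match. It generates the PREROUTING DNAT rules plus the POSTROUTING masquerade that sends replies back through the router, and only executes them when run with `APPLY=1`; otherwise it prints them for review.

```shell
#!/bin/sh
# Added example (not from the thread): redirect LAN DNS queries to a Pi-hole
# and make the redirected replies return through the router.
# Assumptions (constructed for this example): LAN bridge "br0", Pi-hole at
# 192.168.178.11, iptables with nat table and conntrack match available.

LAN_IF="${LAN_IF:-br0}"
PIHOLE="${PIHOLE:-192.168.178.11}"

# Emit one iptables command per line (nothing is executed here).
dns_redirect_rules() {
    # Redirect every port-53 query from the LAN to the Pi-hole, except:
    #  - queries sent BY the Pi-hole (its upstream lookups must not loop back)
    #  - queries already addressed TO the Pi-hole (nothing to rewrite)
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s ! -s %s ! -d %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$LAN_IF" "$proto" "$PIHOLE" "$PIHOLE" "$PIHOLE"
    done
    # Hairpin NAT: client and Pi-hole share the LAN, so the Pi-hole's reply
    # would otherwise go straight to the client with source $PIHOLE, and the
    # client discards it because it asked 8.8.8.8. Masquerading only the
    # connections that were DNATed (ctstate DNAT) forces the reply back via
    # the router, which rewrites the source back to 8.8.8.8.
    for proto in udp tcp; do
        printf 'iptables -t nat -A POSTROUTING -o %s -p %s -d %s --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE\n' \
            "$LAN_IF" "$proto" "$PIHOLE"
    done
}

# Number of rules the generator produces (2 DNAT + 2 MASQUERADE).
rule_count() {
    dns_redirect_rules | wc -l | tr -d ' '
}

# Print each rule; execute it only when APPLY=1 is set in the environment.
apply_rules() {
    dns_redirect_rules | while IFS= read -r rule; do
        echo "$rule"
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$rule"
        fi
    done
}

apply_rules
```

To verify after `APPLY=1 sh dns-redirect.sh` on the router: from a LAN client, `dig @8.8.8.8 doubleclick.net` (or any domain on the Pi-hole's block list) should now return the Pi-hole's answer rather than Google's, and `iptables -t nat -L PREROUTING -n -v` on the router should show the DNAT counters increasing. If the router's iptables lacks the `conntrack` match, drop `-m conntrack --ctstate DNAT` from the POSTROUTING rules; the cost is that the Pi-hole then logs the router's address as the client for every redirected query.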
