Safe access vs statically configured external DNS can something be done?

Currently reading
Safe access vs statically configured external DNS can something be done?

L

leriak

75
32
NAS
DS920+
Router
  1. WRX560
Operating system
  1. Linux
  2. Windows
Mobile operating system
  1. Android
  2. iOS
I finally got a synology router a few weeks ago. I did basic setup when it arrived and now I'm trying some deeper functionality.

In the runup to turning on safe access, I'm first monkeying with DNS and I've come to a halt, here's the problem.

I have piholes inside the lan for split zone dns, dhcp serves them as dns servers and everything works. Obviously if a device changes its dns to something different the piholes are bypassed, which is not desirable if safe access is to be used, I guess?.

Next I've activated the "Do not allow clients to use DoH servers", and sure, I had firefox in my PC configured to use Cloudflare DoH and now seems not use it.

Next step is to configure piholes to use Synology router as upstream server and activate DoH on the router (DNS over HTTPS: things to consider when you go “private”).
Now I have the router blocking acces to external DoH and serving dns to the piholes over DoH. Good for now.

But what about simple good'ol dns? well, as before, if I configure an static external server all above is sidesteppeds.

So what now? I go to firewall and block port 53 to all external ips... and done!! except, nope! The chromecast stops working (I already suspected it had a hardcoded dns and it would break), but also my samsung phone. It turns out the phone must use a hardcoded dns (no idea which one) when connecting to wifi to determine if there is internet connectivity, and it refuses to connect to the wifi.

I don't know if there is a setting to bypass the connectivity check, but I would rather not depend on individual devices to be set, if only for maintenance sake...

The only thing that occurs to me is to somehow redirect external traffic to port 53 to the piholes or the router itself, but I can't find a way to do it, and I don't know if it would even work.

Anyone has dealt with something like this?
 
Sort by date Sort by votes
User defined Destination NAT (DNAT) /Source NAT (SNAT) is what is needed.

My last router had this and made life simple:
  1. Setup DNS Piholes IP set in DHCP all clients get pointed for thier DNS.
  2. Add a DNAT rule to capture all requests heading out to an IP address that is NOT the Pihole(s) and send that request to the IP Address of Pihole(s)
  3. All devices trying to bypass the DHCP specified DNS servers on Port 53 TCP/UDP are redirected to the DHCP specified DNS servers/Piholes.
For Example:
IoT device 192.168.53.100 has a hardcoded DNS server 8.8.8.8, so it ignores the DHCP assigned IP for Pihole ( 10.20.30.40)​
  • IoT Request: SRC IP 192.168.53.100 DEST IP 8.8.8.8 Port 53 (TCP)
  • DNAT captures rewrites as:
    • SRC IP 192.168.53.100 DEST IP 10.20.30.40 Port 53 (TCP)
The Router remaps the request, its really very handy.

I have a similar setup but I don't use DoH on Synology. I have setup UNBOUND as a caching/forwarding server as the upstream for Pihole, takes up very little resource running alongside the Pihole. Now I have:
LAN Devices --> PIHOLE ---> UNBOUND <- DoT Port 853- TLS -> Quad9/Cloudflare
It's working really well, DoH is blocked on SRM and through a DoH blocklist on the pihole.

The best you can do at present restrict DNS as you have already done.
  • LAN > INTERNET ALLOW ROUTER + PIHOLES IP TCP/UDP 53/853
  • LAN > Pihole ALLOW ALL TCP/UDP 53
  • LAN > INTERNET DENY ALL TCP/UDP 53/853
Hope Synology add DNAT/SNAT rules to SRM, it one feature I am really missing.
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Register

Log in

Already have an account? Log in here.

Similar threads

P
Safe Access - "Please try again later"
On a Windows 10 Enterprise in Edge browser when I try to enter Safe Access it says the same, just more...
Replies
4
Views
587
PaUser
P
F
RT6600ax Safe access and NAS alert ?
Safe Access is an outbound access control mechanism, meaning that it controls requests coming from your...
Replies
5
Views
1,183
fredbert
fredbert
S
  • Question
RT2600ac Safe Access does not apply to wired computers on LAN. Is it only me?
Fredbert, thanks a lot! Your primary/secondary DNS configuration did the trick! Works!
Replies
7
Views
1,396
satcat66
S
X
Question about Safe Access, blocking sites, Cert errors and 3 non located security warning screens
I've already posted this in Synology official forum, but maybe here I get more help, or quicker :-) I'm...
Replies
0
Views
785
xvilar
X
K
RT2600ac Safe Access wired network issue
Interesting. It’s likely this is just a one off. It seems the wired devices I could see before the upgrade...
Replies
2
Views
1,575
klapidus
K
B
Safe Access for family security - advice
When you are considering about bridge mode in the exist Asus router then 2200 as primary managed router =...
Replies
5
Views
2,688
jeyare
jeyare
maravac
RT2600ac Safe Access on router and Pi-hole on NAS
From memory of setting up Safe Access: Safe Access intercepts DNS requests sent to the router and it...
Replies
2
Views
4,418
fredbert
fredbert

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Register

Trending threads

Back
Top