RogerSA
Dec 13, 2021 (Aspirant)
RBR20 service blocking blocks internal traffic
I have 3 piholes with unbound running on my internal network. I set up service blocks to only permit those 3 devices to connect to the internet via tcp/udp 53 and tcp 853 (DoH). But when I enable tho...
RogerSA
Dec 13, 2021 (Aspirant)
I can ping and ssh into the pihole devices just fine. It's DNS that's blocked by the router. I've verified it:
Ran dig a couple of ways: dig ebay.com times out. dig @192.168.1.225 ebay.com works fine (bypass the Orbi and direct connect to dns).
The Orbi knows the addresses of the piholes as DNS. It doesn't seem to know to direct traffic to them when it sees port 53 traffic--it just bit buckets it.
I'd move the piholes to the LAN that resides between my modem and the Orbi (running as a router) and do the service block on the modem but I fear the modem may operate the same as the Orbi and not let the traffic route to the piholes. Like the Orbi it lacks any sort of ACL capability that can instruct the router to, well, route to specific addresses.
Thanks for giving it a shot. Hopefully you'll figure out what I might be overlooking.
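A scripted version of the dig comparison in the post above, added here and not written by either poster. It sends a raw UDP DNS query with a short timeout to each resolver in turn, so a client behind the Orbi can see which DNS paths the service block actually drops and which it lets through. The resolver list (router, one Pi-hole, two public resolvers) and the test name are assumptions chosen to match the thread.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query for `name` (RD bit set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(resp: bytes, txid: int = 0x1234) -> dict:
    """Extract id match, QR bit, rcode and answer count from a DNS header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id_ok": rid == txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def probe(resolver: str, name: str = "ebay.com", timeout: float = 2.0) -> str:
    """Send one query to resolver:53/udp and classify what came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (resolver, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply (silently dropped on the path?)"
        except OSError as e:
            return f"error: {e}"
    r = parse_response(data)
    if not (r["id_ok"] and r["is_response"]):
        return "garbled reply"
    return f"answered rcode={r['rcode']} answers={r['answers']}"

# Assumed addresses: Orbi router, one Pi-hole, and two public resolvers.
RESOLVERS = ["192.168.1.1", "192.168.1.225", "1.1.1.1", "8.8.8.8"]

if __name__ == "__main__":
    for ip in RESOLVERS:
        print(f"{ip:>15}: {probe(ip)}")
```

Run it from a PC that is covered by the service block; a correctly enforced policy would leave only the Pi-hole entry answering, while "no reply" on the router and the public resolvers shows the block taking effect on that path.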
CrimpOn
Dec 13, 2021 (Guru - Experienced User)
I fear you may be onto something. Everyone went to the store, so I configured the Orbi to use my two Pi-hole DNS servers. I see on the Pi-hole administration interface that it is now receiving a stream of DNS queries from 192.168.1.1 (the Orbi router). So that part of the DNS business is working correctly. Then, I put a DNS block on a PC, and nothing gets resolved. The queries appear to 'die' at the Orbi.
Strangely enough, the other computer with a DNS block is merrily resolving against CloudFlare and Google.
My sense so far is:
- DNS appears to be 'special' as far as the Orbi router is concerned. When DNS requests hit the Orbi itself, it is happy to block them from reaching the Orbi DNS mechanism.
- When DNS requests are directed to different IP's, either on the local LAN or on the WAN, the Orbi router simply does not see them. They go right through. This entirely defeats the purpose of "Block Services".
What a cluster f**k.
Gotta put things back for a while. It is enormously frustrating not to have an answer for the question or to be able to reach anyone at Netgear who might know what is going on.
RogerSA
Dec 13, 2021 (Aspirant)
Thanks for giving it a shot. You're right, this is messed up. I suspect you're seeing traffic to CloudFlare and Google because they do DNS over HTTPS (tcp port 853). I guess the best we can do is block 853 and hope for the best.
Do better, Netgear.
CrimpOn
Dec 13, 2021 (Guru - Experienced User)
My block was like yours, both 53 and 853, and my ping was v4 (I did not add the /6 parameter).
This just sucks.