
I have a D-Link DIR-600L, and now I want to configure my router firewall to block outgoing packets to Google DNS servers (8.8.8.8 and 8.8.4.4) for TCP/UDP on port 53 (DNS). This is so that I can use Chromecast to watch Netflix outside the US.

You only need to put two rules on your router firewall to block outgoing packets to Google DNS servers (8.8.8.8 and 8.8.4.4) for TCP/UDP on port 53 (DNS). This way, Chromecast will get a timeout trying to reach Google DNS servers and will fall back to your router-defined DNS servers, and your Netflix or Hulu will work again!

In other words, this is what I aim to do:

What I need is a router capable of filtering outgoing connections, and every router I have seen can do this as part of the built-in firewall without need of flashing an alternate firmware that supports iptables (such as openwrt).

Please note that I am not looking for a solution such as routing the DNS request to a bogus gateway; that solution requires knowledge of the IP address (192.168.x.x), which, for the sake of this question, is unknowable.

Any idea how I can do this? If the D-Link router can't handle this, please suggest a consumer-grade router (such as TP-Link, ASUS, Netgear, etc., but not a DD-WRT or Tomato firmware router) that can do this. Please note that I am not looking at the iptables solution.

Resources:

  1. You can find a D-Link emulator here. Username: Admin, password: blank
Hennes
Graviton

7 Answers


Not sure if you'll find a solution to do that on your consumer-grade router. Essentially you need a server to sit in the middle of your connection, or a proxy to sit in the middle and intercept all traffic going to the Google DNS servers and rebuild the packets to redirect to an alternate destination.

I'm sure you looked into the windows HOSTS file, and realized that it will only supersede DNS requests, which is not going to help you here.

Looks like you'll need to sit a Linux or Server 2003+ machine between your server and the router. Take a look at IPv4 to IPv4 Interface PortProxying.

http://technet.microsoft.com/en-us/library/cc731068%28v=ws.10%29.aspx

beeks

The D-Link DIR-600 User Manual that you linked to describes the router's firewall on page 39.

The manual page is too brief to be sure, but you should be able to set up a firewall rule that will block these IP addresses.

harrymc

Sounds like you just want to block outgoing UDP to 8.8.8.8 and 8.8.4.4, which you should be able to do fine if your system DNS is not set to that (I guess Chromecast insists on using Google's DNS servers first? Did not know that).

You probably want to block TCP as well; I can't remember, but Google might take TCP replies on these IPs as well.

Of the manual you posted, page 39 is what you need.

  • Enable SPI
  • Don't worry about DMZ
  • You'll need to make 4 rules, set to Deny, one for protocol UDP, IP address 8.8.8.8, UDP 8.8.4.4, TCP 8.8.8.8 and TCP 8.8.4.4. (If it lets you specify "Both" for protocol, then that means TCP and UDP, and you only need two)
  • Port range should be 53 only, or 53 to 53 if it insists on making you specify two numbers
  • Save settings and restart router
  • Verify by opening cmd.exe on a system behind the router and typing nslookup google.com 8.8.8.8 - it should fail.
LawrenceC
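As an added illustration of the rule set in the answer above (this is example code written for this page, not anything from the thread or from D-Link's firmware), the following models the two "Deny / Both / port 53-53" rules, expands them into the four single-protocol rules for a UI that lacks a "Both" option, and evaluates constructed outbound flows against them. The Rule and Flow structures, the first-match semantics and the default "Allow" are assumptions of the model, not a description of the DIR-600's engine.

```python
"""Model of the outbound DNS deny rules described in the answer.

Added example for this page; the data structures and matching order are
constructed for illustration and are not D-Link's own implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Rule:
    action: str      # "Deny" or "Allow"
    protocol: str    # "TCP", "UDP" or "Both"
    dst_ip: str      # destination host address
    port_from: int   # destination port range start (53-53 = DNS only)
    port_to: int     # destination port range end


@dataclass(frozen=True)
class Flow:
    protocol: str    # "TCP" or "UDP"
    dst_ip: str
    dst_port: int


# Two rules with protocol "Both", as the answer suggests when the UI offers it.
GOOGLE_DNS_DENY = [
    Rule("Deny", "Both", "8.8.8.8", 53, 53),
    Rule("Deny", "Both", "8.8.4.4", 53, 53),
]


def expand_both(rules):
    """Return the four-rule form (TCP and UDP separately) for UIs without 'Both'."""
    expanded = []
    for r in rules:
        if r.protocol == "Both":
            expanded.append(Rule(r.action, "TCP", r.dst_ip, r.port_from, r.port_to))
            expanded.append(Rule(r.action, "UDP", r.dst_ip, r.port_from, r.port_to))
        else:
            expanded.append(r)
    return expanded


def matches(rule, flow):
    """True when protocol, destination address and destination port all match."""
    proto_ok = rule.protocol == "Both" or rule.protocol == flow.protocol
    return (proto_ok
            and ip_address(rule.dst_ip) == ip_address(flow.dst_ip)
            and rule.port_from <= flow.dst_port <= rule.port_to)


def decide(rules, flow, default="Allow"):
    """First matching rule wins; anything unmatched gets the default action (assumed)."""
    for r in rules:
        if matches(r, flow):
            return r.action
    return default


if __name__ == "__main__":
    # Constructed sample flows: the two Google resolvers on 53, and two that
    # the rules deliberately leave alone (another port, the LAN resolver).
    samples = [
        Flow("UDP", "8.8.8.8", 53),
        Flow("TCP", "8.8.4.4", 53),
        Flow("UDP", "8.8.8.8", 443),
        Flow("UDP", "192.168.0.1", 53),
    ]
    for f in samples:
        print(f, "->", decide(GOOGLE_DNS_DENY, f))
    print(len(expand_both(GOOGLE_DNS_DENY)), "rules after expansion")
```

The point the port range makes is visible in the third sample: a rule restricted to 53-53 only matches DNS on port 53, so traffic to the same address on any other port is untouched, and queries to the router's own LAN resolver are never affected.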

The only two options that may work with this router are: Advanced / Routing - Which you said you don't want to do.

Or Advanced / Inbound Filtering, if you can figure out what IP address Google will return information to your Chromecast on. It would likely be the same, 8.8.8.8 and 8.8.4.4, but there is probably some load-balancing magic going on there.

So that leaves Advanced / Routing. Can you route traffic to a LAN IP address with that router? Try routing it to a non-existent host on your local subnet: 8.8.8.8/255.255.255.255, and your next hop would be something like 192.168.0.253 if you are using factory settings.

Otherwise, you need to invest in a different router that is more capable.

I would perhaps recommend the Buffalo AirStation N150. I have had reasonable success with them in the past, and I have been able to load dd-wrt/openwrt when I have been so inclined.

Refer to page 56 in its manual, second link below. Operation should be drop or ignore, direction lan-->internet, source 0.0.0.0, destination 8.8.8.8, protocol all.

http://www.buffalotech.com/products/wireless/single-band-routers/airstation-n150-wireless-router
http://cdn.cloudfiles.mosso.com/c85091/WCR-GN-Manual.pdf

David

You don't need to know any specific IP address in the local network to route these addresses to a bogus gateway.

From Wikipedia:

In the Internet Protocol version 4 the address 0.0.0.0 is a non-routable meta-address used to designate an invalid, unknown or non applicable target.

A typical implementation used in the field is to route the destination hosts (8.8.8.8, 8.8.4.4) towards 0.0.0.0.

This is called a Null route.

Squeezy
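To show why the route-based answers (David's route to a non-existent LAN host, and the null route to 0.0.0.0 above) work without touching other traffic, here is an added example of longest-prefix-match lookup over a constructed routing table. It is written for this page and is not code from the thread or from any router vendor; the table entries, the LAN subnet, the treatment of a 0.0.0.0 next hop as "drop", and the sample destinations are all assumptions of the model.

```python
"""Longest-prefix-match lookup with /32 null routes for the Google resolvers.

Added example for this page. The routing table below is constructed; a next
hop of 0.0.0.0 is interpreted as 'drop', following the null-route idea in the
answer, and is not a claim about any particular router's behaviour.
"""
from ipaddress import ip_address, ip_network

# Constructed table: (destination network, next hop). None = directly connected.
ROUTES = [
    (ip_network("0.0.0.0/0"), ip_address("192.168.0.1")),   # default route via the router
    (ip_network("192.168.0.0/24"), None),                   # local LAN (assumed subnet)
    (ip_network("8.8.8.8/32"), ip_address("0.0.0.0")),      # null route for Google DNS
    (ip_network("8.8.4.4/32"), ip_address("0.0.0.0")),      # null route for Google DNS
]


def lookup(table, dst):
    """Return the (network, next_hop) entry with the longest matching prefix."""
    dst = ip_address(dst)
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def next_hop(table, dst):
    """Classify the outcome: DROP for a null route, LOCAL for a connected
    network, the gateway address otherwise, or UNREACHABLE with no match."""
    route = lookup(table, dst)
    if route is None:
        return "UNREACHABLE"
    net, hop = route
    if hop is None:
        return "LOCAL"
    if hop == ip_address("0.0.0.0"):
        return "DROP"
    return str(hop)


if __name__ == "__main__":
    # Constructed sample destinations: the two resolvers, a neighbouring
    # address that is not null-routed, and a LAN host.
    for dst in ("8.8.8.8", "8.8.4.4", "8.8.8.9", "192.168.0.50"):
        print(dst, "->", next_hop(ROUTES, dst))
```

Because the /32 entries are more specific than the /0 default, they win the lookup for exactly those two hosts; a neighbouring address such as 8.8.8.9 still follows the default route, which is what makes a host route a narrow block rather than a blanket one. The same lookup applies if the next hop is a non-existent LAN address instead of 0.0.0.0; only the final handling of the packet differs.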

A simple way to block any DNS address is to add it to the WEBSITE FILTER on the D-Link router. I use it to block some IP blocks from my online gaming.

Matt

As beeks said, it's not possible with your D-Link official software, and maybe you need a Linux server to redirect the traffic.

But I think you can upgrade your router using DD-WRT. It's an alternative firmware for your router, offering a lot more possibilities. Maybe it can help you. The link to the wiki for your router is: http://www.dd-wrt.com/wiki/index.php/DIR-600

Gp2mv3