Asus wifi AP re-writing DNS packets

Anurag Bhatia me at anuragbhatia.com
Wed Oct 28 20:33:43 UTC 2020


On Thu, Oct 29, 2020 at 1:54 AM Ryan Hamel <ryan at rkhtech.org> wrote:

> I'm curious to know why they would add such a thing,
>
No idea

> and how you got the iptables rules from the device. Do these Asus routers
> provide SSH directly into the shell?
>
Yes, it does.


The input/output/forward chains are empty as one would expect but looking
at PREROUTING:

anurag at RT-AC58U:/tmp/home/root# iptables -t nat  -L PREROUTING -v -n
Chain PREROUTING (policy ACCEPT 751K packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination
 361K   25M DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.16.0.6:53
anurag at RT-AC58U:/tmp/home/root#

Note: 172.16.0.6 is the management IP of the Asus AP.





> Ryan
> On Oct 28 2020, at 11:33 am, Anurag Bhatia <me at anuragbhatia.com> wrote:
>
> Hello,
>
> Wondering if anyone from Asus is here, or anyone who could connect me to the
> developers there?
>
> I am using an Asus RT-AC58U in Access Point (AP) mode and expect it to simply
> bridge wired with wireless, but it seems like it's re-writing DNS packets'
> source as well as destination.
>
>
>    1. DNS port 53 traffic going out, the source is re-written with the
>    management IP of the AP on the LAN. So virtually all DNS traffic hits the
>    router from the (management) IP of the Asus AP instead of real clients.
>
>    2. If I define DNS as x.x.x.x on DHCP, the Asus AP picks that up and
>    re-writes destination to x.x.x.x and hence even if any client uses y.y.y.y,
>    the packets are simply re-written.
>
>
> I see the rule in iptables on the Asus AP. All these issues give the impression that
> someone created AP mode (besides regular routing mode) and forgot to
> disable the DNS-related NATing features in AP mode. So far my
> discussions with their support have been going quite slowly, and I would greatly
> appreciate it if someone could connect me to the right folks there so they can
> release a firmware fix for it.
>
>
>
> Thanks.
>
> --
> Anurag Bhatia
> anuragbhatia.com
>
>

-- 
Anurag Bhatia
anuragbhatia.com
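An added check (not part of the thread, and not Asus firmware code) that does on the operator's side what Anurag did by hand: it parses `iptables -t nat -L <chain> -v -n` output and flags any DNAT/SNAT/REDIRECT/MASQUERADE rule that matches port 53, so a device that is supposed to be a transparent bridge can be audited for DNS rewriting in one step. The PREROUTING sample is the rule from the thread with its wrapped lines rejoined; the POSTROUTING sample is constructed here to show what the source rewrite described in the first message would look like, alongside an unrelated rule that must not be flagged.

```python
"""Flag NAT rules that rewrite DNS (port 53) in `iptables -t nat -L -v -n` output.

A device in pure AP/bridge mode has no business with a nat table at all, so
any DNAT/SNAT/REDIRECT/MASQUERADE rule that matches dpt:53 or spt:53 is a
finding. Run `iptables -t nat -L PREROUTING -v -n` and the same for
POSTROUTING on the device, then feed the text to find_dns_rewrites().
"""
import re

# PREROUTING output copied from the thread (wrapped lines rejoined).
SAMPLE_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 751K packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination
 361K   25M DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.16.0.6:53
"""

# Constructed sample (not from the thread): a source rewrite of outgoing DNS to
# the AP's management IP, plus an ordinary LAN masquerade that is not DNS-specific.
SAMPLE_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 900K packets, 150M bytes)
 pkts bytes target     prot opt in     out     source               destination
 361K   25M SNAT       udp  --  *      br0     0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.16.0.6
  12K  800K MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
"""

NAT_TARGETS = {"DNAT", "SNAT", "REDIRECT", "MASQUERADE", "NETMAP"}
# Matches "dpt:53", "spt:53" and ranges such as "dpts:1024:65535".
PORT_RE = re.compile(r"\b[sd]pts?:(\d+)(?::(\d+))?")


def parse_nat_chain(text):
    """Parse the fixed-column `-L -v -n` listing into one dict per rule."""
    rules = []
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain PREROUTING (policy ...)"
            continue
        if line.startswith("pkts "):         # column header
            continue
        cols = line.split()
        if len(cols) < 9:                    # malformed or truncated line
            continue
        rules.append({
            "chain": chain,
            "pkts": cols[0], "bytes": cols[1], "target": cols[2],
            "prot": cols[3], "in": cols[5], "out": cols[6],
            "source": cols[7], "destination": cols[8],
            # Match extensions and target options ("udp dpt:53 to:1.2.3.4:53").
            "extra": " ".join(cols[9:]),
        })
    return rules


def _touches_port(extra, port):
    """True if any sport/dport match in the rule covers `port`."""
    for m in PORT_RE.finditer(extra):
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo <= port <= hi:
            return True
    return False


def find_dns_rewrites(text, port=53):
    """Return NAT rules that explicitly match `port` (53 = DNS) and rewrite
    the address. The rewrite destination, if printed, is exposed as "to".
    A blanket MASQUERADE with no port match also rewrites DNS sources, but
    it is not DNS-specific, so it is left for a separate review of the chain."""
    findings = []
    for rule in parse_nat_chain(text):
        if rule["target"] not in NAT_TARGETS:
            continue
        if not _touches_port(rule["extra"], port):
            continue
        to = re.search(r"\bto:(\S+)", rule["extra"])
        findings.append(dict(rule, to=to.group(1) if to else None))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PREROUTING, SAMPLE_POSTROUTING):
        for f in find_dns_rewrites(sample):
            print(f"{f['chain']}: {f['target']} {f['prot']} port 53 "
                  f"-> {f['to']} ({f['pkts']} packets)")
```

Run it against the real listings from a device and an empty result is what an AP in bridge mode should produce; a hit in PREROUTING means clients' chosen resolver is being overridden, and a hit in POSTROUTING means the upstream resolver sees every query coming from the AP instead of the real client, which is exactly the two symptoms the thread describes.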