Asus wifi AP re-writing DNS packets

TJ Trout tj at pcguys.us
Wed Oct 28 20:47:04 UTC 2020


Have you tried disabling the 'redirect when WAN down' feature? I'm guessing
they hijack the DNS to redirect the user to a captive portal "your internet
is down" error page, possibly?

On Wed, Oct 28, 2020 at 1:42 PM Anurag Bhatia <me at anuragbhatia.com> wrote:

> I tried deleting the rule and it drops the traffic completely. So DNS
> resolution stops working and I am unsure why. It's not like a default drop or
> anything. I can edit the rule, and whatever active port 53 related rule is
> there works. But I want the case of no such rule at all. :-)
>
>
> I set up Pi-hole on an Intel NUC a little while ago, and all Pi-hole gets is 100%
> of the WiFi client traffic behind the Asus WiFi management IP. :-\
>
>
> Plus, no matter what DNS I put, queries go via whatever the router gave out
> when the Asus booted up.
>
>
> Here's how creepy it gets:
>
> On the Raspberry Pi (which is not behind the Asus AP but on a different switch):
>
> anurag at raspberrypi:~ $ dig whoami.akamai.com @1.1.1.1 a +short
> whoami.akamai.net.
> 162.158.226.218
> anurag at raspberrypi:~ $ dig whoami.akamai.com @8.8.8.8 a +short
> whoami.akamai.net.
> 172.253.244.3
> anurag at raspberrypi:~ $ dig whoami.akamai.com @9.9.9.9 a +short
> whoami.akamai.net.
> 103.224.242.10
> anurag at raspberrypi:~ $
>
> All normal and good.
>
>
>
> Now, from the device (which is behind Asus AP):
>
>  ~> dig whoami.akamai.net @1.1.1.1 a +short
> 172.217.34.65
>
> ~> dig whoami.akamai.net @8.8.8.8 a +short
> 172.217.34.65
>
> ~> dig whoami.akamai.net @9.9.9.9 a +short
> 172.217.34.65
>
> dig whoami.akamai.net @1.2.3.4 a +short
> 172.217.34.65
>
> dig whoami.akamai.net @5.6.7.8 a +short
> 172.217.34.65
>
>
> Essentially the Asus picked 8.8.8.8 because I put that in during the test and
> rebooted the AP. It will stick with 8.8.8.8 until the DHCP lease expires and a
> new server is provided.
>
>
> On Thu, Oct 29, 2020 at 2:01 AM Neil Hanlon <neil at shrug.pw> wrote:
>
>> And if so, can you set up your own service to remove their iptables rule
>> after it's been added or otherwise counteract it.
>>
>> At least temporarily, anyways.
>>
>> -Neil
>>
>> On Wed, Oct 28, 2020 at 4:26 PM Ryan Hamel <ryan at rkhtech.org> wrote:
>>
>>> I'm curious to know why they would add such a thing, and how you got the
>>> iptables rules from the device. Do these Asus routers provide SSH directly
>>> into the shell?
>>>
>>> Ryan
>>> On Oct 28 2020, at 11:33 am, Anurag Bhatia <me at anuragbhatia.com> wrote:
>>>
>>> Hello,
>>>
>>> Wondering if anyone from Asus is here, or anyone who could connect me to the
>>> developers there?
>>>
>>> Using an Asus RT-AC58U in Access Point (AP) mode, I expect it to simply
>>> bridge wired with wireless, but it seems like it's re-writing DNS packets'
>>> source as well as destination.
>>>
>>>
>>>    1. DNS port 53 traffic going out, the source is re-written with the
>>>    management IP of the AP on the LAN. So virtually all DNS traffic hits the
>>>    router from the (management) IP of the Asus AP instead of real clients.
>>>
>>>    2. If I define DNS as x.x.x.x on DHCP, the Asus AP picks that up and
>>>    re-writes destination to x.x.x.x and hence even if any client uses y.y.y.y,
>>>    the packets are simply re-written.
>>>
>>>
>>> I see the rule in iptables on the Asus AP. All these issues give the idea
>>> that someone created AP mode (besides regular routing mode) and missed
>>> disabling the DNS-related NATing features in AP mode. So far my
>>> discussions with their support have been going quite slowly, and I would greatly
>>> appreciate it if someone could connect me to the right folks there so they can
>>> release a firmware fix for it.
>>>
>>>
>>>
>>> Thanks.
>>>
>>> --
>>> Anurag Bhatia
>>> anuragbhatia.com
>>>
>>>
>
> --
> Anurag Bhatia
> anuragbhatia.com
>
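The test Anurag ran by hand (dig whoami.akamai.net through several resolvers, including addresses that are not resolvers at all, and compare the answers) is easy to script and is a good generic check for transparent port 53 interception on any network. The block below is an added example, not code from the thread or from Asus: whoami.akamai.net answers with the source address the authoritative server saw, i.e. the egress of whichever resolver actually asked, so three different public resolvers should report three different addresses, and an address that runs no DNS service at all should not answer. The sample dig +short outputs are constructed to mirror the two captures in the thread; 1.2.3.4 and 5.6.7.8 are assumed, as in the original test, to be addresses with no resolver behind them.

```python
"""Detect transparent DNS interception with whoami.akamai.net.

Added example (not from the NANOG thread). Queries several resolvers,
including two addresses assumed NOT to run DNS, and flags two symptoms:
  1. a non-resolver answered at all  -> something DNATs port 53;
  2. distinct real resolvers report the same egress -> every query
     ends up at one resolver regardless of the destination a client chose.
"""
from __future__ import annotations

import ipaddress
import subprocess
from typing import Optional

# Public resolvers with distinct egress ranges, plus two addresses assumed
# (as in the thread's own test) to run no DNS service whatsoever.
REAL_RESOLVERS = ("1.1.1.1", "8.8.8.8", "9.9.9.9")
BOGUS_RESOLVERS = ("1.2.3.4", "5.6.7.8")
WHOAMI = "whoami.akamai.net"


def parse_dig_short(output: str) -> Optional[str]:
    """Return the A record from `dig ... a +short` output, or None.

    +short prints one answer RR per line; when the name is a CNAME (the
    thread queried whoami.akamai.com) the target 'whoami.akamai.net.'
    precedes the address and must be skipped. A timeout prints nothing.
    """
    for line in output.splitlines():
        try:
            return str(ipaddress.IPv4Address(line.strip()))
        except ValueError:  # CNAME target, blank line, garbage
            continue
    return None


def query(resolver: str, name: str = WHOAMI, timeout: int = 2) -> Optional[str]:
    """Run a live dig against one resolver (needs dig and network; not used
    by the offline samples below)."""
    cmd = ["dig", f"@{resolver}", name, "a", "+short",
           f"+time={timeout}", "+tries=1"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 3).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_dig_short(out)


def analyse(answers: dict[str, Optional[str]]) -> list[str]:
    """Map resolver -> parsed answer (None = no reply) to a list of findings.
    An empty list means nothing on the path looks like it is touching DNS."""
    findings: list[str] = []
    for r in BOGUS_RESOLVERS:
        if answers.get(r) is not None:
            findings.append(f"{r} runs no resolver but answered with "
                            f"{answers[r]}: port 53 is being redirected")
    real = {r: a for r, a in answers.items()
            if r in REAL_RESOLVERS and a is not None}
    if len(real) >= 2 and len(set(real.values())) == 1:
        egress = next(iter(real.values()))
        findings.append(f"{', '.join(sorted(real))} all report egress {egress}: "
                        "queries reach one resolver regardless of destination")
    return findings


def check_sample(raw: dict[str, str]) -> list[str]:
    """Run the analysis over captured dig +short outputs."""
    return analyse({r: parse_dig_short(o) for r, o in raw.items()})


def check_live() -> list[str]:
    """Same analysis against the network this host is on."""
    return analyse({r: query(r) for r in REAL_RESOLVERS + BOGUS_RESOLVERS})


# Constructed samples mirroring the thread's two captures.
# Raspberry Pi, not behind the AP: distinct egresses, bogus resolvers time out.
PI_SAMPLE = {
    "1.1.1.1": "whoami.akamai.net.\n162.158.226.218\n",
    "8.8.8.8": "whoami.akamai.net.\n172.253.244.3\n",
    "9.9.9.9": "whoami.akamai.net.\n103.224.242.10\n",
    "1.2.3.4": "",
    "5.6.7.8": "",
}
# Client behind the Asus AP: every destination, real or not, yields the same egress.
AP_SAMPLE = {r: "172.217.34.65\n"
             for r in REAL_RESOLVERS + BOGUS_RESOLVERS}

if __name__ == "__main__":
    for label, sample in (("pi", PI_SAMPLE), ("behind-ap", AP_SAMPLE)):
        print(label, check_sample(sample) or ["clean"])
```

Run check_live() from a client behind the AP and from a host on the wired side to reproduce the comparison; the second symptom on its own can also be produced by an upstream ISP redirect, so the bogus-resolver check is the one that pins the rewrite to a middlebox rather than to a resolver's anycast behaviour.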