Local DNS server for WAN = instant ACK scans

DD-WRT Forum Index -> Advanced Networking

Author: MonarchX (DD-WRT User, joined 26 Sep 2009, 119 posts)
Posted: Sun Oct 17, 2021 11:20
Subject: Local DNS server for WAN = instant ACK scans
If I use my local DNS server (10.1.1.1) with DNS-over-HTTPS for WAN DNS, then my router and Android devices instantly show consistent packet drops for the IPTables rule (which forces new connections to start with SYN):
Code:
# The original post wrote "-I INPUT #", with "#" standing in for the rule number;
# "-I INPUT N" inserts at position N, and without N the rule goes to the top of the chain.
iptables -I INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

I think it is called an ACK service scan. It happens as soon as I change the public DNS server IP (1.1.1.1) to the private DNS server IP (10.1.1.1).

The local DNS server (10.1.1.1) with the same rule does not show dropped packets for that rule. This happens only on the router itself and on rooted Android phones with custom IPTables rules that include the above-mentioned rule.

There are 2 ways to stop these ACK scans:
1. Change back to using the public DNS server IP for WAN DNS.
2. Continue using the local DNS server for WAN DNS, but drop packets with destination UDP port 53 on the router's localhost interface and WAN interface in INPUT, FORWARD, and OUTPUT, which works out because DNS-over-HTTPS uses TCP port 443.

Any idea why I get these ACK scans as soon as I start using the local DNS server for WAN DNS?
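Before treating hits on a `! --syn --ctstate NEW` rule as a scan, it is worth looking at what the dropped packets actually are: a non-SYN packet that conntrack calls NEW is very often the continuation of a TCP session whose conntrack entry was lost (timed out, flushed, or created before the rule was active), and reply segments from a DoH/DoT server arrive from source port 443/853. A real ACK scan (nmap -sA) looks different: bare ACKs with no payload from one source fanning out over many destination ports. The script below is an added example, not code from the post or from DD-WRT. It assumes a LOG rule with the hypothetical prefix `NONSYN-NEW: ` was inserted directly above the DROP (`iptables -I INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "NONSYN-NEW: "`), parses the netfilter LOG lines from `logread`/`dmesg`, and labels each source. The log lines, interface names (eth0, vlan2) and addresses are constructed for the example.

```python
"""Classify packets dropped by a non-SYN NEW iptables rule (added example).

Assumes a LOG rule (hypothetical prefix "NONSYN-NEW: ") sits above the DROP.
The sample log below is constructed; it is not output from the original post.
"""
from collections import defaultdict

# Tokens the netfilter LOG target prints without a value: TCP flags and the IP DF bit.
FLAG_TOKENS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "DF"}
# Ports a DNS / DoH / DoT server answers from; its reply segments carry them as SPT.
SERVER_PORTS = {53, 443, 853}
PREFIX = "NONSYN-NEW: "  # assumed --log-prefix on the LOG rule

# Constructed sample: three reply segments from the local DNS/DoH server (10.1.1.1)
# on the LAN side, four bare-ACK probes from one Internet host on the WAN side (vlan2),
# and one unrelated kernel line that the parser must ignore.
SAMPLE_LOG = """\
kernel: NONSYN-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.1 DST=10.1.1.254 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=41532 WINDOW=501 RES=0x00 ACK PSH URGP=0
kernel: NONSYN-NEW: IN=eth0 OUT= SRC=10.1.1.1 DST=10.1.1.254 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=41532 WINDOW=501 RES=0x00 ACK URGP=0
kernel: NONSYN-NEW: IN=eth0 OUT= SRC=10.1.1.1 DST=10.1.1.254 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=41540 WINDOW=501 RES=0x00 ACK FIN URGP=0
kernel: eth0: link is up
kernel: NONSYN-NEW: IN=vlan2 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3254 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
kernel: NONSYN-NEW: IN=vlan2 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3255 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
kernel: NONSYN-NEW: IN=vlan2 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3256 PROTO=TCP SPT=54321 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0
kernel: NONSYN-NEW: IN=vlan2 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3257 PROTO=TCP SPT=54321 DPT=3389 WINDOW=1024 RES=0x00 ACK URGP=0
"""


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict, or return None for non-matching lines."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    pkt = {"flags": set()}
    for tok in body.split():
        if tok in FLAG_TOKENS:
            pkt["flags"].add(tok)
        elif "=" in tok:                 # key=value pairs; "OUT=" has an empty value
            key, value = tok.split("=", 1)
            pkt[key] = value
    if pkt.get("PROTO") != "TCP":        # the rule only matches TCP
        return None
    for key in ("SPT", "DPT", "LEN"):
        pkt[key] = int(pkt[key])
    return pkt


def classify(log_text, scan_min_ports=3):
    """Group dropped packets by source address and label each source.

    stale-session: every packet comes from a server port to an ephemeral port and at
        least one carries payload or PSH/FIN/RST, i.e. the tail of a TCP session whose
        conntrack entry the router no longer has. Not an attack.
    ack-scan: bare ACKs without payload spread over several destination ports from one
        source, the shape of an nmap -sA probe.
    unclassified: anything else; inspect the raw lines.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt:
            by_src[pkt["SRC"]].append(pkt)

    verdicts = {}
    for src, pkts in by_src.items():
        dports = {p["DPT"] for p in pkts}
        # LEN <= 60 is a heuristic for "headers only" (20-byte IP + TCP with a few options).
        bare_ack = all(p["flags"] & {"SYN", "ACK", "PSH", "FIN", "RST"} == {"ACK"}
                       and p["LEN"] <= 60 for p in pkts)
        from_server = all(p["SPT"] in SERVER_PORTS and p["DPT"] >= 1024 for p in pkts)
        session_tail = any(p["LEN"] > 60 or p["flags"] & {"PSH", "FIN", "RST"} for p in pkts)
        if from_server and session_tail:
            verdicts[src] = "stale-session"
        elif bare_ack and len(dports) >= scan_min_ports:
            verdicts[src] = "ack-scan"
        else:
            verdicts[src] = "unclassified"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

On the router, feed it real output (`logread | grep NONSYN-NEW`) instead of the constructed sample. If the dropped traffic is labelled stale-session and comes from the local DNS server's port 443 or from the DoH upstream, the rule is discarding the tail of legitimate sessions rather than blocking a scan, and the fix belongs in conntrack timeouts or rule ordering, not in dropping UDP 53.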