[ricewithpig]

i have a clean browsing dns in my router cisco e900 but is too easy for mobile and pc changing the dns by the network config so, i wanna know how to prevent users from changing dns server from ther devices i was looking and i find this
https://support.opendns.com/hc/en-us/articles/227988027-How-to-prevent-users-from-circumventing-OpenDNS-using-firewall-rules

and this
https://community.spiceworks.com/topic/1845518-gpo-prevent-users-from-changing-dns
that said me block 53 port for every dns and allow port 53 for the open dns (i want clar browsing instead)

but i dont know how to do it in my router i wanna install dd wrt on my router but i dont know how to do it in dd wrt either i need help please

[egc]

Welcome to the forum

To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

If you have not already read the forum guidelines, please do !!

Begin with telling us not only your router model but also your DDWRT build number and used Kernel.

I will transfer this question to the appropriate Advanced Networking Forum

[eibgrad]

DD-WRT has an option on the Setup page called "Forced DNS Redirection" for these purposes.

Whether you rely on your ISP's DNS servers, or provide your own custom DNS servers (e.g., OpenDNS), these get added as public DNS servers to the router's own DNS server called DNSMasq (functioning as a local proxy). And by default, your clients are configured w/ its LAN ip (e.g., 192.168.1.1) as their DNS server. The "Forced DNS Redirection" option creates firewall rules to redirect any rogue DNS queries back to the router's DNS server.

But beware, we're only talking about traditional DNS here (i.e., udp/tcp port 53). We now have many apps (esp. browsers) that are implementing their own DNS configuration, typically using DoH solutions (i.e., non traditional DNS), and enabled by default. This has the effect of completely bypassing the router's DNS server, w/ no means to intercept it w/ firewall rules, since it looks like ordinary https (i.e., encrypted) traffic.

I'm not saying you shouldn't use the feature, but it may NOT be all that effective in many cases. The momentum in the industry is clearly moving towards more privacy, making this kind of administrative/parental control increasingly difficult, if not eventually impossible, and regardless which router firmware you use (oem or third-party).

[ricewithpig]

thanks so much for the answer the problem is so bad the parental control must be necesary