Joined: 26 Sep 2009
|Posted: Sun Oct 17, 2021 11:20 Post subject: Local DNS server for WAN = instant ACK scans
|If I use my local DNS server (10.1.1.1) with DNS-over-HTTPS for WAN DNS, then my router and Android devices instantly show consistent packet drop for IPTables rule (which forces new connections to start with SYN):
|iptables -I INPUT # -p tcp ! --syn -m conntrack --ctstate NEW -j DROP |
I think it is called an ACK service scan. It happens as soon as I change public DNS server IP (22.214.171.124) to private DNS server IP (10.1.1.1).
The local DNS server (10.1.1.1) with the same rule does not show dropped packets for that rule. This happens only on router itself and rooted Android phones with custom IPTables that include the above-mentioned rule.
There are 2 ways to stop these ACK scans:
1. Change back to using public DNS server IP for WAN DNS.
2. Continue using local DNS server for WAN DNS, but drop destination UDP port 53 packets for router localhost interface and router WAN port interface INPUT, FORWARD, and OUTPUT, which works out because DNS-over-HTTPS uses TCP port 443.
Any idea why I get these ACK scans as soon as I start using local DNS server for WAN DNS?