DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

LAN DNS forwarding

  • johnpa7
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
08 Mar 2023 10:34 #102288 by johnpa7
LAN DNS forwarding was created by johnpa7
I have a number of IOT things.

I setup a firewall rule

Direction Lan/RT/VPN -> Wan

Source IP 192.168.0.170~192.168.0.225 Filter Block immediately
In the syslog I then get multiple entries of devices continually attempting to connect to time.google.com. To such an extent the log rapidly fills up.

I then setup LAN DNS Resolution / Conditional DNS Forwarding

time.google.com redirect to 192.168.0.37 << Synology NAS with time service enabled
The number of entries trying to connect to time.google.com falls dramatically from 1 per second to once every 2 hours

If I ping time.google.com it resolves to 192.168.0.37

If enter w32tm /stripchart /computer:time.google.com /dataonly /samples:1
returns
Tracking time.google.com [192.168.0.37:123]. << My router redirecting
Collecting 1 samples.
The current time is 08/03/2023 10:22:34.
10:22:34, +00.0226190s


Yet in In the syslog I get

[192.168.0.183](https://192.168.0.183) DNS -> [8.8.8.8](https://8.8.8.8) inquire [time.google.com](https://time.google.com)

[192.168.0.181](https://192.168.0.181) DNS -> [208.67.222.222](https://208.67.222.222) inquire [time.google.com](https://time.google.com)

Somehow the device issue an https command that is not redirect


It would appear the device not being redirect to local time server.



I am at a loss how to proceed. Any help would be grateful

Router is Vigor 2962
Draytek Switch G2280X
Ap 903
AP 1000c
Ap 802

Please Log in or Create an account to join the conversation.

More
08 Mar 2023 12:23 #102290 by bookit
Replied by bookit on topic Re: LAN DNS forwarding
There is a response to your post on Reddit.

Please Log in or Create an account to join the conversation.

More
08 Mar 2023 12:47 #102291 by pharcyder
Replied by pharcyder on topic Re: LAN DNS forwarding
What is the desired outcome you are looking for as its not clear?

Please Log in or Create an account to join the conversation.

  • johnpa7
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
08 Mar 2023 13:30 #102292 by johnpa7
Replied by johnpa7 on topic Re: LAN DNS forwarding
The object is to prevent a range of addresses accessing the internet.
When I block the range 192.168.0.175 ~ 192.168.0.225

The devices in this range continually try to connect to time.google.com, almost every second. Resulting in thousands of requests.
I take this as proof the firewall block works

Therefore I set up DNS forwarding for time.google.com to redirect to 192.168.0.37 synology DSM22+ with NTP service running.

Yet when I check the log there is a DNS request
[192.168.0.183](https://192.168.0.183) DNS -> [8.8.8.8](https://8.8.8.8) inquire [time.google.com](https://time.google.com)

The devices now only poll the time sever every 2 hrs. I would prefer they obtained the time from the synology.

Thanks for responding

Please Log in or Create an account to join the conversation.

More
10 Mar 2023 17:34 #102301 by pharcyder
Replied by pharcyder on topic Re: LAN DNS forwarding
If it were me, I would either add something to the local hosts file on the devices you want to re-direct so that time.google.com resolves to your Synology IP or deploy a name server like a Pihole and resolve time.google.com to your Synology there.

Please Log in or Create an account to join the conversation.

  • johnpa7
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
14 Mar 2023 08:41 #102308 by johnpa7
Replied by johnpa7 on topic Re: LAN DNS forwarding
Hi thanks for the reply, the devices which are using time.google.com are part of IoT such as light switches, smart sockets. Therefore I don't have access to the host file.

I have setup in the Lan DNS/Dns forwarding on the 2962.
which forwards local requests to time.google.com to 192.168.0.37
When I ping time.google.com returns
ping time.google.com

Pinging time.google.com [192.168.0.37] with 32 bytes of data:
Reply from 192.168.0.37: bytes=32 time=1ms TTL=64
Reply from 192.168.0.37: bytes=32 time=114ms TTL=64

192.168.0.37 is the synology running NTP service. Unfortunately there is no log function, so I can't confirm the smart switches connect to the NTP service.

From draytek log

192.168.0.190 DNS -> 8.8.8.8 inquire time.google.com

The device appears to bypass the DNS settings, an early reply from another member. mentioned a type 65 DNS request maybe the cause. Something apple implemented. I am not clear what that actually is. Perhaps a PI hole could circumvent this.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami