DNS content filter does not block Quad9

Using firmware 8.5.0 build 5636 on a B One, having listed DNS in the Application Blocking section, I still get replies to plaintext UDP and TCP queries on the alternate ports documented at Services - Quad9 Documentation.

$ dig @9.9.9.9 -p 9953 www.peplink.com +time=1

; <<>> DiG 9.10.6 <<>> @9.9.9.9 -p 9953 www.peplink.com +time=1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65101
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.peplink.com.		IN	A

;; ANSWER SECTION:
www.peplink.com.	300	IN	A	104.25.205.4
www.peplink.com.	300	IN	A	172.67.65.72
www.peplink.com.	300	IN	A	104.25.204.4

;; Query time: 55 msec
;; SERVER: 9.9.9.9#9953(9.9.9.9)
;; WHEN: Sat Aug 31 09:41:11 EDT 2024
;; MSG SIZE  rcvd: 92

Yeah. Other common DNS providers such as Cloudflare are also not blocked:

Felipe, thanks for your response. To clarify, the thread you cited is about encrypted DNS and this thread is about plaintext DNS.

I’m sorry. I didn’t catch that.

@Felipe_Rubio ,

For TLS/HTTPS (encrypted), I will check on that and update again. Potentially it can be related to TLS 1.3, which may cause issues for the detection.

@Daniel_Eble ,
For DNS in the Application Blocking, it will only detect/inspect UDP/TCP 53 traffic. Can you please help to verify it and check whether it works for you?

Custom port detection: potentially this will be considered as a feature improvement.

Seeing that we are working to block known DNS servers, do you think Outbound Firewall Rules would be the best tool to block such traffic?

@sitloongs, thank you for your reply, especially for the information that “DNS application blocking” is just blocking port 53. That is consistent with what I have seen.

To Peplink generally: The user-manual description of Application Blocking is short enough to quote in full:

Application Blocking

Choose applications to be blocked from LAN/PPTP/SpeedFusion VPN peer clients’ access, except for those on the Exempted User Groups or Exempted Subnets defined below.

A reasonable person can infer from that description (bolstered by its placement among “Content Blocking” settings) that the feature is something more than blocking port 53.

I spent a lot of time testing this DNS issue before starting this thread because I want to respect everyone’s time by reporting only problems that are likely to be a product issue. I wish Peplink had had enough respect for my time and my duty to the people and property on my network to include in the documentation what @sitloongs adequately described in less than ten words: “it will only detect/inspect UDP/TCP 53 traffics.”

If I had known that from the start, I would have gone straight to the outbound firewall rules instead, which are more flexible and have a better interface. In doing so, I would have achieved more with less effort.

I hope this feedback comes across as friendly and constructive. I’m working hard to try to keep it that way. Knowing that I’m not the first person to mention the state of your documentation is one of the things making that difficult. Please work on it. In its current form, it looks like promising more than you can deliver. The longer you leave it, the more it looks like you are content with (or even approving of) that.

I settled on the following to plug this specific hole for Quad9’s published server addresses.

Outbound Firewall

Grouped Networks

1 Like
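A client-side check for an outbound rule like the one above, added here as an example and not code from this thread or from Peplink: it sends a raw plaintext UDP query to 9.9.9.9 on port 53 and on the 9953 alternate used in the first post, and reports which (server, port) pairs still answer. The resolver list, the outcome labels and the `prober` parameter are my own assumptions; the query name follows the dig command above.

```python
import random
import socket
import struct

# Resolver and ports from the thread: 9.9.9.9 on 53 (standard) and on 9953
# (the alternate plaintext port the original post queried). Assumed list.
RESOLVERS = ["9.9.9.9"]
PORTS = [53, 9953]

def build_query(name, qid, qtype=1):
    """Build a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(data, qid):
    """Return (is_reply_to_us, rcode, answer_count) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    is_reply = rid == qid and bool(flags & 0x8000)   # QR bit set and id matches
    return is_reply, flags & 0x000F, an

def probe(server, port, name="www.peplink.com", timeout=1.0):
    """Send one plaintext UDP query and classify what the firewall let through."""
    qid = random.randrange(0, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no-answer"       # dropped or blocked: the outcome the rule should produce
    except OSError:
        return "unreachable"     # e.g. ICMP unreachable from a firewall reject action
    finally:
        sock.close()
    is_reply, rcode, an = parse_header(data, qid)
    if not is_reply:
        return "bad-reply"
    return "answered" if rcode == 0 and an > 0 else "answered-empty"

def leak_report(resolvers=RESOLVERS, ports=PORTS, prober=probe):
    """Map (server, port) -> outcome; any 'answered' entry is a leak past the rule."""
    return {(s, p): prober(s, p) for s in resolvers for p in ports}

if __name__ == "__main__":
    for (server, port), outcome in sorted(leak_report().items()):
        print(f"{server}:{port} -> {outcome}")
```

Run it from a LAN client behind the router; every line should read `no-answer` (or `unreachable` for a reject rule) once the grouped-network rule is in place.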

@Daniel_Eble ,

Thank you for the valuable feedback, I will definitely discuss with the teams and see how we can add more info for the Application Blocking.

Just some good news on the custom port detection: the Engineering team has reviewed it and we can improve that in the next firmware release :wink:

Thank you

1 Like

I confirm that this issue is fixed in 8.5.1b01 build 5692. Thanks.

2 Likes