
I have an OpenWRT router. I have added a few entries to the /etc/hosts file on the router to block the users from accessing some websites. Recently, I upgraded a computer to Windows 10, and I found that I can access the blocked websites on that computer after the upgrade.

I tried to nslookup the domain name. It turns out that the actual IP address is returned on the Win10 computer, while the IP address defined in /etc/hosts is returned on other devices (Capture 1).

So I used Wireshark to capture the DNS query, to see what is actually happening when Windows 10 does a DNS query. It turns out that the router DID reply to the DNS query with the IP address defined in the hosts file (Capture 2), but the nslookup result is still the actual IP address.

To confirm that the problem is not with the router itself, I added a non-existent domain entry to the hosts file and did nslookup again. This time the defined IP address was returned.

I have confirmed that I have disabled the other network interfaces (which are the virtual machine bridge interfaces), the primary network interface is also set to use the DNS server from DHCP only, and no secondary DNS server is defined. Also, before doing nslookup, I ran ipconfig /flushdns to prevent any domain record from being cached on the system.

It seems that Windows 10 is just ignoring the DNS reply from my router, and is querying other DNS servers for the actual IP address of the domain name. Is it possible to disable such behavior? Or is there another problem that causes such behavior?

---Edited---

Here's the ipconfig /all output:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Sunny-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 60-A4-4C-2E-4D-8C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 28 January 2017 02:03:40
   Lease Expires . . . . . . . . . . : 28 January 2017 14:03:40
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{606D8EC0-C791-4C68-BC6D-B051FFF5FD50}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:4cc:142e:2598:228a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4cc:142e:2598:228a%22(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 167772160
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-12-38-C3-60-A4-4C-2E-4D-8C
   NetBIOS over Tcpip. . . . . . . . : Disabled

  • Can you provide us the output to ipconfig /all by chance on the device that isn't working?
    – Ramhound
    Commented Jan 27, 2017 at 19:52
  • @Ramhound The question is edited to also include the ipconfig /all output, thanks. Commented Jan 27, 2017 at 20:00
  • Have you tried simply rebooting the router?
    – Ramhound
    Commented Jan 27, 2017 at 20:01
  • Changing DNS to block web sites really isn't very effective, anyway. There are real methods to accomplish that.
    – Ron Maupin
    Commented Jan 27, 2017 at 20:02
  • Try to disable the IP Helper service; it will disable tunneling over Teredo, which can still be used for name resolution
    – Alex
    Commented Jan 27, 2017 at 20:47
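The check the question walks through by hand (nslookup on the one side, a Wireshark capture of the router's reply on the other) can be scripted so it is repeatable. The following is an added example, not code from the question, from OpenWRT or from Windows: it hand-builds a minimal DNS A query, sends it straight to the configured server over UDP/53, parses the answer, and compares it with what the operating system's resolver (getaddrinfo) returns for the same name. The hostname blocked.example, the server 192.168.1.1 (taken from the ipconfig output above) and the embedded SAMPLE_RESPONSE bytes are constructed for the demo.

```python
import random
import socket
import struct
import sys

# Constructed sample: a resolver answering blocked.example with 192.0.2.1,
# the kind of answer a hosts-file override on the router would produce.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: response, RD+RA, rcode 0
    b"\x07blocked\x07example\x00\x00\x01\x00\x01"         # question: blocked.example A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"   # answer: pointer to qname, A, IN, TTL 60
    b"\xc0\x00\x02\x01"                                   # rdata: 192.0.2.1
)


def build_query(name, txid):
    """Build a single-question DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid):
    """Return the IPv4 addresses in the answer section; raise on txid mismatch or error rcode."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def ask_resolver_directly(name, server, timeout=2.0):
    """Send the query straight to `server` on UDP/53, bypassing the OS resolver and its cache."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return sorted(parse_a_records(data, txid))


def ask_os_resolver(name):
    """What the operating system's resolver hands to ordinary applications."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def compare(name, server):
    """Direct answer from the configured server versus the OS resolver's answer."""
    direct = ask_resolver_directly(name, server)
    system = ask_os_resolver(name)
    return {"direct": direct, "system": system, "match": direct == system}


if __name__ == "__main__":
    # Offline demo on the constructed packet; pass a hostname and a server for a live check,
    # e.g. python dnscheck.py blocked.example 192.168.1.1
    print("sample answer:", parse_a_records(SAMPLE_RESPONSE, SAMPLE_TXID))
    if len(sys.argv) == 3:
        print(compare(sys.argv[1], sys.argv[2]))
```

Read the result together with a packet capture, not alone: if the two values disagree, the OS resolver is using a source other than the configured server; if they agree with each other but differ from the reply Wireshark shows arriving from the router, the answer is being substituted on the host itself, between the network driver and the socket.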

1 Answer


OK, thanks to the "Secure DNS" feature of Avast! Antivirus, I have wasted 2 days troubleshooting the problem.

I found that when my computer sends a DNS query to my router, a query to a strange IP address is also sent. I tried to check the query content, but the packet is encrypted. So I whois-ed the IP address, and found that it belongs to Avast.

After disabling the "Secure DNS" feature (Avast Settings -> Components), the DNS resolution process is back to normal now.

  • It's called "RealSite" in the latest versions of Avast. Thanks for posting the solution. Really helped me. Commented Apr 9, 2019 at 13:37
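The pattern the answer describes (every query to the router is accompanied by an encrypted packet to an unrelated address) can be picked out of a capture without decrypting anything, by correlating timestamps. Below is an added example, not code from the answer or from Avast: it runs two checks over a constructed packet log of (time, source, destination, destination port) tuples. The first flags plain DNS or DNS-over-TLS sent anywhere but the DHCP-assigned resolver; the second finds destinations that repeatedly receive a packet within a short window of each legitimate query. The router 192.168.1.1 and client 192.168.1.2 come from the ipconfig output in the question; 203.0.113.7, 198.51.100.53 and 198.51.100.20 are documentation-range placeholders, not Avast's or anyone's real servers, and the 50 ms window is an assumption.

```python
from collections import Counter

# Constructed packet log (time_s, src, dst, dst_port); not the question's captures.
CONFIGURED_DNS = {"192.168.1.1"}   # DNS server handed out by DHCP (from ipconfig /all)
CLIENT = "192.168.1.2"
CAPTURE = [
    (0.000, "192.168.1.2", "192.168.1.1", 53),     # DNS query to the router
    (0.012, "192.168.1.2", "203.0.113.7", 443),    # parallel encrypted lookup (placeholder)
    (0.030, "192.168.1.3", "203.0.113.7", 443),    # a different host; must be ignored
    (0.800, "192.168.1.2", "192.168.1.1", 80),     # router web UI, not DNS
    (1.000, "192.168.1.2", "192.168.1.1", 53),
    (1.009, "192.168.1.2", "203.0.113.7", 443),
    (1.300, "192.168.1.2", "198.51.100.53", 53),   # plain DNS to a server DHCP never assigned
    (2.500, "192.168.1.2", "192.168.1.1", 53),
    (2.515, "192.168.1.2", "203.0.113.7", 443),
    (5.000, "192.168.1.2", "198.51.100.20", 443),  # ordinary web traffic, no query nearby
]


def unexpected_dns_destinations(packets, configured_dns):
    """Plain DNS (53) or DNS-over-TLS (853) sent to any server not assigned by DHCP."""
    return {(dst, port) for _, _, dst, port in packets
            if port in (53, 853) and dst not in configured_dns}


def find_shadow_resolvers(packets, client, configured_dns, window=0.05, min_hits=2):
    """Destinations that receive a packet from `client` within `window` seconds of
    (almost) every legitimate DNS query the client sends to its configured resolver.
    Encrypted lookups hide their content, but not their timing."""
    queries = [p for p in packets
               if p[1] == client and p[2] in configured_dns and p[3] == 53]
    others = [p for p in packets
              if p[1] == client and p[2] not in configured_dns]
    hits = Counter()
    for qtime, _, _, _ in queries:
        # count each (dst, port) at most once per query so bursts do not inflate the score
        nearby = {(dst, port) for t, _, dst, port in others if abs(t - qtime) <= window}
        hits.update(nearby)
    return {dest: n for dest, n in hits.items() if n >= min_hits}


def report(packets, client, configured_dns):
    """Combine both checks into one dictionary for printing or assertion."""
    return {
        "queries_to_configured": sum(1 for p in packets
                                     if p[1] == client and p[2] in configured_dns and p[3] == 53),
        "unexpected_dns": sorted(unexpected_dns_destinations(packets, configured_dns)),
        "shadow_resolvers": find_shadow_resolvers(packets, client, configured_dns),
    }


if __name__ == "__main__":
    for key, value in report(CAPTURE, CLIENT, CONFIGURED_DNS).items():
        print("%-22s %s" % (key + ":", value))
```

On a real capture, export the same four fields from Wireshark or tshark and feed them in as tuples; a destination that scores close to the number of queries is the one to look up (a whois on it, as the answer did, usually names the vendor), and the fix is then in that product's settings rather than in the router.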
