aa.net.uk Broadband - Broadband you can work with


Knowledge base: ZyXEL Router, Disabling WAN Side DNS

The ZyXEL routers we've been using have not had their WAN side DNS server blocked or disabled, so they will answer DNS lookups arriving from the WAN. Here is how to block DNS lookups from the WAN on the ZyXEL 660R-61C and 660R-D1 routers:

660R-D1
This router has an option in the web interface:
Advanced - Remote MGMT - DNS - LAN Only

or from the CLI (telnet):
sys server load
sys server access dns 2
sys save

660R-61C
This is an older router, and disabling WAN side DNS lookups is a bit trickier: it needs a filter added via the telnet interface.
Add two filters, one to block DNS to your WAN IP address, and the other for your LAN address:
1 Y IP Pr=0, SA=0.0.0.0, DA=[YOUR WAN ADDRESS], DP=53 N D N
1 Y IP Pr=0, SA=0.0.0.0, DA=[YOUR LAN ADDRESS], DP=53 N D F
For example, create a new filter set with the following information:
Filter #: 6,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0 IP Source Route= No
Destination: IP Addr= [YOUR WAN ADDRESS]
IP Mask= 255.255.255.255
Port #= 53
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= N/A
More= No Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule

Add a second filter in the set that uses Destination: IP Addr as the LAN address of your router, and set the Action Not Matched to Forward.
Then add the filter number to the Remote Node: go to Menu 11, then edit filter set, AAISP Node, then go to Edit Filter Sets and change it to Yes. Pressing Enter will then take you to a screen where you can enter the filter rule number you created.
The router will restart, but may need a power cycle.
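
To confirm the change took effect, send a DNS query to the router's WAN address from a host outside your LAN and check that nothing answers. The Python script below is an added example, not part of the original article; the script name, function names and the query name example.com are assumptions.

```python
import socket
import struct
import sys

def build_query(name="example.com", qid=0x1234):
    """Build a minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def dns_answers(host, port=53, timeout=3.0, name="example.com"):
    """True if host sends back a DNS response over UDP; False on silence or refusal."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(query)
            reply = s.recv(512)
        except OSError:  # timeout, ICMP port unreachable, no route
            return False
    # A genuine response echoes the query ID and has the QR (response) bit set.
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def tcp_port_open(host, port=53, timeout=3.0):
    """True if a TCP connection is accepted; DNS can also be carried over TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_wan_dns(host, port=53, timeout=3.0):
    """Return which transports still reach the router's DNS service."""
    return {"udp": dns_answers(host, port, timeout),
            "tcp": tcp_port_open(host, port, timeout)}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_wan_dns.py WAN_ADDRESS  (run from outside your LAN)")
    result = check_wan_dns(sys.argv[1])
    for proto, reachable in result.items():
        print(f"{proto}/53: {'STILL ANSWERING' if reachable else 'blocked or silent'}")
    sys.exit(1 if any(result.values()) else 0)
```

Run it against your own WAN address before and after applying the filter; an exit status of 0 means neither UDP nor TCP port 53 responded.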

Do contact Support if you have any questions or need some help in setting this up.