WD Community

MyCloud (Gen 2 / OS 5) doesn't respect network DNS settings

I have found that since I’ve locked down port 53 in an attempt to force devices on my network to use my DNS server, the only device not in compliance is the WD MyCloud. It seems to only use 9.9.9.9, 8.8.8.8 and 8.8.4.4.

Why does the MyCloud not fall back to the DNS server that is listed in the DHCP response if the above 3 don’t work?

@goldstar611

Are you using the old 1st generation WDMYCLOUD with OS3? I have mine set up on my local network for home use only with a reserved address. See example image below.

1 Like

What specific My Cloud device do you have? Note the My Cloud Home is different than the My Cloud line of devices.

Make sure, if you haven’t done so already, to reserve an IP address for the My Cloud in the local network router/gateway’s DHCP server. Most routers allow for the reserving of client IP addresses, usually by the client MAC address. If one can specify the DNS servers in the router’s DHCP server settings, then one can use either their own values (for example Pi-Hole) or use public DNS servers in those fields.

If one is using an OS3 My Cloud (v4.x firmware or v2.x firmware) they should consider blocking all broadband access to that OS3 My Cloud. Consumer routers typically have methods to block broadband access to a specific network client.

Some consumer routers (like Asus) have ways to block clients from using hard coded DNS servers. An example for Asus routers: https://12vpx.com/docs/block-google-dns/asus

Personally I block broadband access to a first gen v4.x firmware OS3 My Cloud along with blocking the Google DNS servers for the local network clients who have Google DNS servers hard coded.

3 Likes

Hi guys thanks for taking a look.

@cat0w and @Bennor, I believe I’m using a 2nd generation MyCloud. It’s white, round in the front and running OS5. Looking at the Devices Available and Supported for My Cloud OS 5 Firmware Upgrade page, it is the one with part number like WDBCTLxxxxxxx-10.

It has a static reservation set at the DHCP server. And, bingo, Pi-Hole is the DNS and DHCP server in my network. I used to have an Asus router as the default gateway and I had an iptables rule to re-write all TCP/53 and UDP/53 ports back to the internal DNS server, but I’ve changed hardware lately and just have a default deny rule on those ports (unless it’s from the Pi-Hole of course).

It appears that there’s at least one feature using hard coded DNS servers, which is the Let’s Encrypt function for the admin page to use HTTPS internally. The source of the issue seems to be hard coded but I can’t tell for sure. All I know is that it looks like some binary written in Go that is accessing those DNS servers according to /var/log/wdlog.1

2022-10-24Txxx di=xxx  err restsdk[4471]: {"corid":"xxx","file":"monitor.go","fn":"Error","gitTime":xxx,"githash":"xxx",
"importPath":"github.com/xxx/goshared/stat","line":701,"msgid":"error","trace":[{"importPath":"github.com/xxx/goshared/cert","file":"manager.go","fn":
"(*DNSManager).getCert","line":350,"message":"timed out  github.com/xxx/goshared/netutil/netutil.go:242 lookupSOA(), 8.8.8.8 _acme-challenge.xxx.remotewd.com.: 
read udp xxx:11111-\u003e8.8.8.8:53: i/o timeout; github.com/xxx/goshared/netutil/netutil.go:242 lookupSOA(), 9.9.9.9 _acme-challenge.xxx.remotewd.com.: 
read udp xxx:22222-\u003e9.9.9.9:53: i/o timeout; github.com/xxx/goshared/netutil/netutil.go:242 lookupSOA(), 8.8.4.4 _acme-challenge.xxx.remotewd.com.: 
read udp xxx:33333-\u003e8.8.4.4:53: i/o timeout"},{"importPath":"github.com/xxx/goshared/cert","file":"manager.go","fn":"(*DNSManager).runner","line":451,"message":"pfwd xxx"}]}

1 Like
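The wdlog excerpt above is structured JSON after the syslog prefix, and the Go net package's dial errors inside it ("read udp SRC->DST:53") name every resolver the binary actually tried. Reading those addresses out of the log and comparing them with what DHCP handed the host is a quick way to confirm hard-coding from the outside, without reversing the binary. The following Go program is an added example, not code from the thread or from WD; the log line and resolv.conf content are constructed to match the shape quoted above (addresses, timestamp and the 192.168.1.2 Pi-hole are made up), and the JSON field names are taken from the excerpt.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Shape of the restsdk log entry quoted in the thread: a top-level
// "trace" array whose entries carry the human-readable "message".
// Fields not listed here are ignored by the decoder.
type wdLogEntry struct {
	Msgid string `json:"msgid"`
	Trace []struct {
		File    string `json:"file"`
		Fn      string `json:"fn"`
		Message string `json:"message"`
	} `json:"trace"`
}

// Matches the Go net package's dial error form "read udp SRC->DST:53".
// json.Unmarshal has already turned the \u003e escape back into '>'.
var udp53 = regexp.MustCompile(`read udp \S+->([0-9.]+):53`)

// ResolversContacted extracts, in first-seen order, the DNS server
// addresses a wdlog line shows the binary talking to on UDP/53.
// Lines without a JSON payload or without trace messages yield nil.
func ResolversContacted(line string) ([]string, error) {
	start := strings.Index(line, "{")
	if start < 0 {
		return nil, nil
	}
	var e wdLogEntry
	if err := json.Unmarshal([]byte(line[start:]), &e); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var out []string
	for _, t := range e.Trace {
		for _, m := range udp53.FindAllStringSubmatch(t.Message, -1) {
			if !seen[m[1]] {
				seen[m[1]] = true
				out = append(out, m[1])
			}
		}
	}
	return out, nil
}

// ParseResolvConf returns the "nameserver" entries from resolv.conf
// content, i.e. the resolvers DHCP actually handed the host.
func ParseResolvConf(content string) []string {
	var ns []string
	for _, raw := range strings.Split(content, "\n") {
		fields := strings.Fields(raw)
		if len(fields) >= 2 && fields[0] == "nameserver" {
			ns = append(ns, fields[1])
		}
	}
	return ns
}

// UnexpectedResolvers returns the contacted addresses that are not
// among the allowed (DHCP-assigned) ones; a non-empty result means
// the process is bypassing the system resolver configuration.
func UnexpectedResolvers(contacted, allowed []string) []string {
	ok := map[string]bool{}
	for _, a := range allowed {
		ok[a] = true
	}
	var bad []string
	for _, c := range contacted {
		if !ok[c] {
			bad = append(bad, c)
		}
	}
	return bad
}

// Constructed sample in the shape of the wdlog entry quoted in the
// thread; addresses, ports and the timestamp are made up.
const sampleLine = `2022-10-24T10:00:00 di=1 err restsdk[4471]: {"msgid":"error","trace":[{"file":"manager.go","fn":"(*DNSManager).getCert","line":350,"message":"timed out netutil.go:242 lookupSOA(), 8.8.8.8 _acme-challenge.example.remotewd.com.: read udp 192.168.1.50:11111-\u003e8.8.8.8:53: i/o timeout; netutil.go:242 lookupSOA(), 9.9.9.9 _acme-challenge.example.remotewd.com.: read udp 192.168.1.50:22222-\u003e9.9.9.9:53: i/o timeout; netutil.go:242 lookupSOA(), 8.8.4.4 _acme-challenge.example.remotewd.com.: read udp 192.168.1.50:33333-\u003e8.8.4.4:53: i/o timeout"}]}`

// Constructed resolv.conf as a DHCP client would write it on a host
// that honours the lease; 192.168.1.2 stands in for the Pi-hole.
const sampleResolvConf = "# generated by dhcpcd\nnameserver 192.168.1.2\nsearch lan\n"

func main() {
	contacted, err := ResolversContacted(sampleLine)
	if err != nil {
		panic(err)
	}
	allowed := ParseResolvConf(sampleResolvConf)
	fmt.Println("DHCP-assigned resolvers:", allowed)
	fmt.Println("resolvers contacted:    ", contacted)
	fmt.Println("hard-coded suspects:    ", UnexpectedResolvers(contacted, allowed))
}
```

Run it against real lines with the JSON part of each wdlog entry on one line; any address reported as a suspect is one the process chose itself, since a resolver taken from the lease would match resolv.conf.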

As a follow up, I tried re-routing the 8.8.8.8/9.9.9.9/8.8.4.4 DNS packets on the MyCloud itself using iptables but it appears that a kernel option is either not compiled or available for loading.

root@WDMyCloud ~ # iptables -t nat -A OUTPUT -d 8.8.4.4 -j DNAT --to-destination <internal DNS>

iptables v1.8.2 (legacy): unknown option "--to-destination"
Try `iptables -h' or 'iptables --help' for more information.

If using an Asus router with Asus-Merlin firmware and running a Pi-Hole, one can use the DNSFilter option to force all DNS requests through the Pi-Hole.

In the LAN > DNSFilter section:
Set “Enable DNS-based Filtering” to On.
Set “Global Filter Mode” to Router.
Leave “Custom (user-defined) DNS 1” (and DNS 2/DNS 3) fields blank.
Input or select the Pi-Hole device MAC address in the “Client MAC address” and select “No Filtering” as the Filter Mode.
Then click the Plus icon to add the entry.
Click Apply when finished.

One may have to reboot the Asus router after setting up DNSFilter. Also, Pi-Hole recommends putting the Pi-Hole’s IP address in the Asus LAN DHCP DNS server field entries and not in the WAN DNS field entries like Asus suggests.

https://docs.pi-hole.net/routers/asus/

https://www.reddit.com/r/pihole/comments/dfm5j4/guide_for_asuswrtmerlin_users_with_screenshots/

I do not have a default gateway with SSH access, so my only hope is to make a change on the MyCloud device itself (or hopefully someone at WD will notice the hardcoded DNS servers in their Go binaries!)

It’s true! I also have a SingleBay Gen2 with OS5 and noted DNS is 8.8.8.8 instead of the one my ISP uses. I also have an ASUS router with its original firmware.

As indicated above, if one has an Asus router, one can block specific DNS servers that have been hard coded by local network clients. The example from the link blocks Google DNS servers:
