Basic "Filtering traffic with IP sets by DNS" config not working

Creating a new thread from my original post here: Configuring new router behind existing router

I've started following this guide from the OpenWRT docs https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset. My basic goal right now is to just block youtube.com from one device as a test. Everything looks right to me, but I can definitely still access youtube.com from my PC (192.168.1.215).

Any suggestions?

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted. dnsmasq is the DNS and DHCP server for 'lan';
# the 'config ipset' stanza at the bottom is what ties youtube.com lookups
# to the firewall set named 'youtube' (defined in /etc/config/firewall).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option sequential_ip '1'

# 'lan' serves DHCPv4 and also DHCPv6 + router advertisements, so a client
# may hold an IPv6 address alongside its 192.168.1.x lease. Relevant to the
# IPv4-only set in the firewall config.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static lease for the test machine that the 'block-youtube' firewall rule
# selects by source address.
config host
        list mac [redacted]
        option ip '192.168.1.215'
        option leasetime 'infinite'

# dnsmasq-side half of the DNS ipset: addresses dnsmasq answers for
# youtube.com are added to the set 'youtube'. 'table_family' is the
# nftables (fw4) form of this stanza.
# NOTE(review): the guide linked in the post is the fw3 page — confirm which
# firewall this release runs, since fw3 and fw4 plumb dnsmasq sets
# differently and a mismatch would leave the set empty.
config ipset
        list name 'youtube'
        list domain 'youtube.com'
        option table_family 'inet'
root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as posted. Stock zones, lan->wan forwarding and the
# stock wan allow rules; the custom part is the last two stanzas
# ('block-youtube' rule and the 'youtube' set).
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# General lan -> wan forwarding; the 'block-youtube' rule below carves one
# destination-set exception out of it for a single source host.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt accept rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6,
# IPsec). All have src 'wan', so none of them interacts with the lan -> wan
# rule further down.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rule: forwarded traffic from lan host 192.168.1.215 to wan is
# rejected when the destination address is in the set 'youtube'.
# 'youtube dest' binds the set to the destination side; the direction
# defaults to src when omitted, as a later reply in the thread points out.
# NOTE(review): the set below is family 'ipv4', while /etc/config/dhcp has
# dhcpv6/ra 'server' on lan, so an IPv6 connection to youtube.com would not
# be matched by this rule — check whether the test client has IPv6.
config rule
        option name 'block-youtube'
        option ipset 'youtube dest'
        list src_ip '192.168.1.215'
        option target 'REJECT'
        option src 'lan'
        option dest 'wan'
        list proto 'all'

# Firewall-side half of the set: IPv4 only, entries matched as networks
# ('net'), pre-seeded from /var/ipset-youtube (four addresses on this page).
# NOTE(review): whether the live set holds more than those four entries
# cannot be told from the file — inspect the live set on the router, not
# the loadfile, when checking what this rule actually matches.
config ipset 'youtube'
        option name 'youtube'
        option family 'ipv4'
        option match 'net'
        option loadfile '/var/ipset-youtube'

root@OpenWrt:~# cat /var/ipset-youtube
172.253.62.136
172.253.62.190
172.253.62.91
172.253.62.93
root@OpenWrt:~# 

How are you verifying the blocked FQDN ?

Are you sure your devices actually use your DNS ?

Are you sure those IPs are the ones the clients are getting back, when they do the DNS lookup?

Are you sure blocking youtube.com is enough to block YT, if not accessed via a browser?

Have you tried pasting youtube.com 0.0.0.0 into the hosts file of the router, instead of using the ipset ?

I am using a Chrome browser from 192.168.1.215 to go to youtube.com and it is loading.

Are you sure your devices actually use your DNS ?

My DNS setting in Chrome (on a Chromebook) is "OS default (when available)"
The OS setting is just the default 192.168.1.1. None of my devices, including the one I am using to test with, have device-level DNS settings. They all use the default.

Are you sure those IPs are the ones the clients are getting back, when they do the DNS lookup?

The way I understand the guide I linked to is: dnsmasq itself resolves the hostname 'youtube.com' and then stores the IPs it gets back as an ipset (in /var/ipset-youtube). The firewall rule references that ipset to reject traffic to those IPs as a destination. I didn't create the ipset-youtube files, it's part of what the ipset setup command does. So by that logic, the devices should get the same IPs back. dnsmasq is the DNS for the devices too. It seems like that is the whole point of the guide.

Are you sure blocking youtube.com is enough to block YT, if not accessed via a browser?

I know there are other domains I need to include for a complete solution. I have youtube blocked successfully on my other router. I am using a browser to specifically go to youtube.com and it is not being blocked.

Have you tried pasting youtube.com 0.0.0.0 into the hosts file of the router, instead of using the ipset ?

I just played around with that a bit, with YouTube.com and another website, and I did get it to work, but it also involved some degree of clearing the cache on my machine's OS/Chrome. So, with some effort, that is an option.

The thing I don't get is that this is supposed to work via a firewall rule, which I would think means that even if a device can resolve YouTube.com to an IP address via DNS (or a cached IP), the traffic would still be blocked, because the router has also resolved that domain to an IP or set of IPs and built this firewall rule around it. Are there logs I can look at to see exactly what traffic the firewall thinks is coming through and when/why a rule applies or doesn't?

Don't really have time to look through your config, but the ipset uses IPs (duh!), it doesn't care about FQDNs.

If the destination IP matches an entry on the list, it'll get rejected, assuming the rule is there and set up correctly.

That's why I asked whether the YouTube.com IPs your clients get back match the ones in your ipset.

If you only use the ipset, the FQDN will still be resolvable; it's the attempt to reach the resolved IPs that's blocked.

You can always look at the DNS traffic using tcpdump.

Btw, this looks wrong

Which part? The ipset name in the rule config is supposed to have src or dest following the name https://openwrt.org/docs/guide-user/firewall/firewall_configuration#options3
Or, if omitted, the default is src; this ipset is meant to match the dest.