Block a domain including all its subdomains

Hello,

I have been using lines such as the following in /etc/config/dhcp, so as to block access to the domains listed:

config dnsmasq
        list server '/googleadservices.com/' # google
        list server '/googlesyndication.com/' # adaway.org

Question. Supposing I wanted to block all subdomains of compute-1.amazonaws.com including but not limited to

ec2-44-197-43-221.compute-1.amazonaws.com
ec2-34-206-43-187.compute-1.amazonaws.com

how could I do that?

It seems the following does not do the trick:

config dnsmasq
        list server '/compute-1.amazonaws.com/'

BACKGROUND

This post is further to these earlier posts:

on how to use tcpdump to discover the domains of the on-the-air update servers for a tablet device

on how to block particular domains.

try using 0.0.0.0 instead of 192. ....

1 Like

Thank you. In my case, would it go like this:

config dnsmasq
        list server '/.compute-1.amazonaws.com/0.0.0.0'

Or do I have to use instead:

config dnsmasq
        list address '/.compute-1.amazonaws.com/0.0.0.0'

It works just fine.

root@OpenWrt:~# nslookup ec2-44-197-43-221.compute-1.amazonaws.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      ec2-44-197-43-221.compute-1.amazonaws.com
Address 1: 44.197.43.221
*** Can't find ec2-44-197-43-221.compute-1.amazonaws.com: No answer
root@OpenWrt:~#
root@OpenWrt:~# uci add_list dhcp.@dnsmasq[0].server='/compute-1.amazonaws.com/'
root@OpenWrt:~# /etc/init.d/dnsmasq reload
root@OpenWrt:~#
root@OpenWrt:~# nslookup ec2-44-197-43-221.compute-1.amazonaws.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find ec2-44-197-43-221.compute-1.amazonaws.com: NXDOMAIN
** server can't find ec2-44-197-43-221.compute-1.amazonaws.com: NXDOMAIN
root@OpenWrt:~#
root@OpenWrt:~# nslookup subdomain.compute-1.amazonaws.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find subdomain.compute-1.amazonaws.com: NXDOMAIN
** server can't find subdomain.compute-1.amazonaws.com: NXDOMAIN
root@OpenWrt:~#
root@OpenWrt:~# nslookup othersubdomain.ec2-44-197-43-221.compute-1.amazonaws.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find othersubdomain.ec2-44-197-43-221.compute-1.amazonaws.com: NXDOMAIN
** server can't find othersubdomain.ec2-44-197-43-221.compute-1.amazonaws.com: NXDOMAIN
root@OpenWrt:~#

2 Likes

Thank you.

I have tried both

  • list server '/compute-1.amazonaws.com/'
  • list address '/.compute-1.amazonaws.com/0.0.0.0'

but neither seems to work.

I am using this line:

sudo tcpdump -i br-lan ether host 11:22:33:aa:bb:cc

to log the connections from my Amazon Fire HD 10 tablet (whose MAC is represented by '11:22:33:aa:bb:cc').

After some hundreds of lines, I get to this line and many others like it:

23:38:30.564161 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [.], ack 4445, win 377, options [nop,nop,TS val 105511 ecr 3011436181], length 0

which seems to say that a device identifiable as IP FIRE10.lan.47632 has made a connection to a subdomain of compute-1.amazonaws.com.

I am assuming that IP FIRE10.lan.47632 is my Fire 10 device. But even if I were wrong about that, it seems unambiguous that the destination was a subdomain of compute-1.amazonaws.com.

I don't really know how to read a tcpdump screen and may be misinterpreting.

What should be my next step?

The aim is to make compute-1.amazonaws.com and all its subdomains unreachable from my router and any device having Internet connection through it.

One random idea I have is that the device may have gone via a different domain to compute-1.amazonaws.com, whereupon compute-1.amazonaws.com made an inbound connection. Would there be a way to block both outbound and inbound connections? Does either a list server or list address entry already block both outbound and inbound connections? Or do they only block the outbound?

are you sure your tablet's using your DNS?

tried from a host where DNS settings can be trusted/will be honored?

1 Like

hi,

  1. add option logqueries 1 to your dnsmasq config. instead of tcpdump you can view what happens DNS-wise via logread (a bit friendlier)
  2. check your tablet if it is really using your owrt DNS server. if not, then you can use tcpdump to filter on host and port 53 to see what the real DNS server is. if your tablet is not using basic DNS but a secure one (over HTTPS, over TLS, over QUIC etc.) then it'll be harder to catch. some apps have built-in DNS server lists ...
  3. in theory list server or list address /domain.com/ filters out all subdomains as well, not just the top one.
  4. adblock package is a DNS filtering solution and it is using the address=// format, and you can also add your own blacklist and can enforce all clients on the network to use owrt ... as a last resort you may check this app too.

1 Like
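As an added illustration (not dnsmasq's own code) of the point made in item 3 above and in the nslookup session earlier in the thread: a small model of how dnsmasq matches the domain part of a list server or list address rule, covering the domain itself and every subdomain on label boundaries, with the most specific rule winning. The exception rule for allowed.compute-1.amazonaws.com and the server 192.0.2.53 are constructed for the demonstration.

```python
# Model of dnsmasq domain matching for 'list server' / 'list address' rules
# as written in /etc/config/dhcp. Illustration only, not dnsmasq's code.
NXDOMAIN = "NXDOMAIN"


def parse_rule(kind, uci_value):
    """Split a uci value like '/.compute-1.amazonaws.com/0.0.0.0' into
    (kind, domain, target); target is '' for a bare '/domain/'.
    The leading '.' dnsmasq tolerates is stripped, so both spellings match."""
    _, domain, target = uci_value.split("/", 2)
    return kind, domain.strip(".").lower(), target


def domain_matches(rule_domain, qname):
    """True when qname is rule_domain itself or any subdomain of it.
    Matching is on label boundaries: 'notcompute-1.amazonaws.com' does not
    match a rule for 'compute-1.amazonaws.com'."""
    q = qname.strip(".").lower()
    return q == rule_domain or q.endswith("." + rule_domain)


def resolve(rules, qname, upstream_answer):
    """Answer qname under the parsed rules; upstream_answer stands for what
    the normal forwarder would return when no rule applies."""
    best = None
    for rule in rules:
        # longest matching domain = most specific rule wins, as in dnsmasq
        if domain_matches(rule[1], qname) and (best is None or len(rule[1]) > len(best[1])):
            best = rule
    if best is None:
        return upstream_answer            # not covered: forwarded as usual
    kind, _, target = best
    if kind == "address":
        return target                     # list address '/d/0.0.0.0' -> 0.0.0.0
    if target == "":
        return NXDOMAIN                   # list server '/d/' -> never forwarded
    return "forwarded to " + target       # list server '/d/<ip>' -> that server


SERVER_RULE = [parse_rule("server", "/compute-1.amazonaws.com/")]
ADDRESS_RULE = [parse_rule("address", "/.compute-1.amazonaws.com/0.0.0.0")]
# Constructed exception: a more specific rule overrides the broader block.
WITH_EXCEPTION = ADDRESS_RULE + [parse_rule("server", "/allowed.compute-1.amazonaws.com/192.0.2.53")]

if __name__ == "__main__":
    for name in ("ec2-44-197-43-221.compute-1.amazonaws.com",
                 "othersubdomain.ec2-44-197-43-221.compute-1.amazonaws.com",
                 "notcompute-1.amazonaws.com"):
        print(name, "->", resolve(SERVER_RULE, name, "44.197.43.221"))
```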

https://forum.xda-developers.com/t/kindle-fire-hd-10-9th-gen-is-adding-a-dns-server-on-its-own.4008907/

According to this thread, the device has a hidden option to add 8.8.8.8 as an additional DNS server. Try configuring DNS hijacking.

1 Like

I believe you three are all making the same point about the use of the DNS server.

Are we saying that a line in tcpdump such as

23:38:30.564161 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [.], ack 4445, win 377, options [nop,nop,TS val 105511 ecr 3011436181], length 0

could represent a connection out to different IP addresses depending on which DNS server is being used to map the amazonaws.com subdomain to an actual IP address?

pavelgl, thanks for the reference to "DNS hijacking". It gives me something concrete I can try. I will do that and come back to this page with the results.

we're saying it's ignoring your DNS, and uses its own hardcoded DNS settings.

you have two options, change them (if possible, TLDR the thread), or as @pavelgl pointed out, make sure you intercept them in your firewall, and forward them back to your own DNS.

1 Like

Could you expand on that please? In terms of code or LUCI setting, or a reference to some preexisting documentation?

that'd be the 2nd link in @pavelgl post.

1 Like

Sorry. I misspoke. I mean the other option, what you called "change them." If that means changing the tablet's own hardcoded DNS settings, that would not seem very promising, and I am down to pavelgl's second link?

yeah, if there's a way of doing it.

he wrote "has a hidden option", so I assumed it was changeable, you just need to figure out how ...

might be wrong though :wink:

1 Like

I have tried the first item in the "DNS hijacking" page, which resulted in the following block of code in /etc/config/firewall:

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'

But that does not seem to have done the trick. On running the tcpdump command, I get lines such as these in the output:

13:17:55.692095 IP FIRE10.lan.38826 > ec2-34-231-31-253.compute-1.amazonaws.com.80: Flags [S], seq 2538995498, win 65535, options [mss 1460,sackOK,TS val 505258 ecr 0,nop,wscale 8], length 0
.
.
13:17:56.152725 IP ec2-34-231-31-253.compute-1.amazonaws.com.80 > FIRE10.lan.38826: Flags [.], ack 178, win 110, options [nop,nop,TS val 1894835894 ecr 505316], length 0

where the lines with only dots in them represent some intervening lines.

Again, I don't really know how to read a tcpdump output. But I am reading the above as follows.

  • The first line need not (necessarily) worry me. It might (or might not) just say that my FIRE10 device used my DNS map (i.e. list address '/.compute-1.amazonaws.com/0.0.0.0') and only reached 0.0.0.0.
  • But the second line says that a subdomain of compute-1.amazonaws.com initiated a connection with my FIRE10. It couldn't have done so unless my FIRE10 first contacted it.

Where should I go from here? I can think of two things.

  • Try the five or six "Extras" on the "DNS hijack" page. But they are way beyond my comprehension, and I'd be trying a slew of things I don't understand.
  • Upload my tcpdump output here so any kind soul might give more informed advice. But the output is huge.

  1. Restart the device to clear its DNS cache.
  2. Start a tcpdump session using a filter.

hostip=$(nslookup FIRE10.lan | grep Address | grep -v \# | grep -v \:: | sed 's/^.*: //')
tcpdump -i any host $hostip and port not 22 | grep amazon

Also post the result of

iptables-save -t nat -c | grep Intercept

2 Likes

Thank you. I will do it.

But a side question:

Could it be an alternative strategy to use the OpenWrt firewall to ban 8.8.8.8 (the Google DNS server used by an Amazon tablet, according to your link to xda-developers)?

I use OpenDNS and can live without 8.8.8.8.

Sure,

assuming the device would then switch over to your DNSes.

1 Like

The result of running iptables-save -t nat -c | grep Intercept is as follows:

[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
[3832:281386] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53

As for the box starting with hostip=$(nslookup, I understood that they were two lines to be executed (i.e. entered into Terminal) separately. The first line simply returned me to the prompt without any output. The second line (i.e. tcpdump etc.) gave me output in which, again, I found connections both going to and coming from subdomains of amazonaws.com.

In regard to a line such as follows in the tcpdump output

17:28:05.400023 IP FIRE10.lan.49372 > ec2-3-210-238-28.compute-1.amazonaws.com.80: Flags [.], ack 222, win 343, options [nop,nop,TS val 44718 ecr 1663943420], length 0

how could I find out what ec2-3-210-238-28.compute-1.amazonaws.com.80 actually represents?

As far as I know, it could mean either an Amazon server or 0.0.0.0 per my DNS mapping.

In other words, is there a way to get tcpdump output that appends the IP address to each reference to a domain?
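As an added example (not code from any poster here), a small Python parser for the tcpdump lines quoted in this thread. Without -n, tcpdump prints the reverse-DNS name of the IP address carried in each packet header (run it with -n to see the raw addresses), so a packet whose destination had resolved to 0.0.0.0 would print 0.0.0.0, and an EC2 reverse name encodes the address it stands for; the parser recovers that address and separates the device's outbound SYNs from the server's replies. The device name FIRE10.lan and the blocked domain are taken from the thread.

```python
import re

# Constructed sample: the three tcpdump lines quoted earlier in this thread.
SAMPLE = """\
23:38:30.564161 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [.], ack 4445, win 377, options [nop,nop,TS val 105511 ecr 3011436181], length 0
13:17:55.692095 IP FIRE10.lan.38826 > ec2-34-231-31-253.compute-1.amazonaws.com.80: Flags [S], seq 2538995498, win 65535, options [mss 1460,sackOK,TS val 505258 ecr 0,nop,wscale 8], length 0
13:17:56.152725 IP ec2-34-231-31-253.compute-1.amazonaws.com.80 > FIRE10.lan.38826: Flags [.], ack 178, win 110, options [nop,nop,TS val 1894835894 ecr 505316], length 0
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..." as printed
# by tcpdump without -n (names are reverse-DNS lookups of the packet's IPs).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
EC2_RE = re.compile(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.")


def parse(line):
    """Header fields of one tcpdump line, or None if it is not an IP/TCP line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def ip_from_ec2_name(name):
    """AWS reverse names embed the address: ec2-3-228-179-21.* is 3.228.179.21."""
    m = EC2_RE.match(name)
    return ".".join(m.groups()) if m else None


def classify(pkt, device="FIRE10.lan", blocked="compute-1.amazonaws.com"):
    """What one packet means for the device, relative to the blocked domain."""
    outbound = pkt["src"] == device
    remote = pkt["dst"] if outbound else pkt["src"]
    if not (remote == blocked or remote.endswith("." + blocked)):
        return "unrelated"
    ip = ip_from_ec2_name(remote) or "?"
    if outbound and pkt["flags"] == "S":      # bare SYN: device opens the connection
        return f"device sent SYN to {ip}: DNS gave it a real address, not 0.0.0.0"
    if outbound:
        return f"device continuing a session with {ip}"
    return f"{ip} replied: a live TCP session exists with the blocked domain"


def report(text):
    """Classify every parseable line of a tcpdump capture."""
    return [classify(p) for p in map(parse, text.splitlines()) if p]


if __name__ == "__main__":
    for verdict in report(SAMPLE):
        print(verdict)
```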