to log the connections from my Amazon Fire HD 10 tablet (whose MAC is represented by '11:22:33:aa:bb:cc').
After some hundreds of lines, I get to this line and many others like it:
23:38:30.564161 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [.], ack 4445, win 377, options [nop,nop,TS val 105511 ecr 3011436181], length 0
which seems to say that a device identifiable as IP FIRE10.lan.47632 has made a connection to a subdomain of compute-1.amazonaws.com.
I am assuming that IP FIRE10.lan.47632 is my Fire 10 device. But even if I were wrong about that, it seems unambiguous that the destination was a subdomain of compute-1.amazonaws.com.
I don't really know how to read a tcpdump screen and may be misinterpreting.
What should be my next step?
The aim is to make compute-1.amazonaws.com and all its subdomains unreachable from my router and any device having Internet connection through it.
One random idea I have is that the device may have gone via a different domain to compute-1.amazonaws.com, whereupon compute-1.amazonaws.com made an inbound connection. Would there be a way to block both outbound and inbound connections? Does either a list server or list address entry already block both outbound and inbound connections? Or do they only block the outbound?
Add option logqueries 1 to your dnsmasq config. Instead of tcpdump you can view what happens DNS-wise via logread (a bit friendlier).
Check on your tablet whether it is really using your owrt DNS server. If not, then you can use tcpdump to filter on host and port 53 to see what the real DNS server is. If your tablet is not using basic DNS but a secure one, over HTTPS, over TLS, over QUIC etc., then it'll be harder to catch. Some apps have a built-in DNS server list ...
In theory, list server or list address /domain.com/ filters out all subdomains as well, not just the top one.
The adblock package is a DNS filtering solution and it is using the address=// format; you can also add your own blacklist and can enforce all clients on the network to use owrt ... As a last resort you may check this app too.
I believe you three are all making the same point about the use of DNS server.
Are we saying that a line in tcpdump such as
23:38:30.564161 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [.], ack 4445, win 377, options [nop,nop,TS val 105511 ecr 3011436181], length 0
could represent a connection out to different IP addresses depending on which DNS server is being used to map the amazonaws.com subdomain to an actual IP address?
pavelgl, thanks for the reference to "DNS hijacking". It gives me something concrete I can try. I will do that and come back to this page with the results.
We're saying it's ignoring your DNS and uses its own hardcoded DNS settings.
You have two options: change them (if possible, TLDR the thread), or, as @pavelgl pointed out, make sure you intercept them in your firewall and forward them back to your own DNS.
Sorry. I misspoke. I mean the other option, what you called "change them." If that means changing the tablet's own hardcoded DNS settings, that would not seem very promising and I am down to pavelgl's second link?
where the lines with only dots in them represent some intervening lines.
Again, I don't really know how to read a tcpdump output. But I am reading the above as follows.
The first line need not (necessarily) worry me. It might (or might not) just say that my FIRE10 device used my DNS map (i.e. list address '/.compute-1.amazonaws.com/0.0.0.0') and only reached 0.0.0.0.
But the second line says that a subdomain of compute-1.amazonaws.com initiated a connection with my FIRE10. It couldn't have done so unless my FIRE10 first contacted it.
Where should I go from here? I can think of two things.
Try the five or six "Extras" on the "DNS hijack" page. But they are way beyond my comprehension, and I'd be trying a slew of things I don't understand.
Upload my tcpdump output here so any kind soul might give more informed advice. But the output is huge.
Could it be an alternative strategy to use OpenWrt firewall to ban 8.8.8.8 (the Google DNS server used by an Amazon tablet, according to your link to xda-developers)?
As for the box starting with hostip=$(nslookup, I understood that they were two lines to be executed (i.e. entered into Terminal) separately. The first line simply returned me to prompt without any output. The second line (i.e. tcpdump etc.) gave me output in which, again, I found connection both going to and coming from subdomains of amazonaws.com.
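Added example, not from this thread or from OpenWrt: a small Python parser for the tcpdump line shape quoted above. It groups packets into flows, uses the SYN / SYN-ACK flags to tell which side actually opened each connection (a packet travelling server-to-client is not by itself an "inbound connection"), and lists every flow that touches a subdomain of compute-1.amazonaws.com. The sample capture is constructed; the hostnames in real tcpdump output are reverse lookups of the peer IP unless tcpdump is run with -n.

```python
import re
# Shape of the tcpdump lines quoted in this thread:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
# Names are tcpdump's reverse lookups of the real peer IP (tcpdump -n shows the address).
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > "
                     r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
BLOCKED_DOMAIN = "compute-1.amazonaws.com"

def is_subdomain(host, domain):
    """True for the domain itself and any name beneath it (as address=/domain/ matches)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def track_flows(lines):
    """Group packets into bidirectional TCP flows and record which side opened each.
    A bare SYN (Flags [S]) marks its sender as initiator, a SYN-ACK (Flags [S.]) its
    receiver; plain ACK or data packets in either direction say nothing about that."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, UDP, truncated or otherwise unrecognised line
        p = m.groupdict()
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        f = flows.setdefault(tuple(sorted((a, b))), {"initiator": None, "packets": 0})
        f["packets"] += 1
        if p["flags"] == "S":
            f["initiator"] = p["src"]
        elif p["flags"] == "S." and f["initiator"] is None:
            f["initiator"] = p["dst"]
    return flows

def connections_to(lines, domain=BLOCKED_DOMAIN):
    """Map each initiator to the remote hosts under `domain` it exchanged packets with."""
    out = {}
    for (a, b), f in track_flows(lines).items():
        for local, remote in ((a, b), (b, a)):
            if is_subdomain(remote[0], domain) and not is_subdomain(local[0], domain):
                out.setdefault(f["initiator"] or "unknown", []).append(remote[0])
    return out

# Constructed sample capture (not the poster's real output): the handshake, the ACK
# line quoted in the thread, then a data packet coming back from the server.
SAMPLE = """\
23:38:30.301000 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [S], seq 1, win 65535, length 0
23:38:30.402000 IP ec2-3-228-179-21.compute-1.amazonaws.com.443 > FIRE10.lan.47632: Flags [S.], seq 7, ack 2, win 26847, length 0
23:38:30.564161 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [.], ack 4445, win 377, options [nop,nop,TS val 105511 ecr 3011436181], length 0
23:38:30.600000 IP ec2-3-228-179-21.compute-1.amazonaws.com.443 > FIRE10.lan.47632: Flags [P.], seq 7:1400, ack 2, win 26847, length 1393
""".splitlines()
```

Run `connections_to(SAMPLE)` on the constructed lines and the flow is attributed to FIRE10.lan, because the bare SYN came from the tablet; feed it only the ACK and data lines and the initiator is reported as "unknown", which is exactly the situation when the capture was started after the handshake.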