Block a domain including all its subdomains

Would this be the way to ban 8.8.8.8? In /etc/config/firewall:

config rule
	option name 'block-8888'
	option src 'lan'
	list proto 'all'
	option dest 'wan'
	list dest_ip '8.8.8.8'
	option target 'REJECT'

The DNS hijacking rule works as expected. Banning access to 8.8.8.8 will change nothing.

Check the dump for DNS queries like

4+ A? ec2-3-228-179-21.compute-1.amazonaws.com. (58)
4+ A? ec2-3-228-179-21.compute-1.amazonaws.com. (58)
5+ AAAA? ec2-3-228-179-21.compute-1.amazonaws.com. (58)
5+ AAAA? ec2-3-228-179-21.compute-1.amazonaws.com. (58)

If you don't see any, you may need to manually prohibit access from lan to the corresponding IP addresses.

You can see domain names or IP addresses, but not both. Starting tcpdump with the -n option will make it almost impossible to find what you need.

EDIT:

In your case, the IP address is visible in the domain name.

ec2-34-231-31-253.compute-1.amazonaws.com # 34.231.31.253
ec2-44-197-43-221.compute-1.amazonaws.com # 44.197.43.221

The approach is wrong. *.compute-1.amazonaws.com is a PTR record, the result of the reverse lookup made by tcpdump. The A record that should be blocked may not contain compute-1 at all.

Try blocking all subdomains of amazonaws.com to see if that will make a difference, or gather some information about the DNS queries made by the Fire 10.

hostip=$(nslookup FIRE10.lan | grep Address | grep -v \# | grep -v \:: | sed 's/^.*: //')
tcpdump -i any host $hostip and port 53
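Pulling the two replies above together (run tcpdump with -n so you see the names the tablet actually asked for, and block the A/AAAA names rather than the PTR names tcpdump's reverse lookups print) as an added example that is not from any post in the thread: a POSIX shell script that parses a `tcpdump -n -l ... port 53` capture and emits the `list server '/domain/'` lines that make dnsmasq refuse each queried name and all its subdomains, plus `list dest_ip` lines for a lan to wan REJECT rule on the answered addresses. The capture below is constructed, the addresses are RFC 5737 documentation addresses rather than real Amazon servers, 192.168.1.50 stands for the tablet, and the ec2-34-231-31-253.compute-1.amazonaws.com name is reused from the thread only to show the shape of a query line.

```shell
#!/bin/sh
# Added example (not from any post in the thread): turn a DNS capture taken with
#   tcpdump -n -l -i br-lan host "$hostip" and port 53
# into dnsmasq entries that block each queried name and all its subdomains,
# plus dest_ip entries for a lan->wan REJECT rule on the answered addresses.
# -n matters: without it tcpdump prints PTR names from its own reverse lookups,
# which are not the names the tablet asked for.

# Constructed sample capture in `tcpdump -n -l` format. The addresses are RFC 5737
# documentation addresses, not real Amazon servers; 192.168.1.50 stands for the tablet.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.50.40123 > 192.168.1.1.53: 41+ A? tabletcaptiveportal.com. (41)
12:00:01.000900 IP 192.168.1.1.53 > 192.168.1.50.40123: 41 1/0/0 A 203.0.113.10 (57)
12:00:01.002000 IP 192.168.1.50.40124 > 192.168.1.1.53: 42+ AAAA? tabletcaptiveportal.com. (41)
12:00:01.002900 IP 192.168.1.1.53 > 192.168.1.50.40124: 42 0/1/0 (94)
12:00:02.000001 IP 192.168.1.50.40125 > 192.168.1.1.53: 43+ A? ec2-34-231-31-253.compute-1.amazonaws.com. (59)
12:00:02.000900 IP 192.168.1.1.53 > 192.168.1.50.40125: 43 2/0/0 A 203.0.113.20, A 203.0.113.21 (91)
12:00:03.000001 IP 192.168.1.50.40126 > 192.168.1.1.53: 44+ PTR? 10.113.0.203.in-addr.arpa. (43)'

# Names the client asked for: the token after "A?" or "AAAA?" on query lines.
# PTR (and other) query types are skipped; a PTR name is never the one to block.
queried_names() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "A?" || $i == "AAAA?") { n = $(i + 1); sub(/\.$/, "", n); print n }
    }' | sort -u
}

# IPv4 answers: response lines carry "<id> <answers>/<authority>/<additional> A <ip>[, A <ip>...]".
answered_ips() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\/[0-9]+\/[0-9]+$/)
                for (j = i + 1; j < NF; j++)
                    if ($j == "A") { ip = $(j + 1); sub(/,$/, "", ip); print ip }
    }' | sort -u
}

# dnsmasq answers NXDOMAIN for a server=/domain/ entry with no upstream address,
# and the entry covers every subdomain, so blocking amazonaws.com also covers
# ec2-*.compute-1.amazonaws.com. Output is in /etc/config/dhcp "config dnsmasq" syntax.
dnsmasq_block_entries() {
    while IFS= read -r name; do
        if [ -n "$name" ]; then printf "\tlist server '/%s/'\n" "$name"; fi
    done
}

# dest_ip lines for a "config rule" with src lan, dest wan, target REJECT,
# for a client that hard-codes resolvers or addresses and bypasses dnsmasq.
firewall_dest_ip_entries() {
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then printf "\tlist dest_ip '%s'\n" "$ip"; fi
    done
}

# Stand-alone run over the sample capture; on the router replace SAMPLE_CAPTURE
# with the live tcpdump pipe or a saved `tcpdump -n -l ... > dns.log`.
printf '%s\n' "$SAMPLE_CAPTURE" | queried_names | dnsmasq_block_entries
printf '%s\n' "$SAMPLE_CAPTURE" | answered_ips | firewall_dest_ip_entries
```

On a live capture you would normally collapse the emitted names to the zone you actually want gone (for example one `list server '/amazonaws.com/'` instead of one line per EC2 host), and the dest_ip list only helps for addresses the device reaches without asking the router's dnsmasq first; a device that resolves through a hard-coded resolver still shows up in the port 53 capture as long as that traffic is not intercepted elsewhere.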

Thank you.

While trying to start afresh and log my activities better, I made this interesting discovery, to wit:

If I block tabletcaptiveportal.com, i.e. use the following in /etc/config/dhcp

config dnsmasq
	list server '/tabletcaptiveportal.com/'

then the Amazon tablet on WiFi becomes "Connected, no internet."

Quick research tells me that tabletcaptiveportal dot com is an Amazon owned site.

If I were to think as follows (in broad conceptual terms), would I be right?

  1. The tablet cannot have Internet unless it can phone home to an Amazon server.
  2. Once it phones home and a connection is made, Amazon servers will find a way to send down the on-the-air update.
  3. Thus, an attempt to blacklist update servers while retaining general Internet access will fail.
  4. I should rather think in terms of whitelisting: denying the tablet Internet connection and allowing only whitelisted traffic (e.g. browser traffic) through a proxy in LAN.

An example of 4 would be establishing a SOCKS proxy in LAN and a dynamic (SSH) forwarding from the tablet to that proxy.

I realize that this means the apps on the tablet cannot go online unless they let you set a proxy server.
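Item 4 of the reasoning above, as an added /etc/config/firewall fragment that is not from any post in the thread: a rule that rejects all lan-to-wan traffic from the tablet's address. Traffic from the tablet to a proxy host on the same LAN is switched, not routed, so it never crosses the router's firewall, and the proxy host keeps its own Internet access; only what the tablet sends through that proxy reaches the wan. 192.168.1.50 is an assumed static DHCP lease for the tablet; if its MAC address is stable, `list src_mac` can be used instead of `list src_ip`.

```text
config rule
	option name 'tablet-no-wan'
	option src 'lan'
	list src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Rules are evaluated before the lan-to-wan zone forwarding, so the rest of the LAN keeps its access while the tablet is cut off. The dnsmasq entry shown earlier still matters for the "Connected, no internet" behaviour: the tablet decides whether it is online by what it can resolve and reach, and this rule makes every such check fail unless it goes through the proxy.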

Better create an Amazon account and contact the manufacturer.

https://www.amazonforum.com/s/question/0D54P00008NQjLsSAL/my-fire-10-tablet-2021-model-continues-to-ping-fireoscaptiveportalcom-and-tabletcaptiveportalcom


Thank you. I'll try.