Block domain with iptables

Hello Forum,

I want to block a specific domain that my smartphone is contacting from time to time. I found help on the internet: Help 1 Help 2

For testing, I'm trying to block one of my own domains. But it doesn't work:

iptables -I INPUT 1 -i wlan0 -p udp --dport 53 -m string --hex-string "|06|pfarge|02|de|0000ff|" --algo bm -j DROP
iptables -I INPUT 1 -i wlan0 -p tcp --dport 53 -m string --hex-string "|06|pfarge|02|de|0000ff|" --algo bm -j DROP

If I remove the wlan0 parameter the domain should also be blocked from my copper cable network. But after flushing the DNS cache of my laptop, I can still ping the domain name.

I know that in tiny Linux systems every tool is stripped and slim. Can you give me a hint what could be the problem? The iptables command gives no error messages. I'm using OpenWrt 18.06.0 r7188-b0b5c64c22.



Edit: For iptables string, you need to install iptables-mod-filter

opkg update
opkg install iptables-mod-filter
opkg install kmod-ipt-filter

There is a much simpler way.


I only want to block the domain for wlan devices. I still want to access it with my laptop.

Are the wired and wlan interfaces separate or bridged?

I separated them manually.

Currently the dropping of matching DNS packets does not happen at all. If I remove "-i wlan0" from the iptables command it shouldn't matter where these packets are coming from. With tcpdump -qA port 53 at the router shell I can still see the request.

You will always see the query, as the tcpdump is capturing before the firewall. You should enable verbose logging in dnsmasq and check on the logs instead.

I added log-queries to dnsmasq.conf and restarted the daemon. I can still see the request and answers in logread:

dnsmasq[3574]: query[A] from xxxx
dnsmasq[3574]: forwarded to yyyy
dnsmasq[3574]: reply is
dnsmasq[3574]: reply is

With the following rule I can drop all wlan dns requests:
iptables -I INPUT 1 -i wlan0 -p udp --dport 53 -j DROP
If I put the IP manually in the browser I can access the internet. I think it's a problem with iptables-mod-filter. It's stripped and a lot of functions are removed, right?

It is possible, although I have not tried it myself.
Since you have separate interfaces, you could run multiple dnsmasq instances and block that domain only on the desired instance.


Ok, thanks for the hint.
I will try some things and if I find a solution, I will post it.

It's a problem on my side of understanding ANY requests in the help links in the first posting. It means a specific DNS request for a bunch of values and not all kinds of DNS requests. With the QTYPE field removed, all DNS requests for this domain are dropped... and maybe some more, where it is a subdomain. But in my case this is not a problem. And you also have to add icase because the DNS query contains the request case sensitive.

iptables -I INPUT 1 -i wlan0 -p udp --dport 53 -m string --hex-string "|06|pfarge|02|de|" --algo bm --icase -j DROP
iptables -I INPUT 1 -i wlan0 -p tcp --dport 53 -m string --hex-string "|06|pfarge|02|de|" --algo bm --icase -j DROP

I also had to detour the DNS packets. For an unknown reason my Android smartphone didn't take the DNS server advertised from my router:

iptables -t nat -I PREROUTING -i wlan0 -p tcp --dport 53 --jump DNAT --to-destination
iptables -t nat -I PREROUTING -i wlan0 -p udp --dport 53 --jump DNAT --to-destination
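To make the last post's explanation concrete, here is an added example (not code from the thread) that builds DNS query packets for the thread's domain and checks them against both --hex-string patterns exactly as the iptables string match would: the trailing |0000ff| in the original pattern is the end-of-name byte plus QTYPE ANY (0x00ff), so a normal A query (QTYPE 0x0001) never matched, and without --icase an upper-case query from the phone slips through. It assumes a minimal query layout (12-byte header, class IN) and does not model the IP/UDP headers that precede the DNS payload in the real packet.

```python
# Added example: simulate the iptables -m string --hex-string match on DNS queries.
import struct

def encode_qname(domain: str) -> bytes:
    """DNS wire format for a name: each label as <length byte><label>, then 0x00."""
    out = b""
    for label in domain.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(domain: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header (flags=RD, QDCOUNT=1) + one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack("!HH", qtype, 1)

def iptables_hex_pattern(pattern: str) -> bytes:
    """Parse a --hex-string pattern: text outside |...| is literal, inside is hex bytes."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        out += part.encode("ascii") if i % 2 == 0 else bytes.fromhex(part)
    return out

def matches(packet: bytes, pattern: str, icase: bool = False) -> bool:
    """Substring search over the packet, as -m string does (--icase folds ASCII case)."""
    needle = iptables_hex_pattern(pattern)
    if icase:
        return needle.lower() in packet.lower()
    return needle in packet

QTYPE_A, QTYPE_AAAA, QTYPE_ANY = 1, 28, 255
ORIGINAL = "|06|pfarge|02|de|0000ff|"   # ...|00| end of name, |00ff| = QTYPE ANY only
FIXED = "|06|pfarge|02|de|"             # name labels only: matches every QTYPE

if __name__ == "__main__":
    for qt in (QTYPE_A, QTYPE_AAAA, QTYPE_ANY):
        pkt = build_query("pfarge.de", qt)
        print(f"qtype={qt:3d} original={matches(pkt, ORIGINAL)} fixed={matches(pkt, FIXED)}")
    upper = build_query("PFARGE.DE", QTYPE_A)   # constructed: client sent upper-case name
    print("upper-case:", matches(upper, FIXED), "with --icase:", matches(upper, FIXED, icase=True))
    # The fixed pattern also hits names that merely contain the labels (the "maybe some more").
    print("www.pfarge.de:", matches(build_query("www.pfarge.de", QTYPE_A), FIXED))
```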
