Block specific IPs from Incoming and Outgoing

So I've been trying to stop anything on my internal network contacting or receiving anything from a specific IP that is on the net, and all my implementations have failed; it still gets contacted and my network receives responses.

Some rules I've made using the below have worked, but one IP still slips through.

So what is the specific firewall rule to block a single WAN/public IP from ever being contacted, or even receive a response from my internal network?

Current Rule that does not work:

Source Zone: Lan
Source Address: Blank/Any
Source Port: Blank/Any
Protocol: UDP & TCP
Destination Zone: Wan & Wan6
Destination Address: The one I want no contact with
Destination Port: Any
Action: Reject

Now when I run checks from an internal host, this certain IP still gets contacted and responds; this should be blocked from any contact.

Where am I going wrong?

As I have a list of IPs which I need to basically blacklist from any contact on my network, can I specify a list/file instead of creating separate rules for every IP?

Any help on this would be much appreciated.

Current OS:

LuCI openwrt-21.02 branch (git-21.357.58218-b3cd473) (https://github.com/openwrt/luci) / OpenWrt 21.02.1 r16325-88151b8303

Try making protocol any.

If that doesn't work,

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:

cat /etc/config/firewall

OK, that's kind of worked.

The reason I ask is due to creating a DNS blacklist. I want this specific DNS server to be totally ignored or known.

I'm using GRC DNS Benchmark, a pretty good piece of software:

http://www.GRC.com/dns/dns.htm

Basically I'm curing my DNS, and one DNS still keeps responding.

Kind of worked? I would think it either does or does not work, but maybe you can elaborate on what is happening.

It's kind of worked: yes.

The blocking is working, though the IP is still recognised as alive, ping probably. I don't even want that response.

As for the output of what you asked for:

BusyBox v1.33.2 (2022-01-03 21:09:45 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.1, r16325-88151b8303
 -----------------------------------------------------
root@The_Net:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun+'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'HTTP'
        option src_dport '80'
        option target 'DNAT'
        option dest 'lan'
        option dest_ip '192.168.1.51'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'HTTPS'
        option src_dport '443'
        option target 'DNAT'
        option dest 'lan'
        option dest_ip '192.168.1.51'

config rule
        option name 'Forward'
        option src 'lan'
        option dest 'wan'
        list dest_ip '212.159.13.49'
        option target 'REJECT'

config rule
        option name 'Forward2'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list dest_ip '212.159.13.50'

config rule
        option name 'Forward3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '212.159.6.10'
        option target 'REJECT'

config rule
        option name 'Forward4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '212.159.6.9'
        option target 'REJECT'

config rule
        option name 'Forward5 BT1'
        option dest 'wan'
        list dest_ip '62.6.40.162'
        option target 'REJECT'
        option src 'lan'

config rule
        option name 'Forward6 BT2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.6.40.178'
        option target 'REJECT'

config rule
        option name 'RDNS Reject'
        option src 'lan'
        option dest 'wan'
        list dest_ip '216.146.35.35'
        option target 'REJECT'

config rule
        option name 'GBLX Reject'
        option src 'lan'
        option dest 'wan'
        list dest_ip '206.165.6.11'
        option target 'REJECT'

config rule
        option name 'BT Refuse1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.72.0.98'
        option target 'REJECT'

config rule
        option name 'BT Refuse2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.72.0.144'
        option target 'REJECT'

config rule
        option name 'BT Refuse3'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list dest_ip '194.72.6.51'

config rule
        option name 'BT Refuse4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.6.40.162'
        option target 'REJECT'

config rule
        option name 'BT Refuse5'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.6.40.178'
        option target 'REJECT'

config rule
        option name 'Hurricane Block'
        option src 'lan'
        option dest 'wan'
        list dest_ip '74.82.42.42'
        option target 'REJECT'

config rule
        option name 'BT Refuse6'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.72.9.38'
        option target 'REJECT'

config rule
        option name 'Equinix Block'
        list dest_ip '85.90.229.188'
        option target 'REJECT'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Voda Block'
        option src 'lan'
        option dest 'wan'
        list dest_ip '141.1.27.249'
        option target 'REJECT'

config rule
        option name 'Voda Block 2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.27.1.1'
        option target 'REJECT'

config rule
        option name 'Cache UU'
        option src 'lan'
        option dest 'wan'
        list dest_ip '185.43.192.1'
        option target 'REJECT'

config rule
        option name 'BT Refuse7'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.72.0.98'
        option target 'REJECT'

config rule
        option name 'BT Refuse8'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.6.40.162'
        option target 'REJECT'

config rule
        option name 'BT Refuse9'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.6.40.178'
        option target 'REJECT'

config rule
        option name 'BT Refuse10'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.6.40.162'
        option target 'REJECT'

config rule
        option name 'BT Refuse11'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.6.40.178'
        option target 'REJECT'

config rule
        option name 'HE Ban'
        option dest 'wan'
        list dest_ip '74.82.42.42'
        option target 'REJECT'
        option src 'lan'

config rule
        option name 'BAD DNS 1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '67.17.215.132'
        option target 'REJECT'

config rule
        option name 'BAD DNS 2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '4.2.2.1'
        option target 'REJECT'

config rule
        option name 'BAD DNS 3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '4.2.2.6'
        option target 'REJECT'

config rule
        option name 'BAD DNS 3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.244.0.4'
        option target 'REJECT'

config rule
        option name 'Quad 9 BAN'
        option src 'lan'
        option dest 'wan'
        list dest_ip '9.9.9.9'
        option target 'REJECT'

config rule
        option name 'NTT Comms US1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '129.250.35.250'
        option target 'REJECT'

config rule
        option name 'NTT Comms US2'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list dest_ip '129.250.35.251'

config rule
        option name 'Google1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '8.8.8.8'
        option target 'REJECT'

config rule
        option name 'Google2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '8.8.4.4'
        option target 'REJECT'

config rule
        option name 'BAD DNS 4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '4.2.2.5'
        option target 'REJECT'

config rule
        option name 'BAD DNS 5'
        option src 'lan'
        option dest 'wan'
        list dest_ip '4.2.2.4'
        option target 'REJECT'

config rule
        option name 'BAD DNS 6'
        option src 'lan'
        option dest 'wan'
        list dest_ip '4.2.2.3'
        option target 'REJECT'

config rule
        option name 'BAD DNS 7'
        option src 'lan'
        option dest 'wan'
        list dest_ip '4.2.2.2'
        option target 'REJECT'

config rule
        option name 'Choopa Block'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.250.230.218'
        option target 'REJECT'

config rule
        option name 'Choopa Block2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '45.32.177.161'
        option target 'REJECT'

config rule
        option name 'RIPE Block'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.250.230.218'
        option target 'REJECT'

config rule
        option name 'Block ION1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '64.215.98.148'
        option target 'REJECT'

config rule
        option name 'Other1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '24.113.32.29'
        option target 'REJECT'

config rule
        option name 'Other2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '24.113.32.30'
        option target 'REJECT'

config rule
        option name 'Other3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '87.117.196.200'
        option target 'REJECT'

config rule
        option name 'Other4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '154.32.105.18'
        option target 'REJECT'

config rule
        option name 'BT'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.72.0.114'
        option target 'REJECT'

config rule
        option src 'lan'
        option dest 'wan'
        list dest_ip '64.212.106.84'
        option target 'REJECT'
        option name 'Other5'

config rule
        option name 'SOTAConnect'
        option src 'lan'
        option dest 'wan'
        list dest_ip '83.137.225.121'
        option target 'REJECT'

config rule
        option name 'Interconnect'
        option src 'lan'
        option dest 'wan'
        list dest_ip '193.58.204.159'
        option target 'REJECT'

config rule
        option name 'BT AS1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.72.6.57'
        option target 'REJECT'

config rule
        option name 'BT AS2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.72.9.34'
        option target 'REJECT'

config rule
        option name 'BT AS3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.73.82.242'
        option target 'REJECT'

config rule
        option name 'BT AS3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.74.65.68'
        option target 'REJECT'

config rule
        option name 'BT AS4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.74.65.69'
        option target 'REJECT'

config rule
        option name 'Voda2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '141.1.1.1'
        option target 'REJECT'

config rule
        option name 'LVLT2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '206.165.6.12'
        option target 'REJECT'

config rule
        option name 'LVLT3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.244.0.3'
        option target 'REJECT'

config rule
        option name 'LVLT4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.130.139.2'
        option target 'REJECT'

config rule
        option name 'LVLT5'
        option src 'lan'
        option dest 'wan'
        list dest_ip '206.165.4.12'
        option target 'REJECT'

config rule
        option name 'LVLT6'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.244.0.3'
        option target 'REJECT'

config rule
        option name 'LVLT7'
        option src 'lan'
        option dest 'wan'
        list dest_ip '64.212.106.84'
        option target 'REJECT'

config rule
        option name 'SOTAConnect2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '83.137.225.121'
        option target 'REJECT'

config rule
        option name 'LVLT8'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.244.0.3'
        option target 'REJECT'

config rule
        option name 'LVLT9'
        option src 'lan'
        option dest 'wan'
        list dest_ip '206.165.6.12'
        option target 'REJECT'

config rule
        option name 'LVLT10'
        option src 'lan'
        option dest 'wan'
        list dest_ip '206.165.6.12'
        option target 'REJECT'

config rule
        option name 'LVLT11'
        option src 'lan'
        option dest 'wan'
        list dest_ip '209.244.0.3'
        option target 'REJECT'

config rule
        option name 'Voda3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '141.1.1.1'
        option target 'REJECT'

config rule
        option name 'LVLT12'
        list dest_ip '206.165.6.12'
        option target 'REJECT'
        option src 'wan'
        option dest 'lan'

config rule
        option name 'BTOther5'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.99.66.220'
        option target 'REJECT'

config rule
        option name 'Gradwell'
        option src 'lan'
        option dest 'wan'
        list dest_ip '193.111.200.191'
        option target 'REJECT'

config rule
        option name 'H3G'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.40.32.33'
        option target 'REJECT'

config rule
        option name 'DYNDNS1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '216.146.36.36'
        option target 'REJECT'

config rule
        option name 'NoOfficial1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '156.154.70.22'
        option target 'REJECT'

config rule
        option name 'NoOfficial2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '156.154.70.25'
        option target 'REJECT'

config rule
        option name 'NoOfficial3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '156.154.71.22'
        option target 'REJECT'

config rule
        option name 'NoOfficial4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '156.154.71.25'
        option target 'REJECT'

config rule
        option name 'NoOfficial5'
        option src 'lan'
        option dest 'wan'
        list dest_ip '198.153.192.1'
        option target 'REJECT'

config rule
        option name 'NoOfficial6'
        option src 'lan'
        option dest 'wan'
        list dest_ip '198.153.194.1'
        option target 'REJECT'

config rule
        option name 'Swisp1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '81.17.66.13'
        option target 'REJECT'

config rule
        option name 'Chec1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.186.4.107'
        option target 'REJECT'

config rule
        option name 'Chec2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.186.4.108'
        option target 'REJECT'

config rule
        option name 'Gradwell10'
        option src 'lan'
        option dest 'wan'
        list dest_ip '193.111.200.191'
        option target 'REJECT'

config rule
        option name 'Unknown 5'
        option src 'lan'
        option dest 'wan'
        list dest_ip '204.194.232.200'
        option target 'REJECT'

config rule
        option name 'Unknown 6'
        option src 'lan'
        option dest 'wan'
        list dest_ip '204.194.234.200'
        option target 'REJECT'

config rule
        option name 'Sprint2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '204.117.214.10'
        option target 'REJECT'

config rule
        option name 'Sprint3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '199.2.252.10'
        option target 'REJECT'

config rule
        option name 'Sprint4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '204.97.212.10'
        option target 'REJECT'

config rule
        option name 'BT44'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.134.11.4'
        option target 'REJECT'

config rule
        option name 'COGENT'
        option src 'lan'
        option dest 'wan'
        list dest_ip '66.28.0.45'
        option target 'REJECT'

config rule
        option name 'HP NET1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '170.56.58.53'
        option target 'REJECT'

config rule
        option src 'lan'
        option dest 'wan'
        list dest_ip '158.43.128.1'
        option target 'REJECT'
        option name 'UUNET1'

config rule
        option name 'UUNET2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '158.43.128.72'
        option target 'REJECT'

config rule
        option name 'UUNET3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '158.43.192.1'
        option target 'REJECT'

config rule
        option name 'EQiNIX1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '213.52.192.198'
        option target 'REJECT'

config rule
        option name 'EQiNIX2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '212.111.32.7'
        option target 'REJECT'

config rule
        option name 'Swiss1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.186.1.107'
        option target 'REJECT'

config rule
        option name 'Swiss2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.186.1.109'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'Swiss3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.108.1.108'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'Swiss4'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.186.1.110'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'France-Telecom1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.2.0.50'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'INAP-LON1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '212.118.241.1'
        option target 'REJECT'

config rule
        option name 'INAP-LON2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '212.118.241.33'
        option target 'REJECT'

config rule
        option name 'FR-1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '213.251.133.164'
        option target 'REJECT'

config rule
        option name 'Ultra1-Unsecure1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '156.154.70.1'
        option target 'REJECT'

config rule
        option name 'Interconnect1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '193.58.204.59'
        option target 'REJECT'

config rule
        option name 'Ultra1-Unsecure1'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list dest_ip '156.154.71.1'

config rule
        option name 'BT-Another'
        list dest_ip '195.182.110.132'
        option target 'REJECT'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Research DNS'
        option src 'lan'
        option dest 'wan'
        list dest_ip '193.2.64.45'
        option target 'REJECT'

config rule
        option name 'DE Unsecure1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.238.40.45'
        option target 'REJECT'

config rule
        option name 'SARENET1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '193.30.0.1'
        option target 'REJECT'

config rule
        option name 'ThreatTrack1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '74.118.212.1'
        option target 'REJECT'

config rule
        option name 'ThreatTrack2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '74.118.212.2'
        option target 'REJECT'

config rule
        option name 'Quad9'
        option src 'lan'
        option dest 'wan'
        list dest_ip '9.9.9.9'
        option target 'REJECT'

config rule
        option name 'MegaPath1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '64.81.111.2'
        option target 'REJECT'

config rule
        option name 'AS Wave1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '24.113.32.29'
        option target 'REJECT'

config rule
        option name 'AS Wave2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '24.113.32.30'
        option target 'REJECT'

config rule
        option name 'UUNet 1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '158.43.240.3'
        option target 'REJECT'

config rule
        option name 'UUNet 2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '158.43.240.4'
        option target 'REJECT'

config rule
        option name 'UUNet 3'
        option src 'lan'
        option dest 'wan'
        list dest_ip '192.76.144.66'
        option target 'REJECT'

config rule
        option name 'gtnduss1.dpn.de'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.150.168.168'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'resolv-f.dtag.de'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.25.0.68'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'H3G IE'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.40.32.34'
        option target 'REJECT'

config rule
        option name 'Zugernet CH'
        option src 'lan'
        option dest 'wan'
        list dest_ip '212.94.32.32'
        option target 'REJECT'

config rule
        option name 'UUNET-Unsecure1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '193.67.79.39'
        option target 'REJECT'

config rule
        option name 'Swiss-Unsecure1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '195.186.4.109'
        option target 'REJECT'

config rule
        option name 'SareNet'
        option src 'lan'
        option dest 'wan'
        list dest_ip '194.30.0.1'
        option target 'REJECT'

config rule
        option name 'ASNCloudItalia1'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.94.0.42'
        option target 'REJECT'

config rule
        option name 'ASNCloudItalia2'
        option src 'lan'
        option dest 'wan'
        list dest_ip '62.94.0.41'
        option target 'REJECT'

config rule
        option name 'Europe1'
        list proto 'all'
        option src 'lan'
        option dest 'wan'
        list dest_ip '217.14.128.50'
        option target 'REJECT'

Are these all DNS servers?

You might be best off simply rejecting all outgoing port 53 requests from LAN to WAN. Then, have your LAN devices use the router itself as the DNS server (or a pihole or other such DNS server) and set your preferred DNS upstream accordingly. This will make it possible to collapse all those DNS server block rules into a single one. You will still be able to ping them, but they will not be available for DNS.

Keep in mind that a port 53 block won't block DoH and DoT, but will block all standard DNS.

EDIT: another thing you can do for standard DNS is to set up DNS hijacking... this will redirect all DNS requests from your LAN to the DNS resolver of your choice. This can be useful if you need to accommodate devices that have hardcoded DNS servers which will fail to function if DNS is not accessible due to a port 53 block. This is not an option for DoH and DoT, though.

EDIT 2: worth mentioning that you can also create a single rule that has many addresses. This will make one rule kind of big, but that single rule can filter a whole list of addresses. The only reason to use separate firewall rules is if you want to individually name each specific IP block and/or if you want to be able to easily enable/disable individual address blocks.

I'm not sure what you're trying to do m8, but I think you can utilize the banip package. You can also put everything in an ipset rule.

What would be the rule you would specify to implement:

You might be best off simply rejecting all outgoing port 53 requests from LAN to WAN. Then, have your LAN devices use the router itself as the DNS server (or a pihole or other such DNS server) and set your preferred DNS upstream accordingly. This will make it possible to collapse all those DNS server block rules into a single one. You will still be able to ping them, but they will not be available for DNS.

Keep in mind that a port 53 block won't block DoH and DoT, but will block all standard DNS.

Basically the same rule as you have, but the destination port would be 53 (instead of empty/any), and you can remove the destination address.
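To make the three pieces of advice in this thread concrete (one rule carrying a whole address list instead of a rule per IP, a single LAN-to-WAN port 53 reject, and the DNS hijacking redirect), here is an added example script. It is my own, not code from the thread or from the OpenWrt project. It only prints UCI firewall sections as text so they can be reviewed before being appended to /etc/config/firewall; it assumes the zone names `lan` and `wan` used in the posted config, the rule names are made up, and the three addresses in the sample blocklist are taken from the posted config.

```shell
#!/bin/sh
# Added example (not from this thread or the OpenWrt project): emit OpenWrt
# fw3/UCI firewall sections as plain text. Review the output, then append it
# to /etc/config/firewall and run /etc/init.d/firewall restart.

# Constructed sample blocklist, one address per line, as it might be kept in
# a file. The addresses are taken from the config posted earlier in the thread.
BLOCKLIST='217.14.128.50
9.9.9.9
8.8.8.8'

# One 'config rule' that rejects LAN->WAN traffic to every address in the
# list: fw3 accepts any number of 'list dest_ip' entries in a single rule,
# so a file of addresses collapses into one section.
# $1 = rule name, $2 = whitespace/newline separated addresses.
gen_blocklist_rule() {
    name=$1
    list=$2
    printf "config rule\n"
    printf "\toption name '%s'\n" "$name"
    printf "\toption src 'lan'\n"
    printf "\toption dest 'wan'\n"
    printf "\tlist proto 'all'\n"
    # $list is deliberately unquoted so the shell splits it into one word
    # per address.
    for ip in $list; do
        printf "\tlist dest_ip '%s'\n" "$ip"
    done
    printf "\toption target 'REJECT'\n\n"
}

# Reject all plain DNS (TCP/UDP 53) and DNS over TLS (TCP 853) leaving the
# LAN. DNS over HTTPS shares port 443 with ordinary web traffic, so it
# cannot be singled out by port; only a resolver policy on the clients helps.
gen_dns_block_rules() {
    printf "config rule\n"
    printf "\toption name 'Reject-LAN-DNS-Out'\n"
    printf "\toption src 'lan'\n"
    printf "\toption dest 'wan'\n"
    printf "\toption proto 'tcp udp'\n"
    printf "\toption dest_port '53'\n"
    printf "\toption target 'REJECT'\n\n"
    printf "config rule\n"
    printf "\toption name 'Reject-LAN-DoT-Out'\n"
    printf "\toption src 'lan'\n"
    printf "\toption dest 'wan'\n"
    printf "\toption proto 'tcp'\n"
    printf "\toption dest_port '853'\n"
    printf "\toption target 'REJECT'\n\n"
}

# DNS hijacking: DNAT every port 53 request from the LAN to the router
# itself (no dest_ip means "this device"), so hosts with hard-coded
# resolvers keep working instead of failing on the reject rule above.
gen_dns_hijack_redirect() {
    printf "config redirect\n"
    printf "\toption name 'Intercept-DNS'\n"
    printf "\toption src 'lan'\n"
    printf "\toption src_dport '53'\n"
    printf "\toption proto 'tcp udp'\n"
    printf "\toption target 'DNAT'\n\n"
}

# Self-check helper: number of dest_ip entries generated for a list.
count_dest_ips() {
    gen_blocklist_rule check "$1" | grep -c "list dest_ip"
}

# Print the complete fragment. To use a file instead of the inline sample:
#   gen_blocklist_rule 'DNS-Blocklist' "$(cat /etc/dns-blocklist.txt)"
gen_blocklist_rule 'DNS-Blocklist' "$BLOCKLIST"
gen_dns_block_rules
gen_dns_hijack_redirect
```

The redirect is applied in the NAT prerouting stage, before the forward filter, so intercepted queries reach the router's own resolver rather than the reject rule; the router's upstream resolvers then decide where DNS actually goes. Keeping the blocklist in one rule loses per-address enable/disable in LuCI, which is the trade-off the earlier reply mentions.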

Way beyond that mate, I don't use packages to make my rules, and I don't use ancient but effective iptables.

So what port would DNS be routed through, if not 53? And I also require this port to accept DNS requests due to services on my end (an internal DNS server pointing to various web servers).

DNS over HTTPS (DoH) is over port 443. Block that and the whole web breaks.

DNS over TLS (DoT) runs over port 853.

The rule I am proposing would only block outgoing DNS requests from your LAN. You can set up a rule to allow specific servers, if you so choose. Or set up your router as the DNS server for the LAN and specify the desired DNS upstream resolvers yourself so that you know where the DNS requests are going.

I've already done that using the help of GRC Benchmark, and DNS Leak Test.

All my outgoing DNS points to a specific few DNS servers with DNSSEC. Strict rules.

Everything on my LAN uses those specific outgoing DNS servers, overriding the ISP. Just got one DNS server I cannot eradicate.

That blummin IP is: 217.14.128.50

It just seems to reply no matter what.

As you can see from my last rule, I've done what you said.

What about after putting in a port 53 block?

config rule
	option name 'test1'
	option direction 'out'
	# replace eth0.2 with your WAN device
	option device 'eth0.2'
	list proto 'all'
	option src '*'
	option dest 'wan'
	list dest_ip '217.14.128.50'
	option target 'DROP'

This is my result from optimising DNS queries to specific secure DNS servers (ONLY):

Run a curious query yourself and check your routes. Use the DNS Tool to rule out which DNS to avoid, which is in your path, and if they support DNSSEC, or Leaking queries.

https://www.grc.com/dns/dns.htm

If you follow GRC's (Gibbs) information properly, you can secure your DNS queries as best you can.

I bet everyone that tries this has more than one Total on first run, and a lot of bad DNS servers that leak.