Configuring firewall to drop some DNS queries

I've got an OpenWRT router with 22.03 installed. I managed to configure a few firewall rules already using LuCI and also by manipulating /etc/config/firewall myself. Now what I'm trying currently is to drop certain DNS requests. I can drop all DNS requests like this:

config rule               
        option name 'Drop DNS'
        option src 'lan'
        option proto 'udp'
        option dest_port '53'
        option target 'DROP'
        option enabled '1'

But my requirement is to drop only some based on the domains queried. I found a guide on how to do it with IP tables: and it seems rather straightforward: just block based on hex-string content. However, I have not been able to find anything in the firewall configuration docs ( on how that would be possible. I have the feeling I might need to install another package, but I'm a bit overwhelmed by the number of packages I find when looking for "netfilter" in the LuCI package manager. Any ideas?


use adblock, or dnsmasqs address= in the conf instead ?


dns filtering


Thanks for that idea. I tried it and it is similar to other rules I already configured in the dhcp config file. Unfortunately, when I add that blacklist rule, the DNS server returns a NXDOMAIN for queries. I guess usually that should be enough. What I'm doing however is some research on how some client systems behave or misbehave depending on the DNS configuration of the router and while I already got the case covered where NXDOMAIN is returned for some domains, the question that I'm trying to answer at the moment is how the behave if some of their DNS queries are silently dropped.

Thanks frollic. I tried this too, but didn't manage to get it to do what I needed.

Anyway, since I had a tutorial available for iptables while iptables is not available on my router, I figured it might be simpler to just switch to a system that has it. So I configured my other laptop as a router and was able to figure out what I needed to using iptables.

Thanks for your answers still, very much appreciated.

That's easy, make the client query some non existant address.

That wouldn't cause a silent drop though, would it?

@sebkur you can probably configure what kind of reply a blacklisted domain should generate.

Seems quite silent to me.

root@barracuda:[~]#dig @
;; communications error to timed out
;; communications error to timed out
;; communications error to timed out

; <<>> DiG 9.18.7 <<>> @
;; global options: +cmd
;; no servers could be reached
1 Like

That's easy indeed. However in my research setup, I cannot chose the address the client uses. Background: I'm looking at Android devices that use and to determine whether a Wifi connection is considered online/offline and am tampering with different situations to see how the Android device reacts.

misunderstood, thought you meant the DNS name would be non existent, not the DNS server.


Android devices use hardcoded GoogleDNS apart from the advertised nameservers.

there's also DoT on OS level, and DoH in the browser(s).


The one I am using here doesn't seem to. At least it also uses the IP address of my router as nameserver. I can the lots of requests on the router's log. Also when blocking on the router, the Android device thinks it's offline as in the Wifi has the little X-marker and the Wifi settings mention "No internet access" (although of course it has Internet access, it just cannot reach Google :))

Yes, so you must fix that, correct?

You were told why - in fact, you explained it.

Is this your only use case, because the Android issue is known and unrelated to OpenWrt.


In other words, are there other domains that you wish to block that aren't working, or perhaps I misunderstand what you're tying to solve, or the title doesnt quite describe?

You might want to look at dnsmasq’s native connmark-allowlist option to filter certain clients for certain domains.