I've got an OpenWRT router with 22.03 installed. I managed to configure a few firewall rules already using LuCI and also by manipulating /etc/config/firewall myself. Now what I'm trying currently is to drop certain DNS requests. I can drop all DNS requests like this:
But my requirement is to drop only some based on the domains queried. I found a guide on how to do it with IP tables: https://noc.org/help/blocking-dns-requests-via-iptables/ and it seems rather straightforward: just block based on hex-string content. However, I have not been able to find anything in the firewall configuration docs (https://openwrt.org/docs/guide-user/firewall/firewall_configuration) on how that would be possible. I have the feeling I might need to install another package, but I'm a bit overwhelmed by the number of packages I find when looking for "netfilter" in the LuCI package manager. Any ideas?
Thanks for that idea. I tried it and it is similar to other rules I already configured in the dhcp config file. Unfortunately, when I add that blacklist rule, the DNS server returns a NXDOMAIN for queries. I guess usually that should be enough. What I'm doing however is some research on how some client systems behave or misbehave depending on the DNS configuration of the router and while I already got the case covered where NXDOMAIN is returned for some domains, the question that I'm trying to answer at the moment is how the behave if some of their DNS queries are silently dropped.
Thanks frollic. I tried this too, but didn't manage to get it to do what I needed.
Anyway, since I had a tutorial available for iptables while iptables is not available on my router, I figured it might be simpler to just switch to a system that has it. So I configured my other laptop as a router and was able to figure out what I needed to using iptables.
Thanks for your answers still, very much appreciated.
root@barracuda:[~]#dig openwrt.org @10.0.2.4
;; communications error to 10.0.2.4#53: timed out
;; communications error to 10.0.2.4#53: timed out
;; communications error to 10.0.2.4#53: timed out
; <<>> DiG 9.18.7 <<>> openwrt.org @10.0.2.4
;; global options: +cmd
;; no servers could be reached
That's easy indeed. However in my research setup, I cannot chose the address the client uses. Background: I'm looking at Android devices that use connectivitycheck.gstatic.om and google.com to determine whether a Wifi connection is considered online/offline and am tampering with different situations to see how the Android device reacts.
The one I am using here doesn't seem to. At least it also uses the IP address of my router as nameserver. I can the lots of requests on the router's log. Also when blocking google.com on the router, the Android device thinks it's offline as in the Wifi has the little X-marker and the Wifi settings mention "No internet access" (although of course it has Internet access, it just cannot reach Google :))
In other words, are there other domains that you wish to block that aren't working, or perhaps I misunderstand what you're tying to solve, or the title doesnt quite describe?