DNS Based fw auth rule


Is there a way to set up a FW rule that will accept packets to and from a certain domain name (i.e. *.whatsapp.com)?

I would like to authorize access to some domains outside the connection time limits allowed for the kids' devices.

I know I can create IP-based auth rules (and have done that already), but for providers with a large IP base this seems like quite a lot of work for something that will quickly break.

Thank you.

I posted this post last week (about blocking FB) - umlwind pointed me in the right direction. The piece that was missing was filling in the IP address ranges, which can be found like this (the ASN is for Facebook - you'll have to get the WhatsApp one)...

whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | sort | awk '{print $2}'

Just a warning - if you query this too often, you get temporarily blocked, so don't abuse their servers too much :slight_smile:

I am busy doing a script-ish version of it, which I will post to the original thread once it's working.
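The whois one-liner above only lists the prefixes; what the question needs is those prefixes loaded into a set the firewall can match. Here is an added example (not the poster's script, and not the one they said they would post) that takes RADB output and turns it into ipset/iptables commands. It assumes a documentation ASN (AS64496), a set name of my choosing, and a constructed, abbreviated stand-in for the whois output so it runs offline; on the router you would feed it the live query instead.

```shell
#!/bin/sh
# Added example, not from the thread: take the RADB "route:" objects for an ASN
# (the output of the whois one-liner above) and turn them into ipset/iptables
# commands. The set name, the ASN and the sample whois text are assumptions.

# Keep only IPv4 prefixes ("route:" lines) from RADB output on stdin, de-duplicated.
# route6: objects are skipped because a hash:net set of family inet cannot hold them;
# build a second set with "family inet6" if IPv6 access is also needed.
extract_v4_routes() {
    awk '$1 == "route:" { print $2 }' | sort -u
}

# Print the commands that load the prefixes on stdin into ipset SET and allow
# forwarded traffic to and from them. Nothing is executed here; review the
# output and pipe it to sh on the router to apply it.
gen_rules() {
    set_name="$1"
    echo "ipset create $set_name hash:net family inet -exist"
    echo "ipset flush $set_name"
    while read -r prefix; do
        echo "ipset add $set_name $prefix -exist"
    done
    # With a stateful firewall the dst rule is normally enough (replies ride on the
    # established connection); the src rule is what "to & from" literally asks for.
    echo "iptables -I FORWARD -m set --match-set $set_name dst -j ACCEPT"
    echo "iptables -I FORWARD -m set --match-set $set_name src -j ACCEPT"
}

# Live fetch, kept separate: RADB rate-limits, so run it rarely and cache the result.
fetch_routes() {
    whois -h whois.radb.net -- "-i origin $1"
}

# Constructed, abbreviated stand-in for whois output (documentation prefixes and
# ASN, not a real provider's announcements): one route6 object and one duplicate
# prefix from a second registry, both of which the filter has to cope with.
SAMPLE_WHOIS='route:          192.0.2.0/24
descr:          example network
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
descr:          example network v6
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
descr:          example network
origin:         AS64496
source:         RADB

route:          192.0.2.0/24
descr:          same prefix, different registry
origin:         AS64496
source:         RIPE
'

# Offline run against the sample; on the router replace it with
#   fetch_routes AS64496 | extract_v4_routes | gen_rules allow_as64496 | sh
printf '%s' "$SAMPLE_WHOIS" | extract_v4_routes | gen_rules allow_as64496
```

The `sort -u` matters: the same prefix is often registered in more than one IRR and shows up twice. Keep in mind that an ASN's prefix list also drifts over time, so this is something to re-run from cron (not more often than daily, given the rate limit the poster mentions), which is the same "breaks quickly" problem the question raises, only automated.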

There was another topic, but the author vanished. I don't know whether it works, but the idea is to fill an ipset from dnsmasq on query: Mwan3 rules with ipset


Long story short: ipset (available in LuCI) seems to be the answer to my question, combined with dnsmasq to fill the ipset list.
I found this post on GitHub explaining what to do and how to do it - https://github.com/jamesmacwhite/ipset-netgear-r7000-dd-wrt/wiki/Using-ipset-with-dnsmasq-and-iptables - but it has sort of bricked my R6220 :frowning:

I will need help recovering the use of my router (in another topic).
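The dnsmasq-fills-an-ipset approach the thread ends on is the one that actually answers the "*.whatsapp.com" question, since the set is populated from the names the clients resolve rather than from a prefix list. The following is an added example (mine, not the thread's nor the linked wiki's) written as a dry-run generator plus a check, so it runs offline: it prints the dnsmasq line and the ipset/iptables commands, and counts members in `ipset list` output. Set name, domains, LAN interface name, timeout and the sample `ipset list` text are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the linked wiki: the dnsmasq-populated
# ipset approach as a dry-run generator plus a check. Set name, domains, interface
# and the sample "ipset list" text are assumptions; pipe the printed commands to
# sh on the router to apply them.

# dnsmasq syntax: ipset=/domain1/domain2/setname. Each listed domain also covers
# its subdomains, which is what "*.whatsapp.com" in the question asks for.
dnsmasq_ipset_line() {
    set_name="$1"; shift
    line="ipset="
    for d in "$@"; do
        line="$line/$d"
    done
    echo "$line/$set_name"
}

# Commands to prepare the set and the firewall. The points a practitioner wants:
#  - the set must exist before dnsmasq starts, or its adds fail (dnsmasq only logs it);
#  - dnsmasq never removes entries, so give the set a default timeout (seconds) so
#    that addresses a provider stops using age out instead of staying allowed;
#  - clients that bypass the router's dnsmasq (hard-coded 8.8.8.8, DNS over HTTPS)
#    never populate the set, so plain DNS from the LAN is redirected to the router.
setup_commands() {
    set_name="$1"; lan_if="${2:-br-lan}"; ttl="${3:-3600}"
    echo "ipset create $set_name hash:ip family inet timeout $ttl -exist"
    echo "iptables -t nat -I PREROUTING -i $lan_if -p udp --dport 53 -j REDIRECT --to-ports 53"
    echo "iptables -t nat -I PREROUTING -i $lan_if -p tcp --dport 53 -j REDIRECT --to-ports 53"
    echo "iptables -I FORWARD -i $lan_if -m set --match-set $set_name dst -j ACCEPT"
}

# Count the members in "ipset list SET" output read from stdin. 0 after a client
# has visited the site means dnsmasq is not feeding the set (wrong set name,
# set created after dnsmasq started, dnsmasq built without ipset support, or
# the client is not resolving through the router).
count_members() {
    awk 'found && NF > 0 { n++ } $1 == "Members:" { found = 1 } END { print n + 0 }'
}

# Constructed sample of what "ipset list whatsapp" prints once two addresses
# have been learned; documentation addresses, not real WhatsApp servers.
SAMPLE_IPSET_LIST='Name: whatsapp
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 296
References: 1
Number of entries: 2
Members:
192.0.2.10 timeout 3542
192.0.2.11 timeout 3590
'

# Dry run: the line for dnsmasq.conf, the commands to apply, and the member count.
echo "# add to dnsmasq.conf:"
dnsmasq_ipset_line whatsapp whatsapp.com whatsapp.net
echo "# run as root:"
setup_commands whatsapp br-lan 3600
echo "# members in sample ipset list output:"
printf '%s' "$SAMPLE_IPSET_LIST" | count_members
```

Two caveats before trying this on an OpenWrt box: the default `dnsmasq` package is built without ipset support and has to be replaced by `dnsmasq-full` for the `ipset=` line to do anything, and the rules above are plain iptables, so on OpenWrt they belong in `/etc/config/firewall` (or a firewall include script) rather than typed in, otherwise the next firewall reload drops them. Answers dnsmasq had already cached before the `ipset=` line was added do not populate the set until they expire, which is the usual reason the first test "does nothing".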