DNS filtering issue

Ok, so all I am trying to do is a "black/white" domain filtering so that, for example, I can block ALL traffic from devices behind the router but only allow, for example, yahoo.com. I know I can accomplish this by using the dnsmasq.conf file and adding these two lines:

no-resolv
server=/yahoo.com/127.0.0.1

and then all devices behind the router will no longer be able to browse anywhere EXCEPT yahoo.com.

But is there a GUI way of doing this? It seems I may be able to use the DNS and DHCP page to do this, but I searched on YouTube and Google and I cannot find detailed instructions or documentation on how to use this GUI page. I did however find this page:

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration

[image]

but it didn't do anything after trying the "whitelist" instructions by doing this in the command prompt (simply on a router with default settings):

uci add_list dhcp.@dnsmasq[0].server="/yahoo.com/#"
uci add_list dhcp.@dnsmasq[0].server="/#/"
uci commit dhcp
service dnsmasq restart

I was still able to ping google.com, yahoo.com, blah blah.

So what am I doing wrong? The reason is that I need to do this via the GUI so it is customer/user friendly.

And no, I don't want to install adblock or any other package, unless there is a small package that I can use.

Thank you!

The server config corresponds to the “DNS Forwards” option in the DHCP GUI, but you can also use the “Addresses” section to block everything.

Hello Dave,

So like this, right? I tried many ways; it's almost like this page does not do anything. I put my computer behind this router and I was still able to ping yahoo.com.

I've also tried what's in my message above, where I thought that would block ALL except yahoo.com, but everything was still able to resolve when I ping yahoo.com or google.com, no matter what I do on this page.

Ok, so that was such a waste of time; I guess I was just impatient? It seems after I enter these values, it takes a few minutes before it takes effect?? Is that true? I even manually restarted the dnsmasq service and it STILL DID NOT WORK UNTIL a few minutes later (like 3 to 5 minutes). Why?

But then again, why doesn't the wildcard work? /#/

This time I waited like 10 minutes and also rebooted the router. Any idea?

[image]

Client-side cache?

Wildcards seem to use address=/#/0.0.0.0.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

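To see why `server=/yahoo.com/#` keeps resolving while `server=/#/` (or `address=/#/0.0.0.0`) catches everything else, it helps to model dnsmasq's matching rule: the entry whose domain is the longest suffix of the query name wins, and `#` is the least specific match of all. The following is an added example written for this thread, not code from the thread, OpenWrt or dnsmasq; it parses dnsmasq.conf-style `server=`/`address=`/`local=`/`no-resolv` lines and reports what dnsmasq would do for a name under those rules. The function names (`parse_dnsmasq`, `resolve`, `lookup`), the upstream address 192.0.2.53 and the two sample configs are constructed; the tie-break between an `address=` and a `server=` entry naming exactly the same domain is an assumption. It models the config semantics only: a client-side cache or a client whose resolver bypasses the router (the leak question raised in this thread) is outside what it can show.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules modelled, as documented in the dnsmasq man page:
#   * the entry whose domain is the longest suffix of the query name wins;
#   * the special domain "#" matches every name and is the least specific;
#   * server=/dom/ with nothing after the last slash (same as local=/dom/)
#     answers NXDOMAIN locally instead of forwarding;
#   * server=/dom/# sends that domain to the normal upstream servers;
#   * address=/dom/IP answers with IP and never forwards.
# Assumption (not verified against the dnsmasq source): when an address= and
# a server= entry name exactly the same domain, the address= entry is used.


@dataclass(frozen=True)
class Rule:
    kind: str    # "server" or "address"
    domain: str  # "" = plain upstream (server=IP), "#" = wildcard
    target: str  # "" = answer locally, "#" = default upstream, else an IP


def parse_dnsmasq(text: str) -> Tuple[List[Rule], bool]:
    """Parse dnsmasq.conf-style lines into rules and report no-resolv."""
    rules: List[Rule] = []
    no_resolv = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "no-resolv":
            no_resolv = True
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in ("server", "address", "local"):
            continue  # other dnsmasq options are not modelled here
        kind = "address" if key == "address" else "server"
        if not value.startswith("/"):
            rules.append(Rule("server", "", value))  # e.g. server=192.0.2.53
            continue
        parts = value.split("/")  # "/yahoo.com/#" -> ["", "yahoo.com", "#"]
        for dom in parts[1:-1]:   # server=/a/b/IP names several domains
            rules.append(Rule(kind, dom, parts[-1]))
    return rules, no_resolv


def _suffix_len(domain: str, qname: str) -> Optional[int]:
    """Specificity of the match if `domain` covers `qname`, else None."""
    if domain == "#":
        return 0  # wildcard: matches everything, but is the least specific
    q, d = qname.lower().rstrip("."), domain.lower().strip(".")
    # Label-aware suffix match: "notyahoo.com" must not match "yahoo.com".
    return len(d) if q == d or q.endswith("." + d) else None


def resolve(rules: List[Rule], qname: str, no_resolv: bool = True,
            resolv_conf: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Return ("forward", upstream), ("nxdomain", ""), ("answer", ip)
    or ("no-upstream", "") for one query name."""
    defaults = [r.target for r in rules if r.kind == "server" and r.domain == ""]
    if not no_resolv:  # without no-resolv, resolv.conf servers are used too
        defaults += list(resolv_conf)
    best: Optional[Rule] = None
    best_key = (-1, 0)
    for r in rules:
        if r.domain == "":
            continue
        n = _suffix_len(r.domain, qname)
        if n is None:
            continue
        key = (n, 1 if r.kind == "address" else 0)  # address= wins exact ties
        if key > best_key:
            best, best_key = r, key
    if best is None or (best.kind == "server" and best.target == "#"):
        return ("forward", defaults[0]) if defaults else ("no-upstream", "")
    if best.kind == "address":
        return ("answer", best.target)
    return ("nxdomain", "") if best.target == "" else ("forward", best.target)


# Constructed sample: the wiki-style allowlist applied with uci earlier in the
# thread, as the dnsmasq lines it produces, plus one constructed upstream.
ALLOWLIST_CONF = """
no-resolv
server=192.0.2.53
server=/yahoo.com/#
server=/#/
"""

# Constructed sample: the address=/#/0.0.0.0 sinkhole variant from the reply.
SINKHOLE_CONF = """
no-resolv
server=192.0.2.53
server=/yahoo.com/#
address=/#/0.0.0.0
"""


def lookup(conf: str, qname: str) -> Tuple[str, str]:
    rules, no_resolv = parse_dnsmasq(conf)
    return resolve(rules, qname, no_resolv)


if __name__ == "__main__":
    for label, conf in (("allowlist", ALLOWLIST_CONF), ("sinkhole", SINKHOLE_CONF)):
        for name in ("yahoo.com", "www.yahoo.com", "google.com", "notyahoo.com"):
            print(f"{label:9} {name:14} -> {lookup(conf, name)}")
```

Running it shows the intended split: under both configs yahoo.com and www.yahoo.com are forwarded to the upstream because the 9-character `yahoo.com` match beats the wildcard, google.com gets NXDOMAIN from `server=/#/` or 0.0.0.0 from `address=/#/0.0.0.0`, and notyahoo.com is blocked too because the suffix match is per label. Dropping the plain `server=IP` line under `no-resolv` leaves allowed names with no upstream at all, which is a quick way to check that a whitelist config is complete before pushing it to a router.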

Hello frollic,

Thank you for the link. I've read that link before too; I know about forwarding all DNS requests to port 53, but my issue right now is why /#/0.0.0.0 is not blocking all DNS requests? I've tried

/#/
/#/0.0.0.0

The only time I successfully did a whitelist was by directly manipulating the dnsmasq.conf file to add no-resolv to block all DNS requests.

Also, frollic, do you know how to use the "fs" command in the LuCI JavaScript API (if that is what it is called)? I am trying to change/add features to the LuCI web GUI by modifying the .js files under the "view" folder of each application folder.

The reason is this very problem I am facing, because it seems I can only accomplish what I want to do by modifying dnsmasq.conf directly. Thus I added a "tab" in the "Firewall" section and want to be able to manipulate the dnsmasq.conf file. I was able to do everything successfully (e.g. create a new uci configuration and add my own text box and checkbox); the only thing is, how can I access an external file from this .js file? It seems it can only be done via Lua, but I have no idea how to do so. Thus the only way I see is to use the "fs" API call.

So on the "save and apply" button I would want to execute a bash script which would read the uci configuration file and then manipulate the dnsmasq.conf file. Wouldn't fs.exec("test.sh") work? And obviously, how can I "override" the default "save apply" action?

I know you can do

handleSaveApply: null,

in the .js file to override the existing save/apply event, but then how can I add my own logic to :slight_smile:

  1. save the current config
  2. execute external bash?

Thank you for any input.

@frank2023, are you determined to only have a DNS-based approach for this, or are you simply looking for a way to have whitelist-only type access for a router?

If the latter, then there is a ready-made solution with the BanIP package.
https://github.com/openwrt/packages/blob/master/net/banip/files/README.md

One of the listed features is:
" * Supports an 'allowlist only' mode, this option restricts internet access from/to a given number of secure websites/IPs"

Are you sure your clients really use your DNS?

See if you have a DNS leak.

Hello frollic,

Are you saying that the device behind the router is using the router as DNS? If that is your question, then yes. I am testing DNS with pings (e.g. ping yahoo.com, google.com, blah blah) using my computer, which is Windows 11, and the DNS in its network configuration is pointed to this router.

As stated before, it seems using /yahoo.com/0.0.0.0 works. I was not able to ping yahoo.com once the rule took effect. But when I add /#/0.0.0.0 I was expecting not to be able to ping anywhere, but I was able to ping everywhere (other than yahoo.com).

I cannot speak for @frollic but I'm wondering if something in front of your router is allowing your DNS lookup to leak.

No matter, the answer is just a trip to the link I provided.

Hello JustAnotherEndUser,

Thank you for the suggestion. I just installed banIP (didn't think it would do DNS too, given the name "banIP" haha). But it does "blacklist" just fine. How do you do a whitelist? Meaning to block all except certain domains? And interestingly, typically this kind of system would need you to choose whether you want to do a black or white list first and then decide what entries. Meaning, what happens if I put yahoo.com in both the black and white list? (I actually did that and it allowed me to ping it.) Anyway, this should work, but again, how can I block EVERYTHING except a certain domain?

Hello LilRedDog,

Thank you for your input. I don't see how I can have another "leak", as on my computer the ONLY interface that has internet is the test router (which has OpenWrt) in front of it. And my network interface is configured as below, where 10.10.4.200 is the OpenWrt router.

[image]

I cannot reply to that civilly other than to say you did not look, you presumed.

Do you have any idea how hard it is to help people that resist a click to check/eliminate a possible issue?

What application are you using? Web browser? Those have DoH enabled by default.

@frank2023 - from the GUI, you would go under the "Feed Selection" tab of BanIP, and simply check the option 'Allowlist only'

Alternatively, you could also edit the BanIP config file and change this from 0 to 1.

option ban_allowlistonly '1'

Then you would populate your list with the URLs / IPs you want to grant access.

Hello JustAnotherEndUser,

Thank you, my bad, I didn't read your bottom sentence. Yes, I tried this and it works. Google.com worked fine, but when I try yahoo.com, I wasn't able to get to yahoo.com. I can ping yahoo.com, but not browse yahoo.com; but then I think maybe the Yahoo website uses other subdomains or URLs, which I would need to allow with more entries in banIP? Anyway, this seems like it may be a good solution. I will play more.

Earlier you indicated you had put Yahoo in the blocklist. If it is still there, that is likely your issue.

Well, for testing if DNS resolves, I simply use the command prompt (DOS prompt in Windows) to ping "yahoo.com" or "google.com" etc. I didn't even go with the browser yet. So when I do "/#/0.0.0.0" I was expecting NOT to be ABLE to PING ANY blahblah.com (e.g. google.com, yahoo.com).