DNS filtering issue

Hello JustAnotherEndUser,

This banIP works well; the only thing I can see customers complaining about is that they would ask why, when they put yahoo.com in the whitelist, they are not able to browse the site... if only there were a simpler solution.... damn...

I believe you may need to revert the numerous changes you've made with dnsmasq (previous entries you made for Yahoo) and focus on configuring BanIP. The remnants of your previous config may be your issue.

Also, not clear on the full scope of what you are trying to achieve for your client. If it is truly a "whitelist only" solution that is needed, then you are on the right track. If however your client is trying to do some type of content filtering (family safe, etc.) then there are multiple other options / solutions out there, including using external DNS filtering.

Hello JustAnotherEndUser,

First of all, thank you for all the information. I've defaulted the router already; my dnsmasq.conf is at its default. Currently this is a project for my company and not for a "particular" client. Our routers are all cellular based, meaning we have a SIM card in there that uses AT&T or Verizon or what have you. So the usage will be as general as possible. We are trying to develop an OpenWRT firmware for our own router. (Currently the router is using Advanced Tomato.) Most of our customers use our router as a "backup" unit to their ISP, so that when their ISP goes down, it will be using the cellular network. And thus when that happens, most likely they want to "lock down" access to only certain web sites or URLs so as to prevent high data usage (which could cost a lot). I wouldn't think they care for "content" filtering (such as you say, family safe or parental control) because these are mostly business locations. So no content filtering needed. We just need something simple and user friendly where users can enter just the web sites they would like to either "block" or "whitelist". Meaning they can set our router into either

  1. Blacklist mode, where it will be wide open and they can enter the web sites they'd like to block, such as youtube.com or netflix.com

  2. Whitelist mode, where initially EVERYTHING WILL BE BLOCKED and then the domains (web sites) in the whitelist will be able to get out.

I've looked at other packages such as adblock or squid, but those are just too fancy (and big, memory wise) for my need. Your banIP, which I've looked at before, just didn't look too "hard" as I didn't think it would do DNS blocking (per the name banIP, not banDNS haha). But it seems this package is small. Although originally, I was wanting to just build my own LuCI page and manipulate the dnsmasq.conf file. But then I ran into a wall as to how to write code to have the LuCI JavaScript API (using the "fs" library) call an external bash file to manipulate the dnsmasq.conf file.... sadly... but either way I will most likely need to figure out how to be able to call bash scripts in the future for other uses.
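As an added illustration of the two modes described above (not code from any poster here, nor from banIP or dnsmasq themselves): a small Python helper that emits the dnsmasq lines for each mode and emulates dnsmasq's most-specific-match rule so you can predict what a client lookup gets before touching the router. The upstream 9.9.9.9 and the host cdn.example.net are assumed / constructed values.

```python
# Added example (not from any post here, nor banIP's or dnsmasq's own code):
# build the dnsmasq lines for the two modes above and emulate dnsmasq's
# "most specific matching domain wins" rule to predict what a lookup gets.
UPSTREAM = "9.9.9.9"  # assumed upstream for whitelisted domains; substitute yours

def build_dnsmasq_config(mode, domains, upstream=UPSTREAM):
    """Return dnsmasq.conf lines for 'whitelist' or 'blacklist' mode."""
    if mode == "whitelist":
        # Catch-all answers every A lookup with 0.0.0.0 (the /#/0.0.0.0 form
        # from the docs); each whitelisted domain is forwarded upstream instead.
        return ["address=/#/0.0.0.0"] + [f"server=/{d}/{upstream}" for d in domains]
    if mode == "blacklist":
        # Everything else keeps dnsmasq's default upstream; listed domains
        # are answered locally with 0.0.0.0.
        return [f"address=/{d}/0.0.0.0" for d in domains]
    raise ValueError(f"unknown mode {mode!r}")

def _matches(rule_domain, qname):
    """dnsmasq suffix match: '#' matches anything, 'a.b' matches a.b and *.a.b."""
    return rule_domain == "#" or qname == rule_domain or qname.endswith("." + rule_domain)

def predict(config_lines, qname):
    """Emulate dnsmasq for one query name: 'block' if the winning rule is an
    address= line (answered locally with 0.0.0.0), 'forward' if it is a
    server= line or nothing matches. Longest matching domain wins; '#' loses
    to any named domain."""
    qname = qname.lower().rstrip(".")
    best = None  # (specificity, verdict) of the best rule seen so far
    for line in config_lines:
        kind, _, rest = line.partition("=")  # 'address' or 'server'
        rule_domain = rest.split("/")[1]     # '/dom/ip' -> 'dom'
        if not _matches(rule_domain, qname):
            continue
        specificity = -1 if rule_domain == "#" else len(rule_domain)
        verdict = "block" if kind == "address" else "forward"
        if best is None or specificity > best[0]:
            best = (specificity, verdict)
    return best[1] if best else "forward"

def explain_yahoo_symptom():
    """Whitelist only yahoo.com: the site's own name forwards, but a constructed
    CDN host (cdn.example.net) that the page pulls assets from still hits the
    catch-all, which is why the site will not render fully."""
    cfg = build_dnsmasq_config("whitelist", ["yahoo.com"])
    return {name: predict(cfg, name) for name in ("www.yahoo.com", "cdn.example.net")}
```

Run `explain_yahoo_symptom()` to see the whitelist-only-yahoo.com case: any third-party host the page needs still gets the catch-all answer, so each such domain has to be whitelisted too.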

Maybe another approach would be to try throttling the network using SQM. The idea being that if the user-experience of accessing sites / content that were bandwidth intensive was not favorable (degraded), the users would simply give up trying to access such sites from that network and stick to basic web browsing.
Here is another post that touches on the subject.
https://forum.openwrt.org/t/secondary-wi-fi-access-point-network-throttling/99752

OK, thank you, I will keep that in mind. I think I will play around with banIP for a bit. Although it's just really weird that the documentation said that /#/0.0.0.0 would work to block all DNS lookups but yet it is not doing it ....

This is most likely because it is a wireless ISP and they are hijacking your DNS lookups.

Which you would see if you would just click.

Manipulation by ISPs

A number of consumer ISPs such as AT&T,[4] Cablevision's Optimum Online,[5] CenturyLink,[6] Cox Communications, RCN,[7] Rogers,[8] Charter Communications (Spectrum), Plusnet,[9] Verizon,[10] Sprint,[11] T-Mobile US,[12] Virgin Media,[13][14] Frontier Communications, Bell Sympatico,[15] Deutsche Telekom AG,[16] Optus,[17] Mediacom,[18] ONO,[19] TalkTalk,[20] Bigpond (Telstra),[21][22][23][24] TTNET, Türksat, and all Indonesian customer ISPs use or used DNS hijacking for their own purposes, such as displaying advertisements[25] or collecting statistics.

Hello LilRedDog,

thank you for the information. But I did try to click on the link and this is what came back

So first of all, is this the correct setting in order to block ALL DNS LOOKUPS on OpenWrt?

According to their documentation, if I were to do "/#/" or "/#/0.0.0.0" it SHOULD block all DNS lookups, but it seems it does not.

If this is the result of a DNS leak or hijack, then how come IPBan was able to block?

Thus, it looks to me like either I still have some configuration issue with the DNS & DHCP section, or simply using the built-in DHCP and DNS section cannot block all DNS lookups like IPBan does?

Wireless is insidious in the US.

The only way I know of to keep their creepy paws out of your internet is VPN.

Null inputs like #0.0.0.0 are just ignored by wireless. I do not know the mechanism they use but Wikipedia goes into detail about it once you get down to the ISP DNS hijacking.

Or, you could try to flat out blacklist those ip addresses.
I have no idea if this will work; just spitballing.

Perhaps consider using https-dns-proxy to force DNS locally. You can then use a DoH provider of your choice to circumvent ISP DNS. Or you could make your own local resolve file if you really wish to manipulate with manual entries.
https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

You could then use that in conjunction with BanIP to also block any other DoH providers you wish not to be used from your network. (Whitelist the ones you want.) This will help mitigate users bypassing your DNS preferences if that is part of your intentions.

Also, I would recommend reverting the changes to dnsmasq you detailed above.

What about forcing a thin-client type of network where the router connects a company server and is restricted to rules set at the server?

I think they are trying to restrict bandwidth and keep them within allotted limits.

So they should consider ad blocking too.

That is certainly a possibility. I was taking into consideration @frank2023's earlier statement about this router only being used in a backup situation when the primary internet connection was down, and they were temporarily using cellular as a backup. He had made an indication that the (temporary) restrictive configuration was intended to limit users' use of bandwidth. That's why I suggested using SQM to throttle (the idea being making high bandwidth sites / content undesirable from the user perspective). Somehow the focus seems to have shifted back to DNS, and ISP DNS-jacking, which is another matter entirely.

We know why this thread has been boxed into a certain train of thought. :expressionless: