Help blocking IPs with DNSMasq

Hi Lede,

I have just installed LEDE (LEDE Reboot 17.01.4).

I came from using OpenWrt. I am trying to block two specific external IP addresses.

On OpenWRT I used to do this:

uci add_list dhcp.@dnsmasq[0].address='/IP1/127.0.0.1'
uci add_list dhcp.@dnsmasq[0].address='/IP2/127.0.0.1'
uci commit dhcp
/etc/init.d/dnsmasq restart

When I did that on LEDE this happened:

root@LEDE:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.25.1
udhcpc: sending discover
udhcpc: no lease, failing

It didn't work. These IPs are still pingable. What am I doing wrong?

Please, let me know. This is the only thing left to configure.

I can't really imagine that this would have worked under OpenWrt either.

dnsmasq is a caching DNS resolver (and DHCPd), which means it is queried for domain- and hostnames, but never if you already know the IP address and try to access it directly (e.g. ping 203.0.113.47). Redirecting a hostname to 127.0.0.1 (local loopback) would furthermore not disallow pinging, at least not router-side; whether you get a ping response depends only on your local client's firewall settings (and that should allow ping on 127.0.0.0/8).

If you'd be fine to redirect the DNS lookup to another IP (which might very well be 127.0.0.1, if you don't expect it to time out for ICMP ping responses), you could either add a redirect via luci (network/hostnames) or use luci-app-adblock for larger blocklists (of course you can also configure dnsmasq directly).

In case you really need to block access to IP addresses, you'll have to configure your (the router's) firewall instead of dnsmasq.

Hi,
Are you sure this worked before?
Why don't you use iptables to block/drop connections to certain IP addresses?
For larger lists you can also use ipset.

//edit
too slow

Thanks, shm0 and slh, for replying.

Yes, I am sure it was working.

I forgot to mention that I was using OpenWrt 12.09 (Attitude Adjustment) prior to LEDE.

I have been using this rule to prevent my firetv boxes from being updated for instance.

I was using dnsmasq because AFAIK on the OpenWrt 12.09 there wasn't any content filtering.

It would also be ideal if, instead of blocking this address for all devices on this router, I were able to block only some specific IPs inside my LAN from accessing it.

You can accomplish this easily with the help of the luci gui.
Go To Network -> Firewall -> Traffic Rules -> New forward rule

There are many ways to do it.
You can either block by destination address or by source address.
You can even specify ports to block certain services like http/https.

But the key is that you set "Action" to either Drop or Reject.
The difference between the two is that drop will discard packets silently,
while reject will notify the client that the packets got discarded.
Drop may create some lag on devices when packets are dropped silently (waiting for timeouts).

I use this rule (/etc/config/firewall) to prevent my LG Smart TV from going online:

config rule
	option name 'Deny-LG-TV-WAN'
	option target 'REJECT'      # REJECT answers the client at once; DROP would stay silent
	option src 'lan'            # traffic entering from the LAN zone ...
	option dest 'wan'           # ... and being forwarded towards the WAN zone
	option family 'ipv4'
	option src_ip '192.168.x.x' # the TV's LAN address

If you want to block access with dnsmasq you have to remap a domain.
So you have to know which domain the firetvs are using for updating. (something like update.fire.tv)
Adblock has a custom blacklist feature. Configurable through luci.
Maybe you want to check this out also.
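Building on the per-source firewall rule above and the question of blocking only some LAN hosts from one external IP: an added example, not code from the thread, that validates both addresses and emits a matching `config rule` stanza for /etc/config/firewall. It assumes the fw3 `dest_ip` and `proto` options of LEDE 17.01 and uses constructed sample addresses (RFC 1918 / TEST-NET-3) that you replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): generate a LEDE/OpenWrt firewall rule
# that stops ONE LAN host from reaching ONE external IPv4 address.
# Assumptions: fw3 accepts 'dest_ip' and 'proto' in a 'config rule' section;
# all sample addresses below are constructed placeholders.

# Validate a dotted-quad IPv4 address: exactly four octets, each 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dots
    esac
    oldifs=$IFS; IFS=.
    set -- $ip                              # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the stanza. Args: rule name, LAN host, external IP, DROP|REJECT (default REJECT).
# REJECT answers the client immediately; DROP is silent and makes clients wait for timeouts.
block_rule() {
    name=$1; src=$2; dst=$3; target=${4:-REJECT}
    valid_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    valid_ipv4 "$dst" || { echo "bad destination IP: $dst" >&2; return 1; }
    case "$target" in
        DROP|REJECT) ;;
        *) echo "target must be DROP or REJECT, got: $target" >&2; return 1 ;;
    esac
    printf "config rule\n"
    printf "\toption name '%s'\n" "$name"
    printf "\toption target '%s'\n" "$target"
    printf "\toption src 'lan'\n\toption dest 'wan'\n\toption family 'ipv4'\n"
    # Without 'proto' fw3 matches only TCP/UDP, so a ping test would still succeed.
    printf "\toption proto 'all'\n"
    printf "\toption src_ip '%s'\n\toption dest_ip '%s'\n" "$src" "$dst"
}

# Typical use on the router (constructed addresses):
#   block_rule Deny-FireTV-Update 192.168.1.50 203.0.113.47 >> /etc/config/firewall
#   /etc/init.d/firewall reload
```

Running it with an invalid octet (e.g. 192.168.1.300) prints an error and returns non-zero, so nothing malformed reaches the config file.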