HELP: Combining Adblock+DNS-over-HTTPS with DNS Based Firewall

Hi everybody,

Here is the scenario: my OpenWrt has already been running for a few months with Adblock and DNS-over-HTTPS and I'm super happy with it.

But I need to add DNS and IP blocking for parental control to certain devices, and I was thinking of using the DNS-based firewall and IP sets.

I've tried the steps, but my network stops working every time I try them.

Is what I'm trying to achieve even possible?
Can somebody point me in the right direction?

By the way, I'm using the latest 19.07.5 release build.

Thanks in advance!

Hmmmm.. seems nobody can point me in the right direction..

But is this really possible or not??

Yep, those 3 features should be compatible.
It works on my testing VM on OpenWrt 19.07.5.

uci show network; uci show firewall; uci show dhcp

Hmmm.. when I try the DNS-based firewall, my internet stops working across all devices.. I might be doing something wrong, but I've followed the docs to the letter.

I'll retry to configure later once network usage is low (or everybody's asleep ahahaha)

I'll send a before and after.

I've followed the instructions here and I haven't done the extras (Preresolve domains, etc.), but after a few tests, dnsmasq looped on looking up example.com; this still happens even after a full restart.

Tue Jan 19 05:52:43 2021 daemon.info dnsmasq[8268]: 689 ::1/42297 query[AAAA] example.com from ::1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 689 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 689 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 690 127.0.0.1/45510 query[A] example.com from 127.0.0.1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 690 127.0.0.1/45510 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 690 127.0.0.1/45510 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:45 2021 daemon.info dnsmasq[8268]: 691 127.0.0.1/60099 query[A] example.com from 127.0.0.1
Tue Jan 19 05:52:45 2021 daemon.info dnsmasq[8268]: 691 127.0.0.1/60099 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:45 2021 daemon.info dnsmasq[8268]: 691 127.0.0.1/60099 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 692 127.0.0.1/50883 query[AAAA] example.com from 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 692 127.0.0.1/50883 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 692 127.0.0.1/50883 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 693 ::1/42297 query[A] example.com from ::1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 693 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 693 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 694 ::1/42297 query[AAAA] example.com from ::1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 694 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 694 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:47 2021 daemon.info dnsmasq[8268]: 695 127.0.0.1/50213 query[AAAA] example.com from 127.0.0.1
Tue Jan 19 05:52:47 2021 daemon.info dnsmasq[8268]: 695 127.0.0.1/50213 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:47 2021 daemon.info dnsmasq[8268]: 695 127.0.0.1/50213 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:48 2021 daemon.info dnsmasq[8268]: 696 127.0.0.1/41578 query[AAAA] example.com from 127.0.0.1
Tue Jan 19 05:52:48 2021 daemon.info dnsmasq[8268]: 696 127.0.0.1/41578 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:48 2021 daemon.info dnsmasq[8268]: 696 127.0.0.1/41578 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:49 2021 daemon.info dnsmasq[8268]: 697 127.0.0.1/54473 query[AAAA] example.com from 127.0.0.1
Tue Jan 19 05:52:49 2021 daemon.info dnsmasq[8268]: 697 127.0.0.1/54473 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:49 2021 daemon.info dnsmasq[8268]: 697 127.0.0.1/54473 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:49 2021 daemon.info dnsmasq[8268]: 698 127.0.0.1/34122 query[A] example.com from 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 698 127.0.0.1/34122 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 698 127.0.0.1/34122 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 699 127.0.0.1/34122 query[AAAA] example.com from 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 699 127.0.0.1/34122 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 699 127.0.0.1/34122 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 700 127.0.0.1/46240 query[AAAA] example.com from 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 700 127.0.0.1/46240 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:50 2021 daemon.info dnsmasq[8268]: 700 127.0.0.1/46240 forwarded example.com to 127.0.0.1

NOTE: I've enabled log queries in dnsmasq to look for potential errors during configuration.
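The pattern in the log above, checked mechanically: an added example (not code from this thread, from OpenWrt or from dnsmasq) that parses dnsmasq log-queries lines and reports names that dnsmasq sent to a loopback upstream and then received back from a loopback address, sent to loopback again, and never logged an answer for. The sample lines are constructed from the two logs in this thread (the looping router and, further down, vgaetera's working VM); the loop criterion and the function names are my own.

```python
import ipaddress
import re

# Constructed sample, modelled on the dnsmasq log-queries lines posted in this thread:
# the first block is the looping router (pid 8268), the second the working VM (pid 8191).
SAMPLE_LOG = """\
Tue Jan 19 05:52:43 2021 daemon.info dnsmasq[8268]: 689 ::1/42297 query[AAAA] example.com from ::1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 689 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 689 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 690 127.0.0.1/45510 query[A] example.com from 127.0.0.1
Tue Jan 19 05:52:44 2021 daemon.info dnsmasq[8268]: 690 127.0.0.1/45510 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:45 2021 daemon.info dnsmasq[8268]: 691 127.0.0.1/60099 query[A] example.com from 127.0.0.1
Tue Jan 19 05:52:45 2021 daemon.info dnsmasq[8268]: 691 127.0.0.1/60099 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 692 127.0.0.1/50883 query[AAAA] example.com from 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 692 127.0.0.1/50883 forwarded example.com to 127.0.0.1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 693 ::1/42297 query[A] example.com from ::1
Tue Jan 19 05:52:46 2021 daemon.info dnsmasq[8268]: 693 ::1/42297 forwarded example.com to 127.0.0.1
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 5 192.168.13.2/41156 query[AAAA] example.org from 192.168.13.2
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 5 192.168.13.2/41156 forwarded example.org to 127.0.0.1
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 5 192.168.13.2/41156 reply example.org is 2606:2800:220:1:248:1893:25c8:1946
"""

# One dnsmasq log-queries line: "<pid>: <query id> <client>/<port> <event> <name> <rest>"
LINE_RE = re.compile(
    r"dnsmasq\[(?P<pid>\d+)\]: (?P<qid>\d+) (?P<src>[^/\s]+)/\d+ "
    r"(?P<event>query\[[^\]]+\]|forwarded|reply|cached|config) (?P<name>\S+)"
    r"(?: (?P<rest>.*))?$"
)


def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; dnsmasq appends '#port' for non-standard upstream ports."""
    try:
        return ipaddress.ip_address(addr.split("#", 1)[0]).is_loopback
    except ValueError:
        return False


def parse_queries(log_text):
    """Group log lines by (dnsmasq pid, query id), keeping the client address, the upstream
    targets and whether any answer (reply/cached/config) was ever logged for that query."""
    queries = {}  # dict keeps insertion order, i.e. first appearance of each query id
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (int(m["pid"]), int(m["qid"]))
        q = queries.setdefault(key, {"name": m["name"], "src": m["src"],
                                     "targets": set(), "answered": False})
        if m["event"] == "forwarded":  # "... forwarded example.com to 127.0.0.1"
            parts = (m["rest"] or "").split()
            if parts:
                q["targets"].add(parts[-1])
        elif m["event"] in ("reply", "cached", "config"):
            q["answered"] = True
    return queries


def find_forward_loops(log_text):
    """Return {name: [query ids]} for the tell-tale pattern in this thread: dnsmasq has
    already sent NAME to a loopback upstream, then receives NAME again *from* a loopback
    address, sends it to loopback once more and never logs an answer for it."""
    loops = {}
    sent_to_loopback = set()
    for (_pid, qid), q in parse_queries(log_text).items():
        to_loopback = any(_is_loopback(t) for t in q["targets"])
        bounced = (q["name"] in sent_to_loopback and to_loopback
                   and _is_loopback(q["src"]) and not q["answered"])
        if bounced:
            loops.setdefault(q["name"], []).append(qid)
        if to_loopback:
            sent_to_loopback.add(q["name"])
    return loops


if __name__ == "__main__":
    for name, ids in find_forward_loops(SAMPLE_LOG).items():
        print(f"possible forwarding loop for {name}: queries {ids} came back from loopback with no answer")
```

Forwarding to 127.0.0.1 on its own is not the signal, since a healthy DoH setup also forwards every query to the loopback proxy; the signal is the same name re-entering dnsmasq from a loopback address with no answer ever logged, which the router log above shows and the VM log does not.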

Hi @vgaetera
Could you do another test, but with log queries enabled in dnsmasq, and see if the same thing is happening to you? It would be a great help in tracing the issue in my setup.

Thanks in advance!

Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 5 192.168.13.2/41156 query[AAAA] example.org from 192.168.13.2
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 5 192.168.13.2/41156 forwarded example.org to 127.0.0.1
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 5 192.168.13.2/41156 forwarded example.org to 127.0.0.1
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 6 192.168.13.2/13277 query[A] example.org from 192.168.13.2
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 6 192.168.13.2/13277 forwarded example.org to 127.0.0.1
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 6 192.168.13.2/13277 forwarded example.org to 127.0.0.1
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 5 192.168.13.2/41156 reply example.org is 2606:2800:220:1:248:1893:25c8:1946
Tue Jan 19 11:58:14 2021 daemon.info dnsmasq[8191]: 6 192.168.13.2/13277 reply example.org is 93.184.216.34

Super thanks @vgaetera

At least I know it wasn't just an issue on my setup. Does this mean there is a bug with ipset-dns?

I'm trying to set up a VM through VirtualBox but I'm getting this error when I try to start it. I used the documentation from here.

Failed to open a session for the virtual machine OpenWRT-Test.

The virtual machine 'OpenWRT-Test' has terminated unexpectedly during startup with exit code 1 (0x1).

Result Code: NS_ERROR_FAILURE (0x80004005)
Component: MachineWrap
Interface: IMachine {85632c68-b5bb-4316-a900-5eb28d3413df}

Anyway, thanks for the help.

It would be easier to identify and solve the problem if you post the configs as mentioned above, redacting the private parts.

OK.. I'll send it in a while.


Here's the breakdown, @vgaetera

NETWORK

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='XXXX:XXXX:XXXX::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.1'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='xx:xx:xx:xx:xx:xx'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.dns='127.0.0.1'
network.wan.peerdns='0'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='xx:xx:xx:xx:xx:xx'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.dns='0::1'
network.wan6.reqprefix='auto'
network.wan6.reqaddress='try'
network.wan6.peerdns='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'

FIREWALL

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].drop_invalid='1'
firewall.@defaults[0].forward='DROP'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='53'
firewall.@rule[9].src='guest'
firewall.@rule[9].name='Allow-DNS-Guest'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='67-68'
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Allow-DHCP-Guest'
firewall.@rule[10].target='ACCEPT'
firewall.adblock_dns_53=redirect
firewall.adblock_dns_53.name='Adblock DNS, port 53'
firewall.adblock_dns_53.src='lan'
firewall.adblock_dns_53.proto='tcp udp'
firewall.adblock_dns_53.target='DNAT'
firewall.adblock_dns_53.dest='lan'
firewall.adblock_dns_53.dest_port='53'
firewall.adblock_dns_53.src_dport='53'
firewall.adblock_dns_853=redirect
firewall.adblock_dns_853.name='Adblock DNS, port 853'
firewall.adblock_dns_853.src='lan'
firewall.adblock_dns_853.proto='tcp udp'
firewall.adblock_dns_853.src_dport='853'
firewall.adblock_dns_853.dest_port='853'
firewall.adblock_dns_853.target='DNAT'
firewall.adblock_dns_5353=redirect
firewall.adblock_dns_5353.name='Adblock DNS, port 5353'
firewall.adblock_dns_5353.src='lan'
firewall.adblock_dns_5353.proto='tcp udp'
firewall.adblock_dns_5353.src_dport='5353'
firewall.adblock_dns_5353.dest_port='5353'
firewall.adblock_dns_5353.target='DNAT'
firewall.filter=ipset
firewall.filter.name='filter'
firewall.filter.family='ipv4'
firewall.filter.storage='hash'
firewall.filter.match='ip'
firewall.filter6=ipset
firewall.filter6.name='filter6'
firewall.filter6.family='ipv6'
firewall.filter6.storage='hash'
firewall.filter6.match='ip'
firewall.filter_fwd=rule
firewall.filter_fwd.name='Filter-IPset-DNS-Forward'
firewall.filter_fwd.src='lan'
firewall.filter_fwd.dest='wan'
firewall.filter_fwd.ipset='filter dest'
firewall.filter_fwd.family='ipv4'
firewall.filter_fwd.target='REJECT'
firewall.filter_fwd.proto='all'
firewall.filter6_fwd=rule
firewall.filter6_fwd.name='Filter-IPset-DNS-Forward'
firewall.filter6_fwd.src='lan'
firewall.filter6_fwd.dest='wan'
firewall.filter6_fwd.ipset='filter6 dest'
firewall.filter6_fwd.family='ipv6'
firewall.filter6_fwd.target='REJECT'
firewall.filter6_fwd.proto='all'
firewall.ipsetdns=include
firewall.ipsetdns.path='/etc/firewall.ipsetdns'
firewall.ipsetdns.reload='1'

DHCP

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].cachesize='5000'
dhcp.@dnsmasq[0].dnsforwardmax='300'
dhcp.@dnsmasq[0].confdir='/tmp/adblock'
dhcp.@dnsmasq[0].rebind_protection='0'
dhcp.@dnsmasq[0].min_cache_ttl='600'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].doh_backup_server='127.0.0.1#5053'
dhcp.@dnsmasq[0].server='127.0.0.1#5053'
dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#53001"
dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#53001"
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.force='1'
dhcp.lan.ra_default='1'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

Try this way:

uci -q delete network.wan.dns
uci -q delete network.wan.peerdns
uci -q delete network.wan6.dns
uci -q delete network.wan6.peerdns
uci commit network
/etc/init.d/network restart

Got it, I'll try that.. but I have to wait until everybody's asleep hahaha

Actually I'm in an online meeting right now hehe

@vgaetera it looks like OpenWrt fixed the issue in the latest dnsmasq and dnsmasq-full with the newly added option settings:

dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'

They also have updated the documentation here.

I don't see the looping of lookups for the test domains example.com and example.net.

I didn't change the network settings anymore, as you mentioned here.


Thanks for all the assistance @vgaetera :smile:


I thought the above was my correct solution, but it only fixed a different issue, caused by dnsmasq and dnsmasq-full version 2.80-16.2 (this was fully discussed here).

Anyway, in my setup, I had to make sure that my wan and wan6 have specified DNS servers that are outside my local network. Somehow, my settings keep defaulting to 127.0.0.1.

Note: I used Cloudflare DNS for this as it is the fastest for my connection.

For WAN

For WAN6
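Checking the configuration rather than the logs: an added example, not code from this thread or from OpenWrt, that parses `uci show` output and flags the combination this thread ends up fixing, namely dnsmasq server entries that hand example.com/example.net to a helper resolver on 127.0.0.1#53001 while network.wan.dns and network.wan6.dns also point at loopback. It assumes that the helper uses the WAN resolver list as its own upstream, which is what both the suggested deletion of wan.dns/peerdns and the final fix of pointing wan and wan6 at external servers imply; that assumption is marked in the code. THREAD_CONFIG is trimmed from the dump posted above; FIXED_CONFIG is constructed, with RFC 5737/3849 documentation addresses standing in for whichever public resolver is chosen.

```python
import ipaddress
import re

# Trimmed from the `uci show` dump posted in this thread (only the DNS-relevant keys).
THREAD_CONFIG = """\
network.wan=interface
network.wan.proto='dhcp'
network.wan.dns='127.0.0.1'
network.wan.peerdns='0'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.dns='0::1'
network.wan6.peerdns='0'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053'
dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#53001"
dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#53001"
"""

# Constructed "after" state: WAN resolvers outside the router. 192.0.2.x and 2001:db8::
# are documentation placeholders, not a recommendation for any particular resolver.
FIXED_CONFIG = """\
network.wan=interface
network.wan.proto='dhcp'
network.wan.dns='192.0.2.53' '192.0.2.54'
network.wan.peerdns='0'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.dns='2001:db8::53'
network.wan6.peerdns='0'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053' '/example.com/127.0.0.1#53001' '/example.net/127.0.0.1#53001'
"""

# One quoted ('...' or "...") or bare value on the right-hand side of key=...
VALUE_RE = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")


def parse_uci_show(text):
    """Parse `uci show` output into {key: [values]}. uci prints list options as several
    quoted values on one line; some forum pastes repeat the key once per value instead.
    Both forms end up as a single list here."""
    config = {}
    for line in text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if not sep:
            continue
        config.setdefault(key, []).extend(a or b or c for a, b, c in VALUE_RE.findall(raw))
    return config


def _upstream_host(server):
    """dnsmasq server syntax is [/domain/.../]address[#port]; return just the address."""
    if server.startswith("/"):
        server = server.rsplit("/", 1)[1]
    return server.split("#", 1)[0]


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_dns_loop_risks(config):
    """Flag the combination seen in this thread: dnsmasq hands selected domains to a helper
    resolver on loopback (ipset-dns on #53001) while the WAN resolver list points back at
    loopback too. ASSUMPTION: the helper forwards to the WAN resolver list, so a loopback
    entry there sends the query straight back into dnsmasq."""
    findings = []
    helpers = [s for s in config.get("dhcp.@dnsmasq[0].server", [])
               if s.startswith("/") and _is_loopback(_upstream_host(s))]
    if not helpers:
        return findings  # no per-domain loopback helper, nothing to loop through
    for iface in ("wan", "wan6"):
        dns = config.get(f"network.{iface}.dns", [])
        peerdns = config.get(f"network.{iface}.peerdns", ["1"])[0]
        for addr in dns:
            if _is_loopback(addr):
                findings.append(f"network.{iface}.dns={addr}: WAN resolver is loopback while "
                                f"{len(helpers)} dnsmasq server entries use a loopback helper")
        if not dns and peerdns == "0":
            findings.append(f"network.{iface}: peerdns=0 with no dns list leaves the helper "
                            f"without any WAN upstream")
    return findings


if __name__ == "__main__":
    for label, text in (("thread config", THREAD_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(label, find_dns_loop_risks(parse_uci_show(text)) or "no loop risk found")
```

Run against a fresh `uci show network; uci show dhcp` dump the check either reports the two loopback WAN resolvers from the thread's config or nothing, which is a quicker way to confirm the settings did not "default back to 127.0.0.1" than waiting for the log to fill with repeated example.com queries.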
