How to block dns response with iptables?

Hi, I want to block a DNS response for a client.
I ran tcpdump -i wlan0 port 53 on my OpenWrt:
16:23:54.504883 IP android-87d96661de850.lan.38014 > OpenWrt.lan.53: 16069+ A? example.com. (47)
16:23:54.793475 IP OpenWrt.lan.53 > android-87d96661de850.lan.38014: 16069 1/0/0 A 11.22.33.44 (63)

I tried:

 iptables -A OUTPUT -p udp -s 11.22.33.44 -d 192.168.1.218 --dport 53 -j DROP

Client IP: 192.168.1.218 | website whose DNS response I try to block: example.com | example.com's IP: 11.22.33.44

What is the right way to block the DNS response for example.com using iptables?

With iptables you can block all the DNS responses for the client.
With dnsmasq or adblock you can block the replies for example.com.
I am not aware of an all-in-one solution; however, running a separate instance of dnsmasq and redirecting the queries of the host in question to the secondary instance, which blackholes the domain, could be a solution.


Is it possible to run two dnsmasq instances on different ports (53 and 5053), one of them (on port 53) redirecting all traffic to a welcome page and the other (on port 5053) resolving the real websites' IPs,
and switch users between them with iptables port forwarding?
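
The two-instance setup sketched in the thread, as an added example that is not taken from any of the posts: it keeps the original goal (blackhole example.com for 192.168.1.218 only), so the secondary dnsmasq on port 5053 answers example.com with 0.0.0.0 and forwards everything else upstream, while iptables REDIRECT rules steer only that client's port-53 queries to it. The LAN bridge name br-lan, the upstream 127.0.0.1#53 (the primary dnsmasq on the router) and the config path are assumptions; the client IP, domain and port 5053 come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): per-client DNS blackhole on OpenWrt
# using a second dnsmasq instance plus iptables REDIRECT rules.
CLIENT="${CLIENT:-192.168.1.218}"      # client whose replies are filtered (from the thread)
BLOCKED="${BLOCKED:-example.com}"      # domain to blackhole (from the thread)
ALT_PORT="${ALT_PORT:-5053}"           # port of the secondary dnsmasq (from the thread)
LAN_IF="${LAN_IF:-br-lan}"             # assumption: OpenWrt default LAN bridge
UPSTREAM="${UPSTREAM:-127.0.0.1#53}"   # assumption: primary dnsmasq on this router
CONF="${CONF:-/tmp/dnsmasq-filter.conf}"   # assumption: where the extra config is written

# Config for the secondary instance. address=/domain/0.0.0.0 answers A queries
# for the domain and all its subdomains with 0.0.0.0 instead of the real IP;
# every other name is forwarded to UPSTREAM.
blackhole_conf() {
  printf 'port=%s\nno-resolv\nno-hosts\n' "$ALT_PORT"
  printf 'server=%s\naddress=/%s/0.0.0.0\n' "$UPSTREAM" "$BLOCKED"
}

# nat PREROUTING rules: port-53 queries from CLIENT to *any* resolver are
# rewritten to the router's ALT_PORT; other clients keep using port 53.
redirect_rules() {
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 -j REDIRECT --to-ports %s\n' \
      "$LAN_IF" "$CLIENT" "$proto" "$ALT_PORT"
  done
}

# Write the config, start the second instance, install the rules.
apply() {
  blackhole_conf > "$CONF"
  dnsmasq --conf-file="$CONF" --pid-file=/tmp/dnsmasq-filter.pid
  redirect_rules | sh
}

# APPLY=1 installs everything; by default only print what would be done.
if [ "${APPLY:-0}" = 1 ]; then apply; else blackhole_conf; redirect_rules; fi
```

Because the rules match on source address and destination port only, a client with a hard-coded public resolver is redirected as well; encrypted DNS (DoH/DoT) does not pass through port 53 and is not covered.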

Seems possible.

