How to prevent certain hosts (tagged by IP/mac/dns) from being unable to phone home to certain groups of hostnames and IPs

Hi,

I run old computers and other old devices and my problem is that the operating system on these devices will do things without my permission.

They talk to their manufacturer against my wishes and the only tool I have to stop them is to never let them talk to the internet at all.

I suspect there can be found a list of "all microsoft telemetry and updates servers" and probably the same for google and Apple.

I want to create a setup where I can say, this IP, this MAC or this internal hostname, I don't want them talking to microsoft at all.

I know this isn't 100% fool proof because microsoft can add extra backdoors; they might have hidden backdoors that download a list of bypass servers to get around the blocking.

But I would be happy with just blocking all the addresses we know of and ONLY for the specific devices that I want to block (I don't want to cut off all known google addresses from all the hosts on my network, only some of them).

When researching this question, I am often told to run Pi-hole instead, but I think it's possible on openwrt? But I don't really know the "clean" way of doing this.

Hopefully an easy to set up and reliable way that will continue working after updating the openwrt firmware and that any openwrt user can benefit from?

It's surely possible on OpenWrt. But to achieve this you would need to know how you define "microsoft" in the example below.

And that is where PiHole (and also solutions like Ad-Block on Openwrt) make part of your life easier.

You could block those domains in your router's DNSmasq, and by DHCP point the affected hosts to it (this is the default in openwrt), while the default DNS would be a different IP/external for the non-blocked devices...

You can just set the gateway on the device to 0.0.0.0 so it can't go online, but it will still be active on the LAN for printing, file sharing, etc.

1 Like

Ok,

So by microsoft I would guess everything on this list

https://raw.githubusercontent.com/schrebra/Windows.10.DNS.Block.List/main/hosts.txt

So I need my router to
download and keep that list updated and make it a named list "enemy server list"

Next I need to maintain a second list of the hosts on my network I want to prevent talking to anything on the "enemy server list", I think I'll call that list "enemy spy list"

Ok, so first, the DNS responses to queries from any hosts on the "enemy spy list" for records on the "enemy server list" should return the same as a record that doesn't exist.

Next, every host on the "enemy server list" should have its IP looked up and also stored in the list. Now the firewall should block by IP address any packets between anything on the "enemy server list" and the "enemy spy list".

It should be easy to maintain multiple such lists

"microsoft server list" "microsoft spy list"
"google server list" "google spy list"
"apple server list" "apple spy list"

There should be a script that can populate the server lists from online curated sources (possibly multiple). This script should routinely update the sources. There should be an easy way to add any custom host to any of those lists.

The spy list should allow the openwrt user to specify any internal hosts by hostname, IP and mac address (in my case, I spawn new windows 10 instances on virtual machines and then delete them just as quick, so anything with a hostname that starts with "WIN" should be maintained on the list).

And all of that should be manageable from luci

That's a tall order for one user to set up!

Is there any software in the openwrt repository that does this already (or maybe parts of it, @faser you mentioned "adblock on openwrt")?

This section has the command for nulling DNS records, but for everyone on the network (not just the hosts on the "spy list").

It seems there is no way to tell dnsmasq to give one answer for a record to one host, but a different answer to a different host. So probably the only way is going to be running multiple DNS servers and using DHCP to assign different DNS servers to the hosts on the spy list....

I'm not sure two DNS servers can exist on the same router!? Apparently yes, the solution is creating a network device alias:

multiple dns servers

multiple IP on same network interface

I don't see any script that can take a text file full of hosts and stuff it into dnsmasq using uci, so that part will have to be custom made (dnsmasq-add-dns-null-list-from-txt.sh).

Next is blocking the IP addresses of every host A and AAAA record in the "enemy server list".

Again, I don't see any script that can take a text file full of hostnames, look them all up, and spit out another text file of each IP address found (txt-ip-list-from-txt-dns-list.sh).

And next another script that will take that txt IP list and add them all to the firewall block list using uci (uci-add-fw-block-rule-from-txt.sh). That script should read the firewall rules, remove stale entries and add any missing entries. There might be something for parental controls or productivity people that does this, like blocking facebook automatically. Maybe that can be repurposed.

This blocks the whole internet for one internal host.
Too crude for what I'm doing, but it can probably be refined to block only the IPs from the enemy server list to/from only the IPs from the spy list:


# Configure firewall: one rule that rejects all WAN traffic from a single LAN MAC during a time window
uci add firewall rule
uci set firewall.@rule[-1].name="Filter-Parental-Controls"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].src_mac="00:11:22:33:44:55"   # the one LAN device to restrict
uci set firewall.@rule[-1].dest="wan"                    # any destination on the internet
uci set firewall.@rule[-1].start_time="21:30:00"         # only between these times
uci set firewall.@rule[-1].stop_time="07:00:00"
uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri"
uci set firewall.@rule[-1].target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Ok, I think that's a plan that could work. No idea what adding thousands of firewall rules is going to do to my Archer C7 and 300mbps fiber; I'm guessing it's going to just melt..... Maybe an occasion for an upgrade.

1 Like
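An added example (my own script, not code from the thread or from OpenWrt) that covers the lookup and firewall steps of the plan above with a single ipset-backed rule instead of thousands of rules: it parses a hosts-style list into names, resolves them, and limits the block to the spy-list MACs. It assumes firewall4's ipset section with loadfile, busybox nslookup output, and placeholder set names and file paths.

```shell
#!/bin/sh
# Added example, not from the thread: build an "enemy server" IP set from a
# hosts-style block list and block only the chosen LAN MACs ("spy list").
# Assumes OpenWrt with firewall4 (ipset section with loadfile) and busybox
# nslookup; set/rule names and file paths below are placeholders.

# Unique hostnames from hosts-file lines ("0.0.0.0 name"), minus comments,
# blank lines and localhost. Usage: hosts_to_names < hosts.txt
hosts_to_names() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
    awk '$2 != "" && $2 != "localhost" { print $2 }' | sort -u
}

# Resolve hostnames (stdin) to IPv4 addresses (stdout). Skips the first two
# lines of busybox nslookup output (the server block); assumed format.
# AAAA records would need a second set with "family ipv6".
resolve_names() {
    while read -r name; do
        nslookup "$name" 2>/dev/null |
        awk 'NR > 2 && /^Address/ && $2 ~ /^[0-9.]+$/ { print $2 }'
    done | sort -u
}

# Print the uci commands for one ipset (loaded from the IP file) and one
# REJECT rule limited to the listed source MACs, so the rule count stays at 1.
# $1 = set name, $2 = IP file on the router, $3 = space-separated MACs
emit_uci() {
    set_name=$1; ip_file=$2; macs=$3; rule="${set_name}_block"
    printf 'uci -q delete firewall.%s\n' "$set_name"
    printf 'uci set firewall.%s=ipset\n' "$set_name"
    printf 'uci set firewall.%s.name=%s\n' "$set_name" "$set_name"
    printf 'uci add_list firewall.%s.match=dest_ip\n' "$set_name"
    printf 'uci set firewall.%s.loadfile=%s\n' "$set_name" "$ip_file"
    printf 'uci -q delete firewall.%s\n' "$rule"
    printf 'uci set firewall.%s=rule\n' "$rule"
    printf "uci set firewall.%s.name='Block %s'\n" "$rule" "$set_name"
    printf 'uci set firewall.%s.src=lan\n' "$rule"
    printf 'uci set firewall.%s.dest=wan\n' "$rule"
    printf 'uci set firewall.%s.ipset=%s\n' "$rule" "$set_name"
    for m in $macs; do
        printf 'uci add_list firewall.%s.src_mac=%s\n' "$rule" "$m"
    done
    printf 'uci set firewall.%s.target=REJECT\n' "$rule"
    printf 'uci commit firewall\n/etc/init.d/firewall reload\n'
}

# On the router (re-run from cron to refresh the list):
#   wget -O - "$LIST_URL" | hosts_to_names | resolve_names > /etc/enemy_ms.txt
#   emit_uci enemy_ms /etc/enemy_ms.txt "00:11:22:33:44:55" | sh
```

Because the rule matches by source MAC, the DNS side (null answers only for spy-list hosts) still needs the separate dnsmasq instance discussed above; this script only handles the IP-level block.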