Privacy Concerns

Glad you were able to get it all sorted! :slight_smile:

Odd.

You may need to restart the firewall after saving.

:spiral_notepad: Destination is the WAN zone, the IP, or both. This assumes your Internet connection on OpenWrt is still default and configured in the WAN zone.

:warning: If you're receiving unsolicited inbound connections from this Google server - then you've unsafely altered your default firewall.

:+1:


Keep in mind, this may not be 'advertising to Google' as you're thinking. Instead, it might be checking for updates to the browser itself or other synchronization/checks that the browser does with a cloud service. While I cannot speak to specifically what the browser is doing with that connection, it is not necessarily nefarious or "stupid". For that, you'll have to dig into those behaviors -- maybe the browsers support channels have a discussion about it.


I don't understand why the connection shows up in OpenWrt, but not in my firewall, Portmaster. Portmaster has a filter list to entirely block Google, which always used to work; anyway, the connection doesn't show up as either established or blocked.
Mozillapushservices and lencr show up, the first being signed to AS ORG - google llc.
I was now able to find the connection in simplewall as established.

Well, the connection is being routed via OpenWrt, so it makes sense that it shows up here. However, why it doesn't show up in your host-level firewall -- that's an issue (and question) for how your system is configured. Host-level firewalls are out of scope for this forum.


Hey, if you need to block them on OpenWrt, you can try this:

Create the hosts file /etc/config/extrahosts and add 0.0.0.0 googleusercontent.com
Network -> DHCP and DNS -> Resolv and Hosts Files -> Additional Hosts files -> /etc/config/extrahosts
or use Network -> DNS Records to add the hostname and set the IP to 127.0.0.1.
Restart dnsmasq afterwards to apply.

That assumes the host uses OpenWrt for DNS queries.

Googletagmanager is used on zillions of websites for profiling and tracking people. You probably just visited one of them, so the site appeared in your log.

Googleusercontent is sometimes useful.

I control my computer’s access to these sites through uBlock Origin in my browser and an outgoing firewall (Little Snitch on Macintosh). It is easier to control in these tools than in the router, especially if I want temporary access to something.

Of course, then I have to manage these things on every device as opposed to one central location (the router), and there are fewer tools that can be used on an iPhone.

Another option is to put a hosts file on the router. I would like to do that but have not found the right syntax for the copy (scp) command.

That is an option, sure, but what if a host on your network decides to use an alternate DNS configuration other than dnsmasq from your OpenWrt box? If you still want you-name-it.tld blocked, the only sure way to do it is blocking via the firewall. That would take you back to needing to set up firewall rules, and potentially IPsets, as the proper solution.

You probably know more than I do, but I'd like to understand better. Do you mean a client on the network, not a host? What does it take for a device on the network to bypass the DNS resolver set in the router? What if I want to block hundreds of thousands of domains? Can that be done practically in the firewall? If so, how?

They're actually synonymous in the context in which we're speaking.

There are several ways, but the most common ways would be to:

  • Simply change the DNS server setting on your network interface. This would be as simple as going into the NIC settings in Windows or MacOS, for example, and changing the primary DNS IP to something like 8.8.8.8 or 1.1.1.1.
  • Run a DoH/DoT/DNSCrypt/etc program (binary) on your client machine or device (phone/tablet/etc) that forwards your DNS requests to an alternate DNS provider over TLS (would appear as port 443 or 853 traffic).

This is often mitigated by either blocking external DNS traffic (i.e. blocking port 53 outbound traffic from your LAN) or redirecting port 53 traffic from your LAN back to your OpenWrt DNS. The redirection avenue really only works for port 53 (unencrypted, UDP) traffic.

Many "IoT" type devices (smart thermostats, smart power switches, Roku streamers, TVs, etc.) come from the factory with a DNS IP "hardcoded" to point to one of the major public DNS services (whether Google, Cloudflare, or one of several dozen others). A lot of these types of devices don't respect DHCP option 6, even if you set it as part of your DHCP advertisement.

More details and examples for DNS interception here.

Option for DoH blocking here.

I would point you back to the post I made earlier in this thread:

There are several routes one can go to achieve that goal. The most beginner/novice friendly would be the banIP option.

More comfortable/advanced users may choose to go the IPset route and block based on large CIDR ranges and/or ASNs.

If you already have a list of hundreds of thousands of domains, that could easily be put into an IPset and then referenced in a single (or multiple, if desired) firewall rule.

Thank you, _FailSafe!

Many of those devices have NTP servers hardcoded too, and they don't respect DHCP options because of embedded IP stacks like lwIP or the one from FreeRTOS. In general, everyone concerned about privacy has to study their own devices with Wireshark or tcpdump to see what's going on.
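As an added example (not from any poster in this thread), here is the kind of check the earlier post on DNS bypass and this one on tcpdump both point at: a small script that reads `tcpdump -n` style lines and flags LAN clients that resolve outside the router on port 53, use DNS over TLS on 853, or open 443 to an IP they already used as a resolver (a hint of DoH). The capture lines, the 192.168.1.0/24 LAN and the 192.168.1.1 router address are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n -i br-lan` output (made up for this example).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.20.51234 > 192.168.1.1.53: 1234+ A? example.org. (29)
12:00:01.100002 IP 192.168.1.30.40000 > 8.8.8.8.53: 4321+ A? googletagmanager.com. (38)
12:00:01.200003 IP 192.168.1.30.40001 > 8.8.8.8.53: 4322+ A? googleusercontent.com. (39)
12:00:02.000004 IP 192.168.1.40.55555 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:02.100005 IP 192.168.1.40.55556 > 1.1.1.1.443: Flags [S], seq 2, win 64240, length 0
12:00:03.000006 IP 192.168.1.20.60000 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0
"""

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump -n.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_flows(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every IPv4 line in the capture."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def find_dns_bypass(capture, lan_net="192.168.1.0/24", router_ip="192.168.1.1"):
    """Return sorted (client, kind, resolver) triples for LAN clients that sidestep the router's DNS."""
    lan = ipaddress.ip_network(lan_net)
    flows = [f for f in parse_flows(capture) if ipaddress.ip_address(f[0]) in lan]
    findings = set()
    for src, _sport, dst, dport in flows:
        if dport == 53 and dst != router_ip:
            findings.add((src, "plain-dns", dst))   # Do53 to a third-party resolver
        elif dport == 853:
            findings.add((src, "dot", dst))         # DNS over TLS; a port-53 redirect misses this
    # Heuristic: a client that already used an outside resolver on 53/853 and also
    # opens 443 to the same IP is probably doing DoH there as well.
    resolvers = {(client, resolver) for client, _kind, resolver in findings}
    for src, _sport, dst, dport in flows:
        if dport == 443 and (src, dst) in resolvers:
            findings.add((src, "possible-doh", dst))
    return sorted(findings)


if __name__ == "__main__":
    for client, kind, resolver in find_dns_bypass(SAMPLE_CAPTURE):
        print(f"{client:15} {kind:13} -> {resolver}")
```

Ordinary HTTPS to an unrelated host (192.168.1.20 to 203.0.113.10 above) is deliberately not flagged, which is the limit the earlier post describes: encrypted DNS to a resolver you have not seen on 53 or 853 looks like any other port 443 traffic.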

