Block All DNS Except

[Therion87]

Is there a way to block all DNS on port 53 except for a specified device?

I looked at SkyNET and the Asus WebUI and didn't see anything that really fit the bill.

I could really just block 53 across the entire LAN since my DNS server uses 443 for DNS requests.

Thanks,

 

[ColinTaylor]

If you mean block traffic to port 53 on the internet then you can use Firewall > Network Services Filter.

 

[Zonkd]

If you mean block traffic to port 53 on the internet then you can use Firewall > Network Services Filter.

He wants to allow 1 device to reach port 53 though. Using NSF Blacklist would require creating an entry with source ip of every other device to be blocked? NSF Whitelist mode would be better method?

@Therion87

NSF Whitelist rules...
-, -, -, 1:65535 TCP
-, -, - 1:52 UDP
-, -, -, 54:65535 UDP
192.168.1.x, - , -, 53 UDP

Pity it’s not possible to use NSF blacklist and whitelist simultaneously.

 

[ColinTaylor]

But then he did say "I could really just block 53 across the entire LAN since my DNS server uses 443 for DNS requests.".

 

[Therion87]

@ColinTaylor I saw it seemed time based. I was hoping there was just something that would allow me to create a rule that was just active all the time. Not tied to a service timing.

@Zonkd That could work. I don't want to create explicit allows though.

I was just looking for a way to create a inbound and outbound denies for port 53. I have a bunch of devices that seem to like chat outside of my defined DNS server.

 

[Xentrk]

A lot of the examples I've seen use the INPUT Chain per the example below:

# Allow DNS (53) from <source IP>
iptables -A INPUT -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s <source IP> -j ACCEPT

# Deny all other DNS requests
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP

On the Stubby installer, we use the nat table PREROUTING Chain to override LAN Client DNS settings and force all LAN clients to use the router DNS:

iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

This is done from the nat-start user script in /jffs/scripts. The command

iptables -nvL PREROUTING -t nat --line

will display the rules on a terminal session.

My guess is to try something like the example below. You will have to test it.

# Allow DNS (53) from <source IP>
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -s <source IP> -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -s <source IP> -j ACCEPT 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -s <source IP> -j ACCEPT

# Deny all other DNS requests
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DROP 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DROP 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DROP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DROP

The order of the above is important. The ACCEPT should be run before the DROP.

If you want to specify ranges, use the syntax below.

-m iprange –src-range IP-IP -j ACTION
-m iprange –dst-range IP-IP -j ACTION

 

[ColinTaylor]

@ColinTaylor I saw it seemed time based. I was hoping there was just something that would allow me to create a rule that was just active all the time. Not tied to a service timing.

You can just ignore the time part. The default settings mean "all the time".

 

[Therion87]

A lot of the examples I've seen use the INPUT Chain per the example below:

# Allow DNS (53) from <source IP>
iptables -A INPUT -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s <source IP> -j ACCEPT

# Deny all other DNS requests
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP

On the Stubby installer, we use the nat table PREROUTING Chain to override LAN Client DNS settings and force all LAN clients to use the router DNS:

iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

This is done from the nat-start user script in /jffs/scripts. The command

iptables -nvL PREROUTING -t nat --line

will display the rules on a terminal session.

My guess is to try something like the example below. You will have to test it.

# Allow DNS (53) from <source IP>
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -s <source IP> -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -s <source IP> -j ACCEPT

# Deny all other DNS requests
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DROP
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DROP
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DROP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DROP

Thanks. I will give this a shot.

 

[steelskinz]

Let use know. It could be useful to only allow dns request to go by the PiHole (as i can see your sign and as i have the same build). Thanks.

 

[Therion87]

@Xentrk Would I just create a file in the /jffs/scripts folder called nat-start and add the following:

#Block All DNS Except from Router

iptables -nvL PREROUTING -t nat --line

# Allow DNS (53) from <source IP>
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -s 192.168.1.1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -s 192.168.1.1 -j ACCEPT 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -s 192.168.1.1 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -s 192.168.1.1 -j ACCEPT

# Deny all other DNS requests
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DROP 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DROP 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DROP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DROP

The router would read that file once created and automatically use it?

 

[ColinTaylor]

@Xentrk Would I just create a file in the /jffs/scripts folder called nat-start and add the following:

Those commands make no sense because you have specified the router's own address (192.168.1.1) as the source address. The first iptables command shouldn't be there as it is only used interactively as explained in the Xentrk's post.

What addresses exactly are you trying to block and allow?

 

[Therion87]

Those commands make no sense because you have specified the router's own address (192.168.1.1) as the source address. The first iptables command shouldn't be there as it is only used interactively as explained in the Xentrk's post.

What addresses exactly are you trying to block and allow?

I'm trying to block all DNS queries on port 53 for any device on the LAN. Most clients get DNS from a PiHole that uses 443 for DoH.

I used the router as the source to allow it to do DNS resolution for internal processes using the WAN defined DNS of 1.1.1.1 and 1.0.0.1

Basically, I want all the devices that get DHCP to use the PiHole (which most do), if you are the router you can use what I tell you (Cloudflare), any other DNS requests are blocked. I have IoT and other devices that seem to ignore my DNS settings and use hardcoded DNS.

 

[ColinTaylor]

Then just use the Network Services Filter to block port 53 TCP and UDP. NSF only effects LAN to WAN traffic so it won't effect the router's own DNS requests. It's basically generating the same iptables commands.

 

[Xentrk]

I'm trying to block all DNS queries on port 53 for any device on the LAN. Most clients get DNS from a PiHole that uses 443 for DoH.

I used the router as the source to allow it to do DNS resolution for internal processes using the WAN defined DNS of 1.1.1.1 and 1.0.0.1

Basically, I want all the devices that get DHCP to use the PiHole (which most do), if you are the router you can use what I tell you (Cloudflare), any other DNS requests are blocked. I have IoT and other devices that seem to ignore my DNS settings and use hardcoded DNS.

The method we use on the Stubby installer may do what you want.

If you replace the “$(nvram get lan_ipaddr)” with the IP address of the pi-hole, all clients will get their DNS from the pi-hole even if they have specified another DNS.

iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

Best practice is to place the commands in a script, e.g. mydns_rules.sh. Place a she-band in the first line e.g #!/bin/sh

Make executable, e.g chmod mydns_rules.sh 755

Call the script from nat start e.g. sh /jffs/scripts/mydns_rules.sh

You also need to add the she-bang to nat-start and make it executable. nat-start will run at boot. But we had an issue where nat-start can run concurrently under certain conditions. We had to place a lock on the file to prevent this. If you want to persue this method, let me know and I can post the lock file code.

The Network Services recommendation by @ColinTaylor sounds easier to implement. Try that first.

 

[Therion87]

The method we use on the Stubby installer may do what you want.

If you replace the “$(nvram get lan_ipaddr)” with the IP address of the pi-hole, all clients will get their DNS from the pi-hole even if they have specified another DNS.

iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

Best practice is to place the commands in a script, e.g. mydns_rules.sh. Place a she-band in the first line e.g #!/bin/sh

Make executable, e.g chmod mydns_rules.sh 755

Call the script from nat start e.g. sh /jffs/scripts/mydns_rules.sh

You also need to add the she-bang to nat-start and make it executable. nat-start will run at boot. But we had an issue where nat-start can run concurrently under certain conditions. We had to place a lock on the file to prevent this. If you want to persue this method, let me know and I can post the lock file code.

The Network Services recommendation by @ColinTaylor sounds easier to implement. Try that first.

I've implemented the NSF for now to see how it works. I was just worried about the timing portion of its integration. If it works reliably I will just use that.

Thanks for the help.

 

[ColinTaylor]

The method we use on the Stubby installer may do what you want.

If you replace the “$(nvram get lan_ipaddr)” with the IP address of the pi-hole, all clients will get their DNS from the pi-hole even if they have specified another DNS.

This is exactly the same as the DNSFilter so he wouldn't need to use script.

 

[Vexira]

This is exactly the same as the DNSFilter so he wouldn't need to use script.

I was thinking that also, wouldn't he be better off just using DNS filter wouldn't that make more sense, I use it with pi hole and it works.

 

[Rashed4004]

guys

sorry to post in an old thread but i am exactly in the same boat.

I got a Asus RT-AC68u router and Pi-Hole running on raspberry pi. I am using Cloudfare on pi hole for dns filtering and ad blocking.

Now, I want to block usage of VPN for trying to bypass the dns filtering.

what can i do about it?

any help is appreciated.

thanks

 

[ColinTaylor]

Where is the VPN client running, on the router or on a LAN device? If you're talking about something like a VPN client running on a PC then there's nothing you can do about that.

 

[Rashed4004]

Where is the VPN client running, on the router or on a LAN device? If you're talking about something like a VPN client running on a PC then there's nothing you can do about that.

VPN client running on PC or it can be proxy website.

Isnt there any way to block the required ports in the router?

thanks