Firewall rules not working for one specific DNS

[Tech Junky]

That's exactly what he's doing and the entire point of this thread. See post #1.

Instead of blocking in forward block it on output at the top of the chain.

 

[ColinTaylor]

Instead of blocking in forward block it on output at the top of the chain.

The FORWARD chain is the correct place. The OUTPUT chain would have no affect on requests from the LAN.

@peiskos When you say "DNS filter enabled" are you referring the company and their DNS servers (https://www.dnsfilter.com/), or are you referring to the Asus router feature called DNSFilter? If it's the latter what do those rules look like?

 

[Tech Junky]

DNS to external servers would need OUTPUT to exit that LAN to do a lookup.

 

[ColinTaylor]

DNS to external servers would need OUTPUT to exit that LAN to do a lookup.

This is incorrect. I explained this to you before here.

Netfilter - Wikipedia

en.wikipedia.org

 

[Tech Junky]

I'm done arguing about it @ColinTaylor

 

[ColinTaylor]

I'm done arguing about it @ColinTaylor

What argument? It's quite easy to test. The forwarded traffic does not traverse the filter/OUTPUT chain.

 

[peiskos]

When you say "DNS filter enabled" are you referring the company and their DNS servers (https://www.dnsfilter.com/), or are you referring to the Asus router feature called DNSFilter? If it's the latter what do those rules look like?

@ColinTaylor Both actually.

I have my router use the DNS servers of the DNS filter company to implement blocking of sites.

And then I have the Asus router DNS filter enabled to prevent circumventing the router settings.

Other settings that might be relevant

 

[ColinTaylor]

Thanks for confirming that info.

I had to do a packet capture on my PC to see what Chrome is doing with DoH. This led me to a good explanation here: https://help.firewalla.com/hc/en-us...S-over-HTTPS-and-DNS-over-TLS-on-your-network

Basically, Chrome looks at the system DNS settings. If it recognises them as a DoH provider it resolves a related domain name (e.g. chrome.cloudflare-dns.com) to get a local DNS IP address. This local IP address in Clouflare's case is not 1.1.1.1 or 1.0.0.1. For me it resolves to 104.18.42.171 and 172.64.145.85. From that point on it uses these addresses for DNS. That's why your iptables rules don't block it, and why it's only happens in Chrome.

 

[peiskos]

Thanks for figuring it out! This is helpful.

Would the solution then be to find out what Cloudflare's ip resolves to and add those addresses to my firewall-start blocking script? If so, how can I go about doing that?

Or is there a way to block DoH domains?

 

[egc]

That is why you should consider using IPSET with cloudfare-dns.com to get all the Cloudfare DNS servers blocked

 

[Tech Junky]

Or is there a way to block DoH domains?

Use pihole or some other DNS based blocking to prevent injecting DNS IPs.

 

[ColinTaylor]

Thanks for figuring it out! This is helpful.

Would the solution then be to find out what Cloudflare's ip resolves to and add those addresses to my firewall-start blocking script? If so, how can I go about doing that?

Or is there a way to block DoH domains?

As the posts above said, if you're already running some sort of ad-blocker like Diversion or Pi-hole you could add chrome.cloudflare-dns.com to the blacklist.

These methods often return address 0.0.0.0 for the blocked domain. So it will have the desired affect in Chrome, but is not ideal because Chrome will be constantly retrying the query hoping to get a valid address.

The best solution would be for the DNS query to return NXDOMAIN for chrome.cloudflare-dns.com. If you have enabled custom scripts in Merlin's firmware you can achieve this by entering the following commands in SSH:

echo "address=/chrome.cloudflare-dns.com/" >> /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

 

[SomeWhereOverTheRainBow]

As the posts above said, if you're already running some sort of ad-blocker like Diversion or Pi-hole you could add chrome.cloudflare-dns.com to the blacklist.

These methods typically return address 0.0.0.0 for the blocked domain. So it will have the desired affect in Chrome, but is not ideal because Chrome will be constantly retrying the query hoping to get a valid address.

The best solution would be for the DNS query to return NXDOMAIN for chrome.cloudflare-dns.com. If you have enabled custom scripts in Merlin's firmware you can achieve this by entering the following commands in SSH:

echo "address=/chrome.cloudflare-dns.com/" >> /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

Bingo you nailed it! If the OP is interested I can give them a list of domains to block that block all domains used to bypass the ordinary exchange of information. But @ColinTaylor is right DoH/DoT must be able to reach out over dns to resolve the server hostname in order to remotely connect to it. If it fails to do such then the browser will fall back to using the routers DNS.

 

[SomeWhereOverTheRainBow]

As promised here is my precompiled no bypass list.

https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/NoBypass.list

It is completely usable in pihole, or diversion.

 

[peiskos]

Y'all are the best.

@ColinTaylor, adding the Chrome cloudlfare dns to /jffs/configs/dnsmasq.conf.add did the trick. Chrome no longer circumvents my router DNS settings. Thanks for all your help!

@SomeWhereOverTheRainBow - thanks! I think I'll add these addresses to /jffs/configs/dnsmasq.conf.add and that should take care of everything.