Hardcoded Google DNS IPTABLES rule


r000t

New Around Here
hi,

I have a GT-AXE16000 with Merlin's 3004.388.8_2 FW, and recently I figured out that the Netflix app on my LG smart TV doesn't want to use my Adguard DNS and sends DNS requests directly to 8.8.8.8.
Somehow DNS Director works badly with my setup, so I blocked 8.8.8.8 using Network Services Filter. That didn't help because I have a rule unknown to me in my IPTABLES (iptables -S | grep 8.8.8.8):

-A FORWARD -s <LAN_NET> -d 8.8.8.8/32 -i br0 -o br0 -j ACCEPT

I have no idea how it got there. I don't use Google DNS on my router. "/jffs/scripts/firewall-start" is empty. This record survives reboot, so it must be somewhere in the configuration.

Please help me understand how it got there, and how I can clean it.
 
Not sure where it's coming from either, but it might be more helpful if we could see it in context.

Code:
iptables -vnL FORWARD --line-numbers

Also, that's allowing 8.8.8.8 as a destination within the scope of the local private network only (br0<->br0), similar to what you might see w/ NAT loopback. IOW, it does NOT allow access to 8.8.8.8 over the internet.

Are you using any AddOns (besides AdGuard)?
 
I am sorry, the Google IPTABLES rule was actually generated by the static route (I tried to route 8.8.8.8 traffic to the router's LAN interface as a temporary measure).

But here is the problem:

Code:
/tmp/home/root# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 10.0.1.231-10.0.1.254 reject-with icmp-port-unreachable
2      163 18900 IPSEC_DROP_SUBNET_ICMP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3      163 18900 IPSEC_STRONGSWAN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      132 16673 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5       31  2227 WGSF       all  --  *      *       0.0.0.0/0            0.0.0.0/0
6       31  2227 OVPNSF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 DROP       all  --  !br0   eth6    0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
9        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
10       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            77.88.8.0/24         udp dpt:53
11       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            1.1.1.1              udp dpt:53
12       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            8.8.8.8              udp dpt:53
13       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            8.8.8.8
14      24  1620 ACCEPT     all  --  br0    eth6    0.0.0.0/0            0.0.0.0/0
15       7   607 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
16       0     0 WGCF       all  --  *      *       0.0.0.0/0            0.0.0.0/0
17       0     0 OVPNCF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
18       0     0 VPNCF      all  --  *      *       0.0.0.0/0            0.0.0.0/0
19       0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
20       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Traffic should be blocked, but Tshark sees Netflix DNS packets.

Code:
:/tmp/home/root# tshark -i eth6 dst port 53
Capturing on 'eth6'
 ** (tshark:17779) 17:36:35.077744 [Main MESSAGE] -- Capture started.
 ** (tshark:17779) 17:36:35.077942 [Main MESSAGE] -- File: "/tmp/wireshark_eth6OGJNU2.pcapng"
    1 0.000000000  192.168.1.2 → 8.8.8.8      DNS 77 Standard query 0xf8b9 A cdn-0.nflximg.com
   14 6.885349000  192.168.1.2 → 8.8.8.8      DNS 78 Standard query 0xedea A uiboot.netflix.com
   15 6.939970295  192.168.1.2 → 8.8.8.8      DNS 82 Standard query 0x713e A api-global.netflix.com
   16 6.993060961  192.168.1.2 → 8.8.8.8      DNS 81 Standard query 0xe1e2 A push.prod.netflix.com

I have the ISP's router in front of the GT-AXE16000, so 192.168.1.2 is the WAN address.
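The question of whether a given packet is dropped by this FORWARD chain comes down to first-match order, and the listing above contains enough to walk it by hand. The following is an added example (editor's code, not from the thread or from Asuswrt-Merlin) that parses the posted `iptables -vnL FORWARD --line-numbers` output and returns the first terminating rule for a constructed packet. It assumes a LAN client address of 10.0.1.50, only understands the match extensions that appear in this particular listing (`state`/`ctstate`, `dpt:`, `source IP range`), and treats jumps into user chains whose contents are not shown (IPSEC_*, WGSF, OVPNSF, WGCF, OVPNCF, VPNCF) as if they RETURN.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# FORWARD chain exactly as posted in the thread (iptables -vnL FORWARD --line-numbers).
FORWARD_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 10.0.1.231-10.0.1.254 reject-with icmp-port-unreachable
2      163 18900 IPSEC_DROP_SUBNET_ICMP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3      163 18900 IPSEC_STRONGSWAN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      132 16673 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5       31  2227 WGSF       all  --  *      *       0.0.0.0/0            0.0.0.0/0
6       31  2227 OVPNSF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 DROP       all  --  !br0   eth6    0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
9        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
10       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            77.88.8.0/24         udp dpt:53
11       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            1.1.1.1              udp dpt:53
12       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            8.8.8.8              udp dpt:53
13       0     0 DROP       udp  --  br0    eth6    0.0.0.0/0            8.8.8.8
14      24  1620 ACCEPT     all  --  br0    eth6    0.0.0.0/0            0.0.0.0/0
15       7   607 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
16       0     0 WGCF       all  --  *      *       0.0.0.0/0            0.0.0.0/0
17       0     0 OVPNCF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
18       0     0 VPNCF      all  --  *      *       0.0.0.0/0            0.0.0.0/0
19       0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
20       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # any other target is a jump to a user chain

@dataclass
class Rule:
    num: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    states: frozenset           # from "state ..." / "ctstate ..."
    src_range: Optional[tuple]  # (low, high) from "source IP range a-b"

@dataclass
class Packet:
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    dport: Optional[int] = None
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

def parse_listing(text: str) -> list:
    """Parse the verbose listing, skipping the 'Chain' and column-header lines."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if not p or not p[0].isdigit():
            continue
        extra = " ".join(p[10:])  # match extensions printed after the destination column
        port = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"(?:ct)?state (\S+)", extra)
        rng = re.search(r"source IP range (\S+)-(\S+)", extra)
        rules.append(Rule(
            num=int(p[0]), target=p[3], proto=p[4], in_if=p[6], out_if=p[7],
            src=ipaddress.ip_network(p[8]), dst=ipaddress.ip_network(p[9]),
            dport=int(port.group(1)) if port else None,
            states=frozenset(state.group(1).split(",")) if state else frozenset(),
            src_range=tuple(map(ipaddress.ip_address, rng.groups())) if rng else None))
    return rules

def iface_ok(pattern: str, iface: str) -> bool:
    if pattern == "*":
        return True
    return iface != pattern[1:] if pattern.startswith("!") else iface == pattern

def rule_matches(r: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return ((r.proto == "all" or r.proto == pkt.proto)
            and iface_ok(r.in_if, pkt.in_if) and iface_ok(r.out_if, pkt.out_if)
            and src in r.src and dst in r.dst
            and (r.dport is None or r.dport == pkt.dport)
            and (not r.states or pkt.state in r.states)
            and (r.src_range is None or r.src_range[0] <= src <= r.src_range[1]))

def verdict(rules: list, pkt: Packet, policy: str = "ACCEPT"):
    """First-match walk; user-chain jumps are assumed to RETURN. Returns (rule number, target)."""
    for r in rules:
        if rule_matches(r, pkt) and r.target in TERMINATING:
            return r.num, r.target
    return None, policy

if __name__ == "__main__":
    rules = parse_listing(FORWARD_LISTING)
    tv = Packet("udp", "br0", "eth6", "10.0.1.50", "8.8.8.8", 53)  # 10.0.1.50 is an assumed LAN client
    print("new UDP/53 to 8.8.8.8 ->", verdict(rules, tv))
    print("same flow, ESTABLISHED ->", verdict(rules, Packet("udp", "br0", "eth6", "10.0.1.50", "8.8.8.8", 53, "ESTABLISHED")))
    print("TCP/53 to 8.8.8.8 ->", verdict(rules, Packet("tcp", "br0", "eth6", "10.0.1.50", "8.8.8.8", 53)))
```

Two things the walk makes visible that the raw listing does not: a brand-new UDP query from a LAN client to 8.8.8.8:53 stops at rule 12 (DROP), but rule 4 (`state RELATED,ESTABLISHED`) sits ahead of it, so a flow conntrack already considers established is accepted at rule 4 instead; and rules 10 to 13 match only `udp`, so the same query over TCP/53 falls through to rule 14 (ACCEPT all br0 to eth6). What the simulation cannot show is where the captured packets came from: rules 12 and 13 report 0 packets in the listing, and a capture on eth6 sees traffic after NAT with the router's own WAN address (192.168.1.2) as source, so it cannot distinguish forwarded LAN traffic from queries the router itself originates, which traverse the OUTPUT chain rather than FORWARD. Comparing the rule counters against the capture is the quickest way to tell the two apart.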
 
Adding static routes does NOT generate firewall rules. It just adds routes to the routing table.

The Network Services Filter is probably NOT the right strategy anyway. It would probably be better to redirect 8.8.8.8 for the TV's MAC address back to AdGuard (or whatever you want using one of the User-Defined DNS servers) w/ the DNS Director. IOW, trick the TV into thinking it's accessing 8.8.8.8 when in fact it isn't.

Not sure why using the DNS Director causes issues for you. Maybe that should be investigated further.
 
Adding static routes does NOT generate firewall rules. It just adds routes to the routing table.
I just checked. This static route ...

[attachment: 1727194276522.png]

generates this IPTABLES record:

Code:
9 0 0 ACCEPT all -- br0 br0 10.0.1.0/24 8.8.8.8

If I remove the static route, IPTABLES record also disappears. A bit unexpected.

The Network Services Filter is probably NOT the right strategy anyway. It would probably be better to redirect 8.8.8.8 for the TV's MAC address back to AdGuard (or whatever you want using one of the User-Defined DNS servers) w/ the DNS Director. IOW, trick the TV into thinking it's accessing 8.8.8.8 when in fact it isn't.

Not sure why using the DNS Director causes issues for you. Maybe that should be investigated further.
I'll probably spend more time here. Thank you!