How to block 127.0.0.1 from spesific outgoing DNS query in Iptables?
- Thread starter Boji
- Start date
Tech Junky
Part of the Furniture
If you block yourself then nothing works w/o IP only.
127.0.0.1 – What Are its Uses and Why is it Important? - Tech-FAQ
127.0.0.1 is the loopback Internet protocol (IP) address also referred to as the “localhost.” The address is used to establish an IP connection to the same machine or computer being used by the end-user. The same convention is defined for computer’s that support IPv6 addressing using the...
www.tech-faq.com
ColinTaylor
Part of the Furniture
Can you explain exactly what you mean by this (perhaps with an example) as it doesn't seem to make much sense.
Why address 127.0.0.1 and google.com specifically?
ColinTaylor
Part of the Furniture
Have you set "google.com" anywhere in the router's config? Perhaps under (Administration - System) NTP Server or Network Monitoring.
Last edited:
Tech Junky
Part of the Furniture
Seems more that it's embedded in the system as a connectivity check situation.
bbunge
Part of the Furniture
127.0.0.1 is a loop back address used to pass packets between programs within the system. You need to look for what is sending pings to www.google.com. Maybe a network monitor or keep alive system?
Whatever it is you do not want to block the loop back address!
Whatever it is you do not want to block the loop back address!
eibgrad
Part of the Furniture
It's perfectly normal for DNSMasq to issues queries since it's acting as a DNS proxy on behalf of the rest of the network (at least by default). What's unusual is that (apparently) you have DNSMasq configured in debug mode, which verbosely dumps information about those queries to the syslog. That probably means YOU or some other addon has enabled one of the following DNSMasq directives.
OR
A dump of the DNSMasq config file will confirm.
Code:
log-queriesOR
Code:
log-queries=extraA dump of the DNSMasq config file will confirm.
Code:
cat /tmp/etc/dnsmasq.confYep, you nailed it.
Yes, it is part of skynet, apparently its a ping or a dns query to detect internet connectivity.
Already enabled
I copied all the routers files to my computer, and searched inside them for "google.com" with notepad++, it is in the file "/scripts/firewall" (skynet).
Code:
}
Check_Connection() {
livecheck="0"
while [ "$livecheck" != "4" ]; do
if ping -q -w3 -c1 google.com >/dev/null 2>&1; then
break
else
if ping -q -w3 -c1 github.com >/dev/null 2>&1; then
break
else
if ping -q -w3 -c1 snbforums.com >/dev/null 2>&1; then
break
else
livecheck="$((livecheck + 1))"
if [ "$livecheck" != "4" ]; then
echo "[*] Internet Connectivity Error"
sleep 10
else
return "1"
fi
fi
fi
fi
done
}log-queries=extra is enabled.
Just a ping, so its not a problem, but I have seen similar behavior before in other routers. I would still like to know the iptables command to block specific domain requests from 127.0.0.1. If anyone can provide that, I'd appreciate that. Thank you for all your help.
ColinTaylor
Part of the Furniture
Have a look at the rules that the router's URL filter creates. Those rules filter DNS traffic from the LAN though and would be much better done in dnsmasq (like Diversion does). The trouble with trying to block requests specifically (and only) from the router itself is that the traffic isn't routed at the source so it never hits iptables (EDIT: see posts 14 and 15). You can't block on the output side because you can't distinguish router traffic from LAN traffic.
Last edited:
You mean the routers Lan-DNS filter? I'm not sure what too look for exactly. What are the commands to view those filters in particular? Interesting. Well, AdGuardHome does allow for blocking requests from the localhost, so does this mean it has its own inbuilt firewall of sorts, operating independently of iptables?
ColinTaylor
Part of the Furniture
No, I was referring to Firewall - URL Filter.
iptables-saveIt inserts rules similar to this:
Code:
-A INPUT -d 192.168.1.1/32 -i br0 -p udp -m udp --dport 53 -m string --hex-string "|047465737403636f6d|" --algo bm --to 65535 --icase -j DROPI am not familiar with how AdGuardHome works.
ColinTaylor
Part of the Furniture
Good idea, I hadn't considered that. That would probably work. (This is all assuming that the
Wan: Use local caching DNS server as system resolver option has been changed to Yes.) It sounds like it would be a lot easier if AdGuardHome has some sort of filter engine though.
Last edited:
Thanks for the tip. I will archive that for future reference.
If I manually input googles IP into the hosts file 'google.com 74.125.195.102', the logcalhosts queries no longer go through dnsmasq, which cleans up the logs substantially, as the following repeats every 5 minutes. Google.com queries from users on the subnet though do go through dnsmasq.
Code:
Apr 7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 query[A] google.com from 127.0.0.1
Apr 7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.139
Apr 7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.100
Apr 7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.102
Apr 7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.138
Apr 7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.101
Apr 7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.113
Apr 7 00:39:10 dnsmasq[3499]: 9170 127.0.0.1/51747 query[PTR] 139.195.125.74.in-addr.arpa from 127.0.0.1
Apr 7 00:39:10 dnsmasq[3499]: 9170 127.0.0.1/51747 config 139.195.125.74.in-addr.arpa is NXDOMAIN
Apr 7 00:39:10 dnsmasq[3499]: 9171 127.0.0.1/34139 query[PTR] 100.195.125.74.in-addr.arpa from 127.0.0.1
Apr 7 00:39:10 dnsmasq[3499]: 9171 127.0.0.1/34139 config 100.195.125.74.in-addr.arpa is NXDOMAIN
Apr 7 00:39:10 dnsmasq[3499]: 9172 127.0.0.1/50104 query[PTR] 102.195.125.74.in-addr.arpa from 127.0.0.1
Apr 7 00:39:10 dnsmasq[3499]: 9172 127.0.0.1/50104 config 102.195.125.74.in-addr.arpa is NXDOMAIN
Apr 7 00:39:10 dnsmasq[3499]: 9173 127.0.0.1/44371 query[PTR] 138.195.125.74.in-addr.arpa from 127.0.0.1
Apr 7 00:39:10 dnsmasq[3499]: 9173 127.0.0.1/44371 config 138.195.125.74.in-addr.arpa is NXDOMAIN
Apr 7 00:39:10 dnsmasq[3499]: 9174 127.0.0.1/37469 query[PTR] 101.195.125.74.in-addr.arpa from 127.0.0.1
Apr 7 00:39:10 dnsmasq[3499]: 9174 127.0.0.1/37469 config 101.195.125.74.in-addr.arpa is NXDOMAIN
Apr 7 00:39:10 dnsmasq[3499]: 9175 127.0.0.1/34412 query[PTR] 113.195.125.74.in-addr.arpa from 127.0.0.1
Apr 7 00:39:10 dnsmasq[3499]: 9175 127.0.0.1/34412 config 113.195.125.74.in-addr.arpa is NXDOMAINPS how did you generate the hex exactly? I used an online hex to text converter and it the
Code:
.
octopus
Part of the Furniture
I get "google.com"
Martineau
Part of the Furniture
The rule can be inserted as follows in a more human friendly format...
Code:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06|google|03|com|" --algo bm --to 65535 --icase -j DROP
Code:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06|google|03|com|" --algo bm --to 65535 --icase -j DROP -m comment --comment google.comSo for the domain name, you don't use .dot notation, but specify the length of the word as a value before the actual word
e.g.
Code:
"|03|ibm|03|com|"
Code:
"|03|bbc|02|co|02|uk|"
Last edited:
Similar threads
Similar threads
Similar threads
-
-
-
How to block LAN access for a wired device on ASUS Merlin (Firmware 3004.388.8_2)?
- Started by kuposcar
- Replies: 12
-
-
-
-
"Block internet access" toggle in Client Status GUI doesn't stick
- Started by Luboknok
- Replies: 3
-
Is there any easy solution in Merlin for a VPN server that is hard to block/detect?
- Started by Catalinus
- Replies: 13
-
isp block dns over tls and poison any unencrypted dns resolution
- Started by chris13
- Replies: 14
-
Asus merlin: How to block communication between two device on the network?
- Started by sudodavi
- Replies: 14