What's new

How To Block Top-Level Domains?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

AlleyCat

Occasional Visitor
Greetings!

A quick question: Is it possible to block top-level domains, like *.ru; *.cn; etc? I’ve looked at the Firewall URL Filter page (RT-AX88U), but I’m unsure of the proper syntax to use for blocking an entire TLD, assuming it can be done. I realize that client devices can simply use a VPN to bypass the TLD block, but that’s fine. If the block cannot be implemented via the GUI, how about from the command-line? Thanks!
 
In pihole you can do it with a regex like

Code:
.(ru|cn|ro|ml|ga|gq|cf|tk|pw|ua|ug|ve)$

There other options but, that's the simplest expression to cover things.
 
If you were using third-party firmware like Merlin, you could reconfigure DNSMasq to add the following directive.

Code:
address=/ru/cn/ro/ml/0.0.0.0
 
Thank you @Tech Junky and @eibgrad. I don’t use Pi-hole, yet, although I plan to get a SBC and setup Pi-hole in the future.

eibgrad, where should I enter that directive to reconfigure DNSMasq?
 
If you're using Merlin, you need to enable "JFFS custom scripts and configs" under Administration > System, then connect to the router over SSH and copy/paste the following into the SSH window (it will automatically create the necessary file).

Code:
CONFIGS_DIR='/jffs/configs'
CONFIG="$CONFIGS_DIR/dnsmasq.conf.add"

mkdir -p $CONFIGS_DIR

create_config() {
cat << 'EOF' > $CONFIG
address=/ru/cn/ro/ml/0.0.0.0
EOF
}

if [ -f $CONFIG ]; then
    echo "error: $CONFIG already exists; requires manual installation"
else
    create_config
    echo 'Done.'
fi
:
 
If you're using Merlin, you need to enable "JFFS custom scripts and configs" under Administration > System, then connect to the router over SSH and copy/paste the following into the SSH window (it will automatically create the necessary file).

Code:
CONFIGS_DIR='/jffs/configs'
CONFIG="$CONFIGS_DIR/dnsmasq.conf.add"

mkdir -p $CONFIGS_DIR

create_config() {
cat << 'EOF' > $CONFIG
address=/ru/cn/ro/ml/0.0.0.0
EOF
}

if [ -f $CONFIG ]; then
    echo "error: $CONFIG already exists; requires manual installation"
else
    create_config
    echo 'Done.'
fi
:
Thanks eibgrad, I’ll try out your script later tonight. I’ll use the BitVise client to SSH into the router. I also use WinSCP for file transfers.

If I understand correctly, the script:

1. first creates /configs directory on the /jffs partition, if it doesn’t exist already

2. creates a file called ‘dnsmasq.conf.add’ in /configs directory, then appends: address=/ru/cn/ro/ml/0.0.0.0 to the end of the file

3. check if ‘dnsmasq.conf.add’ exists and, if not, create it (again?)

I definitely need to learn more about scripting ;)
 
Last edited:
Thanks eibgrad, I’ll try out your script later tonight. I’ll use the BitVise client to SSH into the router. I also use WinSCP for file transfers.

If I understand correctly, the script:

1. first creates /configs directory on the /jffs partition, if it doesn’t exist already

2. creates a file called ‘dnsmasq.conf.add’ in /configs directory, then appends: address=/ru/cn/ro/ml/0.0.0.0 to the end of the file

3. check if ‘dnsmasq.conf.add’ exists and, if not, create it (again?)
Close. If dnsmasq.conf.add exists, it'll print that error message telling you that you'll have to install it manually.
If it doesn't exist (else), it runs the create_config function to create it.
create_config doesn't run until it's (possibly) called at the end of the if/else statement. The first mention is just it being defined for later use.
 
Close. If dnsmasq.conf.add exists, it'll print that error message telling you that you'll have to install it manually.
If it doesn't exist (else), it runs the create_config function to create it.
create_config doesn't run until it's (possibly) called at the end of the if/else statement. The first mention is just it being defined for later use.
@eibgrad I entered your script into a terminal window; then service restart_dnsmasq. So far so good, the specified TLDs are now being sinkholed. Thanks!

I also added a few more TLDs to the DNSMasq directive:
address=/ga/cf/club/cn/gq/icu/ml/pw/ro/ru/store/tk/top/xyz/0.0.0.0
 
Last edited:
sorry to bump an old thread.
but i was looking to block TLD's since google is dumb and has just created .zip and .mov domains.

want them blocked in my router.
i have asus-merlin ax-86u.
enabled jffs custom scripts in administration, system.
ran the script with the domains i wanted to block only changing line.

Code:
address=/ru/cn/ro/ml/0.0.0.0
to
Code:
address=/zip/mov/0.0.0.0

not working though the file is created in /jffs/configs/ as dnsmasq.conf.add with the contents.
i did run: service restart_dnsmasq.

as well as rebooted the router when that didnt make it work. still not working. jffs is enabled and file exists. did something change?
 
Are you using IPv6? That option only blocks IPv4 addresses. If you want to block both IPv4 and IPv6 addresses you need to use "#" instead of "0.0.0.0".
Code:
address=/zip/mov/#
 
Check that the line is being successfully appended to /etc/dnsmasq.conf.
it is at the end of the file yes...

im currently on firmware version 386.2_4

i tend to stay on a stable one for my service until i need to change.

my IPTV service from my isp tends to not work on some firmware versions.
 
Last edited:
How are you testing this, nslookup?

Can you give some example .zip and .mov domains that I can test it with?
 
How are you testing this, nslookup?

Can you give some example .zip and .mov domains that I can test it with?

i am using a .io domain to test i didnt think it would hurt line in the file is /zip/mov/io/ while im testing. site is cardgames.io

google just recently created zip and mov domains
and as common file extensions i can see these being used as scams to download malware. so blocking the whole TLD now.

example: where does this go to? https:⁄⁄facebook.com⁄somerandom⁄path⁄@attachment.zip at first glance it looks like a facebook link but the / is a unicode ⁄ and the @ tells the browser anything before it is a "username" for old ftp ect and to basically ignore it. that "link" will actually go to attachment.zip website.... That website is only a redirect to a YouTube video but it could be used to download malware or anything, see how the malware risk is high?
 
Last edited:
i think i may see my issue...



i have dns servers configured in my lan dhcp tab. as my isp dns servers seem to be trash frequently taking a long time to find domains.



nslookup was reporting 1.1.1.1 as the dns server. removing the dns servers from dhcp config fixed it.



after removing dns server 1&2 i get



Code:
Server: RT-AC86U-B9F0

Address: 192.168.2.1



Name: cardgames.io

Address: 0.0.0.0



thanks for the help.
 
i think i may see my issue...



i have dns servers configured in my lan dhcp tab. as my isp dns servers seem to be trash frequently taking a long time to find domains.



nslookup was reporting 1.1.1.1 as the dns server. removing the dns servers from dhcp config fixed it.



after removing dns server 1&2 i get



Code:
Server: RT-AC86U-B9F0

Address: 192.168.2.1



Name: cardgames.io

Address: 0.0.0.0



thanks for the help.
Great thread. Also had heard about Google adding several TLD's including .zip and .mov. Tried the methods shown above. After confirming I had access to cardgames.io

added [address=/zip/mov/io/#]
to [nano] /jffs/configs/dnsmasq.conf.add, rebooted and tried cardgames.io again... no connection!

edited the dnsmasq.conf.add to [address=/zip/mov/#] rebooted and tried cardgames.io again... connected!

these older threads still provide good stuff if you know how to search for it.

Only thing is I didn't confirm if the changes stuck from one reboot to another. Thanks!


 
Great thread. Also had heard about Google adding several TLD's including .zip and .mov. Tried the methods shown above. After confirming I had access to cardgames.io

added [address=/zip/mov/io/#]
to [nano] /jffs/configs/dnsmasq.conf.add, rebooted and tried cardgames.io again... no connection!

edited the dnsmasq.conf.add to [address=/zip/mov/#] rebooted and tried cardgames.io again... connected!

these older threads still provide good stuff if you know how to search for it.

Only thing is I didn't confirm if the changes stuck from one reboot to another. Thanks!
Will persist on reboot thats what jffs is, a form of nvram so it doesn't lose its data on reboot.

Files in jffs MAY even persist on a firmware update but it's best to backup the jffs before doing an update. Factory reset will clear jffs.


Indeed older forum posts are very useful even years later. Google made a stupid move creating zip domains
 
Will persist on reboot thats what jffs is, a form of nvram so it doesn't lose its data on reboot.

Files in jffs MAY even persist on a firmware update but it's best to backup the jffs before doing an update. Factory reset will clear jffs.


Indeed older forum posts are very useful even years later. Google made a stupid move creating zip domains

Yeah, Steve Gibson on his Security Now podcast agrees with you.

my list now shows: address=/zip/mov/foo/nexus/dad/phd/prof/esq/boo/rsvp/page/new/app/day/dev/club/icu/store/top/xyz/#

INSERT:
@ColinTaylor added that omitting the "#" would result in lookups returning an NXDOMAIN rather than "0.0.0.0" or "::" (which I imagine would be a better/tidier outcome from a coders perspective... so done).

my list now shows: address=/zip/mov/foo/nexus/dad/phd/prof/esq/boo/rsvp/page/new/app/day/dev/club/icu/store/top/xyz/

I'm gonna keep adding TLD's until i'm COMPLETELY protected! nothing gets in, nothing get out! 🤪

...Then I go to the library and start reading books, newspapers, magazines again. Hope my library card still works (since my internet is now kaput). ;)
 
Last edited:
Asus Merlin 388.1, GT-AX11000 - Block in dnsmasq works.

Small observation though, prevent client auto DoH is set to Auto. The tool tip states that it will block DoH if DNS Director is enabled. In my case it is enabled. My firefox browser was set to DoH and after blocking in DNSMasq I will still able to connect using Firefox, but Chrome blocked it. I turned off DoH in firefox and blocking kicked in immediately.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top