Skynet Skynet - Router Firewall & Security Enhancements

I have to say that Skynet is really going overboard in its bans over the course of its current revisions. It repeatedly blocks my DNS servers, even though I have them whitelisted because I am using the all-servers flag.

Skynet automatically whitelists all DNS servers configured on the router.

Code:
admin@RT-AC86U-2EE8:/tmp/home/root# ipset -L Skynet-Whitelist | grep dns
1.0.0.1 comment "nvram: wan_dns2_x"
1.1.1.1 comment "nvram: wan_dns1_x"

then today it decided to block the ENTIRE european union domain range

Can you give me any examples? European sites are working fine here.

Is it possible to not have the program block an IP address if it's whitelisted?

That is currently the case. Anything whitelisted overrides the blacklist.

It has done this now with Apple repeatedly, even though it was whitelisted and it continues to do it.

Again, I need examples; thousands of other people, including myself, have no issues.
 
I had to uninstall; the significant other was furious. I will let it happen again.
-JM
 
Code:
/tmp/home/root# ipset -L Skynet-Whitelist | grep dns
-sh: /tmp/home/root#: not found
 
My resolv file, which is located on /jffs/ and contains more than just two entries, is not being read.
 
Hey Adamm,
A few questions

1) Does AiProtection take effect before Skynet rules?
2) Do Skynet rules take effect over VPN?
3) With the option turned on to have AiProtection IPs added to the Skynet blacklist, is there any way to verify or see the additional IP addresses being added by AiProtection?

as always, many thanks!
 
Dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
resolv-file=/jffs/resolv.conf
servers-file=/jffs/resolv.dnsmasq
neg-ttl=3600
cache-size=4096
min-port=4096
bogus-priv
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
no-dhcp-interface=pptp*
no-dhcp-interface=tun21
no-dhcp-interface=tun22
no-dhcp-interface=tun
except-interface=tun21
except-interface=tun22
except-interface=tun
except-interface=pptp*
all-servers
max-cache-ttl=14400
local-service
localise-queries
filterwin2k
dns-loop-detect
stop-dns-rebind

resolv.dnsmasq
server=75.75.75.75
server=1.1.1.1
server=204.117.214.10
server=129.250.35.250
server=9.9.9.9
server=74.82.42.42
server=204.97.212.10
server=8.8.4.4
server=149.112.112.112
server=129.250.35.251
server=209.191.129.65
server=1.0.0.1

resolv.conf
nameserver 75.75.75.75
nameserver 1.1.1.1
nameserver 204.117.214.10
nameserver 129.250.35.250
nameserver 9.9.9.9
nameserver 74.82.42.42
nameserver 204.97.212.10
nameserver 8.8.4.4
nameserver 149.112.112.112
nameserver 129.250.35.251
nameserver 209.191.129.65
nameserver 1.0.0.1
 
This may be off topic but why on earth would you have so many dns servers configured? Most systems have a hard time using 2.
 
I figured more was better in that by using the all-servers variable dnsmasq would send the request out to all of them. The quickest to respond would issue the request. I can and will gladly reduce the number. I just thought it would be more better ;-)
 
A DNS request on this system goes to the first set system DNS server; if that server does not respond, i.e. is down, then it sends the request to the next server. It is not going to send the request to the next system DNS set just because it failed to resolve. The server would have to indicate something wrong before failing over to the next listed system DNS. This is my understanding of the basic DNS we have. I may be wrong. To have more than one DNS server messed up would be rare in my opinion. This again may vary in other areas of the world.
 
That only occurs if you issue the strict-order command, as I understand it from the manual. all-servers hits all of them at once and then takes the response from the quickest. I could be misinterpreting it, but that's how I understand it.
 
Are you sure that is not something exclusive to DNSCrypt?
 
Here let me show you:

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

all-servers
By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.
 
The fork of dnsmasq (called FTLDNS) that the pi-hole team has created really manages this well, but dnsmasq itself does not seem to be particularly good about it.
 
Without either of the above options, dnsmasq has algorithms that measure response and make it use the 'fastest' server first. So in most cases, the all-servers option is just generating unnecessary dns traffic.
 
Once again @john9527 your wisdom is appreciated!
 
Ah, I had been under the impression it was not doing that particularly well.
 
On my fork, I have two dnscrypt servers defined through dnsmasq. Based on the dnsmasq stats, it routes about 85% of the queries to the faster of the two.
(As an aside, it's tough to find good dnscrypt servers in the US).
 
AiProtection takes effect before skynet rules?

Yes, AiProtect kicks in before IPTables gets a chance.

Do skynet rules take effect over vpn?

Client? No. As per the nature of VPN clients we only make a direct connection with the VPN host.

with option turned on to have aiprotection ip's being added to skynet blacklist, is there any way to verify or see the additional ip addresses being added by aiprotection?

These will be updated every time banmalware is run, or Skynet is restarted. You can view the list of banned IPs via this method using:

Code:
admin@RT-AC86U-2EE8:/tmp/home/root# ipset -L Skynet-Blacklist | grep AiProtect
178.128.189.64 comment "BanAiProtect"
185.12.179.76 comment "BanAiProtect"
185.244.25.208 comment "BanAiProtect"
207.154.228.42 comment "BanAiProtect"
178.128.196.251 comment "BanAiProtect"
206.189.75.8 comment "BanAiProtect"
206.81.6.196 comment "BanAiProtect"
217.61.96.203 comment "BanAiProtect"
185.246.153.115 comment "BanAiProtect"
94.177.245.187 comment "BanAiProtect"
174.138.58.18 comment "BanAiProtect"
138.68.46.67 comment "BanAiProtect"
206.189.29.19 comment "BanAiProtect"
174.138.3.128 comment "BanAiProtect"
206.189.19.46 comment "BanAiProtect"
178.128.176.221 comment "BanAiProtect"

resolv.dnsmasq

Well that explains why your DNS servers aren't automatically whitelisted. If you manually specify something you would need to do the same in Skynet.
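A check that follows from this point, as an added example and not Skynet's or the thread's own code: it reads the server= lines dnsmasq would take from a servers-file such as /jffs/resolv.dnsmasq and reports which of those addresses have no member entry in the Skynet-Whitelist ipset, so they can be whitelisted by hand. The inputs below are constructed samples shaped like the file and ipset output shown earlier in the thread; on the router they would come from `cat /jffs/resolv.dnsmasq` and `ipset -L Skynet-Whitelist`.

```shell
# Added example, not Skynet's own code. Lists the dnsmasq upstream servers
# from a servers-file (resolv.dnsmasq) that do not appear as members of the
# Skynet-Whitelist ipset, i.e. the servers Skynet could still ban because its
# nvram-based auto-whitelist never sees a manually written servers-file.

# Constructed sample inputs so the script runs offline (see lead-in).
SAMPLE_SERVERS_FILE='server=75.75.75.75
server=1.1.1.1
server=9.9.9.9#53
server=1.0.0.1
# comment and blank lines are ignored
'
SAMPLE_IPSET_OUTPUT='Name: Skynet-Whitelist
Type: hash:net
Members:
1.0.0.1 comment "nvram: wan_dns2_x"
1.1.1.1 comment "nvram: wan_dns1_x"
'

# $1: servers-file contents. Accepts server=IP, server=IP#port and
# server=/domain/IP forms; prints one bare IPv4 address per line, sorted.
servers_from_conf() {
  printf '%s\n' "$1" \
    | sed -n 's/^server=//p' \
    | sed -e 's#^.*/##' -e 's/[#@].*$//' \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
    | sort -u
}

# $1: `ipset -L` output. Prints the single-host members after "Members:".
# CIDR members other than /32 are not expanded, so a server covered only by a
# wider whitelisted range is still reported (a conservative result).
whitelisted_from_ipset() {
  printf '%s\n' "$1" \
    | awk '/^Members:/ { m = 1; next }
           m && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/32)?$/ {
             sub(/\/32$/, "", $1); print $1 }' \
    | sort -u
}

# $1: servers-file contents, $2: ipset output. Prints configured servers that
# have no whitelist entry; an empty result means every server is covered.
unprotected_servers() {
  {
    whitelisted_from_ipset "$2" | sed 's/^/W /'
    servers_from_conf "$1" | sed 's/^/S /'
  } | awk '$1 == "W" { seen[$2] = 1; next } !seen[$2] { print $2 }'
}
unprotected_servers "$SAMPLE_SERVERS_FILE" "$SAMPLE_IPSET_OUTPUT"
```

With the sample inputs the two nvram-derived entries are covered and the script prints 75.75.75.75 and 9.9.9.9, the servers that would need a manual Skynet whitelist entry.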
 
@Adamm I use a vpn all the time. This morning, I woke to see Skynet had stopped 45,500 outbound connections to the same IP, in China. Because I have a China country block in Skynet I can only surmise that your firewall stopped it. The device inside my network is a media box. I rebooted the device and there was no more blocked outgoing traffic. So it would seem that the outgoing traffic from the media box which is strictly routed through the vpn only (or the connection is terminated) was blocked successfully. Can you please educate me on this? My WAN interface is vlan3000 and the traffic I think was listed as br0.
 
Many thanks!