DNS Filter Issue

[Pikey18]

Have found an issue if using the DNS filter as well as IPv6.

If the router is providing DNS the filter blocks v6 access to DNS on the device itself (on the input chain) where it should only be on the forward chain.

This can be seen by checking:

ip6tables -t mangle -L

It makes sense blocking FORWARD but should not be blocking INPUT when the router is the destination set in the filter settings.

Device is an ASUS RT-AC68U

My current fix is deleting the rules from the firewall using the firewall-start script but it should not be necessary.

 

[RMerlin]

That is correct. That code was originally based on Asus's YandexDNS support, which didn't have to deal with that particular scenario. I'll have the default rule become ACCEPT in the INPUT chain if DNSFilter's global mode is set to Router.

 

[Pikey18]

Thanks RMerlin

Seems there is traces of Yandex also being placed into /etc/dnsmasq.conf. Doesn't appear to be using it though so not really an issue.

Here is the file without my additions on the end (which are just to redirect some domains to a different DNS server [smart DNS for Netflix etc] and for booting WDS from my internal server):

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=<removed>
expand-hosts
dhcp-range=lan,172.30.1.100,172.30.1.250,255.255.255.0,2592000s
dhcp-option=lan,3,172.30.1.254
dhcp-option=lan,15,<removed>
dhcp-option=lan,252,"\n"
ra-param=br0,10,600
enable-ra
quiet-ra
dhcp-range=lan,::,constructor:br0,ra-stateless,64,600
dhcp-option=dnsf5,option6:23,[2a02:6b8::feed:bad],[2a02:6b8:0:1::feed:bad]
dhcp-option=dnsf6,option6:23,[2a02:6b8::feed:a11],[2a02:6b8:0:1::feed:a11]
dhcp-option=lan,option6:23,[::]
dhcp-option=lan,option6:24,,<removed>
dhcp-authoritative
read-ethers
addn-hosts=/etc/hosts.dnsmasq
interface=tun21