Blocking hardcoded dns to specific dns address


Swistheater

Very Senior Member
Okay, so I know how dnsfilter works, but I simply want to only block outbound dns for a specific device. It uses 1.1.1.1 for dns connections. I am attempting to prevent the device from dialing home. What are some user suggestions?
 

dave14305

Part of the Furniture
Block it instead of redirect it? How about dnsfilter to a bad IP? :)
 

Swistheater

Very Senior Member
Are you still talking about DNS servers or something else?
DNS blocking techniques on merlin

This is my first thought:
Code:
# LAN->WAN traffic is forwarded by the router, so the match belongs in FORWARD (INPUT only sees packets addressed to the router itself);
# -I inserts the rule ahead of the firmware's own ACCEPT rules so it is actually reached
iptables -I FORWARD -s <device-ip> -p tcp --destination-port 53 -j DROP
iptables -I FORWARD -s <device-ip> -p udp --destination-port 53 -j DROP
 

Swistheater

Very Senior Member
I haven't ventured to look at network service filter as an option, but can it be used to do the same thing?
 

ColinTaylor

Part of the Furniture
Why not just block all internet access for the device in question rather than creating some convoluted DNS blocking. I still don't know what your IPv6 comment was regarding.
 

Swistheater

Very Senior Member
Why not just block all internet access for the device in question rather than creating some convoluted DNS blocking. I still don't know what your IPv6 comment was regarding.
Really my goal is just to prevent the device from phoning home. Would you use Network Services Filter for this? And it wasn't convoluted. I was merely asking: if I did as dave suggested and used DNS filter to redirect the traffic to a dummy IP, how would I do the same for IPv6, since DNSFilter only encompasses IPv4 traffic?
 

Treadler

Very Senior Member
Really my goal is just to prevent the device from phoning home. Would you use Network Services Filter for this? And it wasn't convoluted. I was merely asking: if I did as dave suggested and used DNS filter to redirect the traffic to a dummy IP, how would I do the same for IPv6, since DNSFilter only encompasses IPv4 traffic?
Maybe use Skynet IoT blocking?
 

Swistheater

Very Senior Member

ColinTaylor

Part of the Furniture
Do you have an IPv6 internet service? If not then just block it using the option in the Client Status list.
 

ColinTaylor

Part of the Furniture
...if I did as dave suggested and used DNS filter to redirect the traffic to a dummy IP, how would I do the same for IPv6, since DNSFilter only encompasses IPv4 traffic?
IIRC enabling the DNS filter creates a firewall rule that blocks IPv6 DNS requests forcing the client to fall back to IPv4.
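Putting the iptables idea from earlier in the thread and the IPv6 question together, here is an added example (not code posted by anyone in the thread) of what a /jffs/scripts/firewall-start script on an Asuswrt-Merlin router would look like if it dropped one client's outbound DNS on both IPv4 and IPv6. The device IP 192.168.1.50 and MAC aa:bb:cc:dd:ee:ff are assumed placeholders; the IPv6 side matches on the client's MAC because its IPv6 addresses change, and it is skipped when the router's ipv6_service nvram setting is disabled.

```shell
#!/bin/sh
# Added example, not code from the thread. Drop a single LAN client's outbound
# DNS (UDP and TCP port 53) on an Asuswrt-Merlin router, in the shape of a
# /jffs/scripts/firewall-start script. Address and MAC are assumed values.
DEVICE_IP="${DEVICE_IP:-192.168.1.50}"        # assumed IPv4 of the device
DEVICE_MAC="${DEVICE_MAC:-aa:bb:cc:dd:ee:ff}" # assumed MAC of the device

# Emit the IPv4 rules, one command per line. LAN->WAN traffic is forwarded by
# the router, so the match goes in FORWARD (INPUT only sees packets addressed
# to the router itself). -I inserts ahead of the firmware's ACCEPT rules.
v4_dns_rules() {
    dev="$1"
    for proto in udp tcp; do
        echo "iptables -I FORWARD -s $dev -p $proto --dport 53 -j DROP"
    done
}

# IPv6 counterpart. The client's IPv6 address is not stable (SLAAC and privacy
# addresses), so match on the source MAC instead; the mac match module is
# valid in the FORWARD chain.
v6_dns_rules() {
    mac="$1"
    for proto in udp tcp; do
        echo "ip6tables -I FORWARD -m mac --mac-source $mac -p $proto --dport 53 -j DROP"
    done
}

# Run one rule idempotently: delete an existing copy (-D) before inserting (-I)
# so firewall-start re-runs after a WAN reconnect do not stack duplicates.
run_rule() {
    $(printf '%s' "$1" | sed 's/ -I FORWARD / -D FORWARD /') 2>/dev/null || true
    $1
}

apply_rules() {
    v4_dns_rules "$DEVICE_IP" | while IFS= read -r r; do run_rule "$r"; done
    # ipv6_service is the Asuswrt nvram variable for the IPv6 mode ("disabled" when off).
    if [ "$(nvram get ipv6_service 2>/dev/null)" != "disabled" ]; then
        v6_dns_rules "$DEVICE_MAC" | while IFS= read -r r; do run_rule "$r"; done
    fi
}

# Quick check from the router shell: the DROP rules must list above any ACCEPT.
show_rules() {
    iptables -S FORWARD | grep -- "--dport 53"
    ip6tables -S FORWARD 2>/dev/null | grep -- "--dport 53"
}

case "${1:-print}" in
    apply) apply_rules; show_rules ;;
    print) v4_dns_rules "$DEVICE_IP"; v6_dns_rules "$DEVICE_MAC" ;;
esac
```

Run it with no argument to review the rules it would add, and with `apply` from firewall-start to install them. DROP matches what the thread proposes; the client will sit through resolver timeouts, so REJECT is the friendlier choice if the device misbehaves while waiting. Note this only covers plain port 53: a device that falls back to DNS over HTTPS on 443 is not stopped by these rules.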
 

sbsnb

Senior Member
Another alternative I've used for devices that need access to the Internet, but that I still want to prevent phoning home, is to see where they connect when phoning home and then block the entire IP block for that device. For example, if I want to block my Roku from phoning home I just enter something like:

Code:
iptables -A OUTPUT -s 192.168.1.2 -d 34.192.0.0/10 -j DROP
 

ColinTaylor

Part of the Furniture
Another alternative I've used for devices that need access to the Internet, but that I still want to prevent phoning home, is to see where they connect when phoning home and then block the entire IP block for that device. For example, if I want to block my Roku from phoning home I just enter something like:

Code:
iptables -A OUTPUT -s 192.168.1.2 -d 34.192.0.0/10 -j DROP
I believe you would have to use the FORWARD chain not the OUTPUT chain. It would also have to be inserted (-I) rather than appended (-A).
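The "see where they connect, then block that block" approach above can be done from the router shell without any extra tooling. The script below is an added example (not code posted in the thread): it pulls the unique destination addresses for one LAN client out of nf_conntrack-format lines, then emits the per-device block rule in the FORWARD chain with -I, as corrected in the reply above. The client address 192.168.1.2, the 34.192.0.0/10 netblock from the earlier post, and the conntrack lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. First list where a LAN client actually
# connects (from the router's connection tracking table), then block that
# destination block for that client only, in FORWARD with -I.
# 192.168.1.2 and the conntrack lines below are constructed sample data.

# Print the unique destination IPv4 addresses a given source has talked to,
# reading /proc/net/nf_conntrack-format lines on stdin. The first src=/dst=
# pair on each line is the original direction of the connection, so the device
# is only counted when it opened the connection, not when it was the target.
conntrack_dests() {
    awk -v want="src=$1" '{
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if (s == "" && $i ~ /^src=/) s = $i; else if (d == "" && $i ~ /^dst=/) d = $i
        }
        if (s == want) { sub("dst=", "", d); print d }
    }' | sort -u
}

# Constructed sample of nf_conntrack output (fields abridged). On the router,
# replace this with: cat /proc/net/nf_conntrack
sample_conntrack() {
    cat <<'EOF'
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.2 dst=34.200.10.5 sport=51234 dport=443 src=34.200.10.5 dst=203.0.113.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4 2 udp 17 29 src=192.168.1.2 dst=1.1.1.1 sport=40000 dport=53 src=1.1.1.1 dst=203.0.113.7 sport=53 dport=40000 mark=0 use=1
ipv4 2 tcp 6 300 ESTABLISHED src=192.168.1.2 dst=34.200.10.5 sport=51240 dport=443 src=34.200.10.5 dst=203.0.113.7 sport=443 dport=51240 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 100 ESTABLISHED src=192.168.1.9 dst=198.51.100.20 sport=60000 dport=443 src=198.51.100.20 dst=203.0.113.7 sport=443 dport=60000 [ASSURED] mark=0 use=1
EOF
}

# Emit a per-device rule for a destination block. FORWARD, because the router
# forwards LAN->WAN traffic (OUTPUT only covers the router's own connections),
# and -I so the rule lands ahead of the firmware's ACCEPT rules.
block_rule() {
    echo "iptables -I FORWARD -s $1 -d $2 -j DROP"
}

main() {
    dev="${1:-192.168.1.2}"
    echo "# destinations seen for $dev:"
    sample_conntrack | conntrack_dests "$dev"
    # Look up the netblock that owns the destination(s) you want to cut off,
    # then block that block for this device only:
    echo "# rule to apply:"
    block_rule "$dev" 34.192.0.0/10
}

main "$@"
```

Run it on the router a few times while the device is idle and while it is in use, so you catch the phone-home destinations without also catching whatever the device legitimately needs; the DNS hit to 1.1.1.1 in the sample is exactly the hardcoded resolver traffic the thread started with.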
 
