Firewall rules not working for one specific DNS


Instead of blocking in forward block it on output at the top of the chain.
The FORWARD chain is the correct place. The OUTPUT chain would have no effect on requests from the LAN.

@peiskos When you say "DNS filter enabled" are you referring to the company and their DNS servers (https://www.dnsfilter.com/), or are you referring to the Asus router feature called DNSFilter? If it's the latter what do those rules look like?
 
> When you say "DNS filter enabled" are you referring to the company and their DNS servers (https://www.dnsfilter.com/), or are you referring to the Asus router feature called DNSFilter? If it's the latter what do those rules look like?

@ColinTaylor Both actually.

I have my router use the DNS servers of the DNS filter company to implement blocking of sites.


And then I have the Asus router DNS filter enabled to prevent circumventing the router settings.


Other settings that might be relevant
 
Thanks for confirming that info.

I had to do a packet capture on my PC to see what Chrome is doing with DoH. This led me to a good explanation here: https://help.firewalla.com/hc/en-us...S-over-HTTPS-and-DNS-over-TLS-on-your-network

Basically, Chrome looks at the system DNS settings. If it recognises them as a DoH provider it resolves a related domain name (e.g. chrome.cloudflare-dns.com) to get a local DNS IP address. This local IP address in Cloudflare's case is not 1.1.1.1 or 1.0.0.1. For me it resolves to 104.18.42.171 and 172.64.145.85. From that point on it uses these addresses for DNS. That's why your iptables rules don't block it, and why it only happens in Chrome.
 
Thanks for figuring it out! This is helpful.

Would the solution then be to find out what Cloudflare's ip resolves to and add those addresses to my firewall-start blocking script? If so, how can I go about doing that?

Or is there a way to block DoH domains?
 
That is why you should consider using IPSET with cloudflare-dns.com to get all the Cloudflare DNS servers blocked.
 
> Thanks for figuring it out! This is helpful.
>
> Would the solution then be to find out what Cloudflare's ip resolves to and add those addresses to my firewall-start blocking script? If so, how can I go about doing that?
>
> Or is there a way to block DoH domains?

As the posts above said, if you're already running some sort of ad-blocker like Diversion or Pi-hole you could add chrome.cloudflare-dns.com to the blacklist.

These methods often return address 0.0.0.0 for the blocked domain. So it will have the desired effect in Chrome, but is not ideal because Chrome will be constantly retrying the query hoping to get a valid address.

The best solution would be for the DNS query to return NXDOMAIN for chrome.cloudflare-dns.com. If you have enabled custom scripts in Merlin's firmware you can achieve this by entering the following commands in SSH:
Code:
echo "address=/chrome.cloudflare-dns.com/" >> /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
 
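The `echo ... >> /jffs/configs/dnsmasq.conf.add` one-liner above appends another copy of the line every time it is run. The following script is an added example (not code from the thread or from the Merlin project) that adds the same `address=/domain/` NXDOMAIN entry only if it is not already present, and only restarts dnsmasq when something changed. The environment variable `DNSMASQ_CONF_ADD` and the `apply` argument are assumptions introduced here so the script can be tried against a scratch file off the router; `service restart_dnsmasq` is the command from the thread.

```shell
#!/bin/sh
# Added example: idempotently add dnsmasq NXDOMAIN entries for the DoH
# bootstrap hostname identified in the thread, on an Asus-Merlin router.
# CONF defaults to the Merlin path used in the thread; DNSMASQ_CONF_ADD is
# an assumed override so the functions can be exercised on a scratch file.
CONF="${DNSMASQ_CONF_ADD:-/jffs/configs/dnsmasq.conf.add}"

# add_nxdomain_entry CONF DOMAIN
# Appends "address=/DOMAIN/" unless that exact line already exists.
# With no IP after the domain, dnsmasq answers NXDOMAIN for DOMAIN and for
# every name under it, so Chrome stops retrying instead of chasing 0.0.0.0.
# Returns 0 if a line was added, 1 if it was already there.
add_nxdomain_entry() {
    conf="$1"
    domain="$2"
    entry="address=/${domain}/"
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF "$entry" "$conf"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$conf"
    return 0
}

# count_entries CONF -> number of address=/.../ lines currently in the file
count_entries() {
    grep -c '^address=/' "$1"
}

# Only the hostname the thread identified; extend the list as needed.
DOMAINS="chrome.cloudflare-dns.com"

main() {
    added=0
    for d in $DOMAINS; do
        if add_nxdomain_entry "$CONF" "$d"; then
            added=$((added + 1))
        fi
    done
    # Restart dnsmasq only when the real router config was changed.
    if [ "$added" -gt 0 ] && [ "$CONF" = /jffs/configs/dnsmasq.conf.add ]; then
        service restart_dnsmasq
    fi
    echo "$added new entries in $CONF"
}

# Run the apply step only when asked, so sourcing the file is side-effect free.
case "${1:-}" in
    apply) main ;;
esac
```

On the router, run it with `sh doh-block.sh apply` and then confirm with `nslookup chrome.cloudflare-dns.com 127.0.0.1`, which should report that the name does not exist rather than return 0.0.0.0.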
> As the posts above said, if you're already running some sort of ad-blocker like Diversion or Pi-hole you could add chrome.cloudflare-dns.com to the blacklist.
>
> These methods typically return address 0.0.0.0 for the blocked domain. So it will have the desired effect in Chrome, but is not ideal because Chrome will be constantly retrying the query hoping to get a valid address.
>
> The best solution would be for the DNS query to return NXDOMAIN for chrome.cloudflare-dns.com. If you have enabled custom scripts in Merlin's firmware you can achieve this by entering the following commands in SSH:
> Code:
> echo "address=/chrome.cloudflare-dns.com/" >> /jffs/configs/dnsmasq.conf.add
> service restart_dnsmasq

Bingo you nailed it! If the OP is interested I can give them a list of domains to block that block all domains used to bypass the ordinary exchange of information. But @ColinTaylor is right: DoH/DoT must be able to reach out over DNS to resolve the server hostname in order to remotely connect to it. If it fails to do so then the browser will fall back to using the router's DNS.
 
Y'all are the best.

@ColinTaylor, adding the Chrome cloudflare dns to /jffs/configs/dnsmasq.conf.add did the trick. Chrome no longer circumvents my router DNS settings. Thanks for all your help!

@SomeWhereOverTheRainBow - thanks! I think I'll add these addresses to /jffs/configs/dnsmasq.conf.add and that should take care of everything.
 
