How to block 127.0.0.1 from a specific outgoing DNS query in iptables?

Boji

Occasional Visitor
I'd like to block 127.0.0.1 from querying google.com with IP tables, anyone know how to do this?

I'm assuming dnsmasq can't.
 

ColinTaylor

Part of the Furniture
I'd like to block 127.0.0.1 from querying google.com ...
Can you explain exactly what you mean by this (perhaps with an example) as it doesn't seem to make much sense.

Why address 127.0.0.1 and google.com specifically?
 

Boji

Occasional Visitor
Because 127.0.0.1 is trying to connect to google.com

Apr 4 07:40:17 dnsmasq[11279]: 1 127.0.0.1/54960 query[AAAA] google.com from 127.0.0.1
Apr 4 07:40:17 dnsmasq[11279]: 1 127.0.0.1/54960 forwarded google.com to 127.0.1.1
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 query[A] google.com from 127.0.0.1
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 forwarded google.com to 127.0.1.1
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.102
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.113
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.138
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.139
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.101
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.100
 

ColinTaylor

Part of the Furniture
Have you set "google.com" anywhere in the router's config? Perhaps under (Administration - System) NTP Server or Network Monitoring.
 

Zastoff

Very Senior Member
Tried with LAN/DNS-Filter set Enable DNS-based Filtering ON and Global Filter Mode= router?
 

bbunge

Part of the Furniture
127.0.0.1 is a loopback address used to pass packets between programs within the system. You need to look for what is sending pings to www.google.com. Maybe a network monitor or keep-alive system?
Whatever it is, you do not want to block the loopback address!
 

eibgrad

Part of the Furniture
It's perfectly normal for DNSMasq to issue queries since it's acting as a DNS proxy on behalf of the rest of the network (at least by default). What's unusual is that (apparently) you have DNSMasq configured in debug mode, which verbosely dumps information about those queries to the syslog. That probably means YOU or some other addon has enabled one of the following DNSMasq directives.

Code:
log-queries

OR

Code:
log-queries=extra

A dump of the DNSMasq config file will confirm.

Code:
cat /tmp/etc/dnsmasq.conf
 

Boji

Occasional Visitor
Have you set "google.com" anywhere in the router's config? Perhaps under (Administration - System) NTP Server or Network Monitoring.
Yep, you nailed it.
Seems more that it's embedded in the system as a connectivity check situation.
Yes, it is part of Skynet; apparently it's a ping or a DNS query to detect internet connectivity.
Tried with LAN/DNS-Filter set Enable DNS-based Filtering ON and Global Filter Mode= router?
Already enabled
127.0.0.1 is a loopback address used to pass packets between programs within the system. You need to look for what is sending pings to www.google.com. Maybe a network monitor or keep-alive system?
Whatever it is, you do not want to block the loopback address!
I copied all the router's files to my computer and searched inside them for "google.com" with Notepad++; it is in the file "/scripts/firewall" (Skynet).

Code:

Check_Connection() {
    livecheck="0"
    while [ "$livecheck" != "4" ]; do
        if ping -q -w3 -c1 google.com >/dev/null 2>&1; then
            break
        else
            if ping -q -w3 -c1 github.com >/dev/null 2>&1; then
                break
            else
                if ping -q -w3 -c1 snbforums.com >/dev/null 2>&1; then
                    break
                else
                    livecheck="$((livecheck + 1))"
                    if [ "$livecheck" != "4" ]; then
                        echo "[*] Internet Connectivity Error"
                        sleep 10
                    else
                        return "1"
                    fi
                fi
            fi
        fi
    done
}

It's perfectly normal for DNSMasq to issue queries since it's acting as a DNS proxy on behalf of the rest of the network (at least by default). What's unusual is that (apparently) you have DNSMasq configured in debug mode, which verbosely dumps information about those queries to the syslog. That probably means YOU or some other addon has enabled one of the following DNSMasq directives.

Code:
log-queries

OR

Code:
log-queries=extra

A dump of the DNSMasq config file will confirm.

Code:
cat /tmp/etc/dnsmasq.conf
log-queries=extra is enabled.

Just a ping, so it's not a problem, but I have seen similar behavior before in other routers. I would still like to know the iptables command to block specific domain requests from 127.0.0.1. If anyone can provide that, I'd appreciate it. Thank you for all your help.
 

ColinTaylor

Part of the Furniture
I would still like to know the iptables command to block specific domain requests from 127.0.0.1. If anyone can provide that, I'd appreciate that. Thank you for all your help.
Have a look at the rules that the router's URL filter creates. Those rules filter DNS traffic from the LAN though and would be much better done in dnsmasq (like Diversion does). The trouble with trying to block requests specifically (and only) from the router itself is that the traffic isn't routed at the source so it never hits iptables (EDIT: see posts 14 and 15). You can't block on the output side because you can't distinguish router traffic from LAN traffic.
 

Boji

Occasional Visitor
Have a look at the rules that the router's URL filter creates. Those rules filter DNS traffic from the LAN though and would be much better done in dnsmasq (like Diversion does). The trouble with trying to block requests specifically (and only) from the router itself is that the traffic isn't routed at the source so it never hits iptables. You can't block on the output side because you can't distinguish router traffic from LAN traffic.
You mean the router's LAN DNS filter? I'm not sure what to look for exactly. What are the commands to view those filters in particular? Interesting. Well, AdGuardHome does allow for blocking requests from the localhost, so does this mean it has its own inbuilt firewall of sorts, operating independently of iptables?
 

ColinTaylor

Part of the Furniture
You mean the router's LAN DNS filter?
No, I was referring to Firewall - URL Filter.

I'm not sure what to look for exactly. What are the commands to view those filters in particular?
iptables-save
It inserts rules similar to this:
Code:
-A INPUT -d 192.168.1.1/32 -i br0 -p udp -m udp --dport 53 -m string --hex-string "|047465737403636f6d|" --algo bm --to 65535 --icase -j DROP
But as I said above, this won't work for requests originating from the router.

Interesting. Well, AdGuardHome does allow for blocking requests from the localhost, so does this mean it has its own inbuilt firewall of sorts, operating independently of iptables?
I am not familiar with how AdGuardHome works.
 

dave14305

Part of the Furniture
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06676f6f676c6503636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
 

ColinTaylor

Part of the Furniture
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|047465737403636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
Good idea, I hadn't considered that. That would probably work. (This is all assuming that the Wan: Use local caching DNS server as system resolver option has been changed to Yes.) It sounds like it would be a lot easier if AdGuardHome has some sort of filter engine though.
 

Boji

Occasional Visitor
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06676f6f676c6503636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
Thanks for the tip. I will archive that for future reference.
If I manually input Google's IP into the hosts file ('google.com 74.125.195.102'), the localhost's queries no longer go through dnsmasq, which cleans up the logs substantially, as the following repeats every 5 minutes. Google.com queries from users on the subnet do still go through dnsmasq, though.

Code:
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 query[A] google.com from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.139
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.100
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.102
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.138
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.101
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.113
Apr  7 00:39:10 dnsmasq[3499]: 9170 127.0.0.1/51747 query[PTR] 139.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9170 127.0.0.1/51747 config 139.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9171 127.0.0.1/34139 query[PTR] 100.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9171 127.0.0.1/34139 config 100.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9172 127.0.0.1/50104 query[PTR] 102.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9172 127.0.0.1/50104 config 102.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9173 127.0.0.1/44371 query[PTR] 138.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9173 127.0.0.1/44371 config 138.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9174 127.0.0.1/37469 query[PTR] 101.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9174 127.0.0.1/37469 config 101.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9175 127.0.0.1/34412 query[PTR] 113.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9175 127.0.0.1/34412 config 113.195.125.74.in-addr.arpa is NXDOMAIN
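Since the whole thread turns on working out which client is behind the google.com queries, here is an added POSIX sh/awk helper (not code from the thread, Skynet or dnsmasq) that tallies dnsmasq `log-queries` output by client, query type and name. The sample log lines are constructed in the shape of the ones posted above; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise dnsmasq log-queries output so the
# client behind a noisy name (here 127.0.0.1 asking for google.com) stands out.
# Works on both the log-queries and the log-queries=extra line shapes, because it
# locates the "query[TYPE]" field instead of relying on fixed column positions.

# Constructed sample lines in the log-queries=extra format (values are made up,
# shaped like the ones posted in the thread).
SAMPLE_LOG='Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 query[A] google.com from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.139
Apr  7 00:39:10 dnsmasq[3499]: 9170 127.0.0.1/51747 query[PTR] 139.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:11 dnsmasq[3499]: 9171 192.168.1.20/50133 query[A] google.com from 192.168.1.20
Apr  7 00:44:10 dnsmasq[3499]: 9180 127.0.0.1/41001 query[A] google.com from 127.0.0.1
Apr  7 00:44:10 dnsmasq[3499]: 9181 127.0.0.1/41002 query[AAAA] github.com from 127.0.0.1'

# query_counts [CLIENT]: read dnsmasq log lines on stdin and print
# "count client type name", busiest first, optionally restricted to one client.
query_counts() {
    awk -v client="${1:-}" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^query\[/) {
                    type = substr($i, 7, length($i) - 7)   # strip "query[" and "]"
                    name = $(i + 1)
                    src  = ($(NF - 1) == "from") ? $NF : "?"
                    if (client == "" || src == client)
                        count[src " " type " " name]++
                    break
                }
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1rn -k2
}

# Usage on a real router: query_counts 127.0.0.1 < /tmp/syslog.log
# On the constructed sample, restricted to loopback, the first line is
# "2 127.0.0.1 A google.com".
```

Restricting to `127.0.0.1` separates the router's own connectivity checks from LAN clients asking for the same name, which is the distinction the hosts-file change above relies on.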
 

Boji

Occasional Visitor
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06676f6f676c6503636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
PS how did you generate the hex exactly? I used an online hex to text converter and it the
Code:
.
comes back with some wild characters, is it still accurate?
 

octopus

Part of the Furniture
PS how did you generate the hex exactly? I used an online hex to text converter and it the
Code:
.
comes back with some wild characters, is it still accurate?
I get "google.com"
 

Martineau

Part of the Furniture
PS how did you generate the hex exactly? I used an online hex to text converter and it the
Code:
.
comes back with some wild characters, is it still accurate?
The rule can be inserted as follows in a more human friendly format...
Code:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06|google|03|com|" --algo bm --to 65535 --icase -j DROP
or even better would be to visually tag it
Code:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06|google|03|com|" --algo bm --to 65535 --icase -j DROP -m comment --comment google.com

So for the domain name, you don't use .dot notation, but specify the length of the word as a value before the actual word

e.g.
Code:
"|03|ibm|03|com|"
or
Code:
"|03|bbc|02|co|02|uk|"
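As an added example (not code from the thread, Skynet or the router firmware), here is a POSIX sh script that derives the length-prefixed label encoding described above from a plain domain name, so the hex in dave14305's rule can be generated and checked rather than looked up. It also shows the part of `-m string` worth knowing before deploying such a rule: the match is a plain substring search over the packet, so a pattern for `google.com` also fires on `www.google.com`, while `mygoogle.com` (first length byte `08`, not `06`) is left alone. The install function assumes an `iptables` binary that supports `-C`; all function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: derive the DNS wire-format label encoding
# (length byte + label, no dots) that -m string --hex-string matches on, and
# show what such a rule does and does not match. Function names are my own.

# dns_labels_hex NAME -> raw hex of the QNAME labels,
# e.g. google.com -> 06676f6f676c6503636f6d
dns_labels_hex() {
    _out=""
    _oldifs=$IFS
    IFS=.
    for _label in $1; do
        # one length byte, then the label bytes themselves (od prints them as hex)
        _out="$_out$(printf '%02x' "${#_label}")$(printf '%s' "$_label" | od -An -tx1 | tr -d ' \n')"
    done
    IFS=$_oldifs
    printf '%s' "$_out"
}

# dns_labels_pretty NAME -> the readable form iptables also accepts,
# e.g. google.com -> |06|google|03|com|
dns_labels_pretty() {
    _out="|"
    _oldifs=$IFS
    IFS=.
    for _label in $1; do
        _out="$_out$(printf '%02x' "${#_label}")|$_label|"
    done
    IFS=$_oldifs
    printf '%s' "$_out"
}

# rule_matches QNAME PATTERN -> exit 0 if a rule built for PATTERN would also fire
# on a query for QNAME. -m string is a substring search over the packet, so the
# encoded pattern matches anywhere inside the QNAME. The scan advances one byte
# (two hex digits) at a time so the comparison stays byte-aligned.
rule_matches() {
    _hay=$(dns_labels_hex "$1")
    _needle=$(dns_labels_hex "$2")
    while [ "${#_hay}" -ge "${#_needle}" ]; do
        case $_hay in
            "$_needle"*) return 0 ;;
        esac
        _hay=${_hay#??}
    done
    return 1
}

# install_block_rule NAME: the rule shape from the thread, inserted at the top of
# INPUT (ahead of the usual "-i lo -j ACCEPT") and tagged with a comment, but only
# if an identical rule is not already present (iptables -C), so re-running is safe.
install_block_rule() {
    _hex="|$(dns_labels_hex "$1")|"
    set -- INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "$_hex" \
        --algo bm --to 65535 --icase -m comment --comment "$1" -j DROP
    iptables -C "$@" 2>/dev/null || iptables -I "$@"
}

# Usage (prints both encodings, does not touch iptables):
#   sh dnsmatch.sh google.com
if [ -n "${1:-}" ]; then
    printf '%s -> |%s| (%s)\n' "$1" "$(dns_labels_hex "$1")" "$(dns_labels_pretty "$1")"
fi
```

`rule_matches google.com.example google.com` also succeeds, for the same substring reason, which is why a rule like this is a coarse filter rather than an exact-name block; anchoring the match to the end of the QNAME would need the trailing root byte (`00`) appended to the pattern.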
 
