What's new

How to block 127.0.0.1 from spesific outgoing DNS query in Iptables?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Boji

Occasional Visitor
I'd like to block 127.0.0.1 from querying google.com with IP tables, anyone know how to do this?

I'm assuming dnsmasq can't.
 
I'd like to block 127.0.0.1 from querying google.com ...
Can you explain exactly what you mean by this (perhaps with an example) as it doesn't seem to make much sense.

Why address 127.0.0.1 and google.com specifically?
 
Because 127.0.0.1 is trying to connect to google.com

Apr 4 07:40:17 dnsmasq[11279]: 1 127.0.0.1/54960 query[AAAA] google.com from 127.0.0.1
Apr 4 07:40:17 dnsmasq[11279]: 1 127.0.0.1/54960 forwarded google.com to 127.0.1.1
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 query[A] google.com from 127.0.0.1
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 forwarded google.com to 127.0.1.1
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.102
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.113
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.138
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.139
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.101
Apr 4 07:40:17 dnsmasq[11279]: 2 127.0.0.1/41931 reply google.com is 172.253.117.100
 
Have you set "google.com" anywhere in the router's config? Perhaps under (Administration - System) NTP Server or Network Monitoring.
 
Last edited:
Tried with LAN/DNS-Filter set Enable DNS-based Filtering ON and Global Filter Mode= router?
 
127.0.0.1 is a loop back address used to pass packets between programs within the system. You need to look for what is sending pings to www.google.com. Maybe a network monitor or keep alive system?
Whatever it is you do not want to block the loop back address!
 
It's perfectly normal for DNSMasq to issues queries since it's acting as a DNS proxy on behalf of the rest of the network (at least by default). What's unusual is that (apparently) you have DNSMasq configured in debug mode, which verbosely dumps information about those queries to the syslog. That probably means YOU or some other addon has enabled one of the following DNSMasq directives.

Code:
log-queries

OR

Code:
log-queries=extra

A dump of the DNSMasq config file will confirm.

Code:
cat /tmp/etc/dnsmasq.conf
 
Have you set "google.com" anywhere in the router's config? Perhaps under (Administration - System) NTP Server or Network Monitoring.
Yep, you nailed it.
Seems more that it's embedded in the system as a connectivity check situation.
Yes, it is part of skynet, apparently its a ping or a dns query to detect internet connectivity.
Tried with LAN/DNS-Filter set Enable DNS-based Filtering ON and Global Filter Mode= router?
Already enabled
127.0.0.1 is a loop back address used to pass packets between programs within the system. You need to look for what is sending pings to www.google.com. Maybe a network monitor or keep alive system?
Whatever it is you do not want to block the loop back address!
I copied all the routers files to my computer, and searched inside them for "google.com" with notepad++, it is in the file "/scripts/firewall" (skynet).

Code:
}

Check_Connection() {
    livecheck="0"
    while [ "$livecheck" != "4" ]; do
        if ping -q -w3 -c1 google.com >/dev/null 2>&1; then
            break
        else
            if ping -q -w3 -c1 github.com >/dev/null 2>&1; then
                break
            else
                if ping -q -w3 -c1 snbforums.com >/dev/null 2>&1; then
                    break
                else
                    livecheck="$((livecheck + 1))"
                    if [ "$livecheck" != "4" ]; then
                        echo "[*] Internet Connectivity Error"
                        sleep 10
                    else
                        return "1"
                    fi
                fi
            fi
        fi
    done
}

It's perfectly normal for DNSMasq to issues queries since it's acting as a DNS proxy on behalf of the rest of the network (at least by default). What's unusual is that (apparently) you have DNSMasq configured in debug mode, which verbosely dumps information about those queries to the syslog. That probably means YOU or some other addon has enabled one of the following DNSMasq directives.

Code:
log-queries

OR

Code:
log-queries=extra

A dump of the DNSMasq config file will confirm.

Code:
cat /tmp/etc/dnsmasq.conf
log-queries=extra is enabled.

Just a ping, so its not a problem, but I have seen similar behavior before in other routers. I would still like to know the iptables command to block specific domain requests from 127.0.0.1. If anyone can provide that, I'd appreciate that. Thank you for all your help.
 
I would still like to know the iptables command to block specific domain requests from 127.0.0.1. If anyone can provide that, I'd appreciate that. Thank you for all your help.
Have a look at the rules that the router's URL filter creates. Those rules filter DNS traffic from the LAN though and would be much better done in dnsmasq (like Diversion does). The trouble with trying to block requests specifically (and only) from the router itself is that the traffic isn't routed at the source so it never hits iptables (EDIT: see posts 14 and 15). You can't block on the output side because you can't distinguish router traffic from LAN traffic.
 
Last edited:
Have a look at the rules that the router's URL filter creates. Those rules filter DNS traffic from the LAN though and would be much better done in dnsmasq (like Diversion does). The trouble with trying to block requests specifically (and only) from the router itself is that the traffic isn't routed at the source so it never hits iptables. You can't block on the output side because you can't distinguish router traffic from LAN traffic.
You mean the routers Lan-DNS filter? I'm not sure what too look for exactly. What are the commands to view those filters in particular? Interesting. Well, AdGuardHome does allow for blocking requests from the localhost, so does this mean it has its own inbuilt firewall of sorts, operating independently of iptables?
 
You mean the routers Lan-DNS filter?
No, I was referring to Firewall - URL Filter.

I'm not sure what too look for exactly. What are the commands to view those filters in particular?
iptables-save
It inserts rules similar to this:
Code:
-A INPUT -d 192.168.1.1/32 -i br0 -p udp -m udp --dport 53 -m string --hex-string "|047465737403636f6d|" --algo bm --to 65535 --icase -j DROP
But as I said above, this won't work for requests originating from the router.

Interesting. Well, AdGuardHome does allow for blocking requests from the localhost, so does this mean it has its own inbuilt firewall of sorts, operating independently of iptables?
I am not familiar with how AdGuardHome works.
 
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06676f6f676c6503636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
 
Last edited:
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|047465737403636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
Good idea, I hadn't considered that. That would probably work. (This is all assuming that the Wan: Use local caching DNS server as system resolver option has been changed to Yes.) It sounds like it would be a lot easier if AdGuardHome has some sort of filter engine though.
 
Last edited:
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06676f6f676c6503636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
Thanks for the tip. I will archive that for future reference.
If I manually input googles IP into the hosts file 'google.com 74.125.195.102', the logcalhosts queries no longer go through dnsmasq, which cleans up the logs substantially, as the following repeats every 5 minutes. Google.com queries from users on the subnet though do go through dnsmasq.

Code:
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 query[A] google.com from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.139
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.100
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.102
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.138
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.101
Apr  7 00:39:10 dnsmasq[3499]: 9169 127.0.0.1/44719 cached google.com is 74.125.195.113
Apr  7 00:39:10 dnsmasq[3499]: 9170 127.0.0.1/51747 query[PTR] 139.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9170 127.0.0.1/51747 config 139.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9171 127.0.0.1/34139 query[PTR] 100.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9171 127.0.0.1/34139 config 100.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9172 127.0.0.1/50104 query[PTR] 102.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9172 127.0.0.1/50104 config 102.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9173 127.0.0.1/44371 query[PTR] 138.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9173 127.0.0.1/44371 config 138.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9174 127.0.0.1/37469 query[PTR] 101.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9174 127.0.0.1/37469 config 101.195.125.74.in-addr.arpa is NXDOMAIN
Apr  7 00:39:10 dnsmasq[3499]: 9175 127.0.0.1/34412 query[PTR] 113.195.125.74.in-addr.arpa from 127.0.0.1
Apr  7 00:39:10 dnsmasq[3499]: 9175 127.0.0.1/34412 config 113.195.125.74.in-addr.arpa is NXDOMAIN
 
Couldn't you do something like this?
Bash:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06676f6f676c6503636f6d|" --algo bm --to 65535 --icase -j DROP
It would just need to be inserted before the ACCEPT for lo.
PS how did you generate the hex exactly? I used an online hex to text converter and it the
Code:
.
comes back with some wild characters, is it still accurate?
 
PS how did you generate the hex exactly? I used an online hex to text converter and it the
Code:
.
comes back with some wild characters, is it still accurate?
I get "google.com"
 
PS how did you generate the hex exactly? I used an online hex to text converter and it the
Code:
.
comes back with some wild characters, is it still accurate?
The rule can be inserted as follows in a more human friendly format...
Code:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06|google|03|com|" --algo bm --to 65535 --icase -j DROP
or even better would be to visually tag it
Code:
iptables -I INPUT -i lo -p udp -m udp --dport 53 -m string --hex-string "|06|google|03|com|" --algo bm --to 65535 --icase -j DROP -m comment --comment google.com

So for the domain name, you don't use .dot notation, but specify the length of the word as a value before the actual word

e.g.
Code:
"|03|ibm|03|com|"
or
Code:
"|03|bbc|02|co|02|uk|"
 
Last edited:

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top