How To Block Top-Level Domains?


AlleyCat

Occasional Visitor
Greetings!

A quick question: Is it possible to block top-level domains, like *.ru; *.cn; etc? I’ve looked at the Firewall URL Filter page (RT-AX88U), but I’m unsure of the proper syntax to use for blocking an entire TLD, assuming it can be done. I realize that client devices can simply use a VPN to bypass the TLD block, but that’s fine. If the block cannot be implemented via the GUI, how about from the command-line? Thanks!
 
In pihole you can do it with a regex like

Code:
\.(ru|cn|ro|ml|ga|gq|cf|tk|pw|ua|ug|ve)$

There are other options, but that's the simplest expression to cover things.
 
If you were using third-party firmware like Merlin, you could reconfigure DNSMasq to add the following directive.

Code:
address=/ru/cn/ro/ml/0.0.0.0
 
Thank you @Tech Junky and @eibgrad. I don't use Pi-hole yet, although I plan to get an SBC and set up Pi-hole in the future.

eibgrad, where should I enter that directive to reconfigure DNSMasq?
 
If you're using Merlin, you need to enable "JFFS custom scripts and configs" under Administration > System, then connect to the router over SSH and copy/paste the following into the SSH window (it will automatically create the necessary file).

Code:
CONFIGS_DIR='/jffs/configs'
CONFIG="$CONFIGS_DIR/dnsmasq.conf.add"

# make sure the directory that holds dnsmasq.conf.add exists
mkdir -p "$CONFIGS_DIR"

# only defined here; it runs when it is called below
create_config() {
cat << 'EOF' > "$CONFIG"
address=/ru/cn/ro/ml/0.0.0.0
EOF
}

if [ -f "$CONFIG" ]; then
    echo "error: $CONFIG already exists; requires manual installation"
else
    create_config
    echo 'Done.'
fi
 
Thanks eibgrad, I’ll try out your script later tonight. I’ll use the BitVise client to SSH into the router. I also use WinSCP for file transfers.

If I understand correctly, the script:

1. first creates the /configs directory on the /jffs partition, if it doesn't exist already

2. creates a file called 'dnsmasq.conf.add' in the /configs directory, then appends address=/ru/cn/ro/ml/0.0.0.0 to the end of the file

3. checks if 'dnsmasq.conf.add' exists and, if not, creates it (again?)

I definitely need to learn more about scripting ;)
 
Close. If dnsmasq.conf.add exists, it'll print that error message telling you that you'll have to install it manually.
If it doesn't exist (else), it runs the create_config function to create it.
create_config doesn't run until it's (possibly) called at the end of the if/else statement. The first mention is just it being defined for later use.
 
@eibgrad I entered your script into a terminal window; then service restart_dnsmasq. So far so good, the specified TLDs are now being sinkholed. Thanks!

I also added a few more TLDs to the DNSMasq directive:
address=/ga/cf/club/cn/gq/icu/ml/pw/ro/ru/store/tk/top/xyz/0.0.0.0
 
Sorry to bump an old thread.
But I was looking to block TLDs since Google is dumb and has just created .zip and .mov domains.

Want them blocked in my router.
I have Asus-Merlin AX-86U.
Enabled JFFS custom scripts in Administration, System.
Ran the script with the domains I wanted to block, only changing the line

Code:
address=/ru/cn/ro/ml/0.0.0.0
to
Code:
address=/zip/mov/0.0.0.0

Not working, though the file is created in /jffs/configs/ as dnsmasq.conf.add with the contents.
I did run: service restart_dnsmasq.

As well as rebooted the router when that didn't make it work. Still not working. JFFS is enabled and the file exists. Did something change?
 
Are you using IPv6? That option only blocks IPv4 addresses. If you want to block both IPv4 and IPv6 addresses you need to use "#" instead of "0.0.0.0".
Code:
address=/zip/mov/#
 
Check that the line is being successfully appended to /etc/dnsmasq.conf.
It is at the end of the file, yes...

I'm currently on firmware version 386.2_4

I tend to stay on a stable one for my service until I need to change.

My IPTV service from my ISP tends to not work on some firmware versions.
 
How are you testing this, nslookup?

Can you give some example .zip and .mov domains that I can test it with?
 
I am using a .io domain to test; I didn't think it would hurt. The line in the file is /zip/mov/io/ while I'm testing. The site is cardgames.io

Google just recently created zip and mov domains,
and as common file extensions I can see these being used as scams to download malware. So blocking the whole TLD now.

Example: where does this go to? https:⁄⁄facebook.com⁄somerandom⁄path⁄@attachment.zip At first glance it looks like a Facebook link, but the / is a Unicode ⁄ and the @ tells the browser anything before it is a "username" for old FTP etc. and to basically ignore it. That "link" will actually go to the attachment.zip website.... That website is only a redirect to a YouTube video, but it could be used to download malware or anything. See how the malware risk is high?
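As an added check for the link trick described above (example code written for this page, not code from the post or from any browser), here is a small Python model of how a browser's URL parser picks the host out of that string: the authority runs up to the first real '/', '\', '?' or '#', and the host is whatever follows the last '@'. The fraction-slash characters (U+2044) are copied from the post; the function names are my own.

```python
"""Which host does a deceptive link really contact? Constructed example for this
thread, a simplified model of the WHATWG URL parser's authority handling (not a
full parser). Two details make the posted link misleading: U+2044 FRACTION SLASH
is not a path delimiter, so the authority runs to the end of the string, and the
text before the last '@' is userinfo, not the host."""
import unicodedata

# For special schemes (http, https, ftp) the authority ends at any of these
AUTHORITY_END = set("/\\?#")


def real_host(url):
    """Return the lower-cased host a browser would connect to."""
    scheme, sep, rest = url.partition(":")
    if not sep or not scheme.isascii():
        raise ValueError("no scheme in URL")
    rest = rest.lstrip("/\\")             # browsers tolerate missing or extra slashes
    end = next((i for i, c in enumerate(rest) if c in AUTHORITY_END), len(rest))
    authority = rest[:end]
    host = authority.rsplit("@", 1)[-1]   # userinfo is everything before the LAST '@'
    if not host.startswith("["):          # keep IPv6 literals intact, strip :port otherwise
        host = host.split(":", 1)[0]
    return host.lower()


def deceptive_reasons(url):
    """Why a human reading this link might misjudge its destination."""
    reasons = []
    if "@" in url:
        reasons.append("userinfo '@' hides the real host")
    for c in sorted({c for c in url if not c.isascii()}):
        reasons.append("non-ASCII " + unicodedata.name(c, "U+%04X" % ord(c)))
    return reasons


# The link from the post; its slashes are U+2044, not U+002F
LINK = "https:⁄⁄facebook.com⁄somerandom⁄path⁄@attachment.zip"

if __name__ == "__main__":
    print(real_host(LINK), deceptive_reasons(LINK))
```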
 
I think I may see my issue...

I have DNS servers configured in my LAN DHCP tab, as my ISP DNS servers seem to be trash, frequently taking a long time to find domains.

nslookup was reporting 1.1.1.1 as the DNS server. Removing the DNS servers from the DHCP config fixed it.

After removing DNS server 1 & 2 I get

Code:
Server: RT-AC86U-B9F0
Address: 192.168.2.1

Name: cardgames.io
Address: 0.0.0.0

Thanks for the help.
 
Great thread. Also had heard about Google adding several TLDs including .zip and .mov. Tried the methods shown above. After confirming I had access to cardgames.io

added [address=/zip/mov/io/#]
to [nano] /jffs/configs/dnsmasq.conf.add, rebooted and tried cardgames.io again... no connection!

edited the dnsmasq.conf.add to [address=/zip/mov/#], rebooted and tried cardgames.io again... connected!

These older threads still provide good stuff if you know how to search for it.

Only thing is I didn't confirm if the changes stuck from one reboot to another. Thanks!


 
Will persist on reboot; that's what JFFS is, a form of NVRAM, so it doesn't lose its data on reboot.

Files in JFFS MAY even persist on a firmware update, but it's best to back up the JFFS before doing an update. Factory reset will clear JFFS.

Indeed older forum posts are very useful even years later. Google made a stupid move creating zip domains.
 

Yeah, Steve Gibson on his Security Now podcast agrees with you.

my list now shows: address=/zip/mov/foo/nexus/dad/phd/prof/esq/boo/rsvp/page/new/app/day/dev/club/icu/store/top/xyz/#

INSERT:
@ColinTaylor added that omitting the "#" would result in lookups returning an NXDOMAIN rather than "0.0.0.0" or "::" (which I imagine would be a better/tidier outcome from a coders perspective... so done).

my list now shows: address=/zip/mov/foo/nexus/dad/phd/prof/esq/boo/rsvp/page/new/app/day/dev/club/icu/store/top/xyz/

I'm gonna keep adding TLDs until I'm COMPLETELY protected! Nothing gets in, nothing gets out! 🤪

...Then I go to the library and start reading books, newspapers, magazines again. Hope my library card still works (since my internet is now kaput). ;)
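To make the three target forms discussed in this thread concrete (a bare IPv4 address, "#", and a trailing slash with nothing after it), and the fact that "/io/" catches cardgames.io and every subdomain of it, here is an added Python model of how dnsmasq matches address= rules. It is example code written for this page, not dnsmasq's own, and it follows the thread's statement that an IPv4-only target answers only A queries.

```python
"""Model of dnsmasq 'address=' matching for TLD sinkholing (constructed example, not
dnsmasq code). A domain matches itself and every subdomain, the most specific match wins,
'#' means 0.0.0.0 for A and :: for AAAA, an empty target means NXDOMAIN, and a bare IPv4
target answers A only (as the thread states; exact AAAA handling varies by dnsmasq version)."""
import ipaddress


def parse_address_rules(conf_text):
    """Return (domains, target) pairs from 'address=/d1/d2/target' lines."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("address=/"):
            continue                      # comments and other directives
        parts = line[len("address="):].split("/")
        # parts[0] is '' (leading slash); the last element is the target
        rules.append(([d.lower() for d in parts[1:-1] if d], parts[-1]))
    return rules


def _matches(qname, domain):
    # label-boundary suffix match: 'zip.example.com' must NOT match '/zip/'
    return qname == domain or qname.endswith("." + domain)


def resolve(conf_text, qname, qtype="A"):
    """Answer for qname/qtype: an address string, 'NXDOMAIN', or None when no
    rule applies and dnsmasq would forward the query upstream."""
    qname = qname.lower().rstrip(".")
    best = None                           # (label count, target)
    for domains, target in parse_address_rules(conf_text):
        for d in domains:
            labels = d.count(".") + 1
            if _matches(qname, d) and (best is None or labels > best[0]):
                best = (labels, target)   # most specific domain wins
    if best is None:
        return None
    target = best[1]
    if target == "":
        return "NXDOMAIN"
    if target == "#":
        return "0.0.0.0" if qtype == "A" else "::"
    addr = ipaddress.ip_address(target)
    if (qtype == "A") == (addr.version == 4):
        return str(addr)
    return None                           # other address family is not covered by this rule


if __name__ == "__main__":
    conf = "address=/zip/mov/io/#\n"      # the line the thread tested with
    for name in ("cardgames.io", "attachment.zip", "zip.example.com"):
        print(name, resolve(conf, name, "A"), resolve(conf, name, "AAAA"))
```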
 
Asus Merlin 388.1, GT-AX11000 - Block in dnsmasq works.

Small observation though: "Prevent client auto DoH" is set to Auto. The tool tip states that it will block DoH if DNS Director is enabled. In my case it is enabled. My Firefox browser was set to DoH and after blocking in DNSMasq I was still able to connect using Firefox, but Chrome blocked it. I turned off DoH in Firefox and blocking kicked in immediately.
 