I see. Thanks mate.
The router has a very limited amount of space to store its configuration. Therefore lists like this have to be restricted to a certain size to prevent problems.
Wasn't from me, must be Asus if it really does that.
URL filter actually works for https. But it will not work when VPN is used in the client, which makes sense because the packets are not encrypted by the router.
Given the URL filter only works w/ http (i.e., unencrypted packets), and VERY little traffic these days is unencrypted, the URL filter isn't all that useful anymore anyway. Way back in the early part of the 2000's, the story was different. I'm surprised it's still maintained in the GUI.
Interestingly, Merlin extended the life of URL filtering a bit by adding logic to search DNS queries (udp port 53) for the same string, then dropping the request on a match.
Code:
admin@lab-merlin1:/tmp/home/root# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
…
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|0378797a03636f6d|" ALGO name bm TO 65535 ICASE
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 WEBSTR match url xyz.com reject-with tcp-reset
…
The rule for tcp is the normal URL filtering rule. The one for udp was added for DNS queries. Technically, the latter is NOT URL filtering. But as I said, he gave the feature some added life w/ that change. But if that's what you need, then you can simply block those same domain names directly in DNSMasq and NOT be limited to 64 entries.
Code:
address=/xyz.com/0.0.0.0
There are users blocking tens of thousands of domain names this way, typically through configuration of ad blockers.
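For reference, an added example (not from the thread or from the firmware) showing what the "|0378797a03636f6d|" pattern in the udp/53 rule above is: the DNS wire-format label encoding of xyz.com (length byte, label, length byte, label). It builds that pattern from a domain name, checks it against a constructed DNS query the way a case-insensitive substring match would, and emits the equivalent dnsmasq address= lines. The sample query packet is constructed here; the helper names are my own.

```python
import struct


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels (no trailing zero byte),
    so it can be used as a substring pattern the way the iptables rule does."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)


def iptables_string_pattern(domain: str) -> str:
    """The |hex| form shown by `iptables -L` for the STRING match (lowercased, as ICASE is set)."""
    return "|" + dns_wire_name(domain.lower()).hex() + "|"


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal DNS A-record query (UDP payload only).
    Header: id, flags (RD), qdcount=1, ancount, nscount, arcount."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = dns_wire_name(qname) + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def string_rule_matches(payload: bytes, domain: str) -> bool:
    """Approximate the rule: case-insensitive substring search over the packet.
    Label length bytes are below 0x41, so lowercasing the payload leaves them intact."""
    return dns_wire_name(domain.lower()) in payload.lower()


def dnsmasq_block_lines(domains) -> list:
    """The dnsmasq equivalent from the post, one line per domain, with no entry limit."""
    return [f"address=/{d.strip('.').lower()}/0.0.0.0" for d in domains]


if __name__ == "__main__":
    print(iptables_string_pattern("xyz.com"))
    for name in ("xyz.com", "WWW.XYZ.COM", "abcxyz.com"):
        print(name, string_rule_matches(build_dns_query(name), "xyz.com"))
    print("\n".join(dnsmasq_block_lines(["xyz.com", "ads.example"])))
```

Because the match is a plain substring search on the label encoding, a query for any subdomain of xyz.com also matches, while a different domain that merely ends in the same characters (abcxyz.com) does not, since its first length byte differs.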