Which addon is best suited for manually blocking a handful of domains, and nothing else?

[domic]

Hello dear community, it's been a while. Hope you all are doing well and healthy.

In short, (I have no interest in blocking ads or malware in my router), I want to block these handful of domains:

crashd instructions

crashd instructions. GitHub Gist: instantly share code, notes, and snippets.

gist.github.com

I've tried to use Skynet in amtm but it doesn't block the domains in my tests, so I'm ready to try other addons now. (I also can't disable all the malware lists etc to free up RAM)

What addon should I use as a firewall instead?
The goal is to use a lightweight firewall that doesn't consume system resources and just does what it needs to.

 

[ColinTaylor]

The goal is to use a lightweight firewall that doesn't consume system resources and just does what it needs to.

The problem with those domains is that they resolve to IP addresses that may change over time. Although not an addon you could probably use a custom script and a combination of ipset and dnsmasq to block those domains. I believe that's what the old x3mRouting script did.

So you could do something like this:

ipset create myset-ip hash:ip
iptables -I FORWARD -m set --match-set myset-ip dst -j DROP

Then in dnsmasq.conf.add have this line:

ipset=/snu.lge.com/su.lge.com/su-ssl.lge.com/snu-ssl.lge.com/snu-dev.lge.com/su-dev.lge.com/nsu.lge.com/myset-ip

 

[dave14305]

I wouldn’t use any addons. Just create a custom configuration file for dnsmasq (/jffs/configs/dnsmasq.conf.add).

local=/snu.lge.com/
local=/su.lge.com/
local=/su-ssl.lge.com/
local=/snu-ssl.lge.com/
local=/snu-dev.lge.com/
local=/su-dev.lge.com/
local=/nsu.lge.com/

 

[SomeWhereOverTheRainBow]

@ColinTaylor and @dave14305 , what is the primary difference in blocking here. @dave14305 Your method seems to rely on not resolving the domain, however the IP address could still be accessed over existing CNAME's or other domains that use the same IP address, correct? whereas, @ColinTaylor method actually resolves the domain with IPset down to the IP and further blocks it by IP tables which would prevent any other domains that use the same IP, no?

 

[ColinTaylor]

@ColinTaylor and @dave14305 , what is the primary difference in blocking here. @dave14305 Your method seems to rely on not resolving the domain, however the IP address could still be accessed over existing CNAME's or other domains that use the same IP address, correct? whereas, @ColinTaylor method actually resolves the domain with IPset down to the IP and further blocks it by IP tables which would prevent any other domains that use the same IP, no?

That's pretty much it. As the requirement was only to block those specific domains rather than the IP addresses or any aliases I think Dave's solution is better. Both require that the client is using the router for DNS rather than a hard-coded external DNS. Given that requirement my ipset solution would seem unnecessarily complicated.

 

[SomeWhereOverTheRainBow]

That's pretty much it. As the requirement was only to block those specific domains rather than the IP addresses or any aliases I think Dave's solution is better. Both require that the client is using the router for DNS rather than a hard-coded external DNS. Given that requirement my ipset solution would seem unnecessarily complicated.

I like both of your solutions. The fact that you both shared a method here gives future users more tools to try to achieve their end goals.

 

[drinkingbird]

Hello dear community, it's been a while. Hope you all are doing well and healthy.

In short, (I have no interest in blocking ads or malware in my router), I want to block these handful of domains:

crashd instructions

crashd instructions. GitHub Gist: instantly share code, notes, and snippets.

gist.github.com

I've tried to use Skynet in amtm but it doesn't block the domains in my tests, so I'm ready to try other addons now. (I also can't disable all the malware lists etc to free up RAM)

What addon should I use as a firewall instead?
The goal is to use a lightweight firewall that doesn't consume system resources and just does what it needs to.

Just use URL filter under stock (merlin or Asus) firewall and add "lge.com". This will block DNS lookups as well as any other attempts to connect to those domains.

Just tested it by blocking "playboy.com" in mine -
Nslookup to either the router or an internet DNS (even without dns director enabled) to playboy.com, www.playboy.com, etc all fail
Attempting to connect via browser fails (obviously since DNS fails).

Of course if someone/something attempts to connect directly to an IP address associated with one of those domains it will work, but that is the case with any dns/url/host filtering. You'd need a firewall that is constantly looking up the IPs for those domains or reverse looking up every IP that you attempt to connect to in order to block that. Even if you find one for the asus it is likely to be a very heavy load on the router, and still wouldn't catch everything as the domain can have many IPs that change randomly at any time. Or a blacklist that includes IPs associated with those domains that is updated regularly.

These are the firewall rules (added to iptables FORWARD chain) that are added by URL filter, the DNS is hashed, the URL is plain text. As you can see in my case the DNS lookpus were dropped thus it never hit the URL rule.

8 536 DROP udp -- br0 any anywhere anywhere udp dpt:domain STRING match "|07706c6179626f7903636f6d|" ALGO name bm TO 65535 ICASE
0 0 REJECT tcp -- any any anywhere anywhere WEBSTR match url playboy.com reject-with tcp-reset

 

[domic]

I wouldn’t use any addons. Just create a custom configuration file for dnsmasq (/jffs/configs/dnsmasq.conf.add).

local=/snu.lge.com/
local=/su.lge.com/
local=/su-ssl.lge.com/
local=/snu-ssl.lge.com/
local=/snu-dev.lge.com/
local=/su-dev.lge.com/
local=/nsu.lge.com/

I used this solution and it's working like a charm. ❤

 

[drinkingbird]

I used this solution and it's working like a charm. ❤

I think URL filter would be easier but whichever you prefer. With the solution you're using, make sure you are using DNS filter to force all DNS queries to hit the router. With URL filter even if they attempt to use an external DNS it will block it.