Menu
What's new
By:
Filters Better Search

Which addon is best suited for manually blocking a handful of domains, and nothing else?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

D

domic

Regular Contributor
Hello dear community, it's been a while. Hope you all are doing well and healthy.

In short, (I have no interest in blocking ads or malware in my router), I want to block these handful of domains:

gist.github.com

crashd instructions

crashd instructions. GitHub Gist: instantly share code, notes, and snippets.
gist.github.com gist.github.com

I've tried to use Skynet in amtm but it doesn't block the domains in my tests, so I'm ready to try other addons now. (I also can't disable all the malware lists etc to free up RAM)

What addon should I use as a firewall instead?
The goal is to use a lightweight firewall that doesn't consume system resources and just does what it needs to.
 
domic said:
The goal is to use a lightweight firewall that doesn't consume system resources and just does what it needs to.
Click to expand...
The problem with those domains is that they resolve to IP addresses that may change over time. Although not an addon you could probably use a custom script and a combination of ipset and dnsmasq to block those domains. I believe that's what the old x3mRouting script did.

So you could do something like this:
Code: 
ipset create myset-ip hash:ip
iptables -I FORWARD -m set --match-set myset-ip dst -j DROP

Then in dnsmasq.conf.add have this line:
Code: 
ipset=/snu.lge.com/su.lge.com/su-ssl.lge.com/snu-ssl.lge.com/snu-dev.lge.com/su-dev.lge.com/nsu.lge.com/myset-ip
 
I wouldn’t use any addons. Just create a custom configuration file for dnsmasq (/jffs/configs/dnsmasq.conf.add).
Code: 
local=/snu.lge.com/
local=/su.lge.com/
local=/su-ssl.lge.com/
local=/snu-ssl.lge.com/
local=/snu-dev.lge.com/
local=/su-dev.lge.com/
local=/nsu.lge.com/
 
@ColinTaylor and @dave14305 , what is the primary difference in blocking here. @dave14305 Your method seems to rely on not resolving the domain, however the IP address could still be accessed over existing CNAME's or other domains that use the same IP address, correct? whereas, @ColinTaylor method actually resolves the domain with IPset down to the IP and further blocks it by IP tables which would prevent any other domains that use the same IP, no?
 
SomeWhereOverTheRainBow said:
@ColinTaylor and @dave14305 , what is the primary difference in blocking here. @dave14305 Your method seems to rely on not resolving the domain, however the IP address could still be accessed over existing CNAME's or other domains that use the same IP address, correct? whereas, @ColinTaylor method actually resolves the domain with IPset down to the IP and further blocks it by IP tables which would prevent any other domains that use the same IP, no?
Click to expand...
That's pretty much it. As the requirement was only to block those specific domains rather than the IP addresses or any aliases I think Dave's solution is better. Both require that the client is using the router for DNS rather than a hard-coded external DNS. Given that requirement my ipset solution would seem unnecessarily complicated.
 
ColinTaylor said:
That's pretty much it. As the requirement was only to block those specific domains rather than the IP addresses or any aliases I think Dave's solution is better. Both require that the client is using the router for DNS rather than a hard-coded external DNS. Given that requirement my ipset solution would seem unnecessarily complicated.
Click to expand...

I like both of your solutions. The fact that you both shared a method here gives future users more tools to try to achieve their end goals.
 
domic said:
Hello dear community, it's been a while. Hope you all are doing well and healthy.

In short, (I have no interest in blocking ads or malware in my router), I want to block these handful of domains:

gist.github.com

crashd instructions

crashd instructions. GitHub Gist: instantly share code, notes, and snippets.
gist.github.com gist.github.com

I've tried to use Skynet in amtm but it doesn't block the domains in my tests, so I'm ready to try other addons now. (I also can't disable all the malware lists etc to free up RAM)

What addon should I use as a firewall instead?
The goal is to use a lightweight firewall that doesn't consume system resources and just does what it needs to.
Click to expand...

Just use URL filter under stock (merlin or Asus) firewall and add "lge.com". This will block DNS lookups as well as any other attempts to connect to those domains.

Just tested it by blocking "playboy.com" in mine -
Nslookup to either the router or an internet DNS (even without dns director enabled) to playboy.com, www.playboy.com, etc all fail
Attempting to connect via browser fails (obviously since DNS fails).

Of course if someone/something attempts to connect directly to an IP address associated with one of those domains it will work, but that is the case with any dns/url/host filtering. You'd need a firewall that is constantly looking up the IPs for those domains or reverse looking up every IP that you attempt to connect to in order to block that. Even if you find one for the asus it is likely to be a very heavy load on the router, and still wouldn't catch everything as the domain can have many IPs that change randomly at any time. Or a blacklist that includes IPs associated with those domains that is updated regularly.

These are the firewall rules (added to iptables FORWARD chain) that are added by URL filter, the DNS is hashed, the URL is plain text. As you can see in my case the DNS lookpus were dropped thus it never hit the URL rule.

8 536 DROP udp -- br0 any anywhere anywhere udp dpt:domain STRING match "|07706c6179626f7903636f6d|" ALGO name bm TO 65535 ICASE
0 0 REJECT tcp -- any any anywhere anywhere WEBSTR match url playboy.com reject-with tcp-reset
 
Last edited:
dave14305 said:
I wouldn’t use any addons. Just create a custom configuration file for dnsmasq (/jffs/configs/dnsmasq.conf.add).
Code: 
local=/snu.lge.com/
local=/su.lge.com/
local=/su-ssl.lge.com/
local=/snu-ssl.lge.com/
local=/snu-dev.lge.com/
local=/su-dev.lge.com/
local=/nsu.lge.com/
Click to expand...
I used this solution and it's working like a charm. ❤
 
domic said:
I used this solution and it's working like a charm. ❤
Click to expand...

I think URL filter would be easier but whichever you prefer. With the solution you're using, make sure you are using DNS filter to force all DNS queries to hit the router. With URL filter even if they attempt to use an external DNS it will block it.
 
You must log in or register to reply here.
Similar threads
Thread starter Title Forum Replies Date
A Addon tabs not propagating correctly in WebUI of GT-BE98_Pro on F/W v3006.102.1 Asuswrt-Merlin AddOns 2
J Tailscale as an Addon: Polite request for a Coder to implement Asuswrt-Merlin AddOns 14
JGrana New Addon - ChatAI - have a chat session with Googles Gemini AI Bot Asuswrt-Merlin AddOns 2
aru Skynet Practice displaying a world map on a webpage using an addon-api. Asuswrt-Merlin AddOns 33
B Put all addon tabs in addons menu Asuswrt-Merlin AddOns 7
M CAKEQOS/FLEXQOS Advise/Guidance/Best Practice Asuswrt-Merlin AddOns 34
D Skynet Best way to configure SkyNet on RX-AT82U Asuswrt-Merlin AddOns 7
keef Diversion Diversion install is getting the best of me Asuswrt-Merlin AddOns 10
V Best Practice When Importing CSV To YazDHCP? Asuswrt-Merlin AddOns 7
jetpack42 Best practices when using add-ons? Asuswrt-Merlin AddOns 21

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 542 (members: 22, guests: 520)
Top