These seem fine, but I had questions:
Do they need to be the first rule?
Is the -m tcp needed with the protocol already specified as TCP?
Wildlion wrote:
INPUT -- is for connections TO the router
FORWARD -- is for connections THROUGH the router
OUTPUT -- is for connections FROM the router
What I need to do is narrow the scope of DNS from commercial-size overdo, down to what is appropriate for home use--DNS without TCP, is the correct scope for home use. So, which command(s) should be used for that?
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Mon Mar 16, 2020 0:33 Post subject:
danielwritesback wrote:
What I need to do is narrow the scope of DNS from commercial-size overdo, down to what is appropriate for home use--DNS without TCP, is the correct scope for home use. So, which command(s) should be used for that?
for normal DNS operation both ports must be used, although port 53 UDP is not widely supported...if you want to increase DNS security use either Stubby or DNSCrypt, if your router supports it...
Stubby works on everything that has USB; check my signature...you don't have to add those iptables rules to increase DNS security.....
for normal DNSmasq use, add those lines to advanced Dnsmasq rules
no-resolv
server=xxx.xxx.xxx.xxx
replace xxx with your preferred DNS server
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Mar 16, 2020 16:14 Post subject:
Per Yngve Berg wrote:
iptables -I OUTPUT -p tcp -port 53 -j REJECT
Blocks a DNS server running on the router.
There was a minor typo there... I'm sure Per meant this:
iptables -I OUTPUT -p tcp --dport 53 -j REJECT
But I agree with Alozaros that if this is about security, DNSCrypt is simpler and more secure, particularly if you are on a build that offers Encrypt DNS as an option on the GUI>Services>Services page. If that option is absent or if you want to use a DNSCrypt DNS provider not in the menu, see my post at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318094&start=6.
Do note that many DNSCrypt providers have moved on to a newer DNSCrypt protocol that the dd-wrt built-in dnscrypt-proxy code does not support. But I'm using the built-in version successfully with Quad9 DNS and Adguard DNS still, just as detailed in that post.
Using entware to install an upgraded dnscrypt-proxy to handle the new protocol is also an option. See thread https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320764. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Mon Mar 16, 2020 17:47 Post subject:
tinkeruntilitworks wrote:
if your router has unbound you can turn tcp off
DD-WRT's built-in Unbound is not as versatile as the full Unbound installation via Entware....it does just recursive resolving and that's all...
Among all the 3 options for encrypting DNS mentioned above,
Unbound is more picky and hard to set up for beginners...
while Stubby for DoT is the easiest and works even out of the box...
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Mon Mar 16, 2020 20:50 Post subject:
Alozaros wrote:
...while Stubby for DoT is the easiest and works even out of the box
danielwritesback wrote:
Does that have a fallback to ordinary DNS, just in case?
it does have a fallback DNS, in fact you can add as many as you want, but you have to be careful and keep the initial format/syntax correct....
nope, it's not an ordinary DNS, it's a stub recursive resolver..
much better and more secure than ordinary DNS...and this is its purpose, to encrypt DNS with TLS encryption...
Yes, DROP would be correct if you wanted full stealth, or you could put it as a later rule. I just did the first rule to ensure that it worked for you. The -m tcp is probably not needed; I think I was just typing, and it does not hurt.
For the scope, that is up to you; most systems never use TCP DNS, but either shut it down on the router or block the ports.
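An added example, not code from this thread or from DD-WRT, that puts the three chains Wildlion described, the "-I" ordering question and the "-m tcp" question together in one script. It assumes a standard iptables filter table with the REJECT target available; the rule-check with "-C" and the "apply" argument are my own conventions.

```shell
#!/bin/sh
# Added example: block DNS over TCP (port 53) on an iptables router.
# Assumes stock iptables with the REJECT target; chains are the standard
# filter-table chains: INPUT (to the router), FORWARD (through it),
# OUTPUT (from it).

# Print one rule. "-p tcp" already loads the tcp match module, so "-m tcp"
# is implicit and left out. "-I" inserts at position 1, so the rule is hit
# before any ACCEPT placed earlier; "-A" would append it after them.
dns_tcp_rule() {
    chain=$1   # INPUT | FORWARD | OUTPUT
    target=$2  # REJECT answers the client at once; DROP silently times out
    printf 'iptables -I %s -p tcp --dport 53 -j %s\n' "$chain" "$target"
}

# Full home-router set: TCP/53 blocked in all three directions.
# Caveat on OUTPUT: a truncated UDP answer (TC bit, e.g. large DNSSEC
# replies) makes the resolver retry over TCP, and this rule breaks that
# retry for dnsmasq's own upstream lookups.
dns_tcp_ruleset() {
    target=${1:-REJECT}
    for chain in INPUT FORWARD OUTPUT; do
        dns_tcp_rule "$chain" "$target"
    done
}

# Apply idempotently: "iptables -C" tests whether an identical rule already
# exists, so re-running the firewall script does not stack duplicates.
apply_dns_tcp_rules() {
    dns_tcp_ruleset "$1" | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -I / -C /')
        $check 2>/dev/null || $cmd
    done
}

# List the matching rules with their positions so ordering can be verified.
show_dns_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        iptables -L "$chain" -n --line-numbers | grep 'dpt:53'
    done
}

# Only touch the live firewall when asked to and running as root;
# otherwise just print the rules that would be applied.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_dns_tcp_rules REJECT
    show_dns_rules
else
    dns_tcp_ruleset REJECT
fi
```

Run it without arguments to review the rules, or as root with "apply" to install them and print their positions in each chain.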
...I just did the first rule to ensure that it worked for you. The -m tcp is probably not needed I think i was just typing and it does not hurt.
For the scope, that is up to you, most systems never use tcp dns, but either shut it down on the router or block the ports.
Awesome. I am grateful for your help. That is effective.
It blocks command&control and binary-schlepping, which never were in scope for DNS in a house.