DNSMasq - Block sites - HowTo

DD-WRT Forum Index -> Atheros WiSOC based Hardware
ronaldo_rc9
DD-WRT Novice


Joined: 21 Aug 2018
Posts: 8

PostPosted: Tue Oct 16, 2018 21:01    Post subject: DNSMasq - Block sites - HowTo
Hi all,

I need to configure the access of a station (Windows PC) to meet the following rules:

1. completely free only three sites for external access;
2. block external access to all sites;
3. block all HTTPS sites;

To do general blocking of the main HTTPS sites, I use DNSMasq, which points the domains to the IP 127.0.0.1, e.g.:
address=/facebook.com/127.0.0.1
address=/instagram.com/127.0.0.1

Using DNSMasq is there any way to block all sites and only release the three that I need?

If it is not possible, how can I combine the DNSMasq rules with iptables rules to make these blocks?

Many thanks for any help
jxm
DD-WRT User


Joined: 23 Jul 2017
Posts: 370
Location: Brisbane, Australia

PostPosted: Tue Oct 16, 2018 21:43    Post subject:
Using DNSMasq to return a false IP address for a DNS lookup does not block a site. You can still access it using its IP address or by using a hosts file.

To block sites you need to use iptables firewall rules. You need one accept rule for each of the three addresses that you want to permit access, then a rule to reject traffic to all other addresses.

Here is a link to the iptables wiki
https://wiki.dd-wrt.com/wiki/index.php/Iptables

Cheers.
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 6455
Location: YWG, Canada

PostPosted: Tue Oct 16, 2018 21:46    Post subject:
This is DNS blocking, not total site blocking, but it works for novice users and is good for ad/tracking blocking. If you're going to use this, make sure to force the DNS setting on the main setup page.

Don't use 127.0.0.1; use 0.0.0.0 (and :: for IPv6), but best is just / so "address=/google.com/" for NXDOMAIN, and one entry covers both IPv4 and IPv6, = less than half the total file size.

Using it in the dnsmasq config uses NVRAM space, it won't last long, so stick it in a .txt file, name it something simple with no spaces like adblock.txt, put it in /jffs or on a USB (if USB works properly in DD-WRT yet). Once loaded it sits in RAM.

address=/com/ should block all .com sites
server=/google.com/# would override that only for x.google.com while the remaining .com are all blocked

_________________
LATEST FIRMWARE(S) || Qualcomm Atheros Wi-Fi Settings Guide || Qualcomm Atheros Repeating

[QUALCOMM] R7800 ---------------> DD-WRT v3.0-r37420M kongat
[QUALCOMM] WNDR4300 v1 ------> DD-WRT v3.0-r37442 std
[QUALCOMM] DIR-862L ------------> DD-WRT v3.0-r37442 std
[QUALCOMM] DIR-862L ------------> DD-WRT v3.0-r37442 std
▲ ACTIVE / INACTIVE ▼
[BROADCOM] DIR-860L A1 --------> DD-WRT v3.0-r36808 std

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

If you use DSLReports please enable hi-res bufferbloat.


Sigh.. why do i exist anyway..
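The two config lines at the end of the post above rely on one dnsmasq rule: when several domain entries match a query, the most specific (longest) domain wins, which is why server=/google.com/# can punch a hole through address=/com/. The following is an added example, not code from this thread or from dnsmasq; it parses a constructed config in the thread's syntax and replays that matching rule, and allow_only() generalizes it to the opener's goal of blocking everything except a few domains (the catch-all "address=/#/" form and the empty-target NXDOMAIN behaviour are assumptions to verify on your dnsmasq build). The usual caveat from the reply above still applies: this only affects name resolution, not traffic to an IP address.

```python
"""Simulate how dnsmasq picks between address=/.../ and server=/.../# lines.

Added example, not code from the thread or from dnsmasq itself. It models the
one rule that matters for the discussion above: when several domain entries
match a query name, the most specific (longest) domain wins, so
"server=/google.com/#" can punch a hole through "address=/com/".
"""

# Constructed sample config, modelled on the entries quoted in the thread.
SAMPLE_CONFIG = """
# comment lines start with '#'
address=/facebook.com/127.0.0.1
address=/instagram.com/
address=/com/
server=/google.com/#
"""


def parse_dnsmasq_lines(text):
    """Return (domain, kind, target) tuples for every address= and server= line.

    kind is "address" or "server"; target is the part after the last slash:
    an IP, "" (NXDOMAIN for address=), or "#" (normal upstream for server=).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key not in ("address", "server") or not value.startswith("/"):
            continue  # a plain "server=9.9.9.9" upstream line is not a domain rule
        parts = value.split("/")  # "/a.com/b.com/1.2.3.4" -> ["", "a.com", "b.com", "1.2.3.4"]
        domains, target = parts[1:-1], parts[-1]
        for domain in domains:
            rules.append((domain.lower().rstrip("."), key, target))
    return rules


def _matches(domain, name):
    """A domain entry covers the name itself and every name below it; "#" covers everything."""
    return domain == "#" or name == domain or name.endswith("." + domain)


def resolve(rules, name):
    """Decide what dnsmasq would do with a query for `name`.

    Returns ("NXDOMAIN", None), ("ANSWER", ip) or ("FORWARD", upstream), where
    upstream None means the ordinary upstream servers.
    """
    name = name.lower().rstrip(".")
    best = None
    for domain, kind, target in rules:
        if _matches(domain, name) and (best is None or len(domain) > len(best[0])):
            best = (domain, kind, target)  # longest matching domain wins
    if best is None:
        return ("FORWARD", None)
    domain, kind, target = best
    if kind == "address":
        return ("NXDOMAIN", None) if target == "" else ("ANSWER", target)
    return ("FORWARD", None if target == "#" else target)


def allow_only(allowed_domains):
    """Config text that answers NXDOMAIN for everything except the listed domains.

    Assumption (verify on your dnsmasq build): "address=/#/" is the catch-all form
    of the address= option and the empty target means NXDOMAIN, as in the thread.
    """
    lines = ["address=/#/"]
    lines += [f"server=/{d}/#" for d in allowed_domains]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_dnsmasq_lines(SAMPLE_CONFIG)
    for q in ("www.facebook.com", "instagram.com", "example.com", "mail.google.com", "example.org"):
        print(q, "->", resolve(rules, q))
    strict = parse_dnsmasq_lines(allow_only(["example.com", "example.org", "example.net"]))
    print("evil.net ->", resolve(strict, "evil.net"))
    print("www.example.org ->", resolve(strict, "www.example.org"))
```

Running it shows www.facebook.com answered with 127.0.0.1, instagram.com and example.com answered NXDOMAIN, mail.google.com forwarded upstream despite the .com block, and, with the allow_only() config, evil.net answered NXDOMAIN while www.example.org is forwarded. The same parse-and-resolve check is a cheap way to review an adblock.txt before loading it, since a mistyped entry such as address=/com/ with a missing slash silently changes what gets blocked.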
ronaldo_rc9
DD-WRT Novice


Joined: 21 Aug 2018
Posts: 8

PostPosted: Tue Oct 16, 2018 22:50    Post subject:
jxm wrote:
Using DNSMasq to return a false IP address for a DNS lookup does not block a site. You can still access it using its IP address or by using a hosts file.

To block sites you need to use iptables firewall rules. You need one accept rule for each of the three addresses that you want to permit access, then a rule to reject traffic to all other addresses.

Here is a link to the iptables wiki
https://wiki.dd-wrt.com/wiki/index.php/Iptables

Cheers.


Thanks, I made a group of iptables commands, but for sites that change their IP and use HTTPS, like Facebook, it is very difficult to write specific iptables rules.

Another point is that I need to make a selective block: each station needs different block rules.
ronaldo_rc9
DD-WRT Novice


Joined: 21 Aug 2018
Posts: 8

PostPosted: Tue Oct 16, 2018 23:03    Post subject:
tatsuya46 wrote:
This is DNS blocking, not total site blocking, but it works for novice users and is good for ad/tracking blocking. If you're going to use this, make sure to force the DNS setting on the main setup page.

Don't use 127.0.0.1; use 0.0.0.0 (and :: for IPv6), but best is just / so "address=/google.com/" for NXDOMAIN, and one entry covers both IPv4 and IPv6, = less than half the total file size.

Using it in the dnsmasq config uses NVRAM space, it won't last long, so stick it in a .txt file, name it something simple with no spaces like adblock.txt, put it in /jffs or on a USB (if USB works properly in DD-WRT yet). Once loaded it sits in RAM.

address=/com/ should block all .com sites
server=/google.com/# would override that only for x.google.com while the remaining .com are all blocked


tatsuya46,

I need to make a selective block: each station needs different block rules. Is it possible to apply these instructions to a specific station?
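The per-station part of the question is the piece iptables handles well: jxm's "one ACCEPT per permitted address, then a REJECT for everything else" can be applied only to one source IP, leaving the other stations untouched. The following is an added example, not code from this thread or from DD-WRT. It generates that rule set for a constructed policy (one restricted station, three permitted destinations, a chain name prefix of "station_" that is an assumption) and walks the rules first-match, the way netfilter does, so you can confirm the ACCEPT-before-REJECT ordering before pasting the commands into the router. Putting each station in its own user chain keeps that ordering independent of whatever DD-WRT already has in FORWARD.

```python
"""Per-station allowlist in the FORWARD chain, with a first-match simulator.

Added example, not code from the thread or from DD-WRT. It builds the iptables
commands that jxm's reply describes (an ACCEPT per permitted address, then a
REJECT for everything else) for one station at a time, and walks the resulting
rules the way netfilter does so the ordering can be checked before the script
is loaded on the router.
"""
from ipaddress import ip_address

# Constructed policy: the station's LAN address -> destinations it may reach.
# Stations not listed keep the router's default (unrestricted) behaviour.
POLICY = {
    "192.168.1.50": ["198.51.100.10", "198.51.100.11", "203.0.113.7"],
}


def build_rules(policy):
    """Return (rules, commands).

    rules: (chain, src, dst, target) tuples used by verdict(); None = any.
    commands: the iptables invocations for the same rules. Each station gets its
    own user chain so ACCEPT-before-REJECT ordering never depends on what is
    already in FORWARD (the chain name prefix "station_" is an assumption).
    """
    rules, commands = [], []
    for i, (station, allowed) in enumerate(policy.items(), 1):
        ip_address(station)  # fail early on a typo rather than loading a useless rule
        chain = f"station_{i}"
        commands.append(f"iptables -N {chain}")
        # -I puts the jump ahead of the existing lan->wan ACCEPT in FORWARD
        rules.append(("FORWARD", station, None, chain))
        commands.append(f"iptables -I FORWARD -s {station} -j {chain}")
        for dst in allowed:
            ip_address(dst)
            rules.append((chain, None, dst, "ACCEPT"))
            commands.append(f"iptables -A {chain} -d {dst} -j ACCEPT")
        # terminal REJECT: the restricted station can never fall through to the default policy
        rules.append((chain, None, None, "REJECT"))
        commands.append(f"iptables -A {chain} -j REJECT")
    return rules, commands


def verdict(rules, src, dst, chain="FORWARD"):
    """First matching rule decides, as in netfilter.

    Returns "ACCEPT", "REJECT" or "DEFAULT" (fell off the end of FORWARD, so
    the router's own policy applies).
    """
    for r_chain, r_src, r_dst, target in rules:
        if r_chain != chain:
            continue
        if r_src is not None and r_src != src:
            continue
        if r_dst is not None and r_dst != dst:
            continue
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
        sub = verdict(rules, src, dst, target)  # jump into a user chain
        if sub != "DEFAULT":
            return sub
    return "DEFAULT"


if __name__ == "__main__":
    rules, commands = build_rules(POLICY)
    print("\n".join(commands))
    checks = (("192.168.1.50", "198.51.100.10"),   # permitted destination
              ("192.168.1.50", "8.8.8.8"),         # anything else from the restricted station
              ("192.168.1.51", "8.8.8.8"))         # an unlisted station
    for src, dst in checks:
        print(src, "->", dst, verdict(rules, src, dst))
```

The printed commands go into the router's firewall script (Administration -> Commands -> Save Firewall in DD-WRT) so they are reapplied at boot; the REJECT only matches packets whose source is the restricted station, so replies flowing back to it are unaffected. The limitation ronaldo_rc9 ran into is visible in the policy itself: the allowlist is a list of fixed destination IPs, so a site served from a CDN with changing addresses needs its current address range looked up and the list regenerated, which is the gap the DNS-side approach in the earlier replies is meant to cover for the names it knows about.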
All times are GMT