??? Do I need to specify port for "--0.0.0.0" or leave it as "--0.0.0.0"
A bit off-topic, but did you know public blackhole DNS servers exist? They are quite useful if you have a router that sends telemetry from itself and doesn't allow you to use 0.0.0.0 or 127.0.0.1 for WAN DNS.
DDWRT has a lot of DNS redirection built-in, used for VAPs, Split DNS for VPN, to mitigate rogue DNS requests etc.
So I would be really careful with this.
What is the problem you are trying to solve?
Good points, but at least he's inserting the rules so they take precedence.
But to your point, iptables *used* to allow DROPing in the nat table, but then removed that capability. And that's effectively what's happening here. So at least from iptables perspective, this is NOT considered appropriate. All filtering should take place in the filter table (duh).
This isn't a DD-WRT-specific question, but a general one. I keep thinking that it makes more sense to blackhole a packet or drop it as early in the process as possible (in PREROUTING) than to wait until it gets processed by filtering. If PREROUTING for filtered aspects is altered by redirecting traffic, then filter is not going to pick up anything.
DNS was never meant to be blackholed to 0.0.0.0 anyway. REJECT response is the correct way to block domains, but 0.0.0.0 works better. It is kind of a hack, I think, similar to how DNS-over-HTTPS is kind of a hack.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jul 07, 2022 20:06
This latest post reminds me of a question, is it better to blacklist or whitelist something?
Whitelists are simpler: you start with a known expected scenario, and whatever else outside this narrow spectrum is blacklisted by default, which is easier to maintain, while the opposite requires constant discovery and maintenance.
That's not to say for specific applications blacklists aren't better suited.
But this may not necessarily apply to all scenarios as supported by current design and implementations.
Sorry for the noise, my brain farts are always just that, gas. Sadly I can't take that gas to the bank.
Yes, in a perfect (DD-WRT) scenario, it is more secure to block everything and allow only what is necessary than to allow everything and block the unnecessary, but when dealing with router APIs that load their OS before executing custom scripts with personal rules, you have to improvise...
I already found some scenarios where blackholing in NAT portion is not a good idea. For example, when using DHCP for WAN, dropping 255.255.255.255/32 broadcast packets in Mangle section has no ill effect and neither does dropping same packets in INPUT filtering section, but applying "DNAT --to-destination 0.0.0.0" blackhole rule for WAN 255.255.255.255/32 packets in NAT PREROUTING portion results in non-stop connects and disconnects from WAN.
The router I use (non-DD-WRT) doesn't have the RAW module and RAW isn't part of the available modules. It does have a Mangle section, which precedes NAT and allows you to simply drop packets (like in the filtering portions). The Mangle section is supposed to be for "specialized" packets, but what does that mean? QoS packets? Traffic shaping?
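An added example, not from any poster in this thread, that puts the two points above into a concrete ruleset: unwanted WAN sources are dropped early in mangle PREROUTING (the table this router has, since it lacks raw) and again in filter INPUT, and nothing is DNAT-ed to 0.0.0.0 in the nat table. The limited-broadcast DHCP replies (255.255.255.255, UDP port 68) that the previous post found cycling the WAN when blackholed via DNAT are explicitly accepted first. The WAN interface name, the blocked prefixes (TEST-NET ranges) and the `--apply` switch are assumptions; the script prints an iptables-restore file by default and only loads it when run with `--apply`.

```shell
#!/bin/sh
# Added example (not the router's or DD-WRT's own script): emit an
# iptables-restore ruleset that drops unwanted WAN traffic in mangle
# PREROUTING and filter INPUT instead of DNAT-ing it to 0.0.0.0 in nat.

WAN_IF="${WAN_IF:-eth0}"                          # assumed WAN interface name
BLOCK_PREFIXES="198.51.100.0/24 203.0.113.0/24"   # constructed sample prefixes

# build_ruleset WAN_IF "PREFIX PREFIX ..." -> iptables-restore text on stdout
build_ruleset() {
  wan="$1"
  prefixes="$2"

  printf '%s\n' '*mangle'
  # Keep DHCP replies addressed to the limited broadcast reachable: the thread
  # reports that blackholing 255.255.255.255 via DNAT in nat PREROUTING caused
  # constant WAN connect/disconnect cycles on a DHCP-configured WAN.
  printf '%s -i %s -d 255.255.255.255/32 -p udp --dport 68 -j ACCEPT\n' \
    '-I PREROUTING' "$wan"
  # Drop the unwanted sources as early as this router allows (no raw table).
  for p in $prefixes; do
    printf '%s -i %s -s %s -j DROP\n' '-A PREROUTING' "$wan" "$p"
  done
  printf '%s\n' 'COMMIT'

  printf '%s\n' '*filter'
  # Second line of defence in the table iptables intends for filtering.
  for p in $prefixes; do
    printf '%s -i %s -s %s -j DROP\n' '-A INPUT' "$wan" "$p"
  done
  printf '%s\n' 'COMMIT'
}

# Helper for checking the generated ruleset: number of DROP rules emitted.
count_drop_rules() {
  build_ruleset "$1" "$2" | grep -c -e '-j DROP'
}

# True (exit 0) when the ruleset touches no nat table at all.
uses_no_nat_table() {
  if build_ruleset "$1" "$2" | grep -q -e '^\*nat'; then
    return 1
  fi
  return 0
}

if [ "${1:-}" = "--apply" ]; then
  # --noflush keeps the rules the firmware already installed (assumed flag use).
  build_ruleset "$WAN_IF" "$BLOCK_PREFIXES" | iptables-restore --noflush
else
  build_ruleset "$WAN_IF" "$BLOCK_PREFIXES"
fi
```

Run it without arguments to review the generated file before loading it; the ACCEPT for DHCP is inserted with `-I` so it always sits above the appended DROP rules regardless of how many prefixes are listed.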