====== DNS blocking ======

This article describes how to redirect or block specified DNS names, which can be achieved by manipulating the dnsmasq config to return a specified IP address to the client. This IP address could be:

  * 0.0.0.0 to redirect the client to its own machine
  * a web server serving a landing page telling the client that the requested domain may be blocked.

Note that blocking a host by its domain name does not block access by its IP address directly.

===== Overview =====

==== Level of difficulty ====

Medium

==== Use-case ====

A practical use-case for this is access restriction, where the administrator wants to prevent clients from accessing a specific host by its DNS name. \\ This can be used, for example, to block access to websites.

==== Related topics ====

  * [[documentation:configuration:uci|UCI]]
  * [[howto:general:dhcp:multiple_dhcp|Multiple DHCP-Server instances]]
  * [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]]

===== Instructions =====

==== GUI ====

Not available, yet.

==== UCI Config System ====

  * Add the domain name and IP in dnsmasq's syntax to the UCI dhcp config section:
<code>
# uci add_list dhcp.@dnsmasq[0].address=/blockme.com/0.0.0.0
</code>
This command can be repeated for all required hostnames by replacing the domain name.
  * Write the UCI config to [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]]:
<code>
# uci commit dhcp
</code>
  * Restarting dnsmasq is required to make any changes to dnsmasq's config apply:
<code>
# /etc/init.d/dnsmasq restart
</code>

==== UCI config files (native) ====

Options to dnsmasq are defined in [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]]. \\ Further domains for redirection can be added manually here with a text editor.

<code>
config dnsmasq
	...
	list address '/google.com/0.0.0.0'
	list address '/blockme.com/0.0.0.0'
</code>

==== DNSMasq config file (native) ====

/etc/dnsmasq.conf
<code>
echo "address=/blockme.com/0.0.0.0" >> /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart
</code>

===== Troubleshooting =====

If the settings above were applied successfully, all attempts to access the domain name should return the given IP address:

<code>
# ping blockme.com
PING blockme.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.405 ms
# nslookup blockme.com
Server:    192.168.1.1
Address 1: 192.168.1.1 dd-wrt-nxt.lan

Name:      blockme.com
Address 1: 0.0.0.0
</code>

===== Additional DNS proxy =====

The way shown above to block DNS names works as long as the clients use the configured router as their DNS server. This is the typical case as long as clients are using DHCP and receiving their DNS server information from the configured router. \\ To prevent clients from using an external DNS server for name resolution, the DNS protocol can be redirected through the router. This can be achieved by configuring the firewall as follows:

<code>
uci add firewall redirect
uci set firewall.@redirect[0].src=lan
uci set firewall.@redirect[0].proto=tcpudp
uci set firewall.@redirect[0].src_dport=53
uci commit
/etc/init.d/firewall restart
</code>

If a client has static DNS server entries such as "8.8.8.8" (public DNS server from Google), \\ it will also receive the specified IP address from the router:

<code>
# ping blockme.com
PING blockme.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.429 ms
# nslookup blockme.com
Server:    8.8.8.8
Address 1: 8.8.8.8 google-public-dns-a.google.com

Name:      blockme.com
Address 1: 0.0.0.0
</code>
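The per-domain ''uci add_list'' step from the UCI Config System section and the nslookup check from the Troubleshooting section, combined into one POSIX sh script as an added example (not part of the original page or of OpenWrt): it turns a plain-text blocklist into dnsmasq ''address='' entries, applies them idempotently through UCI, and verifies that a resolver answer carries the sink address. The blocklist format, ''SINK_IP'' and the sample nslookup text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: build dnsmasq "address=" entries
# from a plain-text blocklist, optionally apply them through UCI the way the
# page does per domain, and check an nslookup answer for the sink address.
# SINK_IP, the blocklist format and the sample nslookup text are constructed
# for this example; they are not part of OpenWrt.

SINK_IP="${SINK_IP:-0.0.0.0}"

# Accept only plausible domain names (labels of letters, digits and hyphens,
# joined by dots), so a malformed line can never become a bad dnsmasq option.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Read a blocklist on stdin (one domain per line, '#' comments allowed) and
# print one "address=/<domain>/<SINK_IP>" line per unique valid domain.
blocklist_to_address_lines() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]].*$//' | grep -v '^$' | sort -u |
    while IFS= read -r domain; do
        if valid_domain "$domain"; then
            printf 'address=/%s/%s\n' "$domain" "$SINK_IP"
        else
            printf 'skipping invalid entry: %s\n' "$domain" >&2
        fi
    done
}

# Apply the list with uci add_list (blocklist on stdin), skipping entries that
# already exist so the script can be re-run; @dnsmasq[0] is the first dnsmasq
# section, as on the page. Requires the uci binary, i.e. an OpenWrt router.
apply_with_uci() {
    blocklist_to_address_lines | sed 's/^address=//' | while IFS= read -r entry; do
        uci get dhcp.@dnsmasq[0].address 2>/dev/null | tr ' ' '\n' | grep -qxF "$entry" ||
            uci add_list "dhcp.@dnsmasq[0].address=$entry"
    done
    uci commit dhcp && /etc/init.d/dnsmasq restart
}

# Check nslookup output on stdin: exit 0 only if the address answered for the
# queried Name is SINK_IP (the server's own Address line is ignored).
answer_is_sunk() {
    awk -v sink="$SINK_IP" '
        /^Name:/ { in_answer = 1 }
        in_answer && /^Address/ && $3 == sink { found = 1 }
        END { exit !found }'
}
```

Run ''blocklist_to_address_lines < blocklist.txt'' to preview the generated entries, and ''nslookup blockme.com | answer_is_sunk'' on a client to confirm the block took effect.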