This article describes how to redirect or block specified DNS names, which can be achieved by configuring dnsmasq to return a specified IP address to the client. This IP address could be:
Note that blocking a host by its domain name does not block access to its IP address directly.
A practical use case for this is access restriction, where the administrator wants to prevent clients from reaching a specific host by its DNS name.
This can be used, for example, to block access to websites.
# uci add_list dhcp.@dnsmasq[0].address=/blockme.com/0.0.0.0
This command can be repeated for all required hostnames by replacing the domain name.
# uci commit dhcp
# /etc/init.d/dnsmasq restart
Options for dnsmasq are defined in /etc/config/dhcp.
Further domains for redirection can be added manually here with a text editor:
config dnsmasq
	...
	list address '/google.com/0.0.0.0'
	list address '/blockme.com/0.0.0.0'
Alternatively, the entry can be appended to /etc/dnsmasq.conf directly:
echo "address=/blockme.com/0.0.0.0" >> /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart
If the settings above were applied successfully, all attempts to resolve the domain name should return the given IP address:
# ping blockme.com
PING blockme.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.405 ms

# nslookup blockme.com
Server:    192.168.1.1
Address 1: 192.168.1.1 dd-wrt-nxt.lan

Name:      blockme.com
Address 1: 0.0.0.0
The method shown above blocks DNS names only as long as the clients use the configured router as their DNS server.
This is the typical case as long as clients use DHCP and receive their DNS server information from the router.
To prevent clients from using an external DNS server for name resolution, DNS traffic on port 53 can be redirected to the router.
This can be achieved by configuring the firewall as follows (the index -1 addresses the redirect section that was just added, so any existing redirect sections are left untouched):
uci add firewall redirect
uci set firewall.@redirect[-1].src=lan
uci set firewall.@redirect[-1].proto=tcpudp
uci set firewall.@redirect[-1].src_dport=53
uci commit firewall
/etc/init.d/firewall restart
If a client has a static DNS server entry such as 8.8.8.8 (Google's public DNS server),
it will also receive the specified IP address from the router:
# ping blockme.com
PING blockme.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.429 ms

# nslookup blockme.com
Server:    8.8.8.8
Address 1: 8.8.8.8 google-public-dns-a.google.com

Name:      blockme.com
Address 1: 0.0.0.0
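The article adds one address entry per uci command and checks the result by reading the nslookup output by eye. The following script, which is an added example and not part of the original article or of OpenWrt, does both steps for a whole list: it builds the dnsmasq address lines from a blocklist while rejecting malformed entries (so a stray character in the list cannot leave dnsmasq unable to start), and it parses a BusyBox nslookup transcript to confirm that a name really resolves to the sinkhole address. It is written for POSIX sh (BusyBox ash on OpenWrt). BLOCKLIST and NSLOOKUP_OUT are constructed sample data, and apply_with_uci is a helper name chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: generate dnsmasq "address"
# entries from a blocklist with input validation, and check resolver output
# for the sinkhole address. POSIX sh; BLOCKLIST and NSLOOKUP_OUT are
# constructed sample data, apply_with_uci is an assumed helper name.

# Constructed sample blocklist: one domain per line; blank lines and '#'
# comments are allowed. One entry is deliberately malformed, one is a duplicate.
BLOCKLIST='# constructed sample list
blockme.com
ads.example.net

not a domain!
blockme.com
'

# Address every listed domain resolves to once blocked (as in the article).
SINKHOLE=0.0.0.0

# Print one "address=/<domain>/<SINKHOLE>" line per valid, unique domain.
# Anything that is not a plain hostname is dropped before it reaches dnsmasq.
gen_address_lines() {
    printf '%s\n' "$1" \
    | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -E '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$' \
    | LC_ALL=C sort -u \
    | sed "s#.*#address=/&/$SINKHOLE#"
}

# Feed the generated entries into UCI without creating duplicate list items,
# then commit and restart dnsmasq. Needs uci, so it is not run by the demo.
apply_with_uci() {
    gen_address_lines "$1" | sed 's#^address=##' | while read -r entry; do
        if ! uci -q get 'dhcp.@dnsmasq[0].address' | tr ' ' '\n' | grep -qxF "$entry"; then
            uci add_list "dhcp.@dnsmasq[0].address=$entry"
        fi
    done
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Constructed nslookup transcript in the BusyBox format shown in the article.
NSLOOKUP_OUT='Server:    192.168.1.1
Address 1: 192.168.1.1 router.lan

Name:      blockme.com
Address 1: 0.0.0.0'

# Return the first answer address after the "Name:" line; the "Address" line
# before it describes the server that answered, not the resolved name.
resolved_addr() {
    printf '%s\n' "$1" | awk '/^Name:/ { seen = 1; next } seen && /^Address/ { print $3; exit }'
}

# Succeed when the transcript shows the name resolving to the sinkhole address.
is_blocked() {
    [ "$(resolved_addr "$1")" = "$SINKHOLE" ]
}

# Demo: show the generated config lines and the verification result.
gen_address_lines "$BLOCKLIST"
if is_blocked "$NSLOOKUP_OUT"; then
    echo "blockme.com resolves to the sinkhole $SINKHOLE"
else
    echo "blockme.com is NOT blocked"
fi
```

On a router, `apply_with_uci "$(cat /etc/blocklist.txt)"` loads a list file through uci; piping `nslookup blockme.com` into `is_blocked` checks a live answer. Two points worth keeping in mind when reading the article's ping output: the reply from 127.0.0.1 appears because Linux treats 0.0.0.0 as the local host, so an ICMP reply is not a sign that the block failed, and the port-53 redirect only catches plain DNS. A client that resolves names over DNS-over-HTTPS (port 443) or DNS-over-TLS (port 853) is not redirected by that rule.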