
DNS blocking

This article describes how to block or redirect specified DNS names. This is achieved by configuring dnsmasq to answer queries for those names with an IP address of the administrator's choosing instead of the real one. This IP address could be:

  • 0.0.0.0, so that connection attempts are sent to the client's own machine (in the ping output further below, 127.0.0.1 answers)
  • a web server serving a landing page that tells the client the requested domain has been blocked.

Note that blocking a host by its domain name does not block access to it by IP address directly.

Overview

Level of difficulty

Medium

Use-case

A practical use case is access restriction, where the administrator wants to prevent clients from reaching a specific host by its DNS name.
This can be used, for example, to block access to websites.

Instructions

GUI

Not available yet.

UCI Config System

  • Add the domain name and the IP address to return, in dnsmasq's address= syntax, to the dnsmasq section of the UCI dhcp config:
# uci add_list dhcp.@dnsmasq[0].address=/blockme.com/0.0.0.0

This command can be repeated for every domain name that should be blocked; only the domain name changes. Because dnsmasq matches the name and all of its subdomains, an entry for blockme.com also covers www.blockme.com.

  • Save the changes:
# uci commit dhcp
  • Restart dnsmasq, which is required for any change to its configuration to take effect:
# /etc/init.d/dnsmasq restart

UCI config files (native)

The options for dnsmasq are defined in /etc/config/dhcp. This is the file the uci commands above modify, so further domains can also be added here directly with a text editor (restart dnsmasq afterwards):

config dnsmasq
    ...
    list address '/google.com/0.0.0.0'
    list address '/blockme.com/0.0.0.0'

DNSMasq config file (native)

The same entry can be written in dnsmasq's own syntax to /etc/dnsmasq.conf, which OpenWrt's dnsmasq init script includes in addition to the UCI-generated configuration:

echo "address=/blockme.com/0.0.0.0" >> /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart

Troubleshooting

If the settings above were applied successfully, every attempt to resolve the domain name from a client that uses the router as its DNS server should return the configured IP address:

# ping blockme.com
PING blockme.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.405 ms
# nslookup blockme.com
Server:    192.168.1.1
Address 1: 192.168.1.1 dd-wrt-nxt.lan

Name:      blockme.com
Address 1: 0.0.0.0
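As an added example (not part of the wiki page), the following POSIX shell functions generate the uci add_list commands from a blocklist file and parse a busybox nslookup answer to confirm that a name is sinkholed, which covers both the UCI steps and the troubleshooting check above. The blocklist file format (one domain per line, '#' comments), the SINKHOLE variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page. Generates the uci entries the page
# describes from a plain blocklist file and parses a busybox nslookup answer
# to confirm a name is sinkholed. Assumed: the blocklist file format
# (one domain per line, '#' comments) and the SINKHOLE variable.
SINKHOLE="${SINKHOLE:-0.0.0.0}"

# valid_domain NAME: succeed only for a plain hostname that dnsmasq's address= accepts
valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# uci_commands_for FILE: print one "uci add_list" line per valid domain;
# comments and blank lines are skipped, malformed entries are reported on stderr
uci_commands_for() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        d=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        [ -z "$d" ] && continue
        if valid_domain "$d"; then
            printf "uci add_list 'dhcp.@dnsmasq[0].address=/%s/%s'\n" "$d" "$SINKHOLE"
        else
            printf 'skipped malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
    return 0
}

# resolved_address OUTPUT: extract the answer address from busybox nslookup
# output, i.e. the first "Address" line after "Name:" (both the "Address 1: x"
# and the "Address: x" layouts); the server's own address lines are ignored
resolved_address() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { seen = 1; next }
        seen && /^Address/ { sub(/^Address[^:]*:[ \t]*/, ""); print $1; exit }'
}

# is_sinkholed DOMAIN [SERVER]: succeed if the resolver (the router by default)
# answers with the sinkhole address, i.e. the block is in effect for that resolver
is_sinkholed() {
    got=$(resolved_address "$(nslookup "$1" ${2:-} 2>/dev/null)")
    [ "$got" = "$SINKHOLE" ]
}
```

Pipe the output of uci_commands_for into sh, then run uci commit dhcp and restart dnsmasq; is_sinkholed blockme.com 8.8.8.8 shows whether the DNS redirect described in the next section intercepts queries to an external resolver.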

Additional DNS proxy

The method shown above blocks DNS names only as long as the clients use the configured router as their DNS server. This is the typical case as long as clients use DHCP and receive their DNS server information from the router.
To prevent clients from using an external DNS server for name resolution, DNS traffic leaving the LAN can be redirected to the router itself. Note that this intercepts plain DNS on port 53 only; clients that use encrypted DNS (DNS over HTTPS or DNS over TLS) do not send port 53 queries and are not covered by it.

This can be achieved by configuring the firewall as follows (the -1 index addresses the redirect section just added, even if other redirect sections already exist):

uci add firewall redirect
uci set firewall.@redirect[-1].name=Intercept-DNS
uci set firewall.@redirect[-1].src=lan
uci set firewall.@redirect[-1].proto=tcpudp
uci set firewall.@redirect[-1].src_dport=53
uci commit firewall
/etc/init.d/firewall restart

If a client has a static DNS server entry such as 8.8.8.8 (Google's public DNS server), its queries are now answered by the router as well, so it also receives the configured IP address. The client still believes it is talking to 8.8.8.8, as the nslookup output shows:

# ping blockme.com
PING blockme.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.429 ms
# nslookup blockme.com
Server:    8.8.8.8
Address 1: 8.8.8.8 google-public-dns-a.google.com

Name:      blockme.com
Address 1: 0.0.0.0
howto/use_cases/dns_blocking.txt · Last modified: 2018/05/24 09:05 (external edit)