Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Blocking outbound dns

The overall goal is to force as many DNS requests as possible through my own recursive servers, instead of letting clients pick an outside resolver on their own.

List of my dns servers

$ dig -t NS ipa.internal.com
;; ANSWER SECTION:
ipa.internal.com.   604800  IN  NS  dns2.ipa.internal.com.
ipa.internal.com.   604800  IN  NS  dns1.ipa.internal.com.
;; ADDITIONAL SECTION:
dns1.ipa.internal.com.  604800  IN  A   192.168.1.50
dns2.ipa.internal.com.  604800  IN  A   192.168.1.51

The dns3 host is a FreeIPA domain replica but does not have DNS or DHCP on it as of 2023-02.

Experiment 1

Just redirect all outbound DNS requests to my DNS servers. This is done with a set of commands on router1.

DNS="192.168.1.50"
# Rewrite every UDP/53 packet arriving on the LAN bridge so it lands on dns1.
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "${DNS}:53"
# Inserted afterwards, so it sits ahead of the DNAT rule: dns1's own outbound
# queries (its recursion to the internet) must not be sent back to itself.
iptables -t nat -I PREROUTING -i br0 -p udp -s "${DNS}" --dport 53 -j ACCEPT
# Apply the DoH block scripts if they have been uploaded to /jffs (experiments 3 and 4).
test -f /jffs/doh-ipv4 && sh /jffs/doh-ipv4
test -f /jffs/doh-ipv6 && sh /jffs/doh-ipv6

Added this as the "firewall command" of the router: web UI -> tab Administration -> tab Commands. Because -I inserts at the head of the chain, the second rule (the ACCEPT for packets from dns1) ends up ahead of the DNAT rule, which is what lets dns1 recurse to the internet instead of having its own queries redirected back to itself. Two things these rules do not cover: TCP port 53 (only UDP is matched, so a client that retries over TCP for a large answer still reaches whatever resolver it asked), and dns2 (192.168.1.51), whose outgoing recursive queries get redirected to dns1 like any other client's.

I modified dns1 named.conf to include some logging of queries:

logging {
  channel queries_log {
    file "/var/named/queries" versions 600 size 20m;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity info;
  };
  category queries { queries_log; };
};

These go inside the logging {} section of named.conf (reference 6). Attaching a channel to the queries category is enough to turn query logging on; no separate querylog option is needed.

This experiment was successful. On dns1, /var/named/queries shows the queries being submitted.
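A quick way to confirm the redirect from dns1's side, as an added example that is not on the original page: tally the query log by client address. A client whose resolver setting points at an outside server should still show up here once the DNAT rule is in place, because dns1 only sees queries that actually reached it. The sample lines at the bottom are constructed in the BIND 9 query-log layout the channel above produces (time, category and severity prefixes, then the client field as address#port); they are not a real capture.

```sh
#!/bin/sh
# Added example; not from the original page.
# summarize_query_log LOGFILE
# Prints "client-address count" for every client seen in a BIND query log.
# The client field has the form ADDRESS#PORT, so it is located by that shape
# rather than by position (the "@0x..." pointer between "client" and the
# address exists in newer BIND releases and is absent in older ones).
summarize_query_log() {
    awk '
        / query: / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /#[0-9]+$/) {
                    split($i, parts, "#")
                    queries[parts[1]]++
                    break
                }
            }
        }
        END { for (c in queries) print c, queries[c] }
    ' "$1" | sort
}

# Constructed sample log lines (not a real capture) to show the output.
log=$(mktemp)
cat > "$log" <<'EOF'
18-Feb-2023 10:00:01.123 queries: info: client @0x7f3c0c0a1b20 192.168.1.20#51234 (example.com): query: example.com IN A +E(0)K (192.168.1.50)
18-Feb-2023 10:00:02.456 queries: info: client @0x7f3c0c0a1b20 192.168.1.20#51235 (example.org): query: example.org IN AAAA +E(0)K (192.168.1.50)
18-Feb-2023 10:00:03.789 queries: info: client @0x7f3c0c0a1c40 192.168.1.21#40000 (example.net): query: example.net IN A + (192.168.1.50)
EOF
summarize_query_log "$log"
rm -f "$log"
```

On dns1 itself this would be run as summarize_query_log /var/named/queries; a client that is known to be configured for an outside resolver and still appears in the tally has been redirected.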

Experiment 2: see if I can get extra, permanent storage with a USB drive

I grabbed a 128MB USB flash drive (yes, MB). I enabled USB support in the web UI: tab Services -> tab USB -> Core USB Support enabled, and pointed "mount this partition to /jffs" at the partition UUID 581af4db-8dfc-41af-9e8b-f612bd32508c.

I also enabled JFFS2 in the web UI: tab Administration -> tab Management -> section JFFS2 Support -> Internal flash storage enabled.

Some commands I ran on router1:

fdisk -l
# the drive already had a partition in an msdos label, but it was not formatted yet
mkfs.ext4 /dev/sda1
# load the ext4 driver before mounting
modprobe ext4
mount /dev/sda1 /jffs

This appears to work persistently after reboots.

Experiment 3: manual DoH block functionality (IPv4)

I set up the blocking script and ran it on the dd-wrt router. Goal: manually copy the list of IPv4 (and IPv6) DoH server addresses to be blocked up to the router, and add firewall rules that refuse connections to them.

# one REJECT rule per address; the first column of doh-ipv4.txt is the address
echo '#!/bin/sh' > ~/doh-ipv4
for ip in $( <doh-ipv4.txt awk '{print $1}' ) ; do echo "iptables -I FORWARD -p tcp -d ${ip} --dport 443 -j REJECT --reject-with tcp-reset" ; done >> ~/doh-ipv4
# copy it to router1 as a stream over ssh, then make it executable
<~/doh-ipv4 ssh root@router1 'cat > /jffs/doh-ipv4'
ssh root@router1 chmod +x /jffs/doh-ipv4

Experiment 4: ipv6 doh blocking

# same as the IPv4 script, with ip6tables and the IPv6 list
echo '#!/bin/sh' > ~/doh-ipv6
for ip in $( <doh-ipv6.txt awk '{print $1}' ) ; do echo "ip6tables -I FORWARD -p tcp -d ${ip} --dport 443 -j REJECT --reject-with tcp-reset" ; done >> ~/doh-ipv6
# copy it to router1; scp was acting weird so use a stream
<~/doh-ipv6 ssh root@router1 'cat > /jffs/doh-ipv6'
ssh root@router1 chmod +x /jffs/doh-ipv6

Improve

I still need to set up a cron job that does all of this automatically; for now I have to run these steps manually. The job would pull the latest lists from the DoH blocklist git repo (reference 2), generate the scripts, upload them, and optionally run them. I have not yet worked out how to prevent duplicate entries: the lists can repeat an address, and because each generated line uses -I, re-running a script prepends every rule again.
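A generator that covers both lists and the duplicate problem, as an added example rather than the page's own script (it serves experiments 3 and 4 and this section): it reads a list in the same "address hostname" shape the awk '{print $1}' above assumes, drops comments, blank lines and repeated addresses, chooses iptables or ip6tables from the address form, and emits each rule guarded by a -C check so the uploaded script can be re-run, including from the firewall command on every boot, without stacking copies of the same rule. It assumes the router's iptables and ip6tables support -C; the sample list at the bottom is constructed from documentation addresses and is not taken from the real blocklist.

```sh
#!/bin/sh
# Added example; not from the original page.
# gen_doh_rules LISTFILE
# Reads a "address [hostname ...]" list, skips comments, blank lines and
# duplicate addresses, and prints a shell script with one guarded REJECT
# rule per address. Assumption: the router's iptables/ip6tables support -C.
gen_doh_rules() {
    list="$1"
    echo '#!/bin/sh'
    awk '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        { ip = $1 }
        seen[ip]++ { next }                    # address already emitted
        ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print "iptables", ip; next }
        ip ~ /^[0-9A-Fa-f:]+$/ && ip ~ /:/      { print "ip6tables", ip; next }
        { print "skip", ip }                   # not an address: report, do not block
    ' "$list" |
    while read -r tool ip; do
        if [ "$tool" = skip ]; then
            echo "gen_doh_rules: skipping unparseable entry: $ip" >&2
            continue
        fi
        rule="FORWARD -p tcp -d $ip --dport 443 -j REJECT --reject-with tcp-reset"
        # -C exits non-zero when the rule is absent; only then insert it
        echo "$tool -C $rule 2>/dev/null || $tool -I $rule"
    done
}

# Constructed sample list (documentation addresses, not the real blocklist).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# address  hostname
192.0.2.10 doh.example
192.0.2.10 doh-alias.example
2001:db8::10 doh6.example
not-an-address broken.example
EOF
gen_doh_rules "$sample"
rm -f "$sample"
```

Run against both list files this gives the two /jffs scripts from experiments 3 and 4 in one step (gen_doh_rules doh-ipv4.txt > doh-ipv4, and the same for doh-ipv6.txt); the upload over ssh stays as above. The rules still only refuse TCP/443 to the listed addresses; DoH over UDP/443 or DoT on port 853 would need separate rules.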

Dependencies

Alternatives

Just allow all DNS traffic out to the internet, which gives up control over which resolvers my network uses.

References

Weblinks

  1. https://old.reddit.com/r/pihole/comments/gicwex/making_a_doh_blocklist_for_ddwrt_routers/
  2. https://github.com/dibdot/DoH-IP-blocklists
  3. https://wiki.dd-wrt.com/wiki/index.php/USB_storage
  4. https://wiki.dd-wrt.com/wiki/index.php/JFFS_File_System#Add_USB_Storage
  5. https://cloudflare-dns.com/help (tests whether DoH to Cloudflare specifically is working)
  6. https://kb.isc.org/docs/aa-01526

Internal files

Comments