DNS Block
this is a work in progress in order to allow more control on what DNS enters in your LAN. DO NOT use in production.
to protect from malware and adds, one priority now is to manage your own DNS.
some will go using pihole to block adds, and limit spying on you.
next step would be to make sure that pihole does not forward to another service that could spy on you, but rather uses you own server,
finally you really want any app on your phone or your clients on your own network are only able to access your SME dns server.
Closing port 53 from LAN to outside
of course you need your Server to be able to access.
iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP
iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP
this will leave access to IP $INTERNALDNS
to external world to request DNS.
iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
then closing for others
iptables -A FORWARD -o $WAN -p tcp --dport 53 -j REJECT
iptables -A FORWARD -o $WAN -p udp --dport 53 -j REJECT
Redirect port 53 from LAN
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT
what if you want to redirect to your PiHoleĀ ?
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to $INTERNALDNS:53
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $INTERNALDNS:53
iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
block DOH 443
DNS over Https is what some present to you as the real way to guarantee your privacy over some companies (read here a shady hotspot, or a shady ISP) who are spying on your DNS request OR changing the results. HOwever this introduce also a way for shady apps a way to get the content they want without being filtered... time to filter them back...
TODO
way to do seems to block destination IP from a list of
ipset might be of use https://ipset.netfilter.org/
# Block DNS over HTTPS
iptables -I OUTPUT -m set --match-set Block_DoH src -j DROP
iptables -I INPUT -m set --match-set Block_DoH dst -j DROP
or https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf with bash https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
_input=/root/firewall/badips.db
_pub_if="eth1"
_priv_if="eth0"
IPT=/sbin/iptables
### Setup our black list ###
# Create a new chain
$IPT -N droplist
# Filter out comments and blank lines
# store each ip or subnet in $ip
egrep -v "^#|^$" x | while IFS= read -r ip
do
# Append everything to droplist
$IPT -A droplist -i ${_priv_if} -d $ip --dport 443 -j LOG --log-prefix " Drop DOH ip "
$IPT -A droplist -i ${_priv_if} -d $ip --dport 443 -j DROP
done <"${_input}"
# Finally, insert or append our black list
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -j droplist
as pointed out in some places you might need to whitelist
block DOT 853
this is an alternative of Https, using DNS over TLS on port 853
# Block DNS over TLS
iptables -I INPUT -i $lan -p tcp --sport 853 -j DROP
iptables -I INPUT -i $lan -p udp --sport 853 -j DROP
iptables -I OUTPUT -p tcp --dport 853 -j DROP
iptables -I OUTPUT -p udp --dport 853 -j DROP
or
iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP
iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP
iptables -A INPUT -i $lan -p tcp -m multiport --dports 53,853 -j DROP
iptables -A FORWARD -i $lan -p tcp -m multiport --dports 53,853 -j DROP
testing needed in order to keep the sever free of limits.
TODO
- check the pros and cons to use FORWARD vs PREROUTING in nat
- organize using proper chains
- create templates
- create contrib
sources
- https://serverfault.com/questions/499435/gateway-iptables-dns-redirect
- https://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html
- https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
- https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf
- https://github.com/curl/curl/wiki/DNS-over-HTTPS
- https://serverfault.com/questions/996469/how-to-block-dns-over-https-using-iptables