DNS Block

From SME Server
Revision as of 07:51, 29 August 2022 by Unnilennium (talk | contribs) (Created page with "this is a work in progress in order to allow more control on what DNS enters in your LAN. DO NOT use in production. {{WIP box|}} to protect from malware and adds, one priori...")

This is a work in progress, intended to give you more control over which DNS traffic enters and leaves your LAN. DO NOT use in production.


Work in Progress:
This page is a Work in Progress. The contents of this page may be in flux; please have a look at the page history to see the list of changes.


To protect against malware and ads, one priority now is to manage your own DNS.

Some will use Pi-hole to block ads and limit tracking.

The next step is to make sure that Pi-hole does not forward to another service that could spy on you, but rather uses your own server.

Finally, you really want any app on your phone, and any client on your own network, to be able to reach only your SME DNS server.

Closing port 53 from LAN to outside

Of course your server itself still needs to be able to reach outside DNS.

iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP
iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP

# note: the INPUT rule also stops LAN clients from querying the SME server's own resolver on port 53; if clients are meant to use it, keep only the FORWARD rule.

This will leave the IP $INTERNALDNS able to reach the external world for DNS requests.

iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

Then close it for the others (these REJECT rules must come after the ACCEPT rules above, since iptables evaluates rules in order):

iptables -A FORWARD -o $WAN -p tcp --dport 53 -j REJECT
iptables -A FORWARD -o $WAN -p udp --dport 53 -j REJECT

Redirect port 53 from LAN

Any DNS request coming from the LAN is redirected to the server's own resolver (restricted to the LAN interface so that traffic arriving from the WAN is not touched):

iptables -t nat -A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 53 -j REDIRECT

What if you want to redirect to your Pi-hole instead?

# the Pi-hole's own upstream queries are excluded, otherwise they would be DNATed back to the Pi-hole itself
iptables -t nat -A PREROUTING -i $lan ! -s $INTERNALDNS -p tcp --dport 53 -j DNAT --to $INTERNALDNS:53
iptables -t nat -A PREROUTING -i $lan ! -s $INTERNALDNS -p udp --dport 53 -j DNAT --to $INTERNALDNS:53

iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

block DOH 443

DNS over HTTPS is what some present to you as the real way to guarantee your privacy against parties (read: a shady hotspot, or a shady ISP) who spy on your DNS requests OR change the results. However, it also gives shady apps a way to fetch the content they want without being filtered... time to filter them back...


TODO

The way to do it seems to be to block the destination IPs from a list of known DoH resolver addresses.

ipset might be of use: https://ipset.netfilter.org/

# Block DNS over HTTPS
# on OUTPUT the remote resolver is the destination address, on INPUT it is the source address
iptables -I OUTPUT -m set --match-set Block_DoH dst -j DROP
iptables -I INPUT -m set --match-set Block_DoH src -j DROP

Or follow https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf, done in bash as in https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/ :

_input=/root/firewall/badips.db
_pub_if="eth1"
_priv_if="eth0"
IPT=/sbin/iptables

### Setup our black list ###
# Create a new chain
$IPT -N droplist

# Filter out comments and blank lines from the list file,
# store each ip or subnet in $ip
egrep -v "^#|^$" "${_input}" | while IFS= read -r ip
do
        # Append everything to droplist
        # (-p tcp is required for --dport to be accepted; -i is only meaningful
        # on INPUT/FORWARD, so the interface match is applied on the jump below)
        $IPT -A droplist -p tcp -d "$ip" --dport 443 -j LOG --log-prefix " Drop DOH ip "
        $IPT -A droplist -p tcp -d "$ip" --dport 443 -j DROP
done

# Finally, insert or append our black list
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -i ${_priv_if} -j droplist

As pointed out in some places, you might need to whitelist.
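Putting the ipset idea and the list-file script above together, here is an added example (not code from the SME Server page or a contrib): it fills an ipset from a list of DoH resolver addresses and hooks LOG+DROP rules into a dedicated chain for both LAN clients and the server itself. The set name Block_DoH, the chain name doh_block, the DRY_RUN variable and the sample addresses (TEST-NET ranges) are assumptions.

```shell
#!/bin/sh
# Added example, not from the SME Server page: load DoH resolver addresses
# into an ipset and hook LOG+DROP rules into a dedicated chain. Set name,
# chain name and the sample addresses (TEST-NET ranges) are assumptions.
set -eu

IPT="${IPT:-/sbin/iptables}"
IPSET="${IPSET:-/sbin/ipset}"
DOH_SET="Block_DoH"
DOH_CHAIN="doh_block"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Constructed sample list: one IPv4 address or CIDR per line, '#' comments
# and blank lines ignored; a malformed line is included to show it is skipped.
SAMPLE_LIST='# constructed DoH list
203.0.113.10
198.51.100.0/24
not-an-address'

# Read a list on stdin and (re)fill the set; hash:net accepts hosts and CIDRs.
load_doh_set() {
    run "$IPSET" create "$DOH_SET" hash:net -exist
    run "$IPSET" flush "$DOH_SET"
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r net; do
        case "$net" in
            *[!0-9./]*) printf 'skipping invalid entry: %s\n' "$net" >&2; continue ;;
        esac
        run "$IPSET" add "$DOH_SET" "$net" -exist
    done
}
# Dedicated chain so LOG always precedes DROP; jump to it from FORWARD for
# LAN clients (interface given as $1) and from OUTPUT for the server itself.
install_doh_rules() {
    run "$IPT" -N "$DOH_CHAIN" 2>/dev/null || true    # tolerate an existing chain
    run "$IPT" -F "$DOH_CHAIN"
    run "$IPT" -A "$DOH_CHAIN" -m set --match-set "$DOH_SET" dst -j LOG --log-prefix "Drop DoH "
    run "$IPT" -A "$DOH_CHAIN" -m set --match-set "$DOH_SET" dst -j DROP
    run "$IPT" -I FORWARD -i "$1" -p tcp --dport 443 -j "$DOH_CHAIN"
    run "$IPT" -I OUTPUT -p tcp --dport 443 -j "$DOH_CHAIN"
}
# Usage: sh doh_block.sh eth0 [listfile]   (DRY_RUN=1 to preview; no file = built-in sample)
if [ "$#" -ge 1 ]; then
    if [ "$#" -ge 2 ]; then load_doh_set < "$2"; else printf '%s\n' "$SAMPLE_LIST" | load_doh_set; fi
    install_doh_rules "$1"
fi
```

Re-running the script refills the set in place but inserts the FORWARD and OUTPUT jumps again, so on a second run delete the old jumps first (or check with iptables -C before inserting).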

block DOT 853

This is the alternative to HTTPS, using DNS over TLS on port 853.

# Block DNS over TLS
iptables -I INPUT -i $lan -p tcp --sport 853 -j DROP
iptables -I INPUT -i $lan -p udp --sport 853 -j DROP
iptables -I OUTPUT -p tcp --dport 853 -j DROP
iptables -I OUTPUT -p udp --dport 853 -j DROP

or (a DoT client connects to destination port 853, so this --dport form is the one that matches LAN client traffic)

iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP
iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP
iptables -A INPUT -i $lan -p tcp -m multiport --dports 53,853 -j DROP
iptables -A FORWARD -i $lan -p tcp -m multiport --dports 53,853 -j DROP

Testing is still needed to make sure the server itself is not caught by these limits.

TODO

  • check the pros and cons to use FORWARD vs PREROUTING in nat
  • organize using proper chains
  • create templates
  • create contrib

sources