
Commands in the Dnsmasq custom configuration box...

Discussion in 'Tomato Firmware' started by mpegmaster, Sep 26, 2009.

  1. mpegmaster

    mpegmaster Addicted to LI Member


    Here's an example how...

    Checking "Use Internal Caching DNS Forwarder" activates the DNS forwarder and passes the IP of the router to the connected computers through DHCP instead of the ISP configured DNS servers.

    Checking "Used Received DNS with Static DNS" lets you use the DHCP provided DNS servers with the extras added in the custom configuration box.

    Static Lease Time... INFINITE

    The lines beginning with "server=" are the ADDITIONAL DNS servers to query. Change the IPs to whatever you want to use.

    The "all-servers" command queries all configured DNS servers each time, instead of sequentially.

    To be used in the order defined, add "strict-order" to the Dnsmasq custom config.

    Custom Configuration Box Example...

    server=208.67.222.222
    server=208.67.220.220
    server=209.244.0.3
    server=209.244.0.4
    server=4.2.2.2
    server=4.2.2.3
    all servers



    If you left static DNS zero'd out on the main network setup page, so you obtained the automatic ones from DHCP, and you have the "Use Received DNS With Static DNS" option checked, then ALL of them, auto received and those listed in "Custom Configuration", will be used.

    MANUAL page for Dnsmasq for more options...
    http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

    Cheers!!!

     


  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Code:
    strict-order
    makes it so the DNS servers are used in the order defined, rather than the "optimization" that Dnsmasq attempts.

    Code:
    bogus-nxdomain=...
    Turns the annoying domain not found redirects into real DNS responses.
     
  3. FattysGoneWild

    FattysGoneWild LI Guru Member

    This guide will be great for help! Thanks so much.
     
  4. Planiwa

    Planiwa LI Guru Member

    So, I wonder ...

    By default, a DNS query results in 2 separate connections:

    1. LAN -> Router-LANIF
    2. Router-WANIF -> NS

    Does the above setting result in just 1 connection?

    I tried it. The answer is no. It still does:

    ADM 54633 DNS ROUTER-I udp 21
    ADM 56397 DNS ROUTER-I udp 21
    ADM 57163 DNS ROUTER-I udp 21
    ADM 58394 DNS ROUTER-I udp 21
    ADM 58463 DNS ROUTER-I udp 21
    ADM 58538 DNS ROUTER-I udp 22
    ADM 62644 DNS ROUTER-I udp 21
    ADM 62950 DNS ROUTER-I udp 20
    ADM 63793 DNS ROUTER-I udp 21
    ADM 64202 DNS ROUTER-I udp 21
    ADM 64249 DNS ROUTER-I udp 21
    ADM 64395 DNS ROUTER-I udp 22
    ADM 64805 DNS ROUTER-I udp 21
    ADM 65500 DNS ROUTER-I udp 21
    RTR 4815 DNS NS1 udp 21
    RTR 8064 DNS NS1 udp 21
    RTR 11214 DNS NS1 udp 21
    RTR 14142 DNS NS1 udp 21
    RTR 16699 DNS NS1 udp 21
    RTR 19623 DNS NS1 udp 22
    RTR 20742 DNS NS1 udp 22
    RTR 25609 DNS NS1 udp 21
    RTR 25781 DNS NS1 udp 21
    RTR 25823 DNS NS1 udp 21
    RTR 30866 DNS NS1 udp 21
    RTR 33648 DNS NS1 udp 21
    RTR 35204 DNS NS1 udp 21
    RTR 37198 DNS NS1 udp 21
    RTR 39992 DNS NS1 udp 21
    RTR 44144 DNS NS1 udp 21
    RTR 47355 DNS NS1 udp 21
    RTR 47393 DNS NS1 udp 21
    RTR 49269 DNS NS1 udp 21
    RTR 51690 DNS NS1 udp 21

    But why?

    Is there a way of avoiding 2 connections?

    I'm not interested in caching. This involves thousands of one-time lookups.
    (P2P applications.)
     
  5. mstombs

    mstombs Network Guru Member

    Lots of info on dnsmasq has been discussed before

    http://www.linksysinfo.org/forums/showthread.php?t=54916

    Unless the Tomato 'feature' of only configuring a total of 3 DNS servers has been fixed I would not recommend using the tick box "Used Received DNS with Static DNS" to add your static servers to the ISP ones - it is better to add your static dns servers using the "server=" custom config. You do need to tick the box to use your ISP servers (which in my case do change regularly), I add the OpenDNS via the "server =" and the startup log confirms all four are used. I also know from failed look-ups OpenDNS are usually used by the dnsmasq hopefully because they are faster?

    See also the adblocking threads, which use dnsmasq to efficiently poison domain DNS lookups.
     
  6. kenyloveg

    kenyloveg LI Guru Member

  7. mpegmaster

    mpegmaster Addicted to LI Member

    Adding more than 2 DNS servers...

    This is a nice feature which would be adding at least one more DNS field...

    Actually it is possible to specify 3 DNS servers...

    Now we see the situation where your ISP gives 2 DNS servers and you also use OpenDNS (2 more)...

    2+2 = 4 but only 3 can be used at once...

    (This can be done via scripts, but this may be a nice feature).

    This was posted by... acollado - 06-17-2009, 06:27 PM
    http://www.linksysinfo.org/forums/showpost.php?p=347458&postcount=983

    That can already be done using the custom DNSmasq entry box.

    http://192.168.1.1/advanced-dhcpdns.asp

    Just put this in the box with the servers of your choice:

    ## Additional DNS servers
    # OpenDNS AnyCast DNS servers

    server=208.67.222.222
    server=208.67.220.220
    # Old Genuity (Level3) AnyCast DNS servers
    server=4.2.2.3
    server=4.2.2.4
    # Level3 AnyCast DNS servers
    server=209.244.0.3
    server=209.244.0.4
    # DSLextreme DNS servers
    server=66.51.205.100
    server=66.51.206.100
    # Earthlink DNS servers
    server=207.69.188.172
    server=207.69.188.171
    # Speakeasy DNS servers
    server=64.81.45.2
    server=64.81.111.2
    # Roadrunner DNS servers
    server=66.75.160.39
    server=66.75.160.38
    # AT&T DNS servers
    server=68.94.156.1
    server=68.94.157.1
    # Sprintlink DNS servers
    server=204.117.214.10
    server=199.2.252.10
    # Cisco DNS server
    server=128.107.241.185
    server=192.135.250.69

    Then check the "Use Received DNS With Static DNS" box.

    I use it that way to add 20 more DNS servers to the 2 my ISP sends me through DHCP.

    I also add:
    # shotgun DNS requests to all servers at once...
    all-servers
    That way all servers are queried and the first server to respond is used.

    The above was posted in a closed Thread...

    Cheers!!!
     
  8. FattysGoneWild

    FattysGoneWild LI Guru Member

    I think the option "Use Received DNS With Static DNS" more or less is for adding static DNS under the basic tab. If you add more DNS servers in the dnsmasq box instead and use the all-servers command, all of them show up as being used in this test. So, it seems to be redundant to have that checked if using extra servers in the dnsmasq box.

    https://www.dns-oarc.net/oarc/services/dnsentropy
     
  9. mpegmaster

    mpegmaster Addicted to LI Member

    How do I Flush DNS?

    Most DNS clients cache the results of name resolution requests. This speeds up name resolution if multiple lookups are done to the same address, such as is common when browsing the web.

    Sometimes a bad DNS entry will be cached and you will need to either flush the DNS cache to get rid of it, or wait up to 24 hours for it to be dropped from the cache automatically.

    How to Flush DNS in Microsoft Windows

    In Microsoft Windows, you can use the command ipconfig /flushdns to flush the DNS resolver cache:

    C:\>ipconfig /flushdns

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    You can also use the command ipconfig /displaydns to view the DNS resolver cache.

    Turning off DNS Caching under Microsoft Windows

    If you experience frequent issues with DNS caching under Microsoft Windows,
    you can disable client-side DNS caching with either of these two commands:

    * net stop dnscache
    * sc stop dnscache

    This will disable DNS caching until the next reboot.

    To make the change permanent, use the Service Controller tool or
    the Services tool to set the DNS Client service startup type to Disabled.

    Tuning DNS Caching under Microsoft Windows

    You can modify the behavior of the Microsoft Windows DNS caching algorithm by setting two registry entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry key.

    MaxCacheTtl represents the maximum time that the results of a DNS lookup will be cached.
    The default value is 86,400 seconds.

    If you set this value to 1, DNS entries will only be cached for a single second.

    MaxNegativeCacheTtl represents the maximum time that the results of a failed DNS lookup will be cached.

    The default value is 900 seconds. If you set this value to 0, failed DNS lookups will not be cached.


    How to Flush DNS in Mac OSX

    In Mac OSX Leopard, you can use the command dscacheutil -flushcache to flush the DNS resolver cache:

    bash-2.05a$ dscacheutil -flushcache

    In Mac OSX versions 10.5.1 and before, the command lookupd -flushcache performed the same task:

    bash-2.05a$ lookupd -flushcache


    How to Flush DNS in Linux

    In Linux, the nscd daemon manages the DNS cache.

    To flush the DNS cache, restart the nscd daemon.

    To restart the nscd daemon, use the command `/etc/init.d/nscd restart`


    Cheers!!!

     
  10. mpegmaster

    mpegmaster Addicted to LI Member

    DNS Root Servers...

    A.ROOT-SERVERS.NET.
    Operator: VeriSign Naming and Directory Services
    IP Address: 198.41.0.4

    B.ROOT-SERVERS.NET.
    Operator: Information Sciences Institute
    IP Address: 192.228.79.201

    C.ROOT-SERVERS.NET.
    Operator: Cogent Communications
    IP Address: 192.33.4.12

    D.ROOT-SERVERS.NET.
    Operator: University of Maryland
    IP Address: 128.8.10.90

    E.ROOT-SERVERS.NET.
    Operator: NASA Ames Research Center
    IP Address: 192.203.230.10

    F.ROOT-SERVERS.NET.
    Operator: Internet Systems Consortium, Inc.
    IP Address: 192.5.5.241

    G.ROOT-SERVERS.NET.
    Operator: U.S. DOD Network Information Center
    IP Address: 192.112.36.4

    H.ROOT-SERVERS.NET.
    Operator: Autonomica/NORDUnet
    IP Address: 128.63.2.53

    I.ROOT-SERVERS.NET.
    Operator: Autonomica/NORDUnet
    IP Address: 192.36.148.17

    J.ROOT-SERVERS.NET.
    Operator: VeriSign Naming and Directory Services
    IP Address: 192.58.128.30

    K.ROOT-SERVERS.NET.
    Operator: Reseaux IP Europeens - Network Coordination Centre
    IP Address: 193.0.14.129

    L.ROOT-SERVERS.NET.
    Operator: Internet Corporation for Assigned Names and Numbers
    IP Address: 199.7.83.42

    M.ROOT-SERVERS.NET.
    Operator: WIDE Project
    IP Address: 202.12.27.33

    To view the canonical list of current DNS root servers,
    view the named.root file at... http://www.internic.net/zones/named.root


    Cheers!!!

     
  11. mpegmaster

    mpegmaster Addicted to LI Member

    Public DNS Servers...


    OpenDNS (San Francisco, CA, US)
    208.67.222.222
    208.67.220.220

    Level 3 Communications (Broomfield, CO, US)
    4.2.2.1
    4.2.2.2
    4.2.2.3
    4.2.2.4
    4.2.2.5
    4.2.2.6

    Verizon (Reston, VA, US)
    151.197.0.38
    151.197.0.39
    151.202.0.84
    151.202.0.85
    151.203.0.84
    151.203.0.85
    199.45.32.37
    199.45.32.38
    199.45.32.40
    199.45.32.43

    GTE (Irving, TX, US)
    192.76.85.133
    206.124.64.1

    One Connect IP (Albuquerque, NM, US)
    67.138.54.100

    Exetel (Sydney, AU)
    220.233.167.31

    VRx Network Services (New York, NY, US)
    199.166.31.3

    SpeakEasy (Seattle, WA, US)
    66.93.87.2
    216.231.41.2
    216.254.95.2
    64.81.45.2
    64.81.111.2
    64.81.127.2
    64.81.79.2
    64.81.159.2
    66.92.64.2
    66.92.224.2
    66.92.159.2
    216.27.175.2

    Sprintlink (Overland Park, KS, US)

    199.2.252.10
    204.97.212.10
    204.117.214.10

    Cisco (San Jose, CA, US)
    64.102.255.44
    128.107.241.185

    DNSAdvantage.com
    156.154.70.1
    156.154.71.1

    Scrubit.com
    67.138.54.100
    207.225.209.66

    199.166.28.10 (PS0.NS2.VRX.NET) - Atlanta, Ga

    199.166.29.3 (nl.public.rootfix.net) - Netherlands

    199.166.31.3 (NS1.QUASAR.NET) - Orlando, FL, USA

    204.57.55.100 (NS1.JERKY.NET) - Boston, MA, USA

    199.5.157.128 (ASLAN.OPEN-RSC.ORG) - Detroit, MI, USA

    220.233.167.31 = Public Aussie DNS Server

    Lincsat DNS Servers
    $ nslookup
    > set type=ns
    > lincsat.com
    Server: 66.37.143.12
    Address: 66.37.143.12#53

    Non-authoritative answer:
    lincsat.com nameserver = ns2.anywarenetworks.com.
    lincsat.com nameserver = ns1.anywarenetworks.com.

    MCI DNS Servers
    $ nslookup
    > set type=ns
    > mci.com
    Server: 66.37.143.12
    Address: 66.37.143.12#53

    Non-authoritative answer:
    mci.com nameserver = auth61.ns.uu.net.
    mci.com nameserver = auth300.ns.uu.net.
    mci.com nameserver = auth310.ns.uu.net.
    mci.com nameserver = DNS1.mci.com.
    mci.com nameserver = DNS2.mci.com.
    mci.com nameserver = DNS3.mci.com.
    mci.com nameserver = DNS4.mci.com.
    mci.com nameserver = auth01.ns.uu.net.
    mci.com nameserver = auth50.ns.uu.net.

    Authoritative answers can be found from:
    DNS3.mci.com internet address = 199.249.19.2
    DNS4.mci.com internet address = 199.249.18.2

    Shaw Cable DNS Servers

    $ nslookup
    > set type=ns
    > shaw.ca
    Server: 66.37.143.12
    Address: 66.37.143.12#53

    Non-authoritative answer:
    shaw.ca nameserver = ns10sc.cg.shawcable.net.
    shaw.ca nameserver = ns7.no.cg.shawcable.net.

    Authoritative answers can be found from:
    ns10sc.cg.shawcable.net internet address = 204.209.208.51

    Comcast DNS Servers
    $ nslookup
    > set type=ns
    > comcast.net
    Server: 66.37.143.12
    Address: 66.37.143.12#53

    Non-authoritative answer:
    comcast.net nameserver = dns02.jdc01.pa.comcast.net.
    comcast.net nameserver = adns.cmc.comcast.net.
    comcast.net nameserver = dns01.jdc01.pa.comcast.net.

    Authoritative answers can be found from:
    dns01.jdc01.pa.comcast.net internet address = 68.87.96.3
    dns02.jdc01.pa.comcast.net internet address = 68.87.96.4

    Cheers!!!

     
  12. mpegmaster

    mpegmaster Addicted to LI Member

    dnsmasq - alternative query Port

    Technically interested whether it is possible to do this with Tomato.

    The dnsmasq man page... http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
    offers... query-port=<query_port>

    But also states...
    "NOTE that using this option will make dnsmasq less secure against DNS spoofing attacks but it may be faster and use less resources."

    Questions...

    1.) Is this less secure?

    2.) Has somebody already used this setting?

    3.) Other question, and that points to the mod TomatoVPN, is...
    Could I use a DNS server which is running on my dedicated server, where I'm connected via VPN most of the time?

    I would need to set the VPN IP of the server at Basic -> Network 'Static DNS', or?
    This would route DNS requests (could be UDP port 53) through the VPN to my dedicated server and also bypass DNS blocking/interception by my ISP.

    Is this the Answer?

    The query_port option sets the source port (which is random for security), not the destination port.

    The option you want is
    server=xxx.xxx.xxx.xxx#110


    Cheers!!!
     
  13. mpegmaster

    mpegmaster Addicted to LI Member

    which.opendns.com... instructions for checking server

    The following is from... http://www.opendns.com/support/article/208



    To help diagnose technical problems, it's helpful to know which OpenDNS server, in which location, you are using. Since our anycasted nameserver addresses route you automatically to the closest servers, we offer a command line mechanism to determine this information.

    Use which.opendns.com to learn this information. If you're not using OpenDNS, the response will share that information, too. What you are requesting is the which.opendns.com/TXT/IN record. (That's the Internet-class TXT record for which.opendns.com.)

    Enter one of the following commands at the command line prompt on your machine - and do not enter the dollar ($) signs.

    $ dig +noall +answer which.opendns.com txt @208.67.222.222

    OR

    $ nslookup -type=txt which.opendns.com. 208.67.222.222

    If you are using OpenDNS, you will get a response indicating the number and location of the server. Please share this with Support if you are having problems.
    If you are not using OpenDNS, the response will include this text: "I am not an OpenDNS resolver."


    Advanced: Forcing TCP instead of UDP


    Some ISPs perform transparent proxying of port-53 UDP traffic. If you think that a command should be speaking to our server but its output indicates that it is not, try forcing the command to use TCP.

    $ dig +vc +noall +answer which.opendns.com txt @208.67.222.222

    OR

    $ nslookup -vc -type=txt which.opendns.com. 208.67.222.222

    OpenDNS is a globally available free DNS service.

    Providing safer, faster and smarter DNS is important; being reliable is the foundation.

    OpenDNS takes this responsibility seriously, and transparency about our service uptime and performance is critical.

    Bookmark this page at http://208.69.38.170/ so you see OpenDNS System Status even if your DNS is not available.

    Cheers!!!
     
  14. kenyloveg

    kenyloveg LI Guru Member

    Hi, mpegmaster
    Would you take a look into my question?
    It's about how to make Windows Server 2008 R2 recognize DNSMASq, and how DNSMASq tells Windows Server it's the primary DNS server for WAN but the R2 DNS server is for internal usage only.
    Thanks in advance.
     
  15. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I know this is an old post..but if anyone can still answer would be great..
    I use OpenDNS and I have noticed that it can easily be bypassed with Avast "secure DNS", if it's enabled... my question is.. would this setting in the DNSmasq of

    server=208.67.222.222
    server=208.67.220.220
    server=209.244.0.3
    server=209.244.0.4
    server=4.2.2.2
    server=4.2.2.3
    all servers


    prevent Avast from bypassing the DNS settings of the router?
     
  16. eibgrad

    eibgrad Addicted to LI Member

    Actually it's all-servers, not all servers. And if you had used the correct syntax, it would have worsened the situation since it's always possible some DNS other than OpenDNS responded first. If anything, you should be using strict-order (unless the ONLY DNS servers you have listed are OpenDNS).

    I assume by Avast secure DNS, you mean clients are using this software on individual clients to override the DNS server(s) returned by the router. If so, there is an option in the GUI to prevent calls to any DNS server other than the router:

    Intercept DNS port
    (UDP 53)

    As long as Avast secure DNS is using port 53, it should be blocked.
     
  17. somms

    somms Network Guru Member


    Code:
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    Can't speak for Avast but I'm using the above in the Firewall script in order to prevent bypassing use of OpenDNS which seems to be what you are also using judging by your DNS server addresses!;)
     
  18. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Hi..
    I should have mentioned it on my previous post.. I use Shibby Tomato firmware on my Linksys e2000 and I do have the Intercept port 53 checked (enabled)..but Avast still bypasses it anyway..

    Also.. you mentioned all-servers.. meaning..

    the setting should look like this?
    server=208.67.222.222
    server=208.67.220.220
    server=209.244.0.3
    server=209.244.0.4
    server=4.2.2.2
    server=4.2.2.3
    all-servers


    right?
     
  19. somms

    somms Network Guru Member


    Thanks for that tip and I just found this option in the GUI!

    If this performs the same function of the script I had in the firewall, I think I would be better off just checking that box and dumping the script!:)
     
  20. eibgrad

    eibgrad Addicted to LI Member

    What I'm saying is, if you use all-servers, that means it will send the DNS query to ALL the DNS servers listed, all at the same time! The one that responds first is used. So using all-servers when your intent is to force the use of OpenDNS makes no sense if you have non OpenDNS servers listed as well. If you want to use non OpenDNS servers too, then don’t use all-servers, but do use strict-order. Now each DNS server will be called in order, and presuming OpenDNS is listed first and responds, the other DNS servers are never called.

    IOW, it may be that Avast is being blocked w/ the GUI feature enabled, but it’s the way you have DNSMasq configured that’s allowing DNS servers other than OpenDNS to respond.
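The rules eibgrad and the first post describe (server=, all-servers, strict-order, plus the server=ip#port form from post 12) are easy to get wrong in the custom-config box, so here is a small lint for that subset of dnsmasq syntax. It is an added example, not code from the thread or from dnsmasq; the sample boxes are constructed, and other legal dnsmasq forms such as server=/domain/ip are deliberately reported as unrecognised.

```python
"""Lint for the dnsmasq directives this thread uses in the Tomato custom-config box."""
import ipaddress
import re

SERVER_RE = re.compile(r"^server=(?P<ip>[^#\s]+)(?:#(?P<port>\d+))?$")
BARE_FLAGS = {"all-servers", "strict-order"}

# Constructed samples. SAMPLE_TYPO mirrors the box posted earlier in the thread,
# including its "all servers" line; SAMPLE_STRICT is the shape eibgrad recommends.
SAMPLE_TYPO = """\
server=208.67.222.222
server=208.67.220.220
server=209.244.0.3
server=209.244.0.4
server=4.2.2.2
server=4.2.2.3
all servers
"""
SAMPLE_STRICT = """\
# OpenDNS first, so strict-order tries it before anything else
server=208.67.222.222
server=208.67.220.220
server=209.244.0.3
strict-order
"""
OPENDNS = frozenset({"208.67.222.222", "208.67.220.220"})


def parse_config(text):
    """Parse the subset of dnsmasq syntax used in the thread.

    Returns (servers, flags, problems): servers is a list of (ip, port),
    flags the set of bare directives seen, problems a list of messages.
    """
    servers, flags, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        m = SERVER_RE.match(line)
        if m:
            try:
                ip = str(ipaddress.ip_address(m.group("ip")))
            except ValueError:
                problems.append(f"line {lineno}: {m.group('ip')!r} is not an IP address")
                continue
            port = int(m.group("port") or 53)   # dnsmasq's default upstream port
            if not 1 <= port <= 65535:
                problems.append(f"line {lineno}: port {port} out of range")
                continue
            servers.append((ip, port))
        elif line in BARE_FLAGS:
            flags.add(line)
        else:
            # Catches the "all servers" typo from the thread: it is not the
            # all-servers directive, so queries are not fanned out at all.
            problems.append(f"line {lineno}: unrecognised directive {line!r}")
    return servers, flags, problems


def lint(text, enforced=frozenset()):
    """Return findings for a custom-config box.

    enforced: upstream IPs every query is meant to reach (e.g. only OpenDNS).
    With all-servers any listed server may answer first; with strict-order the
    first listed server is asked first, so the enforced one must be listed first.
    """
    servers, flags, problems = parse_config(text)
    ips = [ip for ip, _ in servers]
    if len(set(ips)) != len(ips):
        problems.append("duplicate server= entries")
    if "all-servers" in flags and "strict-order" in flags:
        problems.append("all-servers and strict-order express opposite intents; keep one")
    outsiders = [ip for ip in ips if ip not in enforced]
    if enforced and outsiders:
        if "all-servers" in flags:
            problems.append(
                f"all-servers lets non-enforced server(s) {outsiders} answer first")
        elif "strict-order" in flags and ips[0] not in enforced:
            problems.append(
                f"strict-order but first server {ips[0]} is not in the enforced set")
        elif "strict-order" not in flags:
            problems.append(
                f"no strict-order: dnsmasq may prefer non-enforced server(s) {outsiders}")
    return problems


if __name__ == "__main__":
    for name, box in (("typo", SAMPLE_TYPO), ("strict", SAMPLE_STRICT)):
        print(name, lint(box, OPENDNS) or "ok")
```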
     
  21. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I get what you're saying.. I did not have this setting on my DNSmasq section. I just found this today on this post.. I was just looking for a way to prevent a piece of software like Avast from bypassing the DNS setting I have set on the router. And from the looks of it, no one knows how to prevent Avast from doing this.. Even with Intercept port 53 enabled... this is driving me nuts because kids are aware of this loophole and are using it in schools to bypass pretty much anything.
     
    Last edited: Dec 16, 2014
  22. eibgrad

    eibgrad Addicted to LI Member

    Perhaps Avast is intercepting DNS queries on the client and redirecting them to their own DNS servers; servers that perhaps are not using port 53. They might be proxying them over port 80 or 443, which obviously you can't block if you expect anything else to work. But we’d have to investigate further to be sure.

    That’s why trying to block/filter content is nearly impossible. They quickly learn from their peers how to use these tools to get around your parental controls, including the use of VPNs. Very tough to stop, even for an expert, and probably impossible if they have any skills at all on the computer.
     
  23. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    There's got to be some firewall rule that can prevent this.. haha.. I don't know which one it is..but, I'm sure there's something to stop this madness, or at least to delay it for a bit until they come up with something new..
    I understand that it is virtually impossible to block everything or to have 100% control of your network.. but having something like Avast that makes it so easy to circumvent the router filters?.. I mean, anyone trying to bypass my router settings and filters should at least be forced to pull a few hairs before bypassing it, lol
     
  24. eibgrad

    eibgrad Addicted to LI Member

    If Avast is using their own DNS server(s), and you can determine the IP address(es), you can block it (by ip address rather just port, in case it's being proxied).
     
  25. jerrm

    jerrm Network Guru Member

    The port 53 redirect will only work for unencrypted dns. It looks like Avast is using dnscrypt. Redirecting 53 may break avast securedns, but I doubt it will really work as intended. Wouldn't be surprised if they also try other ports as well. Blocking Avast's DNS servers by IP is probably the only guaranteed solution, but I don't know if they publish a list, and if they are really unfriendly, avast may have other content besides DNS (like pattern updates) hosted on those same IPs.

    The server directives in dnsmasq.conf are basically useless.
     
  26. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Well, I posted my concerns on their forum.. I haven't received a response yet...still waiting.
     
  27. Monk E. Boy

    Monk E. Boy Network Guru Member

    It kind of looks like Avast mostly uses port 443 based on this log, occasionally falling back to port 53. Probably using TCP for both (the intercept port 53 box only covers UDP).
    https://forum.avast.com/index.php?topic=159897.0

    The IPs in his log are Avast's DNS servers, so some iptables rules blocking access to those IPs should, in theory, block Avast DNS. Once these get blocked more than likely it'll try additional servers, in which case you'd need to add more rules.
    iptables -I FORWARD -d 159.253.145.176 -j REJECT
    iptables -I FORWARD -d 5.45.62.77 -j REJECT
    iptables -I FORWARD -d 77.234.42.87 -j REJECT
    iptables -I FORWARD -d 216.185.103.158 -j REJECT
    iptables -I FORWARD -d 67.228.177.241 -j REJECT
    iptables -I FORWARD -d 216.185.103.154 -j REJECT

    Since the software makes a log file, it should be easy enough to install the securedns client on a test system and keep monitoring its log as you add iptables rules, adding new rules as it spawns new connections until avast falls over and dies.
     
    Last edited: Dec 16, 2014
  28. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I think you are correct.. port 443 maybe the one to block or reroute..

    This is what I got from them...

    TCP/UDP 53 to opendns.com, api.opendns.com, 208.67.222.222, 208.67.220.220
    TCP/UDP 443 to opendns.com. api.opendns.com, 208.67.222.222, 208.67.220.220

    How do I do this on the router? - This is forcing or re-routing any requests to port 53 or port 443 to dns 208.67.222.222, right? - If this is the case, then this is what I need..
     
  29. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Thanks, but these iptables rules do not work.
     
  30. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Ok.. so Avast finally responded.. first they told me they were going to provide their IPs.. then, they said they couldn't do so because it would block other instances of Avast..so basically, I got no help from Avast at all.

    So, anyone using Avast Secure DNS will completely bypass ANY router settings, and this is driving me crazy..
    Isn't there an option to block ANY instances of Avast via the router's firewall? - I don't care if it prevents Avast from being able to get UPDATES.
     
  31. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    UPDATE!!
    iptables was not working to block port 443 udp.. these are the ones I tried which may have been incorrect.

    iptables -A INPUT -p tcp -m tcp --dport 443 -j DROP
    iptables -A INPUT -p udp -m udp --dport 443 -j DROP

    Rebooted the router.. and I still pull blocked pages on the PC with Avast DNS enabled

    also tried
    iptables -A OUTPUT -p tcp -m tcp --dport 443 -j DROP
    iptables -A OUTPUT -p udp -m udp --dport 443 -j DROP

    Still nothing....

    The only thing that worked was blocking UDP port 443 in Access Restrictions..
    that did the trick and now Avast Secure DNS does not work :)

    Now, does anybody know why the iptables rules were not doing the same function as this?
     
  32. jerrm

    jerrm Network Guru Member

    Two problems with the posted rules. iptables -A adds to the end of the chain. The traffic was probably allowed or denied well before getting to those rules. Also INPUT and OUTPUT only impact traffic to/from the router itself. The proper chain would probably be wanout (where -A might have a chance of working), or FORWARD (but use -I to make sure the rule is executed).
     
  33. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Ok.. so what would the correct iptable look like?
    and also, is it possible to reroute port 443 to another port or another IP?

    would look like this?
    iptables -I OUTPUT -p udp -m udp --dport 443 -j DROP
     
  34. jerrm

    jerrm Network Guru Member

    -I FORWARD
     
  35. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    iptables -I FORWARD -p udp -m udp --dport 443 -j DROP? - (I've seen others use REJECT) - will it do the same thing?

    Now, I can just drop that iptables rule right under the existing iptables rules I currently have, right? I don't have to have a space between the last rule and a new one?
     
  36. jerrm

    jerrm Network Guru Member

    Either DROP or REJECT should work. Reject may cause the client to give up faster and may be better in this instance. On the other hand, Avast may see it is being actively blocked and try another port.

    Try both and see.
     
  37. Monk E. Boy

    Monk E. Boy Network Guru Member

    iptables -I FORWARD -p udp --dport 443 -j REJECT
    Would reject all forwarded UDP packets being sent to port 443. I don't see why the -m would be needed.

    The problem with DROP is that the client will sit there and try, try, try, try, try to send data because it thinks the packet just got lost instead of simply being rejected by the router. Both generally work but you may end up getting faster results with REJECT since the software will - eventually - do the same thing with DROP as it does with REJECT, you'll just have to sit around twiddling your thumbs waiting for all the packets to time out before the software moves on to its backup plan.
     
    Last edited: May 12, 2015
  38. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Awesome guys... thank you, I'll play around and see.. I really appreciate you guys' expertise.
    what about the redirect? - I believe I read somewhere that said you can't redirect a port, so that's why I was asking here because you guys would know if that's a fact or not.
     
  39. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    This one works
    iptables -I FORWARD -p udp --dport 443 -j REJECT

    and I also added this rule to block all outgoing ssh connections
    iptables -A OUTPUT -p tcp --dport ssh -j REJECT
    the "A" in this case is correct, right?

    would that also block any outbound vpn connections or is it a different rule?
     
  40. Monk E. Boy

    Monk E. Boy Network Guru Member

    -A appends the rule to the end of the iptables OUTPUT rule. If an earlier iptables rule on the OUTPUT table matches traffic for ssh then it will not reach your reject rule. You would need to list the OUTPUT rule and determine if that's true.

    In your particular case your rule (assuming it wasn't blocked by an earlier rule) would block the router - and only the router - from connecting to an ssh server running on another system. It wouldn't block clients on your network from connecting to the ssh server on the router, nor connecting to an ssh server on the internet.

    I don't deal with redirects much. For a redirect of their traffic to a particular system/port to work, you'd need to have software running on that system/port that understands the traffic being sent. Like, for instance, if you tried to redirect this udp 443 traffic to a web server running somewhere else, that wouldn't work, because the software would be sending its specially crafted udp packets at the server and expecting a specially crafted udp packet in response, and the web server would respond with tcp packets.
     
  41. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Oh ok.. that's fine, the redirect was just for info mainly but as long as I can block a connection is really what I am looking for.

    Would there be a rule that blocks users from successfully making an SSH and/or VPN connection using my router?
    When I say using my router I mean anyone connected to it..not blocking the router from connecting to an ssh connection.. just blocking the capability of anyone from doing so on their machines using my internet.
     
    Last edited: May 12, 2015
  42. Monk E. Boy

    Monk E. Boy Network Guru Member

    Sure, that'd be something very similar to what I wrote earlier, just with a different packet & port.

    iptables -I FORWARD -p tcp --dport 22 -j REJECT

    That'd work for anyone connecting from their client system to an ssh host on another network (so going from LAN out the WAN port, or another VLAN if you have multiple VLANs) on the standard ssh port.

    Obviously if they connect to ssh on a custom port, the rule won't match because the dport is different. SSH can listen on any arbitrary port number so it can turn into a bit of a whack-a-mole game if you're really serious about blocking them, as you add port after port.

    Note you can add multiple ports to that one rule, you don't have to create individual rules for each and every port. In that case the rule changes to:
    iptables -I FORWARD -p tcp -m multiport --dports 22,2222,32222:33335 -j REJECT

    In that example it rejects tcp traffic destined to ports 22, 2222, and 32222 through 33335. Note that this rule will just as easily reject non-ssh traffic that happens to be using those ports and also uses tcp. It just matches the packet type & port and then rejects it, there's no additional logic. "ssh" is just a name for port 22.

    You could try to be a little more selective about what traffic matches by, say, specifying your local LAN/WLAN subnet as the source. Assuming that's 192.168.1.1 the rule would change to:
    iptables -I FORWARD -s 192.168.1.0/24 -p tcp -m multiport --dports 22,2222,32222:33335 -j REJECT

    So only a packet sent from 192.168.1.x over tcp to those ports would be rejected. This tends to help you not reject traffic coming in from the internet (typically port forwards). This typically won't reject traffic coming from the router itself since that should be using the OUTPUT table (or INPUT for traffic coming into the router).

    Hopefully this all makes sense, sometimes I tend to get a little wordy on the wrong topics.
     
  43. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    This is awesome.. very good information.. and YES, it makes a lot of sense and I am learning bit by bit :)
    so basically this
    iptables -I FORWARD -p tcp --dport 22 -j REJECT
    is the same as
    iptables -I FORWARD -p tcp --ssh -j REJECT?

    I understand that this will always be the game of cat and mouse and there will always be a door left opened for those who know how to go through it, lol - but, I can only do what I can.. I try to get bits and pieces from here and there and try my best to work with what little knowledge I've gotten from forums like these and from patient folks like you :)
     
  44. Monk E. Boy

    Monk E. Boy Network Guru Member

    Yes, the two lines are the same. For specific services iptables understands it will list the names of the services instead of the port numbers to make things easier on people who get cross-eyed looking at numbers. When creating rules you can use the names as well. There is a way to get a list of what the current tables are out of iptables, and when creating those listings iptables will use the service names, which is really helpful if you're looking at udp port 25 and pondering why it didn't change to smtp (smtp is tcp port 25, udp port 25 isn't smtp, so iptables not showing the name is a great clue that you've messed up the rule a bit).

    In this particular instance I created the rule with 22 instead of ssh because 22 is one character less than ssh, so if you're putting this into NVRAM (like in the scripts/firewall page) that's 8 whole bytes of nvram saved. I do little things here and there to try and conserve NVRAM.

    I kind of look at this cat and mouse game as putting enough stumbling blocks in their path to stop the casual attempt. If someone's really determined, they can get around anything. All I want to do is stop the people who will do things because you let them do it and will give up when they hit resistance.
     
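    The rule-ordering point (-I versus -A), the multiport port ranges and the source-subnet match from post 42, together with the service-name-to-port mapping from post 44, can be checked without touching a real kernel. The following is an added example, not code from the thread: a small Python model of the filter table that accepts the same command lines the posts use and reports the verdict for a constructed packet. It assumes a default chain policy of ACCEPT and a constructed three-entry subset of /etc/services.

    ```python
    import ipaddress

    # Constructed subset of /etc/services so names resolve offline (assumption).
    SERVICE_PORTS = {"ssh": 22, "smtp": 25, "https": 443}

    def parse_ports(spec):
        """'22,2222,32222:33335' or 'ssh' -> list of (low, high) port ranges."""
        ranges = []
        for part in spec.split(","):
            lo, _, hi = part.partition(":")
            lo = int(SERVICE_PORTS.get(lo, lo))
            hi = int(SERVICE_PORTS.get(hi, hi)) if hi else lo
            ranges.append((lo, hi))
        return ranges

    class Firewall:
        """Filter table with three chains; default policy ACCEPT (assumption)."""
        def __init__(self):
            self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}

        def add(self, cmdline):
            """Take an iptables-style command line like the ones in the thread."""
            argv = cmdline.split()
            rule, chain, insert = {"proto": None, "src": None, "dports": None}, None, False
            for i in range(0, len(argv), 2):          # every option here takes one argument
                opt, arg = argv[i], argv[i + 1]
                if opt in ("-I", "-A"):
                    chain, insert = arg, opt == "-I"
                elif opt == "-p":
                    rule["proto"] = arg
                elif opt == "-s":
                    rule["src"] = ipaddress.ip_network(arg, strict=False)
                elif opt in ("--dport", "--dports"):
                    rule["dports"] = parse_ports(arg)
                elif opt == "-j":
                    rule["target"] = arg
                elif opt != "-m":                      # "-m multiport" needs no state of its own
                    raise ValueError(f"unsupported option {opt}")
            if insert:
                self.chains[chain].insert(0, rule)     # -I: becomes the first rule checked
            else:
                self.chains[chain].append(rule)        # -A: checked after everything already there

        def verdict(self, chain, proto, src, dport):
            """First matching rule wins; no match falls through to the chain policy."""
            for r in self.chains[chain]:
                if r["proto"] and r["proto"] != proto:
                    continue
                if r["src"] and ipaddress.ip_address(src) not in r["src"]:
                    continue
                if r["dports"] and not any(lo <= dport <= hi for lo, hi in r["dports"]):
                    continue
                return r["target"]
            return "ACCEPT"
    ```

    Appending a REJECT behind an earlier ACCEPT leaves the traffic accepted, while inserting it puts it in front; the range 32222:33335 catches any port in between, and a packet from outside 192.168.1.0/24 is not touched by the source-restricted rule.
    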
  45. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Well.. let me ask you this.. will I save even more nvram by blocking udp port 443 in Access Restrictions as shown above rather than adding the firewall rule?

    what are the pros and cons of using Access Restrictions vs the firewall with regards to blocking ports?
     
