Blocking useless

Hi

How to block certain domain and (!) IP?

I need to block:

8.8.8.8 and 8.8.4.4

example.com

domain.* (all TLD)

All DNS requests. Allow only local and Adguard DNS

Can you help?

Here you go: [OpenWrt Wiki] IPv4 firewall examples

But to be honest: This is useless. The device isn’t a UTM firewall, so it will be hard to block what you want - especially 3 and 4 will be impossible.

As I heard, there is a way to block them via the Adblock (or dnsmasq) package. But how?

The main problem is that blocking DNS does not really work because it depends strongly on the end device. It is more or less a decision made freely by the client.

Since DNS-over-TLS, DNScrypt and DNS-over-HTTPS have been available, DNS can no longer be blocked unless all clients are under control. You can’t block them because there are plenty of ways to get DNS answers and not even the port is fixed.

You can try within the GL GUI Network > DNS > Override DNS Settings for All Clients, which will at least try to make the router's DNS the primary one, but as said before, it's more or less a client thing.

So the main question for you must be: In what environment will you use this setup?

What do you mean? Only on my own devices. I will not allow anyone to connect to my network. Of course I have full control over them. But I need to block some domains on my IOT things. I don't really use server (over internet) control as they can be controlled via LAN (you must be connected to the same network as the IOT devices).

I can block internet on them (can I?) but there is no really good solution, as I need to keep firmware auto updates but block connections to the control server. The firmware server is ota.domain.tld, the cloud server is domain2.tld.

In that case you can block the IPs of the fw OTA servers using my link above and you can block DNS request answer by using AdGuard Home.

No no. I have to save OTA but block cloud (remote) control

Well, doesn’t matter. You can block whatever IP you like and rewrite whatever DNS entry you like.

As long as the device is not using its own DNS resolver or hard-coded IPs that you don't know.

It uses two of them and several domains.

I know them. Network sniffer helped :smiley:

My router does not support it :crying_cat_face:

Try this one: routing - Is it possible to override a single domain name using dnsmasq? - Server Fault

addn-hosts=/etc/dnsmasq.hosts

This is new file I need to create?

Like this?

cd /etc
nano dnsmasq.hosts

Yep.

But don’t forget to add addn-hosts=/etc/dnsmasq.hosts to /etc/dnsmasq.conf

To add this just edit file? Or delete and create new?

PS: this will block domains, how to block IP?

Everything you need to know is written in the link:

Add this line to /etc/dnsmasq.conf:

addn-hosts=/etc/dnsmasq.hosts

Then insert your domain names into /etc/dnsmasq.hosts:

10.0.0.1  prod.example.com.
10.0.0.2  dev.example.com.

Don’t forget the period at the end of the domain name. It marks it as a TLD, not a local hostname.

As always after configuration changes, restart dnsmasq:

sudo service dnsmasq restart
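The steps quoted above (an addn-hosts file for dnsmasq, plus firewall rules for the IPs from the OpenWrt wiki link) can be generated and sanity-checked before anything is copied to the router. The script below is an added example, not code from this thread or from GL.iNet/OpenWrt; the domains and IPs in it are the ones mentioned in the thread, the output directory and function names are assumptions, and the OpenWrt `config rule` syntax is from the firewall configuration format the wiki link describes.

```sh
#!/bin/sh
# Added example: render the dnsmasq sinkhole hosts file and OpenWrt firewall
# rule fragments described in the thread into a scratch directory, and check
# them, without touching /etc on the router.

SINK_IP="0.0.0.0"   # unroutable answer: the IOT device gets a dead address

# Emit a dnsmasq additional-hosts file, one sinkhole line per domain.
# The trailing period makes dnsmasq treat the name as fully qualified,
# as in the quoted Server Fault answer.
make_hosts_file() {
    for d in "$@"; do
        printf '%s  %s.\n' "$SINK_IP" "$d"
    done
}

# Count lines that are not "<ipv4>  <name>." (comments and blanks ignored).
# A typo here would otherwise surface only after the dnsmasq restart.
validate_hosts_file() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$line" \
          | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]+[A-Za-z0-9.-]+\.$' \
          || bad=$((bad + 1))
    done
    echo "$bad"
}

# Emit /etc/config/firewall sections: reject LAN->WAN traffic to each IP,
# plus one rule rejecting plain DNS (port 53) leaving the LAN so clients have
# to use the router's resolver. As the thread notes, DoT/DoH are not caught.
make_fw_rules() {
    n=0
    for ip in "$@"; do
        n=$((n + 1))
        printf "config rule\n"
        printf "\toption name 'block_ip_%d'\n" "$n"
        printf "\toption src 'lan'\n\toption dest 'wan'\n"
        printf "\toption dest_ip '%s'\n" "$ip"
        printf "\toption proto 'all'\n\toption target 'REJECT'\n\n"
    done
    printf "config rule\n\toption name 'block_external_dns'\n"
    printf "\toption src 'lan'\n\toption dest 'wan'\n"
    printf "\toption dest_port '53'\n\toption proto 'tcp udp'\n"
    printf "\toption target 'REJECT'\n\n"
}

# Number of rule sections in a fragment (sanity check for the output above).
count_rules() {
    grep -c '^config rule'
}

# Write all three fragments to an output directory (assumed default ./out).
# After review, copy them to the router and restart both services:
#   /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
render_configs() {
    out="${1:-./out}"
    mkdir -p "$out"
    make_hosts_file domain2.tld example.com > "$out/dnsmasq.hosts"
    printf 'addn-hosts=/etc/dnsmasq.hosts\n' > "$out/dnsmasq.conf.fragment"
    make_fw_rules 8.8.8.8 8.8.4.4 > "$out/firewall.fragment"
    make_hosts_file domain2.tld example.com | validate_hosts_file
}

# Usage: sh block.sh render [outdir]
if [ "${1:-}" = "render" ]; then
    render_configs "${2:-./out}"
fi
```

The OTA host (ota.domain.tld) is deliberately not in the hosts file, which is the point of the thread: sinkhole only the cloud-control name and leave the update server reachable. Note that the firewall rule for port 53 still lets traffic to the router's own resolver through, because that traffic never crosses into the wan zone.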

See [OpenWrt Wiki] IPv4 firewall examples

I am deliberately not giving you a complete guide, as you are now getting into OpenWrt and will - unfortunately - have to get to know it.


Huge thank you! You are lifesaver!