Block incoming access by URL/Domain name

px03afk
DD-WRT User


Joined: 09 Mar 2012
Posts: 95

Posted: Fri Mar 17, 2017 18:30    Post subject: Block incoming access by URL/Domain name
Is there a way within DD-WRT of blocking by URL/Domain? IP address range only goes so far and would need continual updating if the address keeps changing.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Sat Mar 18, 2017 9:06
A simple but not foolproof solution is to block the domain from resolving by adding this in the Additional DNSMasq Options on the Services page:

Quote:
address=/.microsoft.com/127.0.0.1


This effectively blocks the domain microsoft.com from resolving (actually redirecting the DNS query to the local host, which cannot resolve it).

But an even better solution is using the Access Restrictions page from the GUI, where you can block access by domain; this adds a firewall rule blocking the website. Do not forget to enable the rule by checking enable and enter the IP range of List of Clients :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
px03afk
DD-WRT User


Joined: 09 Mar 2012
Posts: 95

Posted: Tue May 16, 2017 17:57
The access restrictions page still needs IP addresses so how does this help to block a domain by name?
Kadigan
DD-WRT Novice


Joined: 19 May 2017
Posts: 12

Posted: Sat May 20, 2017 15:44
First of all, I don't fully understand the problem -- your topic says "incoming access", so block WAN-side access to the router? (if you mean connections from LAN to the Internet, amend your topic to say "outgoing")


Second, no amount of filtering will work against HTTPS connections, since they're encrypted (so no keyword-based blocking). But there's a way to block the domain:

Code:
iptables -I FORWARD 1 -p tcp -d domain.com -m multiport --dports 80,443 -j DROP


This filter will block all outgoing requests to "domain.com" on ports 80 (HTTP) and 443 (HTTPS) over TCP. You'll want to insert this into Firewall rules in Administration > Commands.

Taken from: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=79097#502101


Do note that DNS blocking is ineffective if you don't also block outgoing connections to third-party DNS servers (since anyone can just change their DNS server entry to point elsewhere, like Google's 8.8.4.4, and bypass the DNS block altogether).

Unfortunately, at least my dd-wrt (r29147) doesn't include the "string" module, so I can't test blocking by "Host: ".
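
Added example, not part of any post in this thread: a POSIX shell sketch that prints (does not apply) firewall rules combining the two points above, forcing LAN DNS queries to the router's dnsmasq so the `address=/.../` block cannot be bypassed with a third-party resolver, plus the per-domain FORWARD drop. The interface `br0`, the address `192.168.1.1` and the helper names `valid_domain` and `gen_rules` are assumptions; note that iptables resolves a host name given to `-d` only once, when the rule is inserted.

```shell
#!/bin/sh
# Added example: prints iptables rules, it does not apply them.
# Assumptions: LAN bridge br0, router LAN address 192.168.1.1 (constructed
# sample values), dnsmasq on the router answering on port 53.

# Accept only plain host names so nothing else can end up in a rule line
# (rejects empty names, leading/trailing dots, leading '-', other characters).
valid_domain() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# gen_rules LAN_IF LAN_IP DOMAIN...
gen_rules() {
    lan_if=$1; lan_ip=$2; shift 2
    # 1. Send every LAN DNS query to the router's dnsmasq, so the
    #    address=/.../ entries cannot be skipped via another resolver.
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i $lan_if -p $proto --dport 53 -j DNAT --to-destination $lan_ip"
    done
    # 2. Per-domain FORWARD drop, same form as the rule quoted in the thread.
    #    iptables resolves the name once, at insert time, so the rule must be
    #    re-inserted if the domain's addresses change.
    for d in "$@"; do
        if valid_domain "$d"; then
            echo "iptables -I FORWARD 1 -p tcp -d $d -m multiport --dports 80,443 -j DROP"
        else
            echo "skipped invalid domain: $d" >&2
        fi
    done
}

# Dry run with constructed sample values; the second name is rejected.
gen_rules br0 192.168.1.1 domain.com 'bad;name'
```

The printed lines can be reviewed and then pasted into the Firewall rules under Administration > Commands.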