Firewall rule(s) for single DoT server

arjun
Posts: 3
Joined: Tue Sep 02, 2025 3:43 pm
Location: Canada

Firewall rule(s) for single DoT server

Post by arjun »

I'm trying to implement firewall rules that essentially do: "disallow all TCP traffic to remote port 853 except to family{DOT}cloudflare-dns{DOT}com". I can't figure it out and my googling hasn't turned up anything promising either, surprisingly. Please help.

Lantis
Moderator
Posts: 7149
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia
Contact:

Re: Firewall rule(s) for single DoT server

Post by Lantis »

First question, what version are you using? This will determine whether the advice should be based on iptables or nftables.

In essence, neither of them natively supports what you’re looking for, but we can use ipsets (or nftsets) and dnsmasq to look up the FQDN and create a set.
You would then create a rule that references the set to allow it first before blocking everything else on that port.

Hope that gives you some extra help in searching for the solution, otherwise happy to keep exploring it here in the forum together.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog

arjun
Posts: 3
Joined: Tue Sep 02, 2025 3:43 pm
Location: Canada

Re: Firewall rule(s) for single DoT server

Post by arjun »

Appreciate any guidance you can give me; my networking chops are amateur at best. I'm running 1.15.x_20250331 for WRT1900ACSv2.

Lantis
Moderator
Posts: 7149
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia
Contact:

Re: Firewall rule(s) for single DoT server

Post by Lantis »

So I was thinking more on this and blocking the domain name may not be necessary (at least for cloudflare). We can probably achieve this with simple IP based rules.

Try this out.

# Inserted at the top of forward_lan; later inserts land above earlier ones
nft insert rule inet fw4 forward_lan tcp dport 853 reject;
nft insert rule inet fw4 forward_lan ip daddr { 1.1.1.3,1.0.0.3 } tcp dport 853 accept;
nft insert rule inet fw4 forward_lan ip6 daddr { 2606:4700:4700::1113,2606:4700:4700::1003 } tcp dport 853 accept;

This establishes 3 rules (note that they are INSERT rules so the order is reversed in the table to the order we run the commands).
First rule allows TCP 853 traffic to the IPv6 addresses for cloudflare family DNS.
Second rule allows TCP 853 traffic to the IPv4 addresses for cloudflare family DNS.
Third rule blocks all other traffic to TCP 853.

If this achieves what you want, then we need to make it persistent.

mkdir /usr/share/nftables.d/chain-pre/
mkdir /usr/share/nftables.d/chain-pre/forward_lan/
touch /usr/share/nftables.d/chain-pre/forward_lan/10-dotblock.nft

Then go and modify /usr/share/nftables.d/chain-pre/forward_lan/10-dotblock.nft to include the following:

# allow DoT only to the cloudflare family DNS endpoints
ip daddr { 1.1.1.3,1.0.0.3 } tcp dport 853 accept;
ip6 daddr { 2606:4700:4700::1113,2606:4700:4700::1003 } tcp dport 853 accept;
# everything else on TCP 853 is rejected
tcp dport 853 reject;

These rules will then auto insert into the firewall every time it restarts.

arjun
Posts: 3
Joined: Tue Sep 02, 2025 3:43 pm
Location: Canada

Re: Firewall rule(s) for single DoT server

Post by arjun »

Awesome. Thanks. I think this is the beginning of a solution. At least on Android, if I utilize the private DNS feature, I have to give a hostname. An IP address won't work. The use-case is that I want to enforce family filtering on kids' phones using this feature, to ensure DNS filtering on home Wi-Fi as well as mobile data (and it even circumvents VPN, amazingly).

Lantis
Moderator
Posts: 7149
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia
Contact:

Re: Firewall rule(s) for single DoT server

Post by Lantis »

I believe that host name will always resolve to these 4 IPs I've listed; that's why I had hoped the rule could be this simple.

There are definitely more complicated rules we can implement with domains, but we need to swap out dnsmasq for a fully featured version, and while I was testing the steps for you I knocked my own network out, so I'm not confident yet to advise on it.

Give the simple approach a try and see what happens :)
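Two helpers for the approach in this thread, added here as an example and not posted by anyone in the discussion: one renders the same three-rule chain-pre fragment from the address lists, and one checks whether a set of addresses a resolver returned for the hostname (fed on stdin, one per line) is fully covered by the allow list, which is the assumption the simple IP rules rely on. The function names and the sample resolver output in the usage note are my own.

```shell
#!/bin/sh
# Allowed DoT endpoints for family.cloudflare-dns.com as listed in the thread.
ALLOW_V4="1.1.1.3 1.0.0.3"
ALLOW_V6="2606:4700:4700::1113 2606:4700:4700::1003"

# Print the fragment for /usr/share/nftables.d/chain-pre/forward_lan/:
# accepts for the allowed endpoints first, then the catch-all reject.
render_dotblock_rules() {
    v4=$(echo "$ALLOW_V4" | tr ' ' ',')
    v6=$(echo "$ALLOW_V6" | tr ' ' ',')
    printf 'ip daddr { %s } tcp dport 853 accept;\n' "$v4"
    printf 'ip6 daddr { %s } tcp dport 853 accept;\n' "$v6"
    printf 'tcp dport 853 reject;\n'
}

# Read addresses (one per line) from stdin and report any that are not in
# the allow list, i.e. any the firewall would reject. Returns 0 when every
# address is covered, 1 when at least one is not.
check_resolved() {
    missing=0
    while read -r addr; do
        [ -z "$addr" ] && continue
        case " $ALLOW_V4 $ALLOW_V6 " in
            *" $addr "*) ;;
            *) echo "not in allow list: $addr"; missing=1 ;;
        esac
    done
    return $missing
}
```

Typical use on the router: `render_dotblock_rules > /usr/share/nftables.d/chain-pre/forward_lan/10-dotblock.nft`, and periodically `nslookup family.cloudflare-dns.com | awk '/^Address/ {print $NF}' | check_resolved` to catch the day the hostname starts resolving to an address the rules do not allow.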
