OpenWrt Forum Archive

Topic: Question - Force DNS Traffic on IPV4 only

The content of this topic has been archived on 2 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I have OpenWRT Bleeding Edge r49296 on a Linksys EA3500 (Marvell Kirkwood). The configuration is perfect otherwise. Really loving the Material theme, BTW. I use a PPPoE connection for my ISP.

I wish to use OpenDNS in order to block certain websites on my home network, as my version of Parental Controls. I did configure that part fine and I see my traffic on my OpenDNS dashboard. However, they do not support enhanced features on IPv6. So that brings me to my question.

Is it possible to force DNS traffic to go out over IPv4 instead of IPv6? That way I can still use IPv6 on the LAN side. If that's not an option, how does one disable IPv6 connectivity in OpenWRT?

Be kind and provide the LuCI steps rather than SSH steps. I know the SSH way is preferred, but PuTTY and Windows are giving me a separate problem with VPN and I'd prefer not to use it, unless it's the last resort.

Kindly let me know. Thanks for the time invested.
Edit - Did see "how to disable / turn off ipv6 support in bb" and found it to be not that useful.

(Last edited by perseus on 30 Jun 2016, 21:05)

I am not a big fan of turning off IPv6. IPv6 is the future of the internet. It sounds like you need to bug OpenDNS for feature parity on IPv6 for a long-term solution.

In the short term, you could block DNS requests over IPv6 at the firewall, but that won't stop OpenDNS from returning IPv6 AAAA records over IPv4, which may not solve your problem.

Thank you cvmiller for taking the time to respond. I will see about implementing it at the firewall level.

Here's what I am trying to do. Due to the lack of usable Parental Controls, I was forced to use OpenDNS as a way to block certain websites. Even if I implement your suggestion, Android and iOS apps for the likes of YouTube tend to circumvent the DNS lookup and go to the site directly, possibly with hardcoded IP addresses. So it defeats my use of a block at OpenDNS. I did try to configure Tinyproxy; however, I want it to be transparent to all devices, and I don't find ways of doing so. Or my search-fu is weak.

So my unrelated question is, how does one go about blocking such requests?

perseus,

It must be challenging to restrict internet access as a parent these days, when kids are so tech savvy.

DNS uses UDP port 53 when making requests over IPv4 and IPv6. So in order to block IPv6 DNS requests, you need to configure the firewall to block UDP Port 53 over IPv6.

But as you pointed out, if people are using IP addresses directly, blocking DNS lookups won't stop the connections.
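The firewall rule cvmiller describes, written out as an added example in the UCI form that LuCI's Network > Firewall > Traffic Rules page saves to /etc/config/firewall (this is not configuration from the thread). It assumes the default zone names 'lan' and 'wan'; it rejects client DNS over IPv6 leaving the LAN, so clients can still reach the router's own resolver over IPv6 on the LAN side, while anything that tries a hardcoded IPv6 resolver on the internet is refused. The second block pins the router's own forwarder (dnsmasq, config /etc/config/dhcp) to the IPv4 OpenDNS resolvers so the router itself does not forward upstream over IPv6 either.

```uci
# /etc/config/firewall (added example, assumes zones 'lan' and 'wan')
config rule
	option name 'Reject-LAN-DNS-over-IPv6'
	option src 'lan'
	option dest 'wan'
	option family 'ipv6'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'

# /etc/config/dhcp (added example): forward only to the IPv4 OpenDNS resolvers
config dnsmasq
	option noresolv '1'
	list server '208.67.222.222'
	list server '208.67.220.220'
```

After `/etc/init.d/firewall reload` and `/etc/init.d/dnsmasq restart`, `ip6tables -vnL | grep 'dpt:53'` should show the REJECT rule, and its packet counter rising is the sign that a client was trying to bypass the LAN resolver over IPv6.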

cvmiller wrote:

perseus,

It must be challenging to restrict internet access as a parent these days, when kids are so tech savvy.

DNS uses UDP port 53 when making requests over IPv4 and IPv6. So in order to block IPv6 DNS requests, you need to configure the firewall to block UDP Port 53 over IPv6.

Indeed, that was the suggestion offered in this thread to block port 53 requests. After taking your suggestion, I followed the steps to block such requests. Now all PCs that try to go to the YouTube website are indeed blocked. But the YouTube app on smartphones and tablets doesn't seem to have any such issues, as it accesses the site directly by IP address.

If you're not hijacking DNS requests that might be a reason. Some Androids have Google DNS servers (both IPv4 and IPv6) hardcoded, so they can resolve domain names still.

stangri wrote:

If you're not hijacking DNS requests that might be a reason. Some Androids have Google DNS servers (both IPv4 and IPv6) hardcoded, so they can resolve domain names still.

I know, right. Although I have ways to block at the Android level using DroidWall, I wish I could do the same at the router level or something. Would a properly configured Tinyproxy achieve blocking such requests where Google's DNS is hardcoded?

Run the code below in the console once; it will create the necessary firewall rules:

# Make sure the firewall service includes /etc/firewall.user
uci set firewall.@include[0]=include
uci set firewall.@include[0].path=/etc/firewall.user
uci commit firewall
# Router's LAN IPv4 address and its ULA IPv6 address (ULA prefix + "1"); all LAN DNS gets redirected to these
ip=$(uci -q -P/var/state get network.lan.ipaddr)
ip6=$(uci -q -P/var/state get network.globals.ula_prefix | cut -d/ -f1) && [ -n "$ip6" ] && ip6=${ip6}1
# Each rule is appended only if an identical line is not already present (grep -q), so the script is safe to re-run
if [ -n "$ip" ] && [ -n "$ip6" ]; then
    grep -q "ip6tables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination \[$ip6\]" /etc/firewall.user || echo "ip6tables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination [$ip6]" >> /etc/firewall.user
    grep -q "ip6tables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination \[$ip6\]" /etc/firewall.user || echo "ip6tables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination [$ip6]" >> /etc/firewall.user
fi
if [ -n "$ip" ]; then
    grep -q "iptables -t nat -A prerouting_rule -i br-lan -p udp --dport 53 -j DNAT --to $ip" /etc/firewall.user || echo "iptables -t nat -A prerouting_rule -i br-lan -p udp --dport 53 -j DNAT --to $ip" >> /etc/firewall.user
    grep -q "iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 53 -j DNAT --to $ip" /etc/firewall.user || echo "iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 53 -j DNAT --to $ip" >> /etc/firewall.user
fi
# Apply the new rules
/etc/init.d/firewall reload >/dev/null 2>&1

Or you can just edit /etc/firewall.user manually. wink

stangri wrote:

Run the code below in the console once; it will create the necessary firewall rules:

Or you can just edit /etc/firewall.user manually. wink

Thank you. That worked. However, the apps with the hardcoded IPs still get through. But oh well, nothing you can do there, right? DroidWall to the rescue.

The discussion might have continued from here.