Conditionally exclude host from DNS blocklist only for certain apps/sites?

Started by OPNenthu, April 02, 2025, 03:13:59 AM

I'm looking for a way to adjust my DNS rules so that I can unblock some websites.  I have a simple rule that blocks requests from network clients to known public DoH providers on port 443.  It looks like this:

Action: Block
Interface: HomeSubnets (Group)
Proto: IPv4+6 TCP
Source: ! This Firewall
Dest: Public_DNS_Providers
Port: HTTPS

The sources for the "Public_DNS_Providers" alias are:
- https://public-dns.info/nameservers.txt
- https://raw.githubusercontent.com/jameshas/Public-DoH-Lists/refs/heads/main/lists/doh_ips_plain.txt

The second list contains an entry for a GitHub IP (185.199.111.153) according to WhoIs.

I don't know if this IP is really a DNS or not.  I tried querying it from the DNS diagnostic in OPNsense and it failed to connect, so could be a bad entry.  Or it could be a stealth DNS that certain web packages are embedding.  One affected site that is trying to make requests to this IP is http://networkupstools.org/ (the NUT project site) and my firewall is blocking it.  As a result I cannot access the site at all.

Is there a way I can adjust my ruleset, without resorting to more advanced application-level firewall tools, to conditionally allow connections to 185.199.111.153:443 only when I'm visiting the NUT project site (or other apps/sites as needed)?  I don't want to unblock it for all connections.

I don't get it. You choose your DNS provider(s).
Your browser is going to use a combination of its config or your network's config for DNS resolution.

DoH is using HTTPS so whatever you're blocking is also affecting https links in this page.
You should be able to see from your DNS logs which FQDN resolves to that IP. When your browser follows that link, it's going to hang (no reply).
How it affects the entire page is a matter of its content.

Any filtering at the router has 0 awareness about the context of that access.
Some browser extensions could do this (I think) but these are getting killed by Google...

Quote from: EricPerl on April 02, 2025, 03:56:38 AM
Your browser is going to use a combination of its config or your network's config for DNS resolution
I'm with you on this.  My browser is set to use my network DNS only.  That's all fine and good and I see all the requests going to Unbound, as expected.

The DoH filter is intended for things that try to go around my DNS settings.

Quote: DoH is using HTTPS so whatever you're blocking is also affecting https links in this page.
Still with you.  As I mentioned I'm not certain whether or not this IP is really a DNS, but it does appear on a DNS list.  I am (for now) giving them the benefit of the doubt and wish to keep blocking it, except when visiting specific sites of my choosing.

Quote: You should be able to see from your DNS logs which FQDN resolves to that IP.
I think it wouldn't be in my DNS logs, right?  Because DoH requests don't go to Unbound.  If they did I'd be happy.

Update: I would be satisfied for my own network management needs, but I wouldn't be happy about the fact that Unbound could see encrypted traffic as that would be a violation of the chain of trust (I personally am against DNS proxies that hijack and re-encrypt DoT/DoH for this reason).

Quote: Some browser extensions could do this (I think) but these are getting killed by Google...
I know :(  There's a reason I insist on using Firefox still, despite their recent courting of Google's money.

Looks to be a CDN...

root@tinybox:~# nslookup  185.199.111.153
153.111.199.185.in-addr.arpa    name = cdn-185-199-111-153.github.com.

Authoritative answers can be found from:

root@tinybox:~#

I dropped the second filter list and all is working with the NUT site now.

Would still love to hear if there's a way to do what I was looking to do from vanilla OPNsense/pf.  Thanks all!
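The two checks used in this thread to vet a blocklist entry, a reverse lookup and an actual query against the address, can be scripted so that every IP in a list gets the same treatment before it lands in a firewall alias. The script below is an added example, not code from the thread or from OPNsense; it assumes the lists are plain text with one IP per line and optional "#" comments (the sample list embedded in it is constructed), and probes each address with a minimal RFC 8484 DNS-over-HTTPS GET on /dns-query. The hostnames, sample addresses and helper names are the example's own.

```python
"""Vet entries of a DoH/DNS IP blocklist before they go into a firewall alias.

Added example, not code from the thread or from OPNsense. It assumes the list
format is one IP per line with optional '#' comments (constructed sample below).
Three checks per address: is it a valid IP, what does its PTR record say
(a CDN hostname is a strong hint the entry is wrong), and does it actually
answer an RFC 8484 DNS-over-HTTPS GET on /dns-query.
"""
import base64
import ipaddress
import socket
import ssl
import struct
import urllib.request

# Constructed sample in the same shape as the plain-text lists in the thread.
SAMPLE_LIST = """\
# DoH IPs (constructed sample)
1.1.1.1
2606:4700:4700::1111
1.1.1.1            # duplicate, should be dropped
185.199.111.153    # reverse-resolves to a github.com CDN name
not-an-ip
"""


def parse_blocklist(text):
    """Return valid, de-duplicated IP strings; comments, blanks and junk are skipped."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # not an address at all; a real tool would log this
        if ip not in seen:
            seen.add(ip)
            out.append(str(ip))
    return out


def build_dns_query(name, qtype=1):
    """Wire-format DNS query: ID 0 (RFC 8484 recommends it for GET cacheability), RD=1, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(ip, name):
    """RFC 8484 GET form: the query goes base64url-encoded, without padding, in dns=."""
    host = f"[{ip}]" if ":" in ip else ip  # IPv6 literals need brackets in a URL
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{host}/dns-query?dns={encoded}"


def parse_dns_header(msg):
    """(id, is_response, rcode, ancount) from a wire-format message, or None if too short."""
    if len(msg) < 12:
        return None
    ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return ident, bool(flags & 0x8000), flags & 0x000F, ancount


def reverse_name(ip, timeout=3.0):
    """PTR lookup through the normal resolver; None when there is no PTR record."""
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def probe_doh(ip, name="example.com", timeout=5.0):
    """Does `ip` answer a DoH query? Returns a dict; never raises."""
    req = urllib.request.Request(doh_get_url(ip, name), headers={"Accept": "application/dns-message"})
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we connect by IP; the chain is still verified (CERT_REQUIRED stays on)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read(4096)
    except Exception as exc:  # TLS failure, refused, timeout, HTTP 4xx/5xx ...
        return {"ip": ip, "doh": False, "detail": type(exc).__name__}
    hdr = parse_dns_header(body) if ctype.startswith("application/dns-message") else None
    if hdr is None or not hdr[1]:
        return {"ip": ip, "doh": False, "detail": f"HTTP 200 but not a DNS response ({ctype or 'no content-type'})"}
    return {"ip": ip, "doh": True, "detail": f"rcode={hdr[2]} answers={hdr[3]}"}


def vet(text):
    """Annotate every list entry with its PTR name and DoH probe result."""
    return [dict(probe_doh(ip), ptr=reverse_name(ip)) for ip in parse_blocklist(text)]


if __name__ == "__main__":
    for row in vet(SAMPLE_LIST):
        print(row)
```

Run it on a downloaded copy of a list with `vet(open(path).read())`. An entry whose PTR name points at a CDN and whose probe comes back with a TLS error or a non-DNS body (the pattern the thread found for 185.199.111.153) is a candidate for dropping from the alias and reporting to the list maintainer, while an entry that answers with a parsable DNS response is a genuine DoH endpoint and stays blocked.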

You were blocking a request (IMO not a DoH query) by the IP with your FW rule.
The IP was obtained from a DNS lookup, using your DNS infra/config.
I expect you to find a DNS query that returned that IP.
I suspect the FQDN in question is embedded in the NUT page.

FW rules are evaluated on the basis of the content of the packet going through.
There's nothing in that packet that indicates that the request is made while loading a NUT page...
Your only option (AFAIK) is to make an exception for that IP.

Oops! Thanks. I didn't realize your point about the DNS logs earlier.  Makes sense now.

It did finally dawn on me after my post that it's not a DNS and I've left a note for the list maintainer.  Appreciate the confirmation regarding the F/W question.