How to implement DNS filtering (dnsmasq 2.90 ->)?

If we wanted to filter DNS queries with dnsmasq, other than A, AAAA, MX and CNAME records, how would we implement this in our configuration (like a RUTC50/RUTX50)? Is there any way we can use the new filter-rr option?

filter-aaaa: filter all ipv6 queries
filter-svcb: filter all svcb / query type 64
filter-https: filter all https / query type 65
filter-unknown: filter all unknown query types
filter-any: everything other than A, AAAA, MX and CNAME records are removed

Point of this of course is to block any hardcoded DoH devices.

Hello,

Just to clarify, wouldn’t the current Web Filter feature be a suitable solution for what you’re trying to achieve? If not, could you please clarify why this approach wouldn’t fit?

All relevant information about the web filtering service can be found here:

Alternatively, if you specifically want to prevent hardcoded DoH/DoT connections, you could consider blocking common DoH/DoT ports via firewall rules.

Best regards,

Hi Martynas,

Thanks for getting back to me on this question.
The goal is to block any DNS traffic flying under the radar.

The Web Filter is too limited in size and requires manual updates.
Packet filtering/sniffing on the firewall requires decryption and a certain amount of complexity, not to mention load on the device.
Indeed blocking DoH/DoT ports through the firewall is good practice and forcing all DNS requests to our own DNS server as well, but that does not block abuse of port 53. That’s where the additional filter-rr option comes in.

The solution outlined is to counter IoT devices (and the like) that will try to abuse the DNS server, restrict them, and that way keep all internal traffic “transparent”.
Whatever and how we choose to encrypt traffic going outdoors is a different choice.

Please feel free to correct me if I am wrong in this approach or logic. Maybe I am too focused on a single path.

Hello,

Apologies for the delay in getting back to you.

To clarify, blocking DoH/DoT ports alone would not be effective, as DoH uses port 443, which is shared with standard HTTPS traffic. However, I still believe your goal could be achieved using the web filter in combination with a firewall traffic rule that blocks outgoing connections to DNS port 53 (except for those directed to your own DNS server).

Please let us know if you’ve identified an alternative method or workaround for your specific setup. Thank you.

Best regards,

Hi Martynas,

No need to apologise, we all have only 7 days in a week :wink:

You are right, blocking DoH/DoT ports alone would not be effective, but I was initially wondering if implementing the filter-rr option is something that is supported.

So far I have indeed blocked the obvious ports 538 and 5353 altogether and taken your advice on the web filter, even though the number of entries is rather limited.
Also, VLANs have been put in place, with on top an SSID with isolation to connect the IoT devices.
I suppose the next step would indeed be to implement packet filtering, but not quite sure how to set that up on the RUTX50/RUTC50.
Do you happen to know of any Teltonika documentation on that to help me get started?

Thanks for your pointers so far :+1:
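Putting the two halves of the thread together (the filter-rr option asked about in the question and the outgoing port 53 rule suggested in the replies), as an added example that is not from the thread or from Teltonika documentation: the dnsmasq option names follow the dnsmasq 2.90 manual, the upstream resolver address is a placeholder, and the RutOS/OpenWrt file paths and the UCI rule name are assumptions.

```conf
# --- /etc/dnsmasq.conf (assumed path; any file dnsmasq reads works) ---
# dnsmasq 2.90+: strip the record types a DoH-capable client uses to
# discover an encrypted resolver, while A/AAAA/MX/CNAME answers pass.
# SVCB is query type 64 and HTTPS is query type 65.
filter-rr=SVCB,HTTPS

# Optional: on an IPv4-only LAN also drop AAAA answers so clients cannot
# reach a resolver over IPv6 that the IPv4 firewall rule does not see.
#filter-AAAA

# Upstream resolver the router itself forwards to (placeholder address).
server=192.0.2.53

# Do not read /etc/resolv.conf; only the server= lines above are used.
no-resolv

# --- /etc/config/firewall (assumed path; standard OpenWrt UCI syntax) ---
# Reject LAN clients that try to reach any DNS server on the WAN directly.
# Queries to the router's own dnsmasq hit the INPUT path, not this
# forward rule, so they keep working and get the filtered answers above.
config rule
	option name 'Reject-LAN-to-WAN-DNS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'
```

Port 853 (DoT) can be rejected the same way by adding a second rule with `option dest_port '853'`; DoH on 443 cannot be separated from ordinary HTTPS by port alone, which is why the record-type filter is the part that covers it.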
