Skip to main content
HashnodeHub & Spoke | Best SD-WAN Blog on Earth

Command Palette

Search for a command to run...

👊Kl@pping Tiktok🥊

Updated
👊Kl@pping Tiktok🥊
R
Ronald Bartels

Driving SD-WAN Adoption in South Africa

This is a configuration to klap Tiktok on an edge.

The first step configure DNSMASQ. It is suggested to use DNSMASQ 2.89 instead of the default 2.83 as the nftset abilities can be leverage to block on IP and not only DNS.

Here is a same DNSMASQ configuration:

cache-size=4096
min-cache-ttl=900
all-servers
nftset=/tiktok.com/tiktokv.com/tiktokcdn.com/4#inet#dnshijack#dns_ips
addn-hosts=/etc/extra/MASQF/porn
addn-hosts=/etc/extra/MASQF/torrent
addn-hosts=/etc/extra/MASQF/blocklist-social-all
conf-file=/etc/extra/MASQF/doh-vpn-proxy-bypass
conf-file=/etc/extra/MASQF/custom

DNS Hijacking is achieved by creating /etc/bonding/nftables/nat-prerouting-ipv4-port-forwarding.nft:

ip daddr 192.168.1.1 udp dport 53 accept
iifname "eth0" udp dport 53 counter dnat to 192.168.1.1:53

This configuration prevents DoT by creating /etc/bonding/nftables/filter-forward-firewall-rules.nft

tcp dport 853 counter drop comment "Block DNS over TLS"

To create the nft configuration to use nftset in DNSMASQ this is required:

nft add table inet dnshijack
nft add set inet dnshijack dns_ips { type ipv4_addr\; flags interval\; }
nft add rule inet dnshijack forward ip daddr @dns_ips counter drop
# manually add IPs to drop
nft add element inet dnshijack dns_ips { 2.20.13.43 }

To allow PCs to bypass blocking, whitelist the mac addresses:

nft add set ip nat_ipv4 mac_whitelist { type ether_addr\; }

nft insert rule ip nat_ipv4 prerouting ether saddr @mac_whitelist udp dport 53 accept

nft add element ip nat_ipv4 mac_whitelist { 04:b9:e3:74:50:4e, 04:b9:e3:74:52:4a, 1c:af:4a:14:60:2e, 1c:af:4a:15:08:ee, 1c:af:4a:15:26:9c, 1c:af:4a:15:53:52, 70:09:71:92:8d:14, 70:09:71:92:aa:4e, 80:8a:bd:12:8b:4e, 80:8a:bd:12:8d:8c, 80:8a:bd:12:a3:26, 80:8a:bd:12:d9:26, 80:8a:bd:12:f1:ee, bc:45:5b:70:92:d8, bc:45:5b:7d:a5:08, bc:45:5b:7d:b3:6c, bc:45:5b:7d:b7:bc, bc:45:5b:7d:d6:e4, c0:23:8d:5c:6b:50, c0:23:8d:6f:9a:e8, e0:03:6b:e3:57:c4, e0:03:6b:f5:01:26, e0:9d:13:7b:8f:00, f0:70:4f:31:97:c6, f0:70:4f:39:a4:42, f0:70:4f:64:b7:40, f4:dd:06:5f:4d:60 }

That is it!

#nftables

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

H

Hub & Spoke | Best SD-WAN Blog on Earth

830 posts

Driving Software Defined Wide Area Networking (SD-WAN) Adoption in South Africa. The best SD-WAN blog on Earth & in the World that also includes insights on Cybersecurity, IoT, Cloud, & Data Centres!