New firewalling technique proposal

Jonas Lochmann openwrt at jonaslochmann.de
Fri Oct 31 13:23:28 PDT 2025


On Fri, Oct 31, 2025 at 07:20:48PM +0000, Aaron Gray wrote:
> So does the existing OpenVPN actually check IPs against previous DNS
> request reply IPs ?

I assume you are not talking about OpenVPN but about another component.
I assume nftables.

> If it is not an out of the box configuration, how would I configure
> OpenVPN to do so please ?

The glue you need is a DNS processor that needs to be implemented.

I would assume the rules: dport 53 queue; sport 53 queue;

Maybe "dup lo" (or some extra interface) could work too. The advantage
of queue is that the userspace process could process the packet before
it is forwarded in the network and the effect should apply.

The permitted IPs would be added to some nft set from that userspace
process. Then there would be a filter rule expecting the item in the
set:

ip daddr @ip_set accept; ip saddr @ip_set accept;

Otherwise, one would reject or drop.

IPs should also be removed from the set at some point. Set items can
expire, but active traffic to it should probably reset the timer.

This DNS processor could in theory be implemented in the kernel.
I would not recommend this. I would not expect an amount of DNS traffic
where performance would become a problem.

> > Honestly, this sounds like some toy for people that don't know what
> > they are doing.
> 
> I am not really that much of a noob, I did happen to have run dual
> mirrored servers for 7 years with 36 hours downtime due to power and
> internet outages, of which 1 hour was my fault ;)

I am talking about people using this solution. I saw people using some
"traffic analyzer solutions" interpreting the data wrongly because they
have no idea about the limitations of reverse DNS and geolocation (or
don't know at all what this actually is).

> > CDNs limit its use.
> 
> How do Content Delivery Networks work with this, is this just
> blacklists and whitelists rather than DNS based blacklists ? If there
> are whitelists for all the major operating systems installation and
> updates this would be great !

One CDN is used for many services. Thus, the same IP is used for many
services. So it is possible to permit way too much in the end. This
also opens the possibilities for Domain Fronting 2.0. Original Domain
Fronting was about using different hostnames in the TLS and HTTP level.
Now, there is a motivation to specify another legitimate domain at the
DNS level that uses the same CDN as the target service to unblock the
IP.

> > For restrictive setups, proxies are used today. Those could be
> > transparent proxies.
> 
> I am not really sure how proxies are relevant, please explain.

Outbound internet access/any internet access only using some proxy
server that enforces domain filters and device/user authentication.
Example: squid3

> Sorry I don't wish to sound rude, I really don't know OpenWRT itself
> that well yet despite using it for a while.

This is not related to OpenWrt. I consider it general networking.

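The design sketched in this message (queue DNS to a userspace processor, fill an nft set from it, accept only set members, let entries expire but refresh them on active traffic) written out as one nftables ruleset. This is an added example and not configuration from the thread or from OpenWrt; the interface names br-lan/eth0, queue number 0, the 10-minute lifetime, the table and set names, and a router that forwards LAN clients' queries to an upstream resolver are all assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): DNS-driven egress allowlist.
# Assumed: LAN is br-lan, WAN is eth0, clients query an upstream resolver
# through the router, and a userspace DNS processor reads queue 0 and adds
# the A/AAAA answers it accepts to the sets below, e.g.
#   nft add element inet dns_egress allowed_v4 { 203.0.113.10 timeout 300s }
# (203.0.113.10 is a documentation address used as a constructed sample.)
flush ruleset

table inet dns_egress {
    # "timeout" lets entries expire on their own; "dynamic" allows the
    # update statement in the forward chain to refresh them from the
    # packet path. 10m is the default lifetime when the processor sets none.
    set allowed_v4 {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
    }
    set allowed_v6 {
        type ipv6_addr
        flags dynamic,timeout
        timeout 10m
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Hand DNS queries and replies to the userspace processor on queue 0.
        # "bypass" accepts the packet if no process listens (fails open);
        # remove it to fail closed when the processor is down.
        iifname "br-lan" oifname "eth0" udp dport 53 queue num 0 bypass
        iifname "eth0" oifname "br-lan" udp sport 53 queue num 0 bypass

        # Only destinations learned from DNS may be reached. The update
        # statement refreshes the entry's timer on every outbound packet,
        # so an address in active use is not expired mid-connection. This
        # rule sits before the established/related accept on purpose.
        iifname "br-lan" oifname "eth0" ip daddr @allowed_v4 update @allowed_v4 { ip daddr timeout 10m } accept
        iifname "br-lan" oifname "eth0" ip6 daddr @allowed_v6 update @allowed_v6 { ip6 daddr timeout 10m } accept

        # Return traffic for connections that were permitted above.
        ct state established,related accept
        ct state invalid drop

        # Everything else from the LAN is rejected so clients fail fast.
        iifname "br-lan" oifname "eth0" reject with icmpx type admin-prohibited
    }
}
```

If the router itself runs the resolver (dnsmasq on OpenWrt) the DNS packets traverse the input and output hooks instead of forward, so the two queue rules would need to move there; the CDN caveat from the message applies unchanged, since one learned address may serve many unrelated services.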