![]() I know it isn't DD-WRT, but its an overall question about static blackhole routing as a way to optimize network performance. Stubby DNS over TLS I DNSCrypt v2 by mac913 Netgear R7000 -DD-WRT 53562 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN Netgear R9000 -DD-WRT 53469 Gateway/Stubby DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla Netgear R7800 -DD-WRT 53562 Gateway/DoT,AD-Block,AP&Net Isolation,x3VLAN,Firewall,Vanilla TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas TP-Link WR1043NDv2 -DD-WRT 53469 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN(no-wifi) TP-Link WR1043NDv2 -DD-WRT 53562 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall,VPN,x1VLAN Other ways are via dnsmasq or iptables where you can only see iptables statistics It matters as on some routers you can use ipset to block it, Location: UK, London, just across the river. How can I view me data about how many times whichever route was blackholed? Does that mean that blackholed route IP's aren't going to show up as dropped packets when I view my IPTables?įor example, if I blackhole Google DNS 8.8.8.8 and also create IPTables rules that drops all packets to-and-from 8.8.8.8, then will IPTables record dropped packets when I try to connect to 8.8.8.8? It shouldn't or else it defeats the idea of route blackholing being performance-friendly compared to Netfilter dropping packets. If blackholing routes is less stressful on routers, then routing is processed before IPTables/NAT Firewall. What do you say? Block IP's via firewall or block IP's via static routing? ![]() "Black-holing" increases chances of your connections using the same route each time, making it easier to track you and to attack you, but the same "black-holing" can be used to prevent routing through malicious IP's or IP's used for tracking (Google DNS, ISP DNS). It can be used to create an attack by re-routing traffic, but it can also reduce tracking because your connections are not routed the same every time. Other articles say that "black-holing" is easier on router hardware and does not decrease throughput as much as NAT firewall rules do.īorder Gateway Protocol (BGP) also plays a role. Some articles online say that "black-holing" via static route metric values should not be used to block whichever IP's, unless it is the last resort to block those IP's. Using NAT static route black-hole feature that increases metric value for mentioned IP's to prevent router from using routes with mentioned IP's and resolving them to a "black hole" (0.0.0.0 Null IP), similar to how DNS blocking works. Using NAT firewall to drop packets of mentioned IP's There are 2 ways I can block Google DNS IP's and ISP DNS IP's on my router: Posted: Sat 13:39 Post subject: Dropping packets from IP's vs Black-holing routes for IP's?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |