From 8d1782161fa1d511982f21209b4f62232b3fae6d Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 19 Jan 2024 13:44:47 -0500
Subject: [PATCH] stop sending external ADoT queries through unbound

---
 nftables-ns1.conf | 5 ++++-
 nftables-ns2.conf | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 57d86de..fcc1801 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -53,7 +53,10 @@ table inet filter {
     chain output-internal {
         skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
-        skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+        skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+        skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
+        skuid http meta l4proto {tcp, udp} th sport >= 1024 th dport 54 accept
         skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 2461577..06cf0c5 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -55,7 +55,10 @@ table inet filter {
     chain output-internal {
         skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
-        skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+        skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+        skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
+        skuid http meta l4proto {tcp, udp} th sport >= 1024 th dport 54 accept
         skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
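Review bot: In the nftables-ns1.conf hunk, the new `skuid http meta l4proto {tcp, udp} th sport >= 1024 th dport 54 accept` rule lets the http user send UDP as well as TCP to port 54, but the reply rule added just above it, `skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept`, covers only TCP, so UDP answers from powerdns on port 54 would not be accepted by this chain unless some earlier rule outside the hunk (a conntrack established/related accept, for instance) handles them. If the port 54 listener is TCP-only, as the TCP-only port 81 powerdns rule below suggests, tighten the client side to `skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept`; otherwise add udp to the powerdns reply rule so the pair stays symmetric like the existing unbound/port 53 pair. The `output-internal` chain continues past the hunk, and the header's line counts (-53,7 +53,10) imply context lines that are not visible here, so the rest of the chain could not be checked.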
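Review bot: The nftables-ns2.conf hunk carries the same TCP/UDP asymmetry as ns1: `skuid http meta l4proto {tcp, udp} th sport >= 1024 th dport 54 accept` permits UDP queries while `skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept` accepts only TCP replies, so either drop udp from the http rule or add it to the powerdns rule, whichever matches what actually listens on port 54. Since this `output-internal` fragment is byte-for-byte identical in nftables-ns1.conf and nftables-ns2.conf, a comment above the port 54 rules such as `# keep in sync with nftables-ns1.conf (or move shared rules into an included file)` would make it harder for the two hosts to drift apart. The chain's closing brace and the hunk's remaining context lines fall outside what is visible here.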