DNS hijacking

  • This how-to describes the method for intercepting DNS traffic on OpenWrt.
  • You can combine it with VPN or DNS encryption to protect DNS traffic.
  • Override preconfigured DNS provider for LAN clients.
    • Prevent DNS leak for LAN clients when using VPN or DNS encryption.

Configure firewall to intercept DNS traffic.

  1. Navigate to LuCI → Network → Firewall → Port Forwards.
  2. Click Add and specify:
    • Name: Intercept-DNS
    • Protocol: TCP, UDP
    • Source zone: lan
    • External port: 53
    • Destination zone: unspecified
    • Internal IP address: any
    • Internal port: any
  3. Click Save, then Save & Apply.

# Intercept DNS traffic
# Recreate the "dns_int" redirect from scratch so the snippet can be rerun
# safely, then DNAT every lan-zone request to port 53 (TCP and UDP) to the
# router itself. Only plain DNS is caught here; encrypted DNS on 443 (DoH)
# and 853 (DoT) is handled by the separate filtering rules further down.
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
for option in \
  name="Intercept-DNS" \
  src="lan" \
  src_dport="53" \
  proto="tcp udp" \
  target="DNAT"
do
  uci set "firewall.dns_int.${option}"
done
uci commit firewall
/etc/init.d/firewall restart

If a LAN client is configured with a different DNS provider, verify that the provider it actually reaches now matches the one configured on the router.

Collect and analyze the following information.

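# Log and status
# fw3 reports rule warnings and errors on the console while reloading, so a
# restart doubles as the quickest status check.
/etc/init.d/firewall restart
# Runtime configuration
# Dump the nat table that holds the redirect; the Intercept-DNS (or
# Redirect-DNS) rule should be present with a DNAT target on port 53.
iptables-save -t nat
# Persistent configuration
uci show firewall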

Enable NAT6 to process IPv6 traffic when using dual-stack mode.

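# Install packages
opkg update
opkg install kmod-ipt-nat6
# Enable NAT6
# The include script clones the IPv4 nat table into ip6tables on every
# firewall reload: rules carrying DNAT/SNAT or MASQUERADE targets are dropped
# (they embed IPv4 addresses), and every "--match-set NAME" is rewritten to
# "--match-set NAME6" so the copied rules reference the IPv6 twin of each
# IP set. The quoted "EOF" delimiter writes the script literally, without
# shell expansion.
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
EOF
# Keep the include script across sysupgrade.
cat << "EOF" >> /etc/sysupgrade.conf
/etc/firewall.nat6
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart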

Configure the firewall to filter DoH traffic, forcing LAN clients to fall back to plain DNS. Set up Hotplug extras to populate the IP sets at startup.

# Install packages
opkg update
opkg install ipset
# Configure IP sets
# One set per address family (storage hash, match ip). The IPv6 set carries a
# "6" suffix, matching the --match-set rewrite done by the NAT6 include above.
for suffix in "" 6; do
  uci -q delete "firewall.doh${suffix}"
  uci set "firewall.doh${suffix}=ipset"
  uci set "firewall.doh${suffix}.name=doh${suffix}"
  uci set "firewall.doh${suffix}.family=ipv${suffix:-4}"
  uci set "firewall.doh${suffix}.storage=hash"
  uci set "firewall.doh${suffix}.match=ip"
done
# Filter DoH traffic
# Reject lan-to-wan traffic to port 443 (TCP and UDP) whose destination is in
# the matching DoH set, so clients fall back to plain DNS that the redirect
# can intercept. Both rules share the name "Deny-DoH"; tell them apart in
# LuCI by their family.
for suffix in "" 6; do
  uci -q delete "firewall.doh${suffix}_fwd"
  uci set "firewall.doh${suffix}_fwd=rule"
  uci set "firewall.doh${suffix}_fwd.name=Deny-DoH"
  uci set "firewall.doh${suffix}_fwd.src=lan"
  uci set "firewall.doh${suffix}_fwd.dest=wan"
  uci set "firewall.doh${suffix}_fwd.dest_port=443"
  uci set "firewall.doh${suffix}_fwd.proto=tcp udp"
  uci set "firewall.doh${suffix}_fwd.family=ipv${suffix:-4}"
  uci set "firewall.doh${suffix}_fwd.ipset=doh${suffix} dest"
  uci set "firewall.doh${suffix}_fwd.target=REJECT"
done
uci commit firewall
/etc/init.d/firewall restart
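# Populate IP sets
# Hotplug "online" scripts run once the router has connectivity; this one
# downloads the DoH address lists and loads them as ipset entries. The two
# URLs below are placeholders: point them at the DoH IP lists you trust, as
# every address they return becomes a REJECT match for the whole LAN.
mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/70-ipset-doh
# Run only one instance at a time; bail out if the lock is already held.
if [ ! -e /var/lock/ipset-doh ] \
&& lock -n /var/lock/ipset-doh
then
IPSET_URL="https://example.invalid/doh-ipv4.txt"   # placeholder: IPv4 DoH list
IPSET_URL6="https://example.invalid/doh-ipv6.txt"  # placeholder: IPv6 DoH list
# NOTE: the sets are cleared before the download, and the commit below runs
# unconditionally, so a failed fetch leaves the sets empty (DoH filtering
# fails open) until the next online event.
uci -q delete firewall.doh.entry
uci -q delete firewall.doh6.entry
# Keep the first field of each line (address; anything after a space is
# treated as a comment) and skip blank or comment-only lines so that no
# empty entry is committed.
uclient-fetch -O - "${IPSET_URL}" \
| while read -r IPSET_ADDR
do case "${IPSET_ADDR%% *}" in
""|"#"*) ;;
*) uci add_list firewall.doh.entry="${IPSET_ADDR%% *}" ;;
esac
done
uclient-fetch -O - "${IPSET_URL6}" \
| while read -r IPSET_ADDR
do case "${IPSET_ADDR%% *}" in
""|"#"*) ;;
*) uci add_list firewall.doh6.entry="${IPSET_ADDR%% *}" ;;
esac
done
uci commit firewall
/etc/init.d/firewall restart
lock -u /var/lock/ipset-doh
fi
EOF
# Keep the hotplug script across sysupgrade, then run it once right away.
cat << "EOF" >> /etc/sysupgrade.conf
/etc/hotplug.d/online/70-ipset-doh
EOF
. /etc/hotplug.d/online/70-ipset-doh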

Configure firewall to filter DoT traffic forcing LAN clients to switch to plain DNS.

# Filter DoT traffic
# DNS over TLS uses its own port (853), so no IP set is needed: reject all
# lan-to-wan traffic to 853 (TCP and UDP) and clients fall back to plain DNS.
uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd="rule"
for option in \
  name="Deny-DoT" \
  src="lan" \
  dest="wan" \
  dest_port="853" \
  proto="tcp udp" \
  target="REJECT"
do
  uci set "firewall.dot_fwd.${option}"
done
uci commit firewall
/etc/init.d/firewall restart

Set up DNS forwarding to your local DNS server with Dnsmasq. Configure the firewall to exclude the local DNS server from the interception rule, otherwise its own upstream lookups would be redirected back to the router as well.

# Configure firewall
# Exclude the local DNS server from the redirect by negating its MAC address
# (example value below, replace with the server's real one). A MAC match is a
# convenience rather than a security boundary: a LAN host presenting the same
# address also escapes the interception.
dns_server_mac="00:11:22:33:44:55"
uci set firewall.dns_int.src_mac="!${dns_server_mac}"
uci commit firewall
/etc/init.d/firewall restart

Alternatively, bypass Dnsmasq: configure the firewall to redirect the intercepted DNS traffic directly to your local DNS server.

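# Configure firewall
# Example address - replace with the LAN IP of your local DNS server.
DNS_SERVER_IP="192.168.1.2"
# Point the existing redirect at the local DNS server instead of the router,
# and exclude the server itself (negated src_ip) so its upstream queries are
# not redirected back to it.
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.src_ip="!${DNS_SERVER_IP}"
uci set firewall.dns_int.dest_ip="${DNS_SERVER_IP}"
# Masquerade the redirected queries so the server's replies return via the
# router; this is needed when server and clients share a network (see the
# note below). Side effect: the DNS server sees the router as the source of
# every query, so its logs lose per-client attribution.
uci -q delete firewall.dns_masq
uci set firewall.dns_masq="nat"
uci set firewall.dns_masq.name="Masquerade-DNS"
uci set firewall.dns_masq.src="lan"
uci set firewall.dns_masq.dest_ip="${DNS_SERVER_IP}"
uci set firewall.dns_masq.dest_port="53"
uci set firewall.dns_masq.proto="tcp udp"
uci set firewall.dns_masq.target="MASQUERADE"
uci commit firewall
/etc/init.d/firewall restart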

If the local DNS server is given an IP address in a separate network, its replies are routed back through the router anyway, so masquerading is not needed and can be disabled.
