DNS hijacking

  • This how-to describes the method for intercepting DNS traffic on OpenWrt.
  • You can combine it with VPN or DNS encryption to protect DNS traffic.
  • Override preconfigured DNS provider for LAN clients.
    • Prevent DNS leak for LAN clients when using VPN or DNS encryption.

Configure firewall to intercept DNS traffic.

  1. Navigate to LuCI → Network → Firewall → Port Forwards.
  2. Click Add and specify:
    • Name: Intercept-DNS
    • Protocol: TCP, UDP
    • Source zone: lan
    • External port: 53
    • Destination zone: unspecified
    • Internal IP address: any
    • Internal port: any
  3. Click Save, then Save & Apply.

Configure firewall to intercept DNS traffic.

# Intercept DNS traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Verify your DNS provider matches the one on the router when using a different DNS provider on the client.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
 
# Runtime configuration
iptables-save
ip6tables-save
 
# Persistent configuration
uci show firewall

Enable NAT6 to process IPv6 traffic when using dual-stack mode.

# Install packages
opkg update
opkg install kmod-ipt-nat6
 
# Enable NAT6
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "
/\sMASQUERADE$/d
/\s[DS]NAT\s/d
/\s--match-set\s\S*/s//\06/
/,BROADCAST\s/s// /" \
| ip6tables-restore -T nat
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/firewall.nat6
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart

Filter DoH traffic with firewall and IP sets forcing LAN clients to switch to plain DNS. Set up IP set extras and Hotplug extras to automatically populate IP sets.

# Install packages
opkg update
opkg install ipset resolveip
 
# Configure IP sets
uci -q delete dhcp.doh
uci set dhcp.doh="ipset"
uci set dhcp.doh.instance="doh"
uci add_list dhcp.doh.name="doh"
uci add_list dhcp.doh.name="doh6"
uci commit dhcp
/etc/init.d/dnsmasq restart
 
# Filter DoH traffic
uci -q delete firewall.doh_fwd
uci set firewall.doh_fwd="rule"
uci set firewall.doh_fwd.name="Deny-DoH"
uci set firewall.doh_fwd.src="lan"
uci set firewall.doh_fwd.dest="wan"
uci set firewall.doh_fwd.dest_port="443"
uci set firewall.doh_fwd.proto="tcp udp"
uci set firewall.doh_fwd.family="ipv4"
uci set firewall.doh_fwd.ipset="doh dest"
uci set firewall.doh_fwd.target="REJECT"
uci -q delete firewall.doh6_fwd
uci set firewall.doh6_fwd="rule"
uci set firewall.doh6_fwd.name="Deny-DoH"
uci set firewall.doh6_fwd.src="lan"
uci set firewall.doh6_fwd.dest="wan"
uci set firewall.doh6_fwd.dest_port="443"
uci set firewall.doh6_fwd.proto="tcp udp"
uci set firewall.doh6_fwd.family="ipv6"
uci set firewall.doh6_fwd.ipset="doh6 dest"
uci set firewall.doh6_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
 
# Configure hotplug
mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/60-ipset-doh
if [ ! -e /var/lock/ipset-doh ] \
&& lock -n /var/lock/ipset-doh
then
uclient-fetch -O - "https://raw.githubusercontent.com/\
dibdot/DoH-IP-blocklists/master/doh-domains.txt" \
| uci -q batch << EOI
delete dhcp.doh.domain
$(sed -e "s/^.*$/\
del_list dhcp.doh.domain='\0'\n\
add_list dhcp.doh.domain='\0'/")
commit dhcp
EOI
lock -u /var/lock/ipset-doh
fi
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/hotplug.d/online/60-ipset-doh
EOF
. /etc/hotplug.d/online/60-ipset-doh
 
# Populate IP sets
ipset setup

Configure firewall to filter DoT traffic forcing LAN clients to switch to plain DNS.

# Filter DoT traffic
uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd="rule"
uci set firewall.dot_fwd.name="Deny-DoT"
uci set firewall.dot_fwd.src="lan"
uci set firewall.dot_fwd.dest="wan"
uci set firewall.dot_fwd.dest_port="853"
uci set firewall.dot_fwd.proto="tcp udp"
uci set firewall.dot_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Set up DNS forwarding to your local DNS server with Dnsmasq. Configure firewall to exclude the local DNS server from the interception rule.

# Configure firewall
uci set firewall.dns_int.src_mac="!00:11:22:33:44:55"
uci commit firewall
/etc/init.d/firewall restart

Avoid using Dnsmasq. Configure firewall to redirect the intercepted DNS traffic to your local DNS server.

# Configure firewall
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.src_ip="!192.168.1.2"
uci set firewall.dns_int.dest_ip="192.168.1.2"
uci -q delete firewall.dns_masq
uci set firewall.dns_masq="nat"
uci set firewall.dns_masq.name="Masquerade-DNS"
uci set firewall.dns_masq.src="lan"
uci set firewall.dns_masq.dest_ip="192.168.1.2"
uci set firewall.dns_masq.dest_port="53"
uci set firewall.dns_masq.proto="tcp udp"
uci set firewall.dns_masq.target="MASQUERADE"
uci commit firewall
/etc/init.d/firewall restart

Assign the local DNS server an IP address in a separate network to disable masquerading.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/10/20 03:32
  • by vgaetera