DNS hijacking

  • This how-to describes how to intercept DNS traffic on OpenWrt.
  • You can combine it with VPN or DNS encryption to protect DNS traffic.
  • Override the DNS provider preconfigured on LAN clients.
    • Prevent DNS leaks from LAN clients when using VPN or DNS encryption.

Configure firewall to intercept DNS traffic.

  1. Navigate to LuCI → Network → Firewall → Port Forwards.
  2. Click Add and specify:
    • Name: Intercept-DNS
    • Protocol: TCP, UDP
    • Source zone: lan
    • External port: 53
    • Destination zone: unspecified
    • Internal IP address: any
    • Internal port: any
  3. Click Save, then Save & Apply.

Intercept IPv6 DNS traffic when using dual-stack mode.

  1. Click Add and duplicate the above port forward, but specify:
    • Restrict to address family: IPv6 only
  2. Click Save, then Save & Apply.

Configure firewall to intercept DNS traffic (command-line equivalent of the steps above; family "any" covers both IPv4 and IPv6).

# Intercept DNS traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.family="any"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Configure different DNS providers on the client and on the router. Verify that the DNS provider detected by the client matches only the one configured on the router.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
# Runtime configuration
nft list ruleset
# Persistent configuration
uci show firewall
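The testing and troubleshooting steps above rely on reading the firewall configuration by hand. The following script, added here as an example and not taken from the OpenWrt wiki, audits a `uci show firewall` dump for the Intercept-DNS redirect: it checks that the section is a redirect from zone lan, matches destination port 53 for both TCP and UDP, targets DNAT and leaves the destination zone unspecified. The two dumps it reads are constructed samples; on a router you would pipe the real output into `check_dns_intercept`.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: audit a `uci show firewall`
# dump for the Intercept-DNS redirect described above. On a router you would
# run:  uci show firewall | check_dns_intercept dns_int
# The dumps below are constructed samples so the check runs offline.

# Constructed dump: the redirect exactly as the page configures it.
sample_ok() {
cat <<'EOF'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.family='any'
firewall.dns_int.target='DNAT'
EOF
}

# Constructed dump with two typical mistakes: TCP is missing, so clients can
# still reach external resolvers over TCP, and a destination zone is set.
sample_bad() {
cat <<'EOF'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.dest='wan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='udp'
firewall.dns_int.target='DNAT'
EOF
}

# uci_val DUMP SECTION OPTION: print the option's value with the quotes stripped.
uci_val() {
  printf '%s\n' "$1" | sed -n "s/^firewall\.$2\.$3='\{0,1\}\([^']*\)'\{0,1\}\$/\1/p"
}

# check_dns_intercept [SECTION]: read a uci dump on stdin and verify that the
# section is a lan->router DNS redirect for both protocols. Prints one line per
# problem and returns 1 if any check failed, 0 otherwise.
check_dns_intercept() {
  sec=${1:-dns_int}
  dump=$(cat)
  rc=0
  printf '%s\n' "$dump" | grep -q "^firewall\.$sec=redirect\$" \
    || { echo "FAIL: $sec is not a redirect section"; rc=1; }
  [ "$(uci_val "$dump" "$sec" src)" = lan ] \
    || { echo "FAIL: src must be lan"; rc=1; }
  [ "$(uci_val "$dump" "$sec" src_dport)" = 53 ] \
    || { echo "FAIL: src_dport must be 53"; rc=1; }
  [ "$(uci_val "$dump" "$sec" target)" = DNAT ] \
    || { echo "FAIL: target must be DNAT"; rc=1; }
  # The page leaves the destination zone unspecified so the DNAT lands on the router.
  [ -z "$(uci_val "$dump" "$sec" dest)" ] \
    || { echo "FAIL: dest must stay unspecified"; rc=1; }
  proto=" $(uci_val "$dump" "$sec" proto) "
  for p in tcp udp; do
    case "$proto" in *" $p "*) ;; *) echo "FAIL: proto is missing $p"; rc=1 ;; esac
  done
  return $rc
}

# Demo: the good dump passes, the bad one reports its problems.
sample_ok  | check_dns_intercept && echo "sample_ok: PASS"
sample_bad | check_dns_intercept || echo "sample_bad: rejected as expected"
```

The check only inspects the persistent configuration; pair it with `nft list ruleset` to confirm that fw4 actually loaded the rule, since a `uci commit` without the firewall restart leaves the runtime ruleset unchanged.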

Use banIP to filter DoH traffic, forcing LAN clients to fall back to plain DNS.

Configure firewall to filter DoT traffic, forcing LAN clients to fall back to plain DNS.

# Filter DoT traffic
uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd="rule"
uci set firewall.dot_fwd.name="Deny-DoT"
uci set firewall.dot_fwd.src="lan"
uci set firewall.dot_fwd.dest="wan"
uci set firewall.dot_fwd.dest_port="853"
uci set firewall.dot_fwd.proto="tcp udp"
uci set firewall.dot_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Set up DNS forwarding to your local DNS server with Dnsmasq. Configure firewall to exclude the local DNS server from the interception rule, so that the server's own upstream queries are not redirected back to the router.

# Configure firewall
# Replace 00:11:22:33:44:55 with the MAC address of your local DNS server;
# the leading "!" negates the match, so that host's queries are not intercepted.
uci set firewall.dns_int.src_mac="!00:11:22:33:44:55"
uci commit firewall
/etc/init.d/firewall restart

To keep Dnsmasq out of the path, configure firewall to redirect the intercepted DNS traffic directly to your local DNS server.

# Configure firewall
# Fill in the empty values with the IP address of your local DNS server;
# src_ip="!<address>" excludes the server's own queries from the redirect,
# and the masquerade rule makes the server reply via the router.
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.src_ip="!"
uci set firewall.dns_int.dest_ip=""
uci -q delete firewall.dns_masq
uci set firewall.dns_masq="nat"
uci set firewall.dns_masq.name="Masquerade-DNS"
uci set firewall.dns_masq.src="lan"
uci set firewall.dns_masq.dest_ip=""
uci set firewall.dns_masq.dest_port="53"
uci set firewall.dns_masq.proto="tcp udp"
uci set firewall.dns_masq.target="MASQUERADE"
uci commit firewall
/etc/init.d/firewall restart

Alternatively, assign the local DNS server an IP address in a separate network, so that its replies are routed back through the router and masquerading is no longer needed.
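The DoT filter and the two local-DNS-server variants above each change what happens to a LAN packet. The following script, added here as an example and not code from the OpenWrt wiki, models those rules for one LAN-originated packet headed to the Internet and traces a client query hop by hop. It assumes Dnsmasq forwards to a LAN-side DNS server in every mode, so the `intercept` mode stands for the exclusion having been forgotten. The router address, the local server address (which the page leaves blank) and the client addresses are constructed; the MAC is the page's placeholder.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: a small model of the page's
# firewall rules that shows, for one LAN-originated packet headed for the
# Internet, what each variant does to it, and why the local DNS server has to
# be excluded from the interception redirect. All addresses are constructed;
# the router and local DNS server IPs are assumptions (the page leaves the
# local server's address blank), the MAC is the page's placeholder.

ROUTER_IP=192.168.1.1            # assumed router LAN address (Dnsmasq listens here)
LOCAL_DNS_IP=192.168.1.2         # assumed local DNS server address
LOCAL_DNS_MAC=00:11:22:33:44:55  # placeholder MAC used on the page

# dns_policy MODE SRC_IP SRC_MAC PROTO DPORT
#   MODE  intercept      - Intercept-DNS redirect only (exclusion forgotten)
#         exclude-mac    - redirect plus src_mac='!LOCAL_DNS_MAC'
#         redirect-local - Redirect-DNS with src_ip='!LOCAL_DNS_IP' plus Masquerade-DNS
# Prints the action the rules take: dnat:<ip>, dnat+masq:<ip>, reject or pass.
dns_policy() {
  mode=$1 src_ip=$2 src_mac=$3 proto=$4 dport=$5
  case "$proto" in tcp|udp) ;; *) echo pass; return 0 ;; esac
  # Deny-DoT: tcp/udp 853 from lan to wan is rejected, so DoT clients fall back to plain DNS.
  if [ "$dport" = 853 ]; then echo reject; return 0; fi
  [ "$dport" = 53 ] || { echo pass; return 0; }
  case "$mode" in
    intercept)      echo "dnat:$ROUTER_IP" ;;
    exclude-mac)    [ "$src_mac" = "$LOCAL_DNS_MAC" ] && echo pass || echo "dnat:$ROUTER_IP" ;;
    redirect-local) [ "$src_ip" = "$LOCAL_DNS_IP" ] && echo pass || echo "dnat+masq:$LOCAL_DNS_IP" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# trace_query MODE: follow one client query (UDP 53) hop by hop until it leaves
# for the upstream resolver, or give up after a few hops, which means the rules
# keep redirecting the local server's own upstream queries back to the router.
# Prints the path; returns 0 when the query gets out, 1 on a loop.
trace_query() {
  mode=$1
  src_ip=192.168.1.100 src_mac=aa:bb:cc:dd:ee:ff   # constructed LAN client
  path="" hops=0
  while [ "$hops" -lt 6 ]; do
    hops=$((hops + 1))
    action=$(dns_policy "$mode" "$src_ip" "$src_mac" udp 53)
    case "$action" in
      pass)
        echo "$path $src_ip -> upstream"; return 0 ;;
      "dnat:$ROUTER_IP")
        # Dnsmasq forwards to the local server; that packet originates on the
        # router itself, so the lan redirect never sees it.
        path="$path $src_ip -> router(Dnsmasq) -> $LOCAL_DNS_IP;"
        src_ip=$LOCAL_DNS_IP src_mac=$LOCAL_DNS_MAC ;;
      "dnat+masq:$LOCAL_DNS_IP")
        path="$path $src_ip -> $LOCAL_DNS_IP;"
        src_ip=$LOCAL_DNS_IP src_mac=$LOCAL_DNS_MAC ;;
      *)
        echo "unexpected action: $action" >&2; return 2 ;;
    esac
  done
  echo "$path LOOP"; return 1
}

# Demo: only the two variants that exclude the local server let its query out.
for m in intercept exclude-mac redirect-local; do
  printf '%-15s' "$m"; trace_query "$m" || :
done
```

The trace makes the failure mode concrete: without the `src_mac` or `src_ip` exclusion, the local server's upstream query on port 53 is itself intercepted and handed back to Dnsmasq, which forwards it to the local server again, and resolution never leaves the LAN.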

  • Last modified: 2023/09/12 09:47
  • by vgaetera