DNS hijacking

This article relies on the following:
  * Accessing web interface / command-line interface
  * Managing configs / packages / services / logs

Introduction

This how-to describes the method for intercepting DNS traffic on OpenWrt. You can combine it with VPN or DNS encryption to protect DNS traffic.

Goals

  * Override preconfigured DNS provider for LAN clients.
  * Prevent DNS leaks for LAN clients when using VPN or DNS encryption.

Web interface instructions

Configure firewall to intercept DNS traffic.
Navigate to LuCI → Network → Firewall → Port Forwards.
Click Add and specify:
  * Name: Intercept-DNS
  * Protocol: TCP, UDP
  * Source zone: lan
  * External port: 53
  * Destination zone: unspecified
  * Internal IP address: any
  * Internal port: any
Click Save, then Save & Apply.

Intercept IPv6 DNS traffic when using dual-stack mode.
Click Add and duplicate the above port forward, but specify:
  * Restrict to address family: IPv6 only
Click Save, then Save & Apply.

Command-line instructions

Configure firewall to intercept DNS traffic.

  # Intercept DNS traffic
  uci -q delete firewall.dns_int
  uci set firewall.dns_int="redirect"
  uci set firewall.dns_int.name="Intercept-DNS"
  uci set firewall.dns_int.src="lan"
  uci set firewall.dns_int.src_dport="53"
  uci set firewall.dns_int.proto="tcp udp"
  uci set firewall.dns_int.family="any"
  uci set firewall.dns_int.target="DNAT"
  uci commit firewall
  /etc/init.d/firewall restart

Testing

Configure different DNS providers on the client and router.
Verify the identified DNS provider only matches the router.
  * dnsleaktest.com

Troubleshooting

Collect and analyze the following information.
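The interception rule from the command-line instructions, generated for a chosen zone and address family (so the dual-stack IPv6-only rule comes from the same generator), together with the runtime check behind the Testing and Troubleshooting steps: confirm from `nft list ruleset` output that fw4 installed both a TCP and a UDP port-53 redirect in the zone's dstnat chain. This is an added example, not code from the OpenWrt wiki; the section name `dns_int6` and the sample ruleset (constructed, only approximating the shape of fw4's output) are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: (1) emit the Intercept-DNS
# redirect as uci commands for a chosen zone and address family; (2) confirm
# from an `nft list ruleset` dump that fw4 installed both the TCP and the UDP
# port-53 redirect in the zone's dstnat chain.

# Print the uci commands for one interception rule.
#   $1 section name (e.g. dns_int), $2 source zone (e.g. lan),
#   $3 address family: any | ipv4 | ipv6 (default any)
dns_intercept_script() {
    section=$1
    zone=$2
    family=${3:-any}
    case "$family" in
        any|ipv4|ipv6) ;;
        *) echo "dns_intercept_script: unknown family '$family'" >&2; return 1 ;;
    esac
    cat <<EOF
uci -q delete firewall.$section
uci set firewall.$section="redirect"
uci set firewall.$section.name="Intercept-DNS"
uci set firewall.$section.src="$zone"
uci set firewall.$section.src_dport="53"
uci set firewall.$section.proto="tcp udp"
uci set firewall.$section.family="$family"
uci set firewall.$section.target="DNAT"
uci commit firewall
EOF
}

# Read `nft list ruleset` text on stdin and print "<tcp> <udp>": how many
# redirect/dnat rules for destination port 53 sit in chain dstnat_<zone>.
#   $1 source zone (e.g. lan)
dns_redirect_counts() {
    awk -v chain="dstnat_$1" '
        $1 == "chain" && $2 == chain { inchain = 1; next }
        inchain && $1 == "}"        { inchain = 0; next }
        inchain && /(redirect|dnat)/ {
            if ($0 ~ /tcp dport 53([^0-9]|$)/) tcp++
            if ($0 ~ /udp dport 53([^0-9]|$)/) udp++
        }
        END { printf "%d %d\n", tcp + 0, udp + 0 }'
}

# Succeed (exit 0) only when the zone has at least one TCP and one UDP
# interception rule; a missing UDP rule is the classic half-working setup.
dns_intercept_ok() {
    counts=$(dns_redirect_counts "$1")
    [ "${counts% *}" -ge 1 ] && [ "${counts#* }" -ge 1 ]
}

# Constructed sample in the shape of fw4 output for the dual-stack setup;
# on a router, pipe the real `nft list ruleset` output instead.
SAMPLE_RULESET='table inet fw4 {
    chain dstnat_lan {
        meta nfproto ipv4 tcp dport 53 counter redirect comment "!fw4: Intercept-DNS"
        meta nfproto ipv4 udp dport 53 counter redirect comment "!fw4: Intercept-DNS"
        meta nfproto ipv6 tcp dport 53 counter redirect comment "!fw4: Intercept-DNS"
        meta nfproto ipv6 udp dport 53 counter redirect comment "!fw4: Intercept-DNS"
    }
    chain dstnat_wan {
    }
}'

# Stand-alone demo: print the IPv6-only rule (hypothetical section dns_int6)
# and verify the sample ruleset for the lan zone.
dns_intercept_script dns_int6 lan ipv6
printf '%s\n' "$SAMPLE_RULESET" | dns_intercept_ok lan && echo "lan: DNS interception rules present"
```

On the router, `nft list ruleset | dns_redirect_counts lan` after the firewall restart gives a quick answer to "is the rule actually live", independent of what the client-side leak test reports.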
  # Log and status
  /etc/init.d/firewall restart
  # Runtime configuration
  nft list ruleset
  # Persistent configuration
  uci show firewall

Extras

DNS over HTTPS

Utilize banIP to filter DoH traffic, forcing LAN clients to switch to plain DNS.

DNS over TLS

Configure firewall to filter DoT traffic, forcing LAN clients to switch to plain DNS.

  # Filter DoT traffic
  uci -q delete firewall.dot_fwd
  uci set firewall.dot_fwd="rule"
  uci set firewall.dot_fwd.name="Deny-DoT"
  uci set firewall.dot_fwd.src="lan"
  uci set firewall.dot_fwd.dest="wan"
  uci set firewall.dot_fwd.dest_port="853"
  uci set firewall.dot_fwd.proto="tcp udp"
  uci set firewall.dot_fwd.target="REJECT"
  uci commit firewall
  /etc/init.d/firewall restart

DNS forwarding

Set up DNS forwarding to your local DNS server with Dnsmasq.
Configure firewall to exclude the local DNS server from the interception rule.

  # Configure firewall
  uci set firewall.dns_int.src_mac="!00:11:22:33:44:55"
  uci commit firewall
  /etc/init.d/firewall restart

DNS redirection

Use this variant to avoid using Dnsmasq.
Configure firewall to redirect the intercepted DNS traffic to your local DNS server.

  # Configure firewall
  uci set firewall.dns_int.name="Redirect-DNS"
  uci set firewall.dns_int.src_ip="!192.168.1.2"
  uci set firewall.dns_int.dest_ip="192.168.1.2"
  uci -q delete firewall.dns_masq
  uci set firewall.dns_masq="nat"
  uci set firewall.dns_masq.name="Masquerade-DNS"
  uci set firewall.dns_masq.src="lan"
  uci set firewall.dns_masq.dest_ip="192.168.1.2"
  uci set firewall.dns_masq.dest_port="53"
  uci set firewall.dns_masq.proto="tcp udp"
  uci set firewall.dns_masq.target="MASQUERADE"
  uci commit firewall
  /etc/init.d/firewall restart

Assign the local DNS server an IP address in a separate network to disable masquerading.
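For the DNS redirection variant, a sanity check over `uci show firewall` output: every port-53 DNAT redirect that points at a local DNS server (dest_ip set) must exclude that server from its own match (src_ip="!<server>"), otherwise the server's upstream queries are redirected back to itself and resolution loops; it also notes when no MASQUERADE nat section covers the server on port 53, which matters only when the server shares the clients' subnet. This is an added example, not code from the OpenWrt wiki; the sample configuration is constructed from the uci commands on this page.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: check a `uci show firewall`
# dump for the loop and masquerade pitfalls of redirecting intercepted DNS
# to a local DNS server.

# Read `uci show firewall` on stdin; print one finding per line (LOOP or NOTE)
# and exit with the number of LOOP findings.
dns_redirect_check() {
    tr -d "'" | awk -F= '
        {
            split($1, p, ".")              # p[2] = section, p[3] = option (if any)
            if (p[3] == "") sect[p[2]] = $2
            else opt[p[2] "." p[3]] = $2
        }
        END {
            problems = 0
            for (s in sect) {
                if (sect[s] != "redirect" || opt[s ".src_dport"] != "53" ||
                    opt[s ".target"] != "DNAT" || opt[s ".dest_ip"] == "")
                    continue
                server = opt[s ".dest_ip"]
                # The server must not match its own redirect, or it loops.
                if (opt[s ".src_ip"] != "!" server) {
                    printf "LOOP %s: dest_ip %s is not excluded (src_ip should be !%s)\n", s, server, server
                    problems++
                }
                # Replies to clients in the same subnet need MASQUERADE.
                masq = 0
                for (n in sect) {
                    if (sect[n] == "nat" && opt[n ".target"] == "MASQUERADE" &&
                        opt[n ".dest_ip"] == server && opt[n ".dest_port"] == "53")
                        masq = 1
                }
                if (!masq)
                    printf "NOTE %s: no MASQUERADE for %s:53; fine only if the server is in a separate network\n", s, server
            }
            exit problems
        }'
}

# Print the number of LOOP findings (0 when the redirect is safe).
dns_loop_count() {
    n=0
    dns_redirect_check >/dev/null || n=$?
    echo "$n"
}

# Constructed sample in `uci show` format, mirroring the page's redirection
# commands; on a router, pipe `uci show firewall` instead.
GOOD_CONFIG="firewall.dns_int=redirect
firewall.dns_int.name='Redirect-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.family='any'
firewall.dns_int.target='DNAT'
firewall.dns_int.src_ip='!192.168.1.2'
firewall.dns_int.dest_ip='192.168.1.2'
firewall.dns_masq=nat
firewall.dns_masq.name='Masquerade-DNS'
firewall.dns_masq.src='lan'
firewall.dns_masq.dest_ip='192.168.1.2'
firewall.dns_masq.dest_port='53'
firewall.dns_masq.proto='tcp udp'
firewall.dns_masq.target='MASQUERADE'"

# Stand-alone demo: the page's configuration passes; the same configuration
# without the src_ip exclusion is flagged as a loop.
echo "loop risks (page config): $(printf '%s\n' "$GOOD_CONFIG" | dns_loop_count)"
printf '%s\n' "$GOOD_CONFIG" | grep -v src_ip | dns_redirect_check || true
```

Run `uci show firewall | dns_redirect_check` after `uci commit firewall` and before the firewall restart; a LOOP finding means the local server's own queries would be DNATed back to it.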
Last modified: 2023/09/12 09:47 by vgaetera