Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:intercept_dns [2021/03/12 04:11] – [NAT6] vgaetera
docs:guide-user:firewall:fw3_configurations:intercept_dns [2024/07/10 06:14] (current) – [Command-line instructions] lastedit
Line 1: Line 1:
 ====== DNS hijacking ====== ====== DNS hijacking ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 8: Line 8:
 ===== Goals ===== ===== Goals =====
   * Override preconfigured DNS provider for LAN clients.   * Override preconfigured DNS provider for LAN clients.
-    * Prevent DNS leak for LAN clients when using VPN or DNS encryption.+    * Prevent DNS leaks for LAN clients when using VPN or DNS encryption.
  
-===== Web interface =====+===== Web interface instructions =====
 Configure firewall to intercept DNS traffic. Configure firewall to intercept DNS traffic.
  
-  - Navigate to  **LuCI -> Network -> Firewall -> Port Forwards**.+  - Navigate to **LuCI -> Network -> Firewall -> Port Forwards**.
   - Click **Add** and specify:   - Click **Add** and specify:
     * Name: ''Intercept-DNS''     * Name: ''Intercept-DNS''
-    * Protocol: TCP and UDP+    * Restrict to address family: IPv4 and IPv6 
 +    * Protocol: TCPUDP
     * Source zone: ''lan''     * Source zone: ''lan''
     * External port: ''53''     * External port: ''53''
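Review bot: `Protocol: TCPUDP` in the added web-interface line has lost its separator; write it as the two protocols the CLI block sets (`proto="tcp udp"`), e.g. `TCP+UDP`, so the reader picks the combined entry rather than searching for a single "TCPUDP" option.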
Line 24: Line 25:
   - Click **Save**, then **Save & Apply**.   - Click **Save**, then **Save & Apply**.
  
-===== Command-line interface =====+===== Command-line instructions =====
 Configure firewall to intercept DNS traffic. Configure firewall to intercept DNS traffic.
  
 <code bash> <code bash>
 # Intercept DNS traffic # Intercept DNS traffic
-uci -q delete firewall.dns_int+uci -q del firewall.dns_int
 uci set firewall.dns_int="redirect" uci set firewall.dns_int="redirect"
 uci set firewall.dns_int.name="Intercept-DNS" uci set firewall.dns_int.name="Intercept-DNS"
 +uci set firewall.dns_int.family="any"
 +uci set firewall.dns_int.proto="tcp udp"
 uci set firewall.dns_int.src="lan" uci set firewall.dns_int.src="lan"
 uci set firewall.dns_int.src_dport="53" uci set firewall.dns_int.src_dport="53"
-uci set firewall.dns_int.proto="tcp udp" 
 uci set firewall.dns_int.target="DNAT" uci set firewall.dns_int.target="DNAT"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
 ===== Testing ===== ===== Testing =====
-Verify your [[wp>Public_recursive_name_server|DNS provider]] matches the one on the router when using a different DNS provider on the client+Configure different [[wp>Public_recursive_name_server|DNS providers]] on the client and router
-  * [[https://dnsleaktest.com/]]+Verify the identified DNS provider only matches the router
 +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
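Review bot: the new `family="any"` line (mirroring "IPv4 and IPv6" in the web instructions) makes the redirect DNAT IPv6 DNS queries as well, which requires IPv6 NAT support in the firewall; the revision never states which firewall it assumes (fw3 with the NAT6 kernel module, or fw4/nftables), so add one sentence naming the requirement. The Testing wording "Verify the identified DNS provider only matches the router" is hard to parse; suggest "Verify that the DNS provider detected by the test matches the one configured on the router, not the one configured on the client".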
Line 49: Line 52:
 <code bash> <code bash>
 # Log and status # Log and status
-/etc/init.d/firewall restart+service firewall restart
  
 # Runtime configuration # Runtime configuration
-iptables-save +nft list ruleset
-ip6tables-save+
  
 # Persistent configuration # Persistent configuration
Line 60: Line 62:
  
 ===== Extras ===== ===== Extras =====
-==== NAT6 ==== 
-Enable NAT6 to process IPv6 traffic when using dual-stack mode. 
- 
-<code bash> 
-# Install packages 
-opkg update 
-opkg install kmod-ipt-nat6 
- 
-# Enable NAT6 
-cat << "EOF" > /etc/firewall.nat6 
-iptables-save -t nat \ 
-| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \ 
-| ip6tables-restore -T nat 
-EOF 
-cat << "EOF" >> /etc/sysupgrade.conf 
-/etc/firewall.nat6 
-EOF 
-uci -q delete firewall.nat6 
-uci set firewall.nat6="include" 
-uci set firewall.nat6.path="/etc/firewall.nat6" 
-uci set firewall.nat6.reload="1" 
-uci commit firewall 
-/etc/init.d/firewall restart 
-</code> 
- 
 ==== DNS over HTTPS ==== ==== DNS over HTTPS ====
-Configure firewall to filter DoH traffic forcing LAN clients to switch to plain DNS. +Utilize banIP to [[docs:guide-user:services:banip#blocking_doh|filter DoH]] traffic forcing LAN clients to switch to plain DNS.
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install ipset +
- +
-# Configure IP sets +
-uci -q delete firewall.doh +
-uci set firewall.doh="ipset" +
-uci set firewall.doh.name="doh" +
-uci set firewall.doh.family="ipv4" +
-uci set firewall.doh.storage="hash" +
-uci set firewall.doh.match="ip" +
-uci -q delete firewall.doh6 +
-uci set firewall.doh6="ipset" +
-uci set firewall.doh6.name="doh6" +
-uci set firewall.doh6.family="ipv6" +
-uci set firewall.doh6.storage="hash" +
-uci set firewall.doh6.match="ip" +
- +
-# Filter DoH traffic +
-uci -q delete firewall.doh_fwd +
-uci set firewall.doh_fwd="rule" +
-uci set firewall.doh_fwd.name="Deny-DoH" +
-uci set firewall.doh_fwd.src="lan" +
-uci set firewall.doh_fwd.dest="wan" +
-uci set firewall.doh_fwd.dest_port="443" +
-uci set firewall.doh_fwd.proto="tcp udp" +
-uci set firewall.doh_fwd.family="ipv4" +
-uci set firewall.doh_fwd.ipset="doh dest" +
-uci set firewall.doh_fwd.target="REJECT" +
-uci -q delete firewall.doh6_fwd +
-uci set firewall.doh6_fwd="rule" +
-uci set firewall.doh6_fwd.name="Deny-DoH" +
-uci set firewall.doh6_fwd.src="lan" +
-uci set firewall.doh6_fwd.dest="wan" +
-uci set firewall.doh6_fwd.dest_port="443" +
-uci set firewall.doh6_fwd.proto="tcp udp" +
-uci set firewall.doh6_fwd.family="ipv6" +
-uci set firewall.doh6_fwd.ipset="doh6 dest" +
-uci set firewall.doh6_fwd.target="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
- +
-# Populate IP sets +
-cat << "EOF" > /etc/firewall.ipset-doh +
-DOH_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt" +
-DOH6_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt" +
-uci -q delete firewall.doh.entry +
-uclient-fetch -O - "${DOH_URL}"+
-| while read -r DOH_SERV +
-do uci add_list firewall.doh.entry="${DOH_SERV%% *}" +
-done +
-uci -q delete firewall.doh6.entry +
-uclient-fetch -O - "${DOH6_URL}"+
-| while read -r DOH_SERV +
-do uci add_list firewall.doh6.entry="${DOH_SERV%% *}" +
-done +
-uci commit firewall +
-/etc/init.d/firewall restart +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/firewall.ipset-doh +
-EOF +
- +
-# Configure hotplug +
-mkdir -p /etc/hotplug.d/iface +
-cat << "EOF" > /etc/hotplug.d/iface/99-ipset-doh +
-. /lib/functions/network.sh +
-network_flush_cache +
-network_find_wan NET_IF +
-network_find_wan6 NET_IF6 +
-if [ "${INTERFACE}" = "${NET_IF}" -o "${INTERFACE}" = "${NET_IF6}" ] \ +
-&& [ "${ACTION}" = "ifup" -o "${ACTION}" = "ifupdate" ] \ +
-&& [ ! -e /tmp/ipset-doh.done ] \ +
-&& ping -w 3 openwrt.org \ +
-&& [ ! -e /tmp/ipset-doh.lock ] +
-then +
-touch /tmp/ipset-doh.lock +
-. /etc/firewall.ipset-doh +
-touch /tmp/ipset-doh.done +
-rm -f /tmp/ipset-doh.lock +
-fi +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/hotplug.d/iface/99-ipset-doh +
-EOF +
-</code>+
  
 ==== DNS over TLS ==== ==== DNS over TLS ====
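Review bot: replacing `iptables-save`/`ip6tables-save` with `nft list ruleset`, and dropping both the NAT6 section and the ipset-based DoH block, means the page now targets fw4/nftables only, yet the namespace is still `fw3_configurations` and nothing in the diff states that assumption; state it once near the top, or keep the iptables commands as the fw3 alternative. The DoH section now consists solely of the banIP link, so readers who deployed the removed files get no cleanup hint; a short sentence noting that `/etc/firewall.ipset-doh`, `/etc/hotplug.d/iface/99-ipset-doh` and their `/etc/sysupgrade.conf` entries are obsolete would help.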
Line 190: Line 79:
 uci set firewall.dot_fwd.target="REJECT" uci set firewall.dot_fwd.target="REJECT"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart 
 +</code> 
 + 
 +==== DNS forwarding ==== 
 +Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq. 
 +Assuming the local DNS server is in the same subnet. 
 +Configure firewall to avoid looping. 
 + 
 +<code bash> 
 +# Configure firewall 
 +uci set firewall.dns_int.src_mac="!11:22:33:44:55:66" 
 +uci commit firewall 
 +service firewall restart
 </code> </code>
  
 ==== DNS redirection ==== ==== DNS redirection ====
-Configure firewall to redirect [[docs:guide-user:firewall:fw3_configurations:intercept_dns#command-line_interface|intercepted]] DNS traffic to your local DNS server.+Avoid using Dnsmasq. 
 +Configure firewall to redirect DNS traffic to your local DNS server
 +Move the local DNS server to a separate subnet to avoid masquerading.
  
 <code bash> <code bash>
-Redirect DNS traffic +Configure firewall
-DNS_SERV="192.168.1.2"+
 uci set firewall.dns_int.name="Redirect-DNS" uci set firewall.dns_int.name="Redirect-DNS"
-uci set firewall.dns_int.src_ip="!${DNS_SERV}" +uci set firewall.dns_int.dest_ip="192.168.2.2"
-uci set firewall.dns_int.dest_ip="${DNS_SERV}" +
-uci -q delete firewall.dns_masq +
-uci set firewall.dns_masq="nat" +
-uci set firewall.dns_masq.name="Masquerade-DNS" +
-uci set firewall.dns_masq.src="lan" +
-uci set firewall.dns_masq.dest_ip="${DNS_SERV}" +
-uci set firewall.dns_masq.dest_port="53" +
-uci set firewall.dns_masq.proto="tcp udp" +
-uci set firewall.dns_masq.target="MASQUERADE"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart 
 + 
 +# Configure network 
 +uci add_list network.lan.ipaddr="192.168.2.1/24" 
 +uci commit network 
 +service network restart
 </code> </code>
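Review bot: the rewritten DNS redirection block drops the `src_ip="!${DNS_SERV}"` exclusion the previous version had, so the local DNS server's own upstream queries (source zone `lan`, destination port 53) now match the `dns_int` redirect and are DNATed back to `192.168.2.2`, i.e. to itself; restore the exclusion, e.g. `uci set firewall.dns_int.src_ip="!192.168.2.2"`. The first line inside that block, `Configure firewall`, has no `#` prefix, so pasting the block executes it as a command (the removed `Redirect DNS traffic` line had the same problem). In the DNS forwarding block, `11:22:33:44:55:66` should be marked as a placeholder to be replaced with the local DNS server's MAC address, since the negated `src_mac` is what keeps that server out of the interception loop.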
  
  • Last modified: 2024/07/10 06:14
  • by lastedit