Differences

docs:guide-user:firewall:fw3_configurations:intercept_dns [2021/03/15 20:41] – [DNS over HTTPS] use system lock dir vgaetera
docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera
Line 1: Line 1:
 ====== DNS hijacking ====== ====== DNS hijacking ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 8: Line 8:
 ===== Goals ===== ===== Goals =====
   * Override preconfigured DNS provider for LAN clients.   * Override preconfigured DNS provider for LAN clients.
-    * Prevent DNS leak for LAN clients when using VPN or DNS encryption.+    * Prevent DNS leaks for LAN clients when using VPN or DNS encryption.
  
-===== Web interface =====+===== Web interface instructions =====
 Configure firewall to intercept DNS traffic. Configure firewall to intercept DNS traffic.
  
-  - Navigate to  **LuCI -> Network -> Firewall -> Port Forwards**.+  - Navigate to **LuCI -> Network -> Firewall -> Port Forwards**.
   - Click **Add** and specify:   - Click **Add** and specify:
     * Name: ''Intercept-DNS''     * Name: ''Intercept-DNS''
-    * Protocol: TCP and UDP+    * Protocol: TCPUDP
     * Source zone: ''lan''     * Source zone: ''lan''
     * External port: ''53''     * External port: ''53''
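Review bot: "Protocol: TCPUDP" in the new Protocol bullet looks like a dropped separator; LuCI's port-forward protocol dropdown labels the combined option "TCP+UDP", so write it that way (or keep the previous "TCP and UDP") so readers can match the bullet against the form.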
Line 24: Line 24:
   - Click **Save**, then **Save & Apply**.   - Click **Save**, then **Save & Apply**.
  
-===== Command-line interface =====+Intercept IPv6 DNS traffic when using dual-stack mode. 
 + 
 +  - Click **Add** and duplicate the above port forward, but specify: 
 +    * Restrict to address family: IPv6 only 
 +  - Click **Save**, then **Save & Apply**. 
 + 
 +===== Command-line instructions =====
 Configure firewall to intercept DNS traffic. Configure firewall to intercept DNS traffic.
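Review bot: the new IPv6 step says to duplicate the port forward with "Restrict to address family: IPv6 only" but never states the family of the first rule; if that one is left unrestricted the two rules overlap, and if LuCI defaults it to IPv4 the text should say so. Since the NAT6 subsection is removed from Extras in this same revision, one sentence that IPv6 DNAT now works without kmod-ipt-nat6 under fw4/nftables would tell readers why this extra port forward is all that is needed.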
  
Line 35: Line 41:
 uci set firewall.dns_int.src_dport="53" uci set firewall.dns_int.src_dport="53"
 uci set firewall.dns_int.proto="tcp udp" uci set firewall.dns_int.proto="tcp udp"
 +uci set firewall.dns_int.family="any"
 uci set firewall.dns_int.target="DNAT" uci set firewall.dns_int.target="DNAT"
 uci commit firewall uci commit firewall
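Review bot: family="any" makes this single CLI redirect cover both IPv4 and IPv6, whereas the web-interface section adds a separate IPv6-only port forward for the same purpose; the two paths are equivalent but the page never says so, so a reader who follows both ends up with overlapping rules. Note the equivalence in one sentence, or use the same approach in both sections.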
Line 41: Line 48:
  
 ===== Testing ===== ===== Testing =====
-Verify your [[wp>Public_recursive_name_server|DNS provider]] matches the one on the router when using a different DNS provider on the client+Configure different [[wp>Public_recursive_name_server|DNS providers]] on the client and router
-  * [[https://dnsleaktest.com/]]+Verify the identified DNS provider only matches the router
 +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
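Review bot: both new Testing sentences lack terminal punctuation, and "Verify the identified DNS provider only matches the router" is hard to parse; suggest "Configure different DNS providers on the client and on the router." followed by "Verify that the DNS provider reported by the test is the router's, not the client's."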
Line 52: Line 60:
  
 # Runtime configuration # Runtime configuration
-iptables-save +nft list ruleset
-ip6tables-save+
  
 # Persistent configuration # Persistent configuration
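Review bot: replacing iptables-save and ip6tables-save with nft list ruleset silently moves this page from fw3 to fw4 (nftables, OpenWrt 22.03 and later) while it still lives under fw3_configurations; state which firewall the instructions now target, or keep both commands with a note on which release each applies to, so users on older fw3 images are not left with a command their system does not have.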
Line 60: Line 67:
  
 ===== Extras ===== ===== Extras =====
-==== NAT6 ==== 
-Enable NAT6 to process IPv6 traffic when using dual-stack mode. 
- 
-<code bash> 
-# Install packages 
-opkg update 
-opkg install kmod-ipt-nat6 
- 
-# Enable NAT6 
-cat << "EOF" > /etc/firewall.nat6 
-iptables-save -t nat \ 
-| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \ 
-| ip6tables-restore -T nat 
-EOF 
-cat << "EOF" >> /etc/sysupgrade.conf 
-/etc/firewall.nat6 
-EOF 
-uci -q delete firewall.nat6 
-uci set firewall.nat6="include" 
-uci set firewall.nat6.path="/etc/firewall.nat6" 
-uci set firewall.nat6.reload="1" 
-uci commit firewall 
-/etc/init.d/firewall restart 
-</code> 
- 
 ==== DNS over HTTPS ==== ==== DNS over HTTPS ====
-Configure firewall to filter DoH traffic forcing LAN clients to switch to plain DNS. +Utilize banIP to [[docs:guide-user:services:banip#blocking_doh|filter DoH]] traffic forcing LAN clients to switch to plain DNS.
-Set up [[docs:guide-user:advanced:hotplug_online|Hotplug online]] to populate IP sets at startup. +
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install ipset +
- +
-# Configure IP sets +
-uci -q delete firewall.doh +
-uci set firewall.doh="ipset" +
-uci set firewall.doh.name="doh" +
-uci set firewall.doh.family="ipv4" +
-uci set firewall.doh.storage="hash" +
-uci set firewall.doh.match="ip" +
-uci -q delete firewall.doh6 +
-uci set firewall.doh6="ipset" +
-uci set firewall.doh6.name="doh6" +
-uci set firewall.doh6.family="ipv6" +
-uci set firewall.doh6.storage="hash" +
-uci set firewall.doh6.match="ip" +
- +
-# Filter DoH traffic +
-uci -q delete firewall.doh_fwd +
-uci set firewall.doh_fwd="rule" +
-uci set firewall.doh_fwd.name="Deny-DoH" +
-uci set firewall.doh_fwd.src="lan" +
-uci set firewall.doh_fwd.dest="wan" +
-uci set firewall.doh_fwd.dest_port="443" +
-uci set firewall.doh_fwd.proto="tcp udp" +
-uci set firewall.doh_fwd.family="ipv4" +
-uci set firewall.doh_fwd.ipset="doh dest" +
-uci set firewall.doh_fwd.target="REJECT" +
-uci -q delete firewall.doh6_fwd +
-uci set firewall.doh6_fwd="rule" +
-uci set firewall.doh6_fwd.name="Deny-DoH" +
-uci set firewall.doh6_fwd.src="lan" +
-uci set firewall.doh6_fwd.dest="wan" +
-uci set firewall.doh6_fwd.dest_port="443" +
-uci set firewall.doh6_fwd.proto="tcp udp" +
-uci set firewall.doh6_fwd.family="ipv6" +
-uci set firewall.doh6_fwd.ipset="doh6 dest" +
-uci set firewall.doh6_fwd.target="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
- +
-# Populate IP sets +
-mkdir -p /etc/hotplug.d/online +
-cat << "EOF" > /etc/hotplug.d/online/99-ipset-doh +
-if lock -n /var/lock/ipset-doh +
-then +
-IPSET_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt" +
-IPSET_URL6="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt" +
-uci -q delete firewall.doh.entry +
-uci -q delete firewall.doh6.entry +
-uclient-fetch -O - "${IPSET_URL}"+
-| while read -r IPSET_ADDR +
-do uci add_list firewall.doh.entry="${IPSET_ADDR%% *}" +
-done +
-uclient-fetch -O - "${IPSET_URL6}"+
-| while read -r IPSET_ADDR +
-do uci add_list firewall.doh6.entry="${IPSET_ADDR%% *}" +
-done +
-uci commit firewall +
-/etc/init.d/firewall restart +
-fi +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/hotplug.d/online/99-ipset-doh +
-EOF +
-. /etc/hotplug.d/online/99-ipset-doh +
-</code>+
  
 ==== DNS over TLS ==== ==== DNS over TLS ====
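Review bot: the replacement DoH sentence needs a comma and plainer wording, e.g. "Use banIP to filter DoH traffic, forcing LAN clients to fall back to plain DNS." With the NAT6 subsection gone, Extras no longer mentions IPv6 at all; if the intent is that fw4 handles IPv6 NAT natively, a one-line note saying so prevents readers of older copies from re-adding the iptables-save | ip6tables-restore include, which no longer applies under nftables.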
Line 172: Line 83:
 uci set firewall.dot_fwd.proto="tcp udp" uci set firewall.dot_fwd.proto="tcp udp"
 uci set firewall.dot_fwd.target="REJECT" uci set firewall.dot_fwd.target="REJECT"
 +uci commit firewall
 +/etc/init.d/firewall restart
 +</code>
 +
 +==== DNS forwarding ====
 +Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq.
 +Assuming the local DNS server is in the same subnet.
 +Configure firewall to avoid looping.
 +
 +<code bash>
 +# Configure firewall
 +uci set firewall.dns_int.src_mac="!00:11:22:33:44:55"
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
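Review bot: src_mac="!00:11:22:33:44:55" is clearly a placeholder, but the text never tells the reader to substitute the local DNS server's MAC address, and "Assuming the local DNS server is in the same subnet." is a sentence fragment. Suggest "Assuming the local DNS server is in the same subnet, exclude its MAC address from the redirect so that its own upstream queries are not looped back to Dnsmasq:" plus a comment in the code block such as "# Replace with the MAC address of the local DNS server". A short remark on why the match is by MAC rather than IP would also help, now that the redirect carries family="any".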
Line 177: Line 100:
  
 ==== DNS redirection ==== ==== DNS redirection ====
-Configure firewall to redirect [[docs:guide-user:firewall:fw3_configurations:intercept_dns#command-line_interface|intercepted]] DNS traffic to your local DNS server.+Avoid using Dnsmasq. 
 +Configure firewall to redirect DNS traffic to your local DNS server
 +Move the local DNS server to a separate subnet to avoid masquerading.
  
 <code bash> <code bash>
-Redirect DNS traffic +Configure firewall
-DNS_SERV="192.168.1.2"+
 uci set firewall.dns_int.name="Redirect-DNS" uci set firewall.dns_int.name="Redirect-DNS"
-uci set firewall.dns_int.src_ip="!${DNS_SERV}" +uci set firewall.dns_int.dest_ip="192.168.2.2"
-uci set firewall.dns_int.dest_ip="${DNS_SERV}" +
-uci -q delete firewall.dns_masq +
-uci set firewall.dns_masq="nat" +
-uci set firewall.dns_masq.name="Masquerade-DNS" +
-uci set firewall.dns_masq.src="lan" +
-uci set firewall.dns_masq.dest_ip="${DNS_SERV}" +
-uci set firewall.dns_masq.dest_port="53" +
-uci set firewall.dns_masq.proto="tcp udp" +
-uci set firewall.dns_masq.target="MASQUERADE"+
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
 +
 +# Configure network
 +uci add_list network.lan.ipaddr="192.168.2.1/24"
 +uci commit network
 +/etc/init.d/network restart
 </code> </code>
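Review bot: the rewritten Redirect-DNS rule drops the old src_ip="!${DNS_SERV}" exclusion, and the DNS server now sits inside the lan zone through the added 192.168.2.1/24 address, so its own upstream queries to port 53 would be DNAT'd back to 192.168.2.2 unless the src_mac exclusion from the DNS forwarding subsection is still in place; since the "Avoid using Dnsmasq." opener presents this subsection as an alternative to that one, state the dependency explicitly or restore an exclusion here. Also "Configure firewall to redirect DNS traffic to your local DNS server" is missing its period, and "Avoid using Dnsmasq." reads as an instruction rather than the precondition it appears to be; rephrase it as "This variant does not involve Dnsmasq." if that is the intent.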
  
  • Last modified: 2024/07/10 06:14
  • by lastedit