Differences
| docs:guide-user:firewall:fw3_configurations:intercept_dns [2021/03/16 01:34] – [DNS over HTTPS] update links vgaetera | docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== DNS hijacking ====== | ====== DNS hijacking ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 8: | Line 8: | ||
| ===== Goals ===== | ===== Goals ===== | ||
| * Override preconfigured DNS provider for LAN clients. | * Override preconfigured DNS provider for LAN clients. | ||
| - | * Prevent DNS leak for LAN clients when using VPN or DNS encryption. | + | * Prevent DNS leaks for LAN clients when using VPN or DNS encryption. |
| - | ===== Web interface ===== | + | ===== Web interface |
| Configure firewall to intercept DNS traffic. | Configure firewall to intercept DNS traffic. | ||
| - | - Navigate to **LuCI -> Network -> Firewall -> Port Forwards**. | + | - Navigate to **LuCI -> Network -> Firewall -> Port Forwards**. |
| - Click **Add** and specify: | - Click **Add** and specify: | ||
| * Name: '' | * Name: '' | ||
| - | * Protocol: TCP and UDP | + | * Protocol: TCP, UDP |
| * Source zone: '' | * Source zone: '' | ||
| * External port: '' | * External port: '' | ||
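Review bot: the second goal, "Prevent DNS leaks for LAN clients when using VPN or DNS encryption", promises more than the port forward in this section delivers; redirecting TCP/UDP DNS traffic at the firewall only catches plaintext DNS, and a client that speaks DNS over HTTPS or DNS over TLS to a remote resolver never hits this rule. Suggest qualifying the goal ("Prevent plaintext DNS leaks ...") and pointing at the DNS over HTTPS and DNS over TLS subsections under Extras, which are the parts of the page that deal with encrypted clients.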
| Line 24: | Line 24: | ||
| - Click **Save**, then **Save & Apply**. | - Click **Save**, then **Save & Apply**. | ||
| - | ===== Command-line | + | Intercept IPv6 DNS traffic when using dual-stack mode. |
| + | |||
| + | - Click **Add** and duplicate the above port forward, but specify: | ||
| + | * Restrict to address family: IPv6 only | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| + | |||
| + | ===== Command-line | ||
| Configure firewall to intercept DNS traffic. | Configure firewall to intercept DNS traffic. | ||
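Review bot: the new IPv6 step says to duplicate the port forward with "Restrict to address family: IPv6 only" but does not say what the family of the first rule should be, while the command-line hunk that follows covers both families with a single `family` option on the one `dns_int` stanza. Either state that the first LuCI rule is restricted to IPv4 so the two rules do not overlap, or, simpler and consistent with the CLI, tell the reader to set the address family of the single rule to cover both families. Worth one more sentence: the IPv6 rule only has an effect when LAN clients actually carry an IPv6 resolver address; on an IPv4-only LAN the missing rule is not a misconfiguration.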
| Line 35: | Line 41: | ||
| uci set firewall.dns_int.src_dport=" | uci set firewall.dns_int.src_dport=" | ||
| uci set firewall.dns_int.proto=" | uci set firewall.dns_int.proto=" | ||
| + | uci set firewall.dns_int.family=" | ||
| uci set firewall.dns_int.target=" | uci set firewall.dns_int.target=" | ||
| uci commit firewall | uci commit firewall | ||
| Line 41: | Line 48: | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | Verify your [[wp> | + | Configure different |
| - | * [[https:// | + | Verify the identified |
| + | * [[https://www.dnsleaktest.com/ | ||
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
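Review bot: the testing step depends on an external leak-test site, which only reports which resolver egress address it saw, not why. Two caveats belong here. If the reported resolver is the expected one, the test passes whether or not the redirect fired, since the client may simply have used the router as configured, so the "Configure different ..." prerequisite (pointing the client at a third-party resolver first) must be explicit. If a foreign resolver shows up, that indicates a client using DoH or DoT as often as it indicates a broken rule, which the Extras subsections address. A local check that needs no third party is the per-rule counters in `nft list ruleset` (added in the Troubleshooting hunk): send a query from a client to an external resolver address and confirm the redirect rule's counter increments.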
| Line 52: | Line 60: | ||
| # Runtime configuration | # Runtime configuration | ||
| - | iptables-save | + | nft list ruleset |
| - | ip6tables-save | + | |
| # Persistent configuration | # Persistent configuration | ||
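Review bot: swapping `iptables-save` / `ip6tables-save` for `nft list ruleset` silently changes which firewall the page targets. The page sits under `fw3_configurations` (see the page path in the revision header), yet on an fw3/iptables release `nft` is absent or lists nothing, and on fw4 the old commands are gone. State the release boundary next to the command (fw4/nftables from OpenWrt 22.03, fw3/iptables before it) or keep both commands with a one-line note on which applies; otherwise a reader on an fw3 device gets an empty ruleset and concludes the redirect is missing.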
| Line 60: | Line 67: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| - | ==== NAT6 ==== | ||
| - | Enable NAT6 to process IPv6 traffic when using dual-stack mode. | ||
| - | |||
| - | <code bash> | ||
| - | # Install packages | ||
| - | opkg update | ||
| - | opkg install kmod-ipt-nat6 | ||
| - | |||
| - | # Enable NAT6 | ||
| - | cat << " | ||
| - | iptables-save -t nat \ | ||
| - | | sed -e "/ | ||
| - | | ip6tables-restore -T nat | ||
| - | EOF | ||
| - | cat << " | ||
| - | / | ||
| - | EOF | ||
| - | uci -q delete firewall.nat6 | ||
| - | uci set firewall.nat6=" | ||
| - | uci set firewall.nat6.path="/ | ||
| - | uci set firewall.nat6.reload=" | ||
| - | uci commit firewall | ||
| - | / | ||
| - | </ | ||
| - | |||
| ==== DNS over HTTPS ==== | ==== DNS over HTTPS ==== | ||
| - | Configure firewall | + | Utilize banIP to [[docs: |
| - | Set up [[docs: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install ipset | + | |
| - | + | ||
| - | # Configure IP sets | + | |
| - | uci -q delete firewall.doh | + | |
| - | uci set firewall.doh=" | + | |
| - | uci set firewall.doh.name=" | + | |
| - | uci set firewall.doh.family=" | + | |
| - | uci set firewall.doh.storage=" | + | |
| - | uci set firewall.doh.match=" | + | |
| - | uci -q delete firewall.doh6 | + | |
| - | uci set firewall.doh6=" | + | |
| - | uci set firewall.doh6.name=" | + | |
| - | uci set firewall.doh6.family=" | + | |
| - | uci set firewall.doh6.storage=" | + | |
| - | uci set firewall.doh6.match=" | + | |
| - | + | ||
| - | # Filter DoH traffic | + | |
| - | uci -q delete firewall.doh_fwd | + | |
| - | uci set firewall.doh_fwd=" | + | |
| - | uci set firewall.doh_fwd.name=" | + | |
| - | uci set firewall.doh_fwd.src=" | + | |
| - | uci set firewall.doh_fwd.dest=" | + | |
| - | uci set firewall.doh_fwd.dest_port=" | + | |
| - | uci set firewall.doh_fwd.proto=" | + | |
| - | uci set firewall.doh_fwd.family=" | + | |
| - | uci set firewall.doh_fwd.ipset=" | + | |
| - | uci set firewall.doh_fwd.target=" | + | |
| - | uci -q delete firewall.doh6_fwd | + | |
| - | uci set firewall.doh6_fwd=" | + | |
| - | uci set firewall.doh6_fwd.name=" | + | |
| - | uci set firewall.doh6_fwd.src=" | + | |
| - | uci set firewall.doh6_fwd.dest=" | + | |
| - | uci set firewall.doh6_fwd.dest_port=" | + | |
| - | uci set firewall.doh6_fwd.proto=" | + | |
| - | uci set firewall.doh6_fwd.family=" | + | |
| - | uci set firewall.doh6_fwd.ipset=" | + | |
| - | uci set firewall.doh6_fwd.target=" | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | + | ||
| - | # Populate IP sets | + | |
| - | mkdir -p / | + | |
| - | cat << " | + | |
| - | if [ ! -e / | + | |
| - | && lock -n / | + | |
| - | then | + | |
| - | IPSET_URL=" | + | |
| - | IPSET_URL6=" | + | |
| - | uci -q delete firewall.doh.entry | + | |
| - | uci -q delete firewall.doh6.entry | + | |
| - | uclient-fetch -O - " | + | |
| - | | while read -r IPSET_ADDR | + | |
| - | do uci add_list firewall.doh.entry=" | + | |
| - | done | + | |
| - | uclient-fetch -O - " | + | |
| - | | while read -r IPSET_ADDR | + | |
| - | do uci add_list firewall.doh6.entry=" | + | |
| - | done | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | fi | + | |
| - | lock -u / | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| - | . / | + | |
| - | </ | + | |
| ==== DNS over TLS ==== | ==== DNS over TLS ==== | ||
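Review bot: the DoH subsection loses its rationale along with its script. The removed text said what the section was for (filtering DoH so clients cannot bypass the port-53 redirect, via ipset-backed `doh_fwd` / `doh6_fwd` rules fed from a fetched address list); the replacement is a single "Utilize banIP to ..." pointer. Keep one sentence stating the reason: browsers and operating systems that speak DNS over HTTPS talk to port 443 and are untouched by the redirect above, so without a block list they leak. Dropping the script itself is a good change: it ran `uci add_list firewall.doh.entry` per address followed by `uci commit firewall` and a firewall reload on every refresh, rewriting the persistent firewall config each time. Add one caveat to the new text, though: blocking DoH by IP list is best-effort, because resolvers share CDN addresses with ordinary HTTPS services and the lists lag. Removing the iptables-based NAT6 block is consistent with IPv6 now being handled by the address family of the redirect rule itself.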
| Line 174: | Line 83: | ||
| uci set firewall.dot_fwd.proto=" | uci set firewall.dot_fwd.proto=" | ||
| uci set firewall.dot_fwd.target=" | uci set firewall.dot_fwd.target=" | ||
| + | uci commit firewall | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | ==== DNS forwarding ==== | ||
| + | Set up [[docs: | ||
| + | Assuming the local DNS server is in the same subnet. | ||
| + | Configure firewall to avoid looping. | ||
| + | |||
| + | <code bash> | ||
| + | # Configure firewall | ||
| + | uci set firewall.dns_int.src_mac=" | ||
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| Line 179: | Line 100: | ||
| ==== DNS redirection ==== | ==== DNS redirection ==== | ||
| - | Configure firewall to redirect | + | Avoid using Dnsmasq. |
| + | Configure firewall to redirect DNS traffic to your local DNS server. | ||
| + | Move the local DNS server to a separate subnet to avoid masquerading. | ||
| <code bash> | <code bash> | ||
| - | # Redirect DNS traffic | + | # Configure firewall |
| - | DNS_SERV=" | + | |
| uci set firewall.dns_int.name=" | uci set firewall.dns_int.name=" | ||
| - | uci set firewall.dns_int.src_ip=" | + | uci set firewall.dns_int.dest_ip=" |
| - | uci set firewall.dns_int.dest_ip=" | + | |
| - | uci -q delete firewall.dns_masq | + | |
| - | uci set firewall.dns_masq=" | + | |
| - | uci set firewall.dns_masq.name=" | + | |
| - | uci set firewall.dns_masq.src=" | + | |
| - | uci set firewall.dns_masq.dest_ip=" | + | |
| - | uci set firewall.dns_masq.dest_port=" | + | |
| - | uci set firewall.dns_masq.proto=" | + | |
| - | uci set firewall.dns_masq.target=" | + | |
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| + | |||
| + | # Configure network | ||
| + | uci add_list network.lan.ipaddr=" | ||
| + | uci commit network | ||
| + | / | ||
| </ | </ | ||