Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:intercept_dns [2021/10/06 15:27] – [DNS over HTTPS] vgaetera
docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera
Line 1: Line 1:
 ====== DNS hijacking ====== ====== DNS hijacking ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 8: Line 8:
 ===== Goals ===== ===== Goals =====
   * Override preconfigured DNS provider for LAN clients.   * Override preconfigured DNS provider for LAN clients.
-    * Prevent DNS leak for LAN clients when using VPN or DNS encryption.+    * Prevent DNS leaks for LAN clients when using VPN or DNS encryption.
  
 ===== Web interface instructions ===== ===== Web interface instructions =====
Line 22: Line 22:
     * Internal IP address: any     * Internal IP address: any
     * Internal port: any     * Internal port: any
 +  - Click **Save**, then **Save & Apply**.
 +
 +Intercept IPv6 DNS traffic when using dual-stack mode.
 +
 +  - Click **Add** and duplicate the above port forward, but specify:
 +    * Restrict to address family: IPv6 only
   - Click **Save**, then **Save & Apply**.   - Click **Save**, then **Save & Apply**.
  
Line 35: Line 41:
 uci set firewall.dns_int.src_dport="53" uci set firewall.dns_int.src_dport="53"
 uci set firewall.dns_int.proto="tcp udp" uci set firewall.dns_int.proto="tcp udp"
 +uci set firewall.dns_int.family="any"
 uci set firewall.dns_int.target="DNAT" uci set firewall.dns_int.target="DNAT"
 uci commit firewall uci commit firewall
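Review bot: the CLI path now intercepts both families with a single redirect carrying `family="any"`, while the web-interface steps earlier in this diff tell the reader to create a second, separate IPv6-only port forward; the two paths should produce the same ruleset, so either describe one unrestricted port forward in the UI section or add a second IPv6 redirect here. A short sentence that this setting replaces the former NAT6 requirement for IPv6 interception would also help readers of the previous revision.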
Line 41: Line 48:
  
 ===== Testing ===== ===== Testing =====
-Verify your [[wp>Public_recursive_name_server|DNS provider]] matches the one on the router when using a different DNS provider on the client+Configure different [[wp>Public_recursive_name_server|DNS providers]] on the client and router
-  * [[https://dnsleaktest.com/]]+Verify the identified DNS provider only matches the router
 +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
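Review bot: the two new Testing sentences are fragments without terminal punctuation and the second is ambiguous ("only matches the router"); suggest "Configure different DNS providers on the client and on the router, then verify that the provider identified by the test matches the router's provider and not the client's." Since the page now intercepts IPv6 DNS as well, the note should say to run the test from a client with IPv6 connectivity, because a leak over IPv6 is not revealed by an IPv4-only check.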
Line 52: Line 60:
  
 # Runtime configuration # Runtime configuration
-iptables-save +nft list ruleset
-ip6tables-save+
  
 # Persistent configuration # Persistent configuration
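Review bot: replacing `iptables-save` and `ip6tables-save` with `nft list ruleset` is correct for the nftables-based firewall (one command covers both families), but it silently assumes fw4 while the page still lives under `docs:guide-user:firewall:fw3_configurations`; state which OpenWrt firewall (fw4) the instructions now target, or keep the iptables commands alongside with a note on which applies, so users of the older firewall are not left with a command that does not exist on their router.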
Line 60: Line 67:
  
 ===== Extras ===== ===== Extras =====
-==== NAT6 ==== 
-Enable NAT6 to process IPv6 traffic when using dual-stack mode. 
- 
-<code bash> 
-# Install packages 
-opkg update 
-opkg install kmod-ipt-nat6 
- 
-# Enable NAT6 
-cat << "EOF" > /etc/firewall.nat6 
-iptables-save -t nat \ 
-| sed -e " 
-/\sMASQUERADE$/d 
-/\s[DS]NAT\s/d 
-/\s--match-set\s\S*/s//\06/ 
-/,BROADCAST\s/s// /" \ 
-| ip6tables-restore -T nat 
-EOF 
-cat << "EOF" >> /etc/sysupgrade.conf 
-/etc/firewall.nat6 
-EOF 
-uci -q delete firewall.nat6 
-uci set firewall.nat6="include" 
-uci set firewall.nat6.path="/etc/firewall.nat6" 
-uci set firewall.nat6.reload="1" 
-uci commit firewall 
-/etc/init.d/firewall restart 
-</code> 
- 
 ==== DNS over HTTPS ==== ==== DNS over HTTPS ====
-Configure firewall to filter DoH traffic forcing LAN clients to switch to plain DNS. +Utilize banIP to [[docs:guide-user:services:banip#blocking_doh|filter DoH]] traffic forcing LAN clients to switch to plain DNS.
-Set up [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] and [[docs:guide-user:firewall:fw3_configurations:ipset|IP sets with firewall]] to populate IP sets. +
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install ipset resolveip +
- +
-# Configure IP sets +
-uci -q delete dhcp.doh +
-uci set dhcp.doh="ipset" +
-uci add_list dhcp.doh.name="filter" +
-uci add_list dhcp.doh.name="filter6" +
-uci commit dhcp +
-/etc/init.d/dnsmasq restart +
- +
-# Filter DoH traffic +
-uci -q delete firewall.doh_fwd +
-uci set firewall.doh_fwd="rule" +
-uci set firewall.doh_fwd.name="Deny-DoH" +
-uci set firewall.doh_fwd.src="lan" +
-uci set firewall.doh_fwd.dest="wan" +
-uci set firewall.doh_fwd.dest_port="443" +
-uci set firewall.doh_fwd.proto="tcp udp" +
-uci set firewall.doh_fwd.family="ipv4" +
-uci set firewall.doh_fwd.ipset="doh dest" +
-uci set firewall.doh_fwd.target="REJECT" +
-uci -q delete firewall.doh6_fwd +
-uci set firewall.doh6_fwd="rule" +
-uci set firewall.doh6_fwd.name="Deny-DoH" +
-uci set firewall.doh6_fwd.src="lan" +
-uci set firewall.doh6_fwd.dest="wan" +
-uci set firewall.doh6_fwd.dest_port="443" +
-uci set firewall.doh6_fwd.proto="tcp udp" +
-uci set firewall.doh6_fwd.family="ipv6" +
-uci set firewall.doh6_fwd.ipset="doh6 dest" +
-uci set firewall.doh6_fwd.target="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
- +
-# Populate IP sets +
-mkdir -p /etc/hotplug.d/online +
-cat << "EOF" > /etc/hotplug.d/online/70-ipset-doh +
-if [ ! -e /var/lock/ipset-doh ] \ +
-&& lock -n /var/lock/ipset-doh +
-then . /etc/profile.d/ipset.sh +
-IPSET_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains.txt" +
-uci -q delete dhcp.doh.domain +
-uclient-fetch -O - "${IPSET_URL}"+
-| sed -e "s/^.*$/+
-del_list dhcp.doh.domain=\0\n\ +
-add_list dhcp.doh.domain=\0/"+
-| uci -q batch +
-uci commit dhcp +
-ipset setup +
-lock -u /var/lock/ipset-doh +
-fi +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/hotplug.d/online/70-ipset-doh +
-EOF +
-. /etc/hotplug.d/online/70-ipset-doh +
-</code>+
  
 ==== DNS over TLS ==== ==== DNS over TLS ====
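Review bot: dropping the whole NAT6 subsection leaves the Extras section with no statement on how IPv6 traffic is handled now; one line saying that `kmod-ipt-nat6` and the `/etc/firewall.nat6` include are no longer needed because the redirect rule covers both families would stop readers of the old revision from installing them. Delegating DoH filtering to banIP is a sound replacement: the removed hotplug script piped the downloaded list straight through `sed` into `uci -q batch` without checking that `uclient-fetch` succeeded, so a failed download would have wiped `dhcp.doh.domain` and left the IP sets empty. The replacement sentence should still mention that blocking DoH endpoints by IP list only redirects clients that fall back to plain DNS, and that the DNS over TLS case is handled in the section below.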
Line 173: Line 89:
 ==== DNS forwarding ==== ==== DNS forwarding ====
 Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq. Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq.
-Configure firewall to exclude the local DNS server from the interception rule.+Assuming the local DNS server is in the same subnet. 
 +Configure firewall to avoid looping.
  
 <code bash> <code bash>
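Review bot: "Assuming the local DNS server is in the same subnet." is a sentence fragment, and "Configure firewall to avoid looping." drops the explanation the previous text gave; suggest "This assumes the local DNS server is in the same subnet. Configure the firewall to exclude the local DNS server from the interception rule, otherwise its own upstream queries would be redirected back to it." The contents of the `<code bash>` block are outside this hunk, so confirm that it still carries that `src_ip` exclusion.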
Line 184: Line 101:
 ==== DNS redirection ==== ==== DNS redirection ====
 Avoid using Dnsmasq. Avoid using Dnsmasq.
-Configure firewall to redirect the intercepted DNS traffic to your local DNS server.+Configure firewall to redirect DNS traffic to your local DNS server
 +Move the local DNS server to a separate subnet to avoid masquerading.
  
 <code bash> <code bash>
 # Configure firewall # Configure firewall
 uci set firewall.dns_int.name="Redirect-DNS" uci set firewall.dns_int.name="Redirect-DNS"
-uci set firewall.dns_int.src_ip="!192.168.1.2" +uci set firewall.dns_int.dest_ip="192.168.2.2"
-uci set firewall.dns_int.dest_ip="192.168.1.2+
-uci -q delete firewall.dns_masq +
-uci set firewall.dns_masq="nat" +
-uci set firewall.dns_masq.name="Masquerade-DNS" +
-uci set firewall.dns_masq.src="lan" +
-uci set firewall.dns_masq.dest_ip="192.168.1.2+
-uci set firewall.dns_masq.dest_port="53" +
-uci set firewall.dns_masq.proto="tcp udp" +
-uci set firewall.dns_masq.target="MASQUERADE"+
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
-</code> 
  
-Assign the local DNS server an IP address in a [[docs:guide-user:network:network_interface_alias|separate network]] to disable masquerading.+# Configure network 
 +uci add_list network.lan.ipaddr="192.168.2.1/24" 
 +uci commit network 
 +/etc/init.d/network restart 
 +</code>
  
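Review bot: this hunk removes the `src_ip="!192.168.1.2"` exclusion together with the masquerade rule, but only the masquerade becomes unnecessary when the server moves to 192.168.2.2; the server's own upstream queries still enter on lan and match the `dns_int` redirect, so unless the rule inherited from the DNS forwarding section already excludes it, add `uci set firewall.dns_int.src_ip="!192.168.2.2"`. Consider also keeping `uci -q delete firewall.dns_masq` so readers who followed the previous revision do not retain the stale Masquerade-DNS rule pointing at 192.168.1.2. In the prose, "Configure firewall to redirect DNS traffic to your local DNS server" lacks a period, and the reason for the separate subnet deserves a clause: a server in the clients' subnet answers them directly and bypasses the router's connection tracking, which is what the old masquerade rule compensated for, whereas a server behind the 192.168.2.1/24 alias routes its replies back through the router.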
  • Last modified: 2024/07/10 06:14
  • by lastedit