Differences
This shows you the differences between two versions of the page.
| docs:guide-user:firewall:fw3_configurations:intercept_dns [2022/12/27 21:08] – [DNS over HTTPS] avoid restarting firewall before creating and populating IP sets vgaetera | docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== DNS hijacking ====== | ====== DNS hijacking ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 8: | Line 8: | ||
| ===== Goals ===== | ===== Goals ===== | ||
| * Override preconfigured DNS provider for LAN clients. | * Override preconfigured DNS provider for LAN clients. | ||
| - | * Prevent DNS leak for LAN clients when using VPN or DNS encryption. | + | * Prevent DNS leaks for LAN clients when using VPN or DNS encryption. |
| ===== Web interface instructions ===== | ===== Web interface instructions ===== | ||
| Line 22: | Line 22: | ||
| * Internal IP address: any | * Internal IP address: any | ||
| * Internal port: any | * Internal port: any | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| + | |||
| + | Intercept IPv6 DNS traffic when using dual-stack mode. | ||
| + | |||
| + | - Click **Add** and duplicate the above port forward, but specify: | ||
| + | * Restrict to address family: IPv6 only | ||
| - Click **Save**, then **Save & Apply**. | - Click **Save**, then **Save & Apply**. | ||
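Review bot: the added step says "duplicate the above port forward, but specify: Restrict to address family: IPv6 only", yet the address-family setting of the first forward is not shown in the surrounding context, so a reader cannot tell why one forward covering both families is not enough; state which family the first forward should use in the step where it is created. The sentence "Intercept IPv6 DNS traffic when using dual-stack mode." also now sits as a bare line between two numbered steps; phrasing it as a condition, e.g. "If your network is dual-stack, also intercept IPv6 DNS traffic:", makes clear that the second forward is optional.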
| Line 35: | Line 41: | ||
| uci set firewall.dns_int.src_dport=" | uci set firewall.dns_int.src_dport=" | ||
| uci set firewall.dns_int.proto=" | uci set firewall.dns_int.proto=" | ||
| + | uci set firewall.dns_int.family=" | ||
| uci set firewall.dns_int.target=" | uci set firewall.dns_int.target=" | ||
| uci commit firewall | uci commit firewall | ||
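Review bot: the new `uci set firewall.dns_int.family="` line has no comment, while the Extras block it replaces labelled the same option with `# Intercept IPv6 DNS traffic`; the value is cut off in this rendering, so it could not be checked, but a one-line comment saying why `family` is set here (and for which families) would keep the CLI recipe as self-explanatory as the web-interface steps, which say when the IPv6 rule is needed (dual-stack mode).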
| Line 41: | Line 48: | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | Verify your [[wp> | + | Configure different |
| - | * [[https:// | + | Verify the identified |
| + | * [[https://www.dnsleaktest.com/ | ||
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
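Review bot: the rewritten Testing section ("Configure different ...", "Verify the identified ...") relies entirely on the external dnsleaktest.com site; consider documenting a local check that needs no internet reach from the client, such as reading the packet counters of the `dns_int` redirect on the router before and after a lookup, so a reader can confirm that interception itself works before debugging upstream resolvers. The first sentence of the old revision carried a `[[wp>` link; this hunk drops it, so if the Introduction does not define the term "DNS leak", keep that link.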
| Line 59: | Line 67: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| - | ==== IPv6 DNS ==== | ||
| - | Intercept IPv6 DNS traffic when using dual-stack mode. | ||
| - | |||
| - | <code bash> | ||
| - | # Intercept IPv6 DNS traffic | ||
| - | uci set firewall.dns_int.family=" | ||
| - | uci commit firewall | ||
| - | / | ||
| - | </ | ||
| - | |||
| ==== DNS over HTTPS ==== | ==== DNS over HTTPS ==== | ||
| - | Filter DoH traffic with firewall and IP sets forcing LAN clients | + | Utilize banIP to [[docs: |
| - | Set up [[docs: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install resolveip | + | |
| - | + | ||
| - | # Configure IP sets | + | |
| - | uci -q delete dhcp.doh | + | |
| - | uci set dhcp.doh=" | + | |
| - | uci set dhcp.doh.instance=" | + | |
| - | uci add_list dhcp.doh.name=" | + | |
| - | uci add_list dhcp.doh.name=" | + | |
| - | uci commit dhcp | + | |
| - | / | + | |
| - | + | ||
| - | # Filter DoH traffic | + | |
| - | for IPV in 4 6 | + | |
| - | do | + | |
| - | uci -q delete firewall.doh${IPV%4}_fwd | + | |
| - | uci set firewall.doh${IPV%4}_fwd=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.name=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.src=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.dest=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.dest_port=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.proto=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.family=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.ipset=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.target=" | + | |
| - | done | + | |
| - | uci commit firewall | + | |
| - | + | ||
| - | # Configure hotplug | + | |
| - | mkdir -p / | + | |
| - | cat << " | + | |
| - | if [ ! -e / | + | |
| - | && lock -n / | + | |
| - | then | + | |
| - | uclient-fetch -O - " | + | |
| - | dibdot/ | + | |
| - | | uci -q batch << EOI | + | |
| - | delete dhcp.doh.domain | + | |
| - | $(sed -e " | + | |
| - | del_list dhcp.doh.domain=' | + | |
| - | add_list dhcp.doh.domain=' | + | |
| - | commit dhcp | + | |
| - | EOI | + | |
| - | lock -u / | + | |
| - | fi | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| - | . / | + | |
| - | + | ||
| - | # Populate IP sets | + | |
| - | ipset setup | + | |
| - | </ | + | |
| ==== DNS over TLS ==== | ==== DNS over TLS ==== | ||
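Review bot: replacing the IP-set and hotplug script with "Utilize banIP to ..." leaves no migration hint for readers who applied the previous revision: the removed block created the `dhcp.doh` ipset section, the `firewall.doh_fwd` and `firewall.doh6_fwd` rules (from `doh${IPV%4}_fwd` with IPV set to 4 and 6) and a hotplug script that refreshed the domain list, and none of that is cleaned up by switching to banIP. Add a short removal step (`uci -q delete dhcp.doh`, `uci -q delete firewall.doh_fwd`, `uci -q delete firewall.doh6_fwd`, delete the hotplug script the old block installed) so the old rules do not keep running alongside banIP. Dropping the "IPv6 DNS" subsection is consistent, since `family` is now set on `dns_int` in the main UCI block.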
| Line 149: | Line 89: | ||
| ==== DNS forwarding ==== | ==== DNS forwarding ==== | ||
| Set up [[docs: | Set up [[docs: | ||
| - | Configure firewall to exclude | + | Assuming |
| + | Configure firewall to avoid looping. | ||
| <code bash> | <code bash> | ||
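Review bot: "Configure firewall to avoid looping." (replacing "Configure firewall to exclude ...") no longer names what is exempted from the redirect or which loop is prevented, so a reader cannot tell whether the step applies to their setup; restate it in one sentence that names the host whose traffic must be excluded and why, e.g. "Exclude the local DNS server from the redirect, otherwise its own upstream queries are intercepted again." The new "Assuming ..." sentence is cut off in this rendering, so its condition could not be reviewed.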
| Line 160: | Line 101: | ||
| ==== DNS redirection ==== | ==== DNS redirection ==== | ||
| Avoid using Dnsmasq. | Avoid using Dnsmasq. | ||
| - | Configure firewall to redirect | + | Configure firewall to redirect DNS traffic to your local DNS server. |
| + | Move the local DNS server to a separate subnet to avoid masquerading. | ||
| <code bash> | <code bash> | ||
| # Configure firewall | # Configure firewall | ||
| uci set firewall.dns_int.name=" | uci set firewall.dns_int.name=" | ||
| - | uci set firewall.dns_int.src_ip=" | + | uci set firewall.dns_int.dest_ip=" |
| - | uci set firewall.dns_int.dest_ip=" | + | |
| - | uci -q delete firewall.dns_masq | + | |
| - | uci set firewall.dns_masq=" | + | |
| - | uci set firewall.dns_masq.name=" | + | |
| - | uci set firewall.dns_masq.src=" | + | |
| - | uci set firewall.dns_masq.dest_ip=" | + | |
| - | uci set firewall.dns_masq.dest_port=" | + | |
| - | uci set firewall.dns_masq.proto=" | + | |
| - | uci set firewall.dns_masq.target=" | + | |
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| - | </ | ||
| - | Assign the local DNS server an IP address in a [[docs: | + | # Configure |
| + | uci add_list | ||
| + | uci commit network | ||
| + | / | ||
| + | </ | ||
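Review bot: with `src_ip` removed from `dns_int` and the `dns_masq` rule deleted, nothing visible in the new block exempts the local DNS server's own upstream queries from the redirect; the text relies on "Move the local DNS server to a separate subnet to avoid masquerading", so it should state that this subnet must sit outside the redirect's source zone (or in a zone of its own) for both the loop and the masquerading problem the removed rules handled to go away. The added `# Configure` network step is a single `uci add_list ...` (cut off here) followed by `uci commit network`; it also helps to say that the DNS server host itself has to be re-addressed into that subnet, since `dest_ip` on `dns_int` must point at its new address.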