Differences

docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/03/26 12:29] – [DNS over HTTPS] syntax vgaetera
docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera
Line 22: Line 22:
     * Internal IP address: any     * Internal IP address: any
     * Internal port: any     * Internal port: any
 +  - Click **Save**, then **Save & Apply**.
 +
 +Intercept IPv6 DNS traffic when using dual-stack mode.
 +
 +  - Click **Add** and duplicate the above port forward, but specify:
 +    * Restrict to address family: IPv6 only
   - Click **Save**, then **Save & Apply**.   - Click **Save**, then **Save & Apply**.
  
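Review bot: the new IPv6 step ("Click Add and duplicate the above port forward, but specify: Restrict to address family: IPv6 only") does not say which settings have to be re-entered, so a reader can easily omit one; list them explicitly (the same name, protocol, source zone and external port 53, with "Internal IP address: any" and "Internal port: any" as in the context lines above) and only then the family restriction. The hunk also leaves two consecutive "Click Save, then Save & Apply" steps; one final Save & Apply after both port forwards are entered reads more cleanly and avoids an unnecessary firewall reload in between.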
Line 35: Line 41:
 uci set firewall.dns_int.src_dport="53" uci set firewall.dns_int.src_dport="53"
 uci set firewall.dns_int.proto="tcp udp" uci set firewall.dns_int.proto="tcp udp"
 +uci set firewall.dns_int.family="any"
 uci set firewall.dns_int.target="DNAT" uci set firewall.dns_int.target="DNAT"
 uci commit firewall uci commit firewall
Line 43: Line 50:
 Configure different [[wp>Public_recursive_name_server|DNS providers]] on the client and router. Configure different [[wp>Public_recursive_name_server|DNS providers]] on the client and router.
 Verify the identified DNS provider only matches the router. Verify the identified DNS provider only matches the router.
-  * [[https://dnsleaktest.com/]]+  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 60: Line 67:
  
 ===== Extras ===== ===== Extras =====
-==== IPv6 DNS ==== 
-Intercept IPv6 DNS traffic when using dual-stack mode. 
- 
-<code bash> 
-# Intercept IPv6 DNS traffic 
-uci set firewall.dns_int.family="any" 
-uci commit firewall 
-/etc/init.d/firewall restart 
-</code> 
- 
 ==== DNS over HTTPS ==== ==== DNS over HTTPS ====
-Filter DoH traffic with firewall and IP sets forcing LAN clients to switch to plain DNS. +Utilize banIP to [[docs:guide-user:services:banip#blocking_doh|filter DoH]] traffic forcing LAN clients to switch to plain DNS.
-Set up [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] to update IP sets at startup. +
- +
-<code bash> +
-# Configure hotplug +
-mkdir -p /etc/hotplug.d/online +
-cat << "EOF" > /etc/hotplug.d/online/60-ipset-doh +
-if [ ! -e /var/lock/ipset-doh ] \ +
-&& lock -n /var/lock/ipset-doh +
-then for IPV in 4 6 +
-do uclient-fetch -O - "https://raw.githubusercontent.com/+
-dibdot/DoH-IP-blocklists/master/doh-ipv${IPV}.txt"+
-| sed -e "s/\s.*$//" > /etc/nftables.d/doh${IPV%4}.ipset +
-done +
-lock -u /var/lock/ipset-doh +
-fi +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/hotplug.d/online/60-ipset-doh +
-EOF +
-. /etc/hotplug.d/online/60-ipset-doh +
- +
-# Configure firewall +
-for IPV in 4 6 +
-do +
-uci -q delete firewall.doh${IPV%4} +
-uci set firewall.doh${IPV%4}="ipset" +
-uci set firewall.doh${IPV%4}.name="doh${IPV%4}" +
-uci set firewall.doh${IPV%4}.family="ipv${IPV}" +
-uci set firewall.doh${IPV%4}.match="net" +
-uci set firewall.doh${IPV%4}.loadfile="/etc/nftables.d/doh${IPV%4}.ipset" +
-uci -q delete firewall.doh${IPV%4}_fwd +
-uci set firewall.doh${IPV%4}_fwd="rule" +
-uci set firewall.doh${IPV%4}_fwd.name="Deny-DoH" +
-uci set firewall.doh${IPV%4}_fwd.src="lan" +
-uci set firewall.doh${IPV%4}_fwd.dest="wan" +
-uci set firewall.doh${IPV%4}_fwd.dest_port="443" +
-uci set firewall.doh${IPV%4}_fwd.proto="tcp udp" +
-uci set firewall.doh${IPV%4}_fwd.family="ipv${IPV}" +
-uci set firewall.doh${IPV%4}_fwd.ipset="doh${IPV%4} dest" +
-uci set firewall.doh${IPV%4}_fwd.target="REJECT" +
-done +
-uci commit firewall +
-/etc/init.d/firewall restart +
-</code>+
  
 ==== DNS over TLS ==== ==== DNS over TLS ====
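Review bot: the hotplug script, the `firewall.doh`/`firewall.doh6` ipset sections and the `Deny-DoH` REJECT rules are removed in favour of the banIP link, but nothing tells readers who applied the previous revision how to clean it up, so stale ipsets and REJECT rules on port 443 would keep running alongside banIP. Add a short removal step before the link: delete `/etc/hotplug.d/online/60-ipset-doh`, its line in `/etc/sysupgrade.conf` and the `/etc/nftables.d/doh*.ipset` files, `uci -q delete` the `firewall.doh`, `firewall.doh6`, `firewall.doh_fwd` and `firewall.doh6_fwd` sections, then `uci commit firewall` and restart the firewall. Also confirm that the `#blocking_doh` anchor exists on the linked banIP page, since the old section contained the full procedure and this link is now the only guidance.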
Line 136: Line 89:
 ==== DNS forwarding ==== ==== DNS forwarding ====
 Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq. Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq.
-Configure firewall to exclude the local DNS server from the interception rule.+Assuming the local DNS server is in the same subnet. 
 +Configure firewall to avoid looping.
  
 <code bash> <code bash>
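Review bot: "Assuming the local DNS server is in the same subnet." is a sentence fragment, and "Configure firewall to avoid looping." drops the concrete instruction the old text gave (exclude the local DNS server from the interception rule). Suggest one sentence that keeps both: "Assuming the local DNS server is in the same subnet, configure the firewall to exclude it from the interception rule; otherwise its upstream queries would be intercepted and forwarded back to it in a loop."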
Line 147: Line 101:
 ==== DNS redirection ==== ==== DNS redirection ====
 Avoid using Dnsmasq. Avoid using Dnsmasq.
-Configure firewall to redirect the intercepted DNS traffic to your local DNS server.+Configure firewall to redirect DNS traffic to your local DNS server
 +Move the local DNS server to a separate subnet to avoid masquerading.
  
 <code bash> <code bash>
 # Configure firewall # Configure firewall
 uci set firewall.dns_int.name="Redirect-DNS" uci set firewall.dns_int.name="Redirect-DNS"
-uci set firewall.dns_int.src_ip="!192.168.1.2" +uci set firewall.dns_int.dest_ip="192.168.2.2"
-uci set firewall.dns_int.dest_ip="192.168.1.2+
-uci -q delete firewall.dns_masq +
-uci set firewall.dns_masq="nat" +
-uci set firewall.dns_masq.name="Masquerade-DNS" +
-uci set firewall.dns_masq.src="lan" +
-uci set firewall.dns_masq.dest_ip="192.168.1.2+
-uci set firewall.dns_masq.dest_port="53" +
-uci set firewall.dns_masq.proto="tcp udp" +
-uci set firewall.dns_masq.target="MASQUERADE"+
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
-</code> 
  
-Assign the local DNS server an IP address in a [[docs:guide-user:network:network_interface_alias|separate network]] to disable masquerading.+# Configure network 
 +uci add_list network.lan.ipaddr="192.168.2.1/24" 
 +uci commit network 
 +/etc/init.d/network restart 
 +</code>
  
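Review bot: removing `uci set firewall.dns_int.src_ip="!192.168.1.2"` without adding an equivalent exclusion for the new address reintroduces the loop the old version guarded against: the alias `192.168.2.1/24` still belongs to the `lan` interface, so outbound port-53 queries from the DNS server at `192.168.2.2` match the `dns_int` redirect (source zone lan, port 53) and are DNATed back to `192.168.2.2` itself. Keep a source exclusion for the new address, e.g. `uci set firewall.dns_int.src_ip="!192.168.2.2"`, next to the `dest_ip` line. Minor: the rewritten sentence "Configure firewall to redirect DNS traffic to your local DNS server" is missing its full stop.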
  • Last modified: 2024/07/10 06:14
  • by lastedit