Differences
This shows you the differences between two versions of the page.
| docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/03/28 15:37] – [DNS over HTTPS] add crontab vgaetera | docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera | ||
|---|---|---|---|
| Line 22: | Line 22: | ||
| * Internal IP address: any | * Internal IP address: any | ||
| * Internal port: any | * Internal port: any | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| + | |||
| + | Intercept IPv6 DNS traffic when using dual-stack mode. | ||
| + | |||
| + | - Click **Add** and duplicate the above port forward, but specify: | ||
| + | * Restrict to address family: IPv6 only | ||
| - Click **Save**, then **Save & Apply**. | - Click **Save**, then **Save & Apply**. | ||
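Review bot: the new IPv6 step duplicates the port forward with "Restrict to address family: IPv6 only", but the first port forward above (Internal IP address: any, Internal port: any) is not shown restricted to IPv4, so a reader cannot tell whether the second rule is strictly needed or whether both rules end up matching IPv6. State the address family of the first rule here, and keep this consistent with the uci hunk below, which adds a single `uci set firewall.dns_int.family=` line to the existing rule rather than creating a second rule.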
| Line 35: | Line 41: | ||
| uci set firewall.dns_int.src_dport=" | uci set firewall.dns_int.src_dport=" | ||
| uci set firewall.dns_int.proto=" | uci set firewall.dns_int.proto=" | ||
| + | uci set firewall.dns_int.family=" | ||
| uci set firewall.dns_int.target=" | uci set firewall.dns_int.target=" | ||
| uci commit firewall | uci commit firewall | ||
| Line 43: | Line 50: | ||
| Configure different [[wp> | Configure different [[wp> | ||
| Verify the identified DNS provider only matches the router. | Verify the identified DNS provider only matches the router. | ||
| - | * [[https:// | + | * [[https://www.dnsleaktest.com/ |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
| Line 60: | Line 67: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| - | ==== IPv6 DNS ==== | ||
| - | Intercept IPv6 DNS traffic when using dual-stack mode. | ||
| - | |||
| - | <code bash> | ||
| - | # Intercept IPv6 DNS traffic | ||
| - | uci set firewall.dns_int.family=" | ||
| - | uci commit firewall | ||
| - | / | ||
| - | </ | ||
| - | |||
| ==== DNS over HTTPS ==== | ==== DNS over HTTPS ==== | ||
| - | Filter DoH traffic with firewall and IP sets forcing LAN clients | + | Utilize banIP to [[docs: |
| - | Set up [[docs: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Configure hotplug | + | |
| - | mkdir -p / | + | |
| - | cat << " | + | |
| - | if [ ! -e / | + | |
| - | || [ -n " | + | |
| - | && lock -n / | + | |
| - | then for IPV in 4 6 | + | |
| - | do uclient-fetch -O - " | + | |
| - | dibdot/ | + | |
| - | | sed -e " | + | |
| - | done | + | |
| - | fw4 reload-sets | + | |
| - | lock -u / | + | |
| - | fi | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| - | . / | + | |
| - | + | ||
| - | # Configure firewall | + | |
| - | for IPV in 4 6 | + | |
| - | do | + | |
| - | uci -q delete firewall.doh${IPV%4} | + | |
| - | uci set firewall.doh${IPV%4}=" | + | |
| - | uci set firewall.doh${IPV%4}.name=" | + | |
| - | uci set firewall.doh${IPV%4}.family=" | + | |
| - | uci set firewall.doh${IPV%4}.match=" | + | |
| - | uci set firewall.doh${IPV%4}.loadfile="/ | + | |
| - | uci -q delete firewall.doh${IPV%4}_fwd | + | |
| - | uci set firewall.doh${IPV%4}_fwd=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.name=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.src=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.dest=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.dest_port=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.proto=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.family=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.ipset=" | + | |
| - | uci set firewall.doh${IPV%4}_fwd.target=" | + | |
| - | done | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | + | ||
| - | # Configure cron | + | |
| - | cat << " | + | |
| - | 0 */3 * * * CRON=" | + | |
| - | EOF | + | |
| - | /etc/init.d/cron restart | + | |
| - | </ | + | |
| ==== DNS over TLS ==== | ==== DNS over TLS ==== | ||
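Review bot: collapsing the whole DNS over HTTPS section into one "Utilize banIP" sentence loses the intent the deleted block made explicit: the hotplug script fetched a per-family list of DoH resolvers, loaded them into IP sets, the doh/doh6_fwd rules matched forwarded traffic by src, dest, dest_port, proto and ipset so that DoH was filtered and LAN clients were forced onto the intercepted plain DNS, and the cron entry (`0 */3 * * *`) kept the sets fresh. The new sentence should name which banIP feed supplies the DoH resolver addresses and say that the filter applies to forwarded LAN traffic, otherwise a reader cannot tell what the banIP setup is meant to achieve. Dropping the hand-rolled hotplug, lock and cron handling in favour of banIP is otherwise a sound simplification, and removing the IPv6 DNS subsection from Extras matches its move into the main procedure in the first hunk.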
| Line 144: | Line 89: | ||
| ==== DNS forwarding ==== | ==== DNS forwarding ==== | ||
| Set up [[docs: | Set up [[docs: | ||
| - | Configure firewall to exclude | + | Assuming |
| + | Configure firewall to avoid looping. | ||
| <code bash> | <code bash> | ||
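Review bot: "Configure firewall to avoid looping" names the symptom but drops the cause that the removed wording ("Configure firewall to exclude ...") pointed at: with interception active, the queries the router itself forwards to the upstream server would match the same redirect unless they are excluded from it. Keep "exclude" together with the reason, along the lines of "Configure the firewall to exclude the forwarding target from interception, otherwise forwarded queries loop back to the router."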
| Line 155: | Line 101: | ||
| ==== DNS redirection ==== | ==== DNS redirection ==== | ||
| Avoid using Dnsmasq. | Avoid using Dnsmasq. | ||
| - | Configure firewall to redirect | + | Configure firewall to redirect DNS traffic to your local DNS server. |
| + | Move the local DNS server to a separate subnet to avoid masquerading. | ||
| <code bash> | <code bash> | ||
| # Configure firewall | # Configure firewall | ||
| uci set firewall.dns_int.name=" | uci set firewall.dns_int.name=" | ||
| - | uci set firewall.dns_int.src_ip=" | + | uci set firewall.dns_int.dest_ip=" |
| - | uci set firewall.dns_int.dest_ip=" | + | |
| - | uci -q delete firewall.dns_masq | + | |
| - | uci set firewall.dns_masq=" | + | |
| - | uci set firewall.dns_masq.name=" | + | |
| - | uci set firewall.dns_masq.src=" | + | |
| - | uci set firewall.dns_masq.dest_ip=" | + | |
| - | uci set firewall.dns_masq.dest_port=" | + | |
| - | uci set firewall.dns_masq.proto=" | + | |
| - | uci set firewall.dns_masq.target=" | + | |
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| - | </ | ||
| - | Assign the local DNS server an IP address in a [[docs: | + | # Configure |
| + | uci add_list | ||
| + | uci commit network | ||
| + | / | ||
| + | </ | ||
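Review bot: removing dns_int.src_ip and the entire dns_masq rule changes the prerequisites, not just the configuration: the old rule set handled a local DNS server on the same subnet as the clients by masquerading the redirected traffic (src, dest_ip, dest_port, proto, target on dns_masq), whereas the new text makes a separate subnet a hard requirement ("Move the local DNS server to a separate subnet to avoid masquerading"). State that prerequisite before the code block rather than after "Avoid using Dnsmasq", and order the new network step (`uci add_list ...`, `uci commit network`), which appears to provide the addressing for that subnet, ahead of the firewall commit, since the redirect sends client queries to dns_int.dest_ip and that address is only reachable once the interface carries the new subnet.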