Differences
This shows you the differences between two versions of the page.
| docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/09/09 23:30] – [DNS over HTTPS] update url vgaetera | docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera | ||
|---|---|---|---|
| Line 22: | Line 22: | ||
| * Internal IP address: any | * Internal IP address: any | ||
| * Internal port: any | * Internal port: any | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| + | |||
| + | Intercept IPv6 DNS traffic when using dual-stack mode. | ||
| + | |||
| + | - Click **Add** and duplicate the above port forward, but specify: | ||
| + | * Restrict to address family: IPv6 only | ||
| - Click **Save**, then **Save & Apply**. | - Click **Save**, then **Save & Apply**. | ||
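
Review bot: the new IPv6 step (`Click **Add** and duplicate the above port forward` with `Restrict to address family: IPv6 only`) does not say which address family the first port forward is left on. If the first forward keeps the default and already matches both families, the IPv6-only copy overlaps it; if the first forward is meant to be IPv4 only, add `* Restrict to address family: IPv4 only` to its field list above the first **Save & Apply** so the two forwards are disjoint and the reader knows why two are needed.
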
| Line 35: | Line 41: | ||
| uci set firewall.dns_int.src_dport=" | uci set firewall.dns_int.src_dport=" | ||
| uci set firewall.dns_int.proto=" | uci set firewall.dns_int.proto=" | ||
| + | uci set firewall.dns_int.family=" | ||
| uci set firewall.dns_int.target=" | uci set firewall.dns_int.target=" | ||
| uci commit firewall | uci commit firewall | ||
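
Review bot: the added `uci set firewall.dns_int.family="` line needs a one-line comment saying why `family` is now set explicitly, since the IPv6 DNS subsection removed further down stated that the unset value was already the default for intercepting both families; a reader with an existing `dns_int` section cannot tell from this hunk whether it must change. The LuCI steps above create a second, IPv6-only port forward while this hunk keeps a single `dns_int` redirect with one `family` value, so the two procedures should be checked to describe the same end state.
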
| Line 60: | Line 67: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| - | ==== IPv6 DNS ==== | ||
| - | Intercept IPv6 DNS traffic when using dual-stack mode. If not specified, this should be the default. In LuCI, this is displayed as **Restrict to address family** and '' | ||
| - | |||
| - | <code bash> | ||
| - | # Intercept IPv6 DNS traffic | ||
| - | uci set firewall.dns_int.family=" | ||
| - | uci commit firewall | ||
| - | / | ||
| - | </ | ||
| - | |||
| ==== DNS over HTTPS ==== | ==== DNS over HTTPS ==== | ||
| Utilize banIP to [[docs: | Utilize banIP to [[docs: | ||
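
Review bot: deleting the `IPv6 DNS` subsection also drops the sentence `If not specified, this should be the default`, and nothing remaining restates what the default is. Either keep that sentence in the main procedure or replace it with the explicit value now required, otherwise readers who followed the previous revision cannot tell whether their existing redirect still intercepts IPv6. The removed code block also carried its own `uci commit firewall` and service-restart lines, so confirm that the main uci block where `family` now lives still ends with the same commit and restart.
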
| Line 92: | Line 89: | ||
| ==== DNS forwarding ==== | ==== DNS forwarding ==== | ||
| Set up [[docs: | Set up [[docs: | ||
| - | Configure firewall to exclude | + | Assuming |
| + | Configure firewall to avoid looping. | ||
| <code bash> | <code bash> | ||
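
Review bot: `Configure firewall to avoid looping.` is vaguer than the replaced `Configure firewall to exclude ...`; say what would loop and which traffic the rule below exempts from the intercept (presumably the router's own forwarded queries), so the reader can check that the rule matches the sentence. The new `Assuming ...` sentence is the place to name that assumption explicitly rather than leaving it to the code block.
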
| Line 103: | Line 101: | ||
| ==== DNS redirection ==== | ==== DNS redirection ==== | ||
| Avoid using Dnsmasq. | Avoid using Dnsmasq. | ||
| - | Configure firewall to redirect | + | Configure firewall to redirect DNS traffic to your local DNS server. |
| + | Move the local DNS server to a separate subnet to avoid masquerading. | ||
| <code bash> | <code bash> | ||
| # Configure firewall | # Configure firewall | ||
| uci set firewall.dns_int.name=" | uci set firewall.dns_int.name=" | ||
| - | uci set firewall.dns_int.src_ip=" | + | uci set firewall.dns_int.dest_ip=" |
| - | uci set firewall.dns_int.dest_ip=" | + | |
| - | uci -q delete firewall.dns_masq | + | |
| - | uci set firewall.dns_masq=" | + | |
| - | uci set firewall.dns_masq.name=" | + | |
| - | uci set firewall.dns_masq.src=" | + | |
| - | uci set firewall.dns_masq.dest_ip=" | + | |
| - | uci set firewall.dns_masq.dest_port=" | + | |
| - | uci set firewall.dns_masq.proto=" | + | |
| - | uci set firewall.dns_masq.target=" | + | |
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| - | </ | ||
| - | Assign the local DNS server an IP address in a [[docs: | + | # Configure |
| + | uci add_list | ||
| + | uci commit network | ||
| + | / | ||
| + | </ | ||
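
Review bot: this hunk removes both the `src_ip` match on `dns_int` and the whole `dns_masq` SNAT section and relies instead on `Move the local DNS server to a separate subnet to avoid masquerading.`, but the reason is not stated. Without the SNAT rule the DNS server sees the client's real source address; the separate subnet is what forces its reply back through the router, where the DNAT is reversed, instead of going straight to a same-subnet client that would discard it. Say that in the prose so readers treat the subnet move as mandatory, not optional. Also confirm what the removed `src_ip` line excluded: if it kept the DNS server's own upstream queries out of the redirect, then a server whose new subnet is still in the redirect's source zone now has those queries redirected back to itself, and an exclusion for the server address is still needed. Finally, the old `Assign the local DNS server an IP address in a ...` sentence is replaced by a bare `# Configure` comment over the `uci add_list` network change; keep one sentence saying what that network option does.
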