Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/09/12 13:39] – [Web interface instructions] wording vgaetera
docs:guide-user:firewall:fw3_configurations:intercept_dns [2023/10/05 06:53] – [DNS forwarding] vgaetera
Line 24: Line 24:
   - Click **Save**, then **Save & Apply**.   - Click **Save**, then **Save & Apply**.
  
-Make sure to prevent IPv6 DNS leaks when using dual-stack mode.+Intercept IPv6 DNS traffic when using dual-stack mode.
  
-  - Click **Add** to duplicate the above port forward, but specify:+  - Click **Add** and duplicate the above port forward, but specify:
     * Restrict to address family: IPv6 only     * Restrict to address family: IPv6 only
   - Click **Save**, then **Save & Apply**.   - Click **Save**, then **Save & Apply**.
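Review bot: the reworded sentence "Intercept IPv6 DNS traffic when using dual-stack mode." drops the reason the old text gave ("prevent IPv6 DNS leaks"), so a reader no longer learns why a second, IPv6-only copy of the port forward is required. Suggest keeping the rationale, e.g. "Intercept IPv6 DNS traffic as well when using dual-stack mode, otherwise clients can bypass the IPv4-only rule and leak DNS queries over IPv6." The "Click **Add** and duplicate" wording change is fine.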
Line 89: Line 89:
 ==== DNS forwarding ==== ==== DNS forwarding ====
 Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq. Set up [[docs:guide-user:base-system:dhcp_configuration#dns_forwarding|DNS forwarding]] to your local DNS server with Dnsmasq.
-Configure firewall to exclude the local DNS server from the interception rule.+Assuming the local DNS server is in the same subnet. 
 +Configure firewall to avoid looping.
  
 <code bash> <code bash>
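Review bot: "Assuming the local DNS server is in the same subnet." is a sentence fragment, and "Configure firewall to avoid looping." no longer says how the loop is avoided, which the removed line did ("exclude the local DNS server from the interception rule"). Suggest merging them into one sentence that keeps the mechanism: "Assuming the local DNS server is in the same subnet, configure the firewall to exclude it from the interception rule, so its own upstream queries are not redirected back to it and loop."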
Line 100: Line 101:
 ==== DNS redirection ==== ==== DNS redirection ====
 Avoid using Dnsmasq. Avoid using Dnsmasq.
-Configure firewall to redirect the intercepted DNS traffic to your local DNS server.+Configure firewall to redirect DNS traffic to your local DNS server
 +Move the local DNS server to a separate subnet to avoid masquerading.
  
 <code bash> <code bash>
 # Configure firewall # Configure firewall
 uci set firewall.dns_int.name="Redirect-DNS" uci set firewall.dns_int.name="Redirect-DNS"
-uci set firewall.dns_int.src_ip="!192.168.1.2" +uci set firewall.dns_int.dest_ip="192.168.2.2"
-uci set firewall.dns_int.dest_ip="192.168.1.2+
-uci -q delete firewall.dns_masq +
-uci set firewall.dns_masq="nat" +
-uci set firewall.dns_masq.name="Masquerade-DNS" +
-uci set firewall.dns_masq.src="lan" +
-uci set firewall.dns_masq.dest_ip="192.168.1.2+
-uci set firewall.dns_masq.dest_port="53" +
-uci set firewall.dns_masq.proto="tcp udp" +
-uci set firewall.dns_masq.target="MASQUERADE"+
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
-</code> 
  
-Assign the local DNS server an IP address in a [[docs:guide-user:network:network_interface_alias|separate network]] to disable masquerading.+# Configure network 
 +uci add_list network.lan.ipaddr="192.168.2.1/24" 
 +uci commit network 
 +/etc/init.d/network restart 
 +</code>
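Review bot: dropping `uci set firewall.dns_int.src_ip="!192.168.1.2"` together with the masquerade rule leaves the redirect with no source exclusion, so it still matches any lan-zone packet to port 53, including the local DNS server's own upstream queries once it sits at 192.168.2.2 behind the router's 192.168.2.1 alias; moving the server to a separate subnet removes the need for MASQUERADE (replies now route back through the router) but not the need for the exclusion. Consider keeping `uci set firewall.dns_int.src_ip="!192.168.2.2"`, unless the server is expected to resolve upstream over something other than port 53. The instructions also never tell the reader to readdress the DNS server host itself to 192.168.2.2 with 192.168.2.1 as its gateway; `uci add_list network.lan.ipaddr="192.168.2.1/24"` only configures the router side, so a sentence on the server side is needed. Minor: "Configure firewall to redirect DNS traffic to your local DNS server" lost its trailing period.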
  
  • Last modified: 2024/07/10 06:14
  • by lastedit