DNS hijacking
Introduction
- This how-to describes the method for intercepting DNS traffic on OpenWrt.
- You can combine it with VPN or DNS encryption on the router to protect the forwarded queries; interception by itself only forces LAN clients through the router and does not encrypt anything.
Goals
- Override preconfigured DNS provider for LAN clients.
- Prevent DNS leak for LAN clients when using VPN or DNS encryption.
Web interface
Configure firewall to intercept DNS traffic.
- Navigate to LuCI → Network → Firewall → Port Forwards.
- Click Add and specify:
- Name: Intercept-DNS
- Protocol: TCP and UDP
- Source zone: lan
- External port: 53
- Destination zone: unspecified
- Internal IP address: any (leave it empty so the traffic is redirected to the router itself)
- Internal port: any
- Click Save, then Save & Apply.
Command-line interface
Configure firewall to intercept DNS traffic.
# Intercept DNS traffic: a DNAT redirect without dest_ip sends every
# port-53 query arriving from the lan zone to the router itself, whatever
# resolver the client was configured with. Plain DNS only: DoH/DoT on other
# ports is not caught by this rule (see Extras).
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.target="DNAT"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.name="Intercept-DNS"
uci commit firewall
/etc/init.d/firewall restart
Testing
Configure a LAN client to use a DNS provider different from the one on the router, then check which provider actually answers it (for example with an online DNS leak test); the result should match the router's provider. A client that uses DoH or DoT is not covered by the interception rule alone — see the Extras section.
Troubleshooting
Collect and analyze the following information.
# Log and status: restarting prints the firewall's warnings/errors for rules it could not apply
/etc/init.d/firewall restart
# Runtime configuration: the netfilter rules currently active (IPv4 and IPv6)
iptables-save
ip6tables-save
# Persistent configuration: the UCI sections the rules above are generated from
uci show firewall
Extras
NAT6
Enable NAT6 so that the DNS interception (a nat-table rule) also applies to IPv6 traffic in dual-stack mode; without it, IPv6-capable clients can still reach an external resolver over IPv6. This relies on the iptables-based firewall (fw3) and kmod-ipt-nat6; on nftables-based releases (fw4, OpenWrt 22.03 and later) IPv6 NAT is handled natively and this include does not apply as written.
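# Install packages
opkg update
opkg install kmod-ipt-nat6

# Enable NAT6: at every firewall reload, copy the IPv4 nat table into
# ip6tables so the DNS redirect also catches IPv6 clients. The sed drops the
# DNAT, SNAT and MASQUERADE rules, which cannot be copied to IPv6 as-is, and
# appends "6" to every "--match-set NAME" so the IPv6 twin of each ipset is
# referenced instead of the IPv4 one.
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
EOF
# Keep the include across sysupgrade. The grep guard makes this section
# idempotent: re-running it no longer appends a duplicate line each time.
grep -qxF "/etc/firewall.nat6" /etc/sysupgrade.conf 2> /dev/null \
|| echo "/etc/firewall.nat6" >> /etc/sysupgrade.conf
# Register the script as a firewall include; reload="1" runs it on reload as
# well as on restart, so the IPv6 copy never goes stale.
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart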
DNS over HTTPS
Configure the firewall to reject DoH traffic (port 443 to known DoH resolver addresses) so that LAN clients fall back to plain DNS, which the interception rule above captures. Caveats: the block list is maintained by a third party and directly controls what the router rejects, so fetch it only with TLS certificate verification (do not use --no-check-certificate) and review it before trusting it; matching is by IP address, so unrelated services hosted on a listed address are blocked on port 443 as well; clients configured to use DoH only, with no fallback, lose name resolution instead of switching; and the hotplug script below refreshes the sets once per boot, so run /etc/firewall.ipset-doh from cron if you want the list kept current.
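# Install packages
opkg update
opkg install ipset

# Configure IP sets: one hash:ip set per address family, filled in below
uci -q delete firewall.doh
uci set firewall.doh="ipset"
uci set firewall.doh.name="doh"
uci set firewall.doh.family="ipv4"
uci set firewall.doh.storage="hash"
uci set firewall.doh.match="ip"
uci -q delete firewall.doh6
uci set firewall.doh6="ipset"
uci set firewall.doh6.name="doh6"
uci set firewall.doh6.family="ipv6"
uci set firewall.doh6.storage="hash"
uci set firewall.doh6.match="ip"

# Filter DoH traffic: reject lan -> wan on port 443 (tcp for HTTPS, udp for
# HTTP/3) when the destination is in the doh/doh6 set. REJECT rather than
# DROP so clients fail fast and fall back to plain DNS.
uci -q delete firewall.doh_fwd
uci set firewall.doh_fwd="rule"
uci set firewall.doh_fwd.name="Deny-DoH"
uci set firewall.doh_fwd.src="lan"
uci set firewall.doh_fwd.dest="wan"
uci set firewall.doh_fwd.dest_port="443"
uci set firewall.doh_fwd.proto="tcp udp"
uci set firewall.doh_fwd.family="ipv4"
uci set firewall.doh_fwd.ipset="doh dest"
uci set firewall.doh_fwd.target="REJECT"
uci -q delete firewall.doh6_fwd
uci set firewall.doh6_fwd="rule"
uci set firewall.doh6_fwd.name="Deny-DoH"
uci set firewall.doh6_fwd.src="lan"
uci set firewall.doh6_fwd.dest="wan"
uci set firewall.doh6_fwd.dest_port="443"
uci set firewall.doh6_fwd.proto="tcp udp"
uci set firewall.doh6_fwd.family="ipv6"
uci set firewall.doh6_fwd.ipset="doh6 dest"
uci set firewall.doh6_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

# Populate IP sets. The script is sourced (not executed), so it must stay
# POSIX sh. It replaces an ipset's entries only when a fresh, non-empty list
# was downloaded: a failed fetch keeps the previous entries instead of
# silently emptying the set, which would disable the DoH filter (fail-open).
# Downloaded lines are validated as addresses before being handed to uci.
cat << "EOF" > /etc/firewall.ipset-doh
DOH_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt"
DOH6_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt"
# Accept only lines that begin with an address and an optional prefix length;
# anything else in the downloaded file is discarded, never passed to uci.
DOH_RE4='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?([[:space:]]|$)'
DOH_RE6='^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(/[0-9]{1,3})?([[:space:]]|$)'

# ipset_doh_refresh SECTION URL REGEX
# Download URL and replace the entry list of firewall.SECTION with the lines
# matching REGEX (first whitespace-separated field only). When the download
# fails or yields no usable line, the section is left untouched and 1 is
# returned, so a transient network error never empties the set.
ipset_doh_refresh() {
  DOH_TMP="$(mktemp)" || return 1
  DOH_RC=1
  if uclient-fetch -q -O "${DOH_TMP}" "${2}" \
  && grep -qE "${3}" "${DOH_TMP}"
  then
    uci -q delete "firewall.${1}.entry"
    grep -E "${3}" "${DOH_TMP}" \
    | while read -r DOH_SERV DOH_REST
    do
      uci add_list "firewall.${1}.entry=${DOH_SERV}"
    done
    DOH_RC=0
  else
    logger -t ipset-doh "fetch of ${2} failed, keeping existing ${1} entries"
  fi
  rm -f "${DOH_TMP}"
  return "${DOH_RC}"
}

DOH_STATUS=0
ipset_doh_refresh doh "${DOH_URL}" "${DOH_RE4}" || DOH_STATUS=1
ipset_doh_refresh doh6 "${DOH6_URL}" "${DOH_RE6}" || DOH_STATUS=1
uci commit firewall
/etc/init.d/firewall restart
# Status of this sourced script: 0 only when both lists were refreshed
[ "${DOH_STATUS}" -eq 0 ]
EOF
# Keep the script across sysupgrade; the grep guard avoids duplicate lines
# when this section is re-run.
grep -qxF "/etc/firewall.ipset-doh" /etc/sysupgrade.conf 2> /dev/null \
|| echo "/etc/firewall.ipset-doh" >> /etc/sysupgrade.conf
. /etc/firewall.ipset-doh

# Configure hotplug: refresh the sets once per boot, the first time a WAN
# interface comes up and the internet is reachable. /tmp is cleared at boot,
# so the done/lock markers reset on every reboot.
mkdir -p /etc/hotplug.d/iface
cat << "EOF" > /etc/hotplug.d/iface/99-ipset-doh
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_find_wan6 NET_IF6
if [ "${INTERFACE}" = "${NET_IF}" ] || [ "${INTERFACE}" = "${NET_IF6}" ]
then
  case "${ACTION}" in
  ifup|ifupdate)
    # mkdir is atomic, so two concurrent hotplug events cannot both take the lock
    if [ ! -e /tmp/ipset-doh.done ] \
    && ping -w 3 openwrt.org > /dev/null \
    && mkdir /tmp/ipset-doh.lock 2> /dev/null
    then
      # Mark done only on success so a later ifup retries a failed fetch
      . /etc/firewall.ipset-doh && touch /tmp/ipset-doh.done
      rmdir /tmp/ipset-doh.lock
    fi
    ;;
  esac
fi
EOF
grep -qxF "/etc/hotplug.d/iface/99-ipset-doh" /etc/sysupgrade.conf 2> /dev/null \
|| echo "/etc/hotplug.d/iface/99-ipset-doh" >> /etc/sysupgrade.conf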
DNS over TLS
Configure the firewall to reject DNS over TLS (tcp/853, plus udp/853 as used by DNS over QUIC) from LAN to WAN so that clients fall back to plain DNS, which the interception rule captures. Clients configured for strict (non-opportunistic) DoT fail to resolve rather than fall back, and this is a port-based block, so a DoT server listening on a non-standard port is not caught.
# Filter DoT traffic: reject lan -> wan on port 853 (tcp: DNS over TLS,
# udp: DNS over QUIC) so clients give up on encrypted DNS and fall back to
# plain DNS, which the interception rule then catches. REJECT rather than
# DROP so the client fails fast instead of waiting for a timeout.
uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd="rule"
uci set firewall.dot_fwd.target="REJECT"
uci set firewall.dot_fwd.proto="tcp udp"
uci set firewall.dot_fwd.dest_port="853"
uci set firewall.dot_fwd.dest="wan"
uci set firewall.dot_fwd.src="lan"
uci set firewall.dot_fwd.name="Deny-DoT"
uci commit firewall
/etc/init.d/firewall restart
DNS redirection
Configure the firewall to redirect intercepted DNS traffic to a DNS server on your LAN instead of the router. This modifies the Intercept-DNS redirect created above, so that section must already exist. The src_ip exclusion keeps the server's own outbound queries from being redirected back to itself, and the masquerade rule rewrites the source of redirected queries to the router so the server's replies return through the router rather than going straight to a client that never addressed the server.
# Redirect DNS traffic to a resolver on the LAN instead of the router.
DNS_SERV="192.168.1.2"

# Reuse the Intercept-DNS redirect (firewall.dns_int must already exist):
# point it at the server and exclude the server's own queries from it.
uci set firewall.dns_int.dest_ip="${DNS_SERV}"
uci set firewall.dns_int.src_ip="!${DNS_SERV}"
uci set firewall.dns_int.name="Redirect-DNS"

# Masquerade the redirected queries so the server answers to the router and
# the reply travels back through the same NAT mapping to the client.
uci -q delete firewall.dns_masq
uci set firewall.dns_masq="nat"
uci set firewall.dns_masq.target="MASQUERADE"
uci set firewall.dns_masq.proto="tcp udp"
uci set firewall.dns_masq.dest_port="53"
uci set firewall.dns_masq.dest_ip="${DNS_SERV}"
uci set firewall.dns_masq.src="lan"
uci set firewall.dns_masq.name="Masquerade-DNS"
uci commit firewall
/etc/init.d/firewall restart