

DNS hijacking

  • This how-to describes how to intercept DNS traffic on OpenWrt.
  • You can combine it with VPN or DNS encryption to protect DNS traffic.
  • Override preconfigured DNS provider for LAN clients.
    • Prevent DNS leak for LAN clients when using VPN or DNS encryption.

Configure firewall to intercept DNS traffic.

  1. Navigate to LuCI → Network → Firewall → Port Forwards.
  2. Click Add and specify:
    • Name: Intercept-DNS
    • Protocol: TCP and UDP
    • Source zone: lan
    • External port: 53
    • Destination zone: unspecified
    • Internal IP address: any
    • Internal port: any
  3. Click Save, then Save & Apply.

Configure firewall to intercept DNS traffic.

# Intercept DNS traffic
# Redirect (port-forward) section: every TCP/UDP packet from the lan zone to
# port 53 is DNATed.  No dest_ip is given, so the traffic is sent to the
# router itself instead of the server the client has configured (the CLI
# equivalent of "Internal IP address: any" in the LuCI steps above).
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
# Only plain DNS on port 53 is covered; clients using DoH (443) or DoT (853)
# bypass this rule unless the filter sections further down are applied too.
/etc/init.d/firewall restart

To verify, configure a different DNS provider on a LAN client and check that the provider the client actually resolves through is the one configured on the router.

Collect and analyze the following information.

# Log and status
# A restart prints the warnings the firewall emits while loading its
# configuration, so a rejected section shows up here.
/etc/init.d/firewall restart
 
# Runtime configuration
# Dump the rules currently loaded in netfilter; the port 53 redirect should
# appear in the nat table.
iptables-save
ip6tables-save
 
# Persistent configuration
# Dump the UCI firewall config as stored on disk.
uci show firewall

Enable NAT6 to process IPv6 traffic when using dual-stack mode.

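# Install packages
opkg update
opkg install kmod-ipt-nat6
 
# Enable NAT6
# Firewall include that mirrors the IPv4 nat table into ip6tables: lines with
# DNAT/SNAT/MASQUERADE are dropped and every --match-set name gets a "6"
# suffix so the copied rules reference the IPv6 sets.  reload="1" below runs
# it on each firewall reload.
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
EOF
# Keep the include across sysupgrade; append the path only once so repeated
# runs of this snippet do not pile up duplicate lines.
grep -qxF "/etc/firewall.nat6" /etc/sysupgrade.conf 2>/dev/null \
|| printf '%s\n' "/etc/firewall.nat6" >> /etc/sysupgrade.conf
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart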

Configure the firewall to filter DoH traffic, forcing LAN clients to fall back to plain DNS.

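# Install packages
opkg update
opkg install ipset
 
# Configure IP sets
# Two hash:ip sets, one per address family, holding the known DoH resolver
# addresses; the Deny-DoH rules below match against them.
uci -q delete firewall.doh
uci set firewall.doh="ipset"
uci set firewall.doh.name="doh"
uci set firewall.doh.family="ipv4"
uci set firewall.doh.storage="hash"
uci set firewall.doh.match="ip"
uci -q delete firewall.doh6
uci set firewall.doh6="ipset"
uci set firewall.doh6.name="doh6"
uci set firewall.doh6.family="ipv6"
uci set firewall.doh6.storage="hash"
uci set firewall.doh6.match="ip"
 
# Filter DoH traffic
# Reject lan->wan traffic to port 443 only when the destination is in the DoH
# set, so ordinary HTTPS is untouched.  A client whose DoH resolver is
# unreachable falls back to plain DNS, which the Intercept-DNS redirect
# then captures.
uci -q delete firewall.doh_fwd
uci set firewall.doh_fwd="rule"
uci set firewall.doh_fwd.name="Deny-DoH"
uci set firewall.doh_fwd.src="lan"
uci set firewall.doh_fwd.dest="wan"
uci set firewall.doh_fwd.dest_port="443"
uci set firewall.doh_fwd.proto="tcp udp"
uci set firewall.doh_fwd.family="ipv4"
uci set firewall.doh_fwd.ipset="doh dest"
uci set firewall.doh_fwd.target="REJECT"
uci -q delete firewall.doh6_fwd
uci set firewall.doh6_fwd="rule"
uci set firewall.doh6_fwd.name="Deny-DoH"
uci set firewall.doh6_fwd.src="lan"
uci set firewall.doh6_fwd.dest="wan"
uci set firewall.doh6_fwd.dest_port="443"
uci set firewall.doh6_fwd.proto="tcp udp"
uci set firewall.doh6_fwd.family="ipv6"
uci set firewall.doh6_fwd.ipset="doh6 dest"
uci set firewall.doh6_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
 
# Populate IP sets
# The lists come from a third-party repository: whoever controls that source
# decides which port-443 destinations LAN clients lose access to.  Keep the
# fetch on HTTPS (uclient-fetch verifies the certificate only when a CA bundle
# is installed -- confirm on your image) and review the list contents.
cat << "EOF" > /etc/firewall.ipset-doh
DOH_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt"
DOH6_URL="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt"
# Refresh one IP set ($1) from its list URL ($2).  The existing entries are
# dropped only after the download succeeded and returned data, so a failed or
# empty fetch keeps the current block list instead of silently clearing it.
# Returns 1 when the fetch failed or produced nothing.
doh_update() {
local DOH_SET="${1}" DOH_LIST
DOH_LIST="$(uclient-fetch -O - "${2}")" || return 1
[ -n "${DOH_LIST}" ] || return 1
uci -q delete "firewall.${DOH_SET}.entry"
printf '%s\n' "${DOH_LIST}" \
| while read -r DOH_SERV
do case "${DOH_SERV}" in ""|"#"*) continue ;; esac
uci add_list "firewall.${DOH_SET}.entry=${DOH_SERV%% *}"
done
}
doh_update doh "${DOH_URL}"
doh_update doh6 "${DOH6_URL}"
uci commit firewall
/etc/init.d/firewall restart
EOF
# Keep the script across sysupgrade; append the path only once.
grep -qxF "/etc/firewall.ipset-doh" /etc/sysupgrade.conf 2>/dev/null \
|| printf '%s\n' "/etc/firewall.ipset-doh" >> /etc/sysupgrade.conf
. /etc/firewall.ipset-doh
 
# Configure hotplug
# Re-populate the sets once per boot, when a WAN interface comes up and the
# router has connectivity.  /tmp is tmpfs on OpenWrt, so the .done marker
# does not survive a reboot.
mkdir -p /etc/hotplug.d/iface
cat << "EOF" > /etc/hotplug.d/iface/99-ipset-doh
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_find_wan6 NET_IF6
# mkdir is atomic, so two hotplug events arriving together cannot both pass
# the lock check.
if { [ "${INTERFACE}" = "${NET_IF}" ] || [ "${INTERFACE}" = "${NET_IF6}" ]; } \
&& { [ "${ACTION}" = "ifup" ] || [ "${ACTION}" = "ifupdate" ]; } \
&& [ ! -e /tmp/ipset-doh.done ] \
&& ping -w 3 openwrt.org \
&& mkdir /tmp/ipset-doh.lock 2>/dev/null
then
. /etc/firewall.ipset-doh
touch /tmp/ipset-doh.done
rmdir /tmp/ipset-doh.lock
fi
EOF
grep -qxF "/etc/hotplug.d/iface/99-ipset-doh" /etc/sysupgrade.conf 2>/dev/null \
|| printf '%s\n' "/etc/hotplug.d/iface/99-ipset-doh" >> /etc/sysupgrade.conf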

Configure the firewall to filter DoT traffic, forcing LAN clients to fall back to plain DNS.

# Filter DoT traffic
# Reject forwarded lan->wan traffic on port 853 so clients cannot reach
# DNS-over-TLS resolvers.  udp is matched as well (DNS-over-QUIC uses the
# same port).  Port 853 is reserved for encrypted DNS, so unlike the DoH
# filter no IP set is needed to separate it from other traffic.
uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd="rule"
uci set firewall.dot_fwd.name="Deny-DoT"
uci set firewall.dot_fwd.src="lan"
uci set firewall.dot_fwd.dest="wan"
uci set firewall.dot_fwd.dest_port="853"
uci set firewall.dot_fwd.proto="tcp udp"
uci set firewall.dot_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Configure firewall to redirect intercepted DNS traffic to your local DNS server.

# Redirect DNS traffic
# Send intercepted DNS to a dedicated resolver on the LAN instead of the
# router.  Set DNS_SERV to that server's address before running this.
DNS_SERV="192.168.1.2"
# Reuses the Intercept-DNS section (firewall.dns_int) created earlier on this
# page; apply that step first.  The negated src_ip keeps the resolver's own
# upstream queries from being redirected back to itself.
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.src_ip="!${DNS_SERV}"
uci set firewall.dns_int.dest_ip="${DNS_SERV}"
# Masquerade the redirected queries so the resolver's replies return through
# the router.  Side effect: the resolver sees the router's address instead of
# the client's, so per-client attribution in its query logs is lost.
uci -q delete firewall.dns_masq
uci set firewall.dns_masq="nat"
uci set firewall.dns_masq.name="Masquerade-DNS"
uci set firewall.dns_masq.src="lan"
uci set firewall.dns_masq.dest_ip="${DNS_SERV}"
uci set firewall.dns_masq.dest_port="53"
uci set firewall.dns_masq.proto="tcp udp"
uci set firewall.dns_masq.target="MASQUERADE"
uci commit firewall
/etc/init.d/firewall restart
  • Last modified: 2021/03/12 04:14
  • by vgaetera