DNS hijacking using LuCI

See also: DNS hijacking using CLI

To enforce the OpenWrt DNS server settings across your network, all DNS traffic on port '53' must pass through the router.

One reason to force router-based DNS is when using a service like OpenDNS to block domains and filter access to categories of content. If a device on your network isn't using the router's DNS settings, it will bypass the filtering. For example, many Android devices are hard-set to use the Google DNS servers (8.8.8.8 and 8.8.4.4) and therefore won't use the router's DNS settings.

It's unclear whether other devices are following Google's lead, but this guide shows how to redirect all port '53' DNS traffic to the router using LuCI.

  1. Go to 'Network > Firewall > Port Forwards' and click Add.
  2. Set 'Name' to 'Hijack DNS'
  3. Set 'Protocol' to 'TCP + UDP'
  4. Set 'Source zone' to 'lan'
  5. Set 'External port' to '53'
  6. Set 'Destination zone' to 'lan'
  7. Set 'Internal IP address' to 'any'
  8. Set 'Internal port' to '53'

- Click the 'Save' button
- Click the 'Save & Apply' button

From a client device that is known to use a non-router DNS server, such as the Android device described above or one you've hard-set yourself, verify that the OpenWrt DNS server is being used:

https://dnsleaktest.com/

Also, the OARC Reply Size Test can show whether your DNS queries to an external resolver are being intercepted by the router.

https://www.dns-oarc.net/oarc/services/replysizetest

dig +short rs.dns-oarc.net TXT @8.8.8.8
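As an added example (not part of this wiki page or of OpenWrt itself), the following Python script automates the OARC check: it runs the dig command above once against the router and once against 8.8.8.8 and compares the resolver addresses OARC reports. When the hijack works, both queries are answered through the router's upstream resolver, so the reported addresses match. The router address 192.168.1.1 is an assumption and the sample dig outputs are constructed.

```python
import ipaddress
import re
import subprocess

# Constructed sample output of `dig +short rs.dns-oarc.net TXT @<server>` (not a
# real capture); OARC's TXT answers start with the address of the resolver it saw.
SAMPLE_VIA_ROUTER = '''rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
"203.0.113.10 DNS reply size limit is at least 4090"
"203.0.113.10 sent EDNS buffer size 4096"
"Tested at 2020-12-04 04:46:00 UTC"
'''
# A different address in the @8.8.8.8 answer means the query left the LAN unredirected.
SAMPLE_VIA_GOOGLE_LEAK = SAMPLE_VIA_ROUTER.replace("203.0.113.10", "198.51.100.7")

TXT_LINE = re.compile(r'^"(\S+) (?:DNS reply size limit|sent EDNS buffer size)')

def reported_resolvers(dig_output):
    """Return the set of resolver addresses named in OARC's TXT answers."""
    seen = set()
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        try:
            seen.add(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            pass  # skip a malformed token rather than trusting it
    return seen

def hijack_in_effect(router_output, external_output):
    """True when the external query was answered via the same upstream as the router's."""
    via_router = reported_resolvers(router_output)
    via_external = reported_resolvers(external_output)
    return bool(via_router) and via_router == via_external

def run_dig(server):
    """Run the page's dig command against one server (assumes dig is installed)."""
    cmd = ["dig", "+short", "rs.dns-oarc.net", "TXT", "@" + server]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout

if __name__ == "__main__":
    # 192.168.1.1 is an assumed router LAN address; adjust to your setup.
    ok = hijack_in_effect(run_dig("192.168.1.1"), run_dig("8.8.8.8"))
    print("DNS hijack in effect" if ok else "queries to 8.8.8.8 are NOT redirected")
```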

  • Last modified: 2020/12/04 04:46
  • by vgaetera