DNS hijacking

Introduction

  • This guide describes how to configure OpenWrt to intercept DNS traffic from LAN clients and deliver it to the router's own resolver, regardless of which DNS server the clients have configured.

Goals

  • Override a preconfigured DNS provider for LAN clients.
    • Prevent DNS leaks from LAN clients when the router uses a VPN or DNS encryption.

Instructions

Intercept DNS queries to override LAN client settings. The redirect below rewrites every TCP and UDP packet from the lan zone with destination port 53 to the router itself, so dnsmasq answers the query no matter which resolver address the client sent it to. Only plain DNS on port 53 is caught; DNS over TLS (port 853) and DNS over HTTPS (port 443) pass through this rule untouched.

# Intercept DNS queries
# A redirect with target DNAT and no dest_ip is rendered by fw3 as a
# REDIRECT to the router's own address on the receiving interface.
uci -q delete firewall.dnsint
uci set firewall.dnsint="redirect"
uci set firewall.dnsint.name="Intercept-DNS"
uci set firewall.dnsint.src="lan"
uci set firewall.dnsint.src_dport="53"
uci set firewall.dnsint.family="ipv4"
uci set firewall.dnsint.proto="tcpudp"
uci set firewall.dnsint.target="DNAT"
uci commit firewall
service firewall restart

The redirect above is IPv4-only. On a dual-stack network, clients can still send queries to an external resolver over IPv6, so install NAT6 support and mirror the IPv4 nat table into the IPv6 nat table on every firewall restart.

# Intercept DNS6 queries
opkg update
opkg install kmod-ipt-nat6
# Copy the IPv4 nat table into the IPv6 nat table. Rules that carry IPv4
# addresses (DNAT/SNAT with --to-destination/--to-source) are dropped because
# ip6tables-restore would reject them, and MASQUERADE is dropped so IPv6
# traffic is not NATed; the address-less REDIRECT rules for port 53 survive.
cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" \
| ip6tables-restore --table="nat"
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart
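To see what the NAT6 include actually carries over, the following added example (not part of the OpenWrt wiki page or of fw3 itself) applies the same sed filter as /etc/firewall.nat6 to a constructed `iptables-save --table=nat` dump containing the Intercept-DNS redirect, a port forward with its SNAT reflection rule, and the wan masquerade. The dump and its rule names are made up for illustration; `[[:space:]]` is the POSIX spelling of the `\s` used on the page and GNU sed treats them alike. Any other nat rule that mentions an IPv4 address (for example a redirect with `src_ip`) would likewise have to be dropped, or ip6tables-restore would fail.

```shell
#!/bin/sh
# Added example: exercise the /etc/firewall.nat6 filter on a constructed
# iptables-save dump. Nothing here touches the live firewall.

# The filter from the page, written with the POSIX character class.
filter_nat_rules() {
    sed -e '/[[:space:]][DS]NAT[[:space:]]/d;/[[:space:]]MASQUERADE$/d'
}

# Constructed sample of `iptables-save --table=nat` output (not captured from
# a real router): the Intercept-DNS redirect plus a hypothetical SSH port
# forward, its NAT reflection SNAT and the usual wan masquerade.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: SSH-Forward" -j DNAT --to-destination 192.168.1.10:22
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH-Forward (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT'

# The dump as ip6tables-restore would receive it.
translated() {
    printf '%s\n' "$SAMPLE_NAT_DUMP" | filter_nat_rules
}

# Number of -A rule lines on stdin (grep -c exits 1 on zero matches, hence || true).
count_rules() {
    grep -c '^-A ' || true
}

# Address-less REDIRECT rules that survive the filter.
kept_redirects() {
    translated | grep -c -- '-j REDIRECT' || true
}

# Rules that embed IPv4 addresses or masquerade; these must all be gone.
kept_addr_rules() {
    translated | grep -c -E -- '-j (DNAT|SNAT|MASQUERADE)' || true
}

echo "Rules handed to ip6tables-restore:"
translated
echo "REDIRECT rules kept: $(kept_redirects); DNAT/SNAT/MASQUERADE rules kept: $(kept_addr_rules)"
```

Run it on any Linux host with GNU sed: the two port-53 REDIRECT rules and the chain jump survive, the DNAT, SNAT and MASQUERADE rules are removed, and the table header and `COMMIT` line are passed through unchanged, which is why the same text is loadable into the IPv6 nat table.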

Testing

On a LAN client, configure a DNS server other than the router (for example a public resolver) and check which provider actually answers. A DNS leak test should still report the provider configured on the router, and a query for a name only the router's resolver knows, such as the router's own LAN hostname, is answered even though the client sent it to the external address. On the router, the packet counters of the Intercept-DNS rules should increase with each client query.

# Packet counters of the intercept rules
iptables -t nat -L zone_lan_prerouting -nv

Troubleshooting

Collect and analyze the following information.

# Log and status
service firewall restart

# Runtime configuration
iptables-save
ip6tables-save

# Persistent configuration
uci show firewall
docs/guide-user/services/dns/intercept.txt · Last modified: 2019/04/19 18:25 by vgaetera