DNS hijacking

Introduction

  • This how-to describes how to intercept DNS traffic from LAN clients on OpenWrt, so that queries sent to any resolver are answered by the router instead.
  • Combine it with VPN or DNS encryption on the router to keep the clients' DNS traffic private.

Goals

  • Override preconfigured DNS provider for LAN clients.
    • Prevent DNS leak for LAN clients when using VPN or DNS encryption.

Instructions

1. Firewall

Configure the firewall to intercept DNS traffic. The redirect rule below matches TCP and UDP packets from the lan zone that are addressed to port 53 on any server and, because no dest_ip is given, hands them to the resolver on the router itself. The rule is IPv4-only; IPv6 is handled in step 2. Only plain DNS on port 53 is caught: a client that uses DNS over TLS (port 853) or DNS over HTTPS (port 443) bypasses this rule.

# Intercept DNS traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.family="ipv4"
uci set firewall.dns_int.proto="tcpudp"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

2. NAT6

The redirect rule in step 1 applies to IPv4 only. When LAN clients also have IPv6 (dual-stack), enable NAT6 so the same interception applies to IPv6 DNS queries. The include below copies the IPv4 nat table into ip6tables on every firewall reload, dropping only the rules that embed IPv4 addresses (DNAT and SNAT with explicit targets, and MASQUERADE); the intercept rule carries no address, so it is copied as-is.

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << "EOF" > /etc/firewall.nat6
# Copy the IPv4 nat table to IPv6, skipping rules that carry IPv4 addresses
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart
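The include above decides, rule by rule, what is copied from the IPv4 nat table to ip6tables. The following script is an added example, not code from the wiki page or from OpenWrt: it runs the same sed filter over a constructed iptables-save dump so you can see which rules survive (the port-53 REDIRECT rules) and which are dropped (DNAT/SNAT with addresses, MASQUERADE). The interface names br-lan/eth1, the addresses and the rule comments in the sample are assumptions made to resemble fw3 output; they were not captured from a real router. With --sync it runs the real pipeline, which only makes sense on the router.

```sh
#!/bin/sh
# Added example (not part of the OpenWrt wiki page): shows what the
# /etc/firewall.nat6 filter keeps and drops before the rules reach ip6tables.

# Same sed expression as /etc/firewall.nat6, reading an iptables-save dump on stdin.
# It deletes rules whose target embeds an IPv4 address (DNAT/SNAT with
# --to-destination/--to-source) and MASQUERADE rules; everything else,
# including the port-53 REDIRECT rules from step 1, passes through unchanged.
nat6_filter() {
    sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d"
}

# The real include, as one function; only meaningful on a router with iptables.
nat6_sync() {
    iptables-save -t nat | nat6_filter | ip6tables-restore -T nat
}

# Constructed iptables-save -t nat dump. Interface names, addresses and rule
# names are assumptions chosen to look like fw3 output, not a real capture.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_lan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: Web-forward" -j DNAT --to-destination 192.168.1.10:80
-A zone_wan_postrouting -s 192.168.1.0/24 -m comment --comment "!fw3: Static-SNAT" -j SNAT --to-source 203.0.113.5
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT'

# Run the filter over the sample; the output is what ip6tables-restore would load.
filtered_nat6() {
    printf '%s\n' "$SAMPLE_NAT" | nat6_filter
}

# Count rules in a dump that jump to the given target (grep -c prints 0 on no match).
count_target() {
    grep -c -- "-j $1" || true
}

# REDIRECT rules that survive the filter (expected: the two Intercept-DNS rules).
kept_redirects() {
    filtered_nat6 | count_target REDIRECT
}

# Rules with IPv4-specific targets that survive the filter (expected: none).
kept_ipv4_nat() {
    filtered_nat6 | grep -c -E -- '-j (DNAT|SNAT|MASQUERADE)' || true
}

if [ "${1:-}" = "--sync" ]; then
    nat6_sync
else
    echo "Rules that would be sent to ip6tables-restore -T nat:"
    filtered_nat6
    echo
    echo "REDIRECT rules kept: $(kept_redirects), IPv4 NAT rules kept: $(kept_ipv4_nat)"
fi
```

Because the intercept rule from step 1 sets no dest_ip, fw3 renders it as a REDIRECT with no embedded address, which is exactly why it passes the filter while a port forward with a dest_ip does not. If you later add a redirect that must also apply to IPv6, keep it address-free for the same reason.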

Testing

On a LAN client, configure a DNS server other than the router (a public resolver, for example) and check which resolver actually answers. A DNS leak test site should report the router's upstream provider, not the one set on the client. For a local check, resolve a name that only the router's resolver knows, such as the router's own hostname, against that external server: the query can only be answered if it was intercepted. Repeat the check over IPv6 when running dual-stack.

Troubleshooting

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
 
# Runtime configuration
iptables-save
ip6tables-save
 
# Persistent configuration
uci show firewall
docs/guide-user/services/dns/intercept.txt · Last modified: 2019/10/04 14:53 by vgaetera