DNS hijacking


  • This guide describes how to configure OpenWrt to intercept your DNS traffic.
  • You can use DNS hijacking with VPN or DNS encryption to protect DNS traffic.


  • Override preconfigured DNS provider for LAN clients.
  • Prevent DNS leak for LAN clients when using VPN or DNS encryption.


1. Firewall

Configure the firewall to redirect DNS traffic (TCP and UDP port 53) arriving from the LAN zone to the router itself, whatever resolver address the client has configured. Only plain DNS on port 53 is caught: clients that use DNS over TLS (port 853) or DNS over HTTPS (port 443) bypass this rule and have to be blocked or handled separately.

# Intercept DNS traffic
# A redirect with target DNAT and no dest_ip sends the traffic to the router's own address.
uci -q delete firewall.dnsint
uci set firewall.dnsint="redirect"
uci set firewall.dnsint.name="Intercept-DNS"
uci set firewall.dnsint.src="lan"
uci set firewall.dnsint.src_dport="53"
uci set firewall.dnsint.family="ipv4"
uci set firewall.dnsint.proto="tcpudp"
uci set firewall.dnsint.target="DNAT"
uci commit firewall
service firewall restart

2. NAT6

If your LAN is dual-stack, clients can also send DNS queries over IPv6, which the redirect above does not cover (it is configured with family="ipv4"). Enable NAT6 and replay the IPv4 nat table into ip6tables so that IPv6 DNS traffic is intercepted as well. This step applies to the iptables-based fw3 firewall; fw4 (nftables, OpenWrt 22.03 and later) handles IPv6 in the nat table natively.

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
# Include script: copy the IPv4 nat table into the IPv6 nat table, dropping
# the rules that carry IPv4 addresses (SNAT/DNAT) and the MASQUERADE rule.
# The delimiter is quoted so the shell does not expand anything inside the script.
cat << "EOF" > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" \
| ip6tables-restore --table="nat"
EOF
# Register the script as a firewall include that runs on every reload
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart
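The two steps above can be checked offline with the following shell helpers. This is an added example, not code from the OpenWrt wiki page or from fw3: it wraps the page's NAT6 sed filter in a function and adds a small checker that reads iptables-save -t nat output and reports whether both the TCP and the UDP port-53 REDIRECT rules exist in the LAN zone's prerouting chain. The sample dumps, the helper names and the assumed fw3 rule layout (zone_lan_prerouting chain, "!fw3: Intercept-DNS" comment, -j REDIRECT when no dest_ip is set) are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the OpenWrt wiki page or of fw3.
# Two helpers that read "iptables-save -t nat" output on stdin, so they can be
# exercised offline on the constructed samples below and on the router with
# real output:   iptables-save -t nat | dns_intercept_rules lan
# Assumed fw3 rule layout (assumption for this example):
#   -A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT

# The filter from /etc/firewall.nat6 (the page's own sed expression), kept as
# a function: drop SNAT/DNAT rules (they carry IPv4 addresses) and the
# MASQUERADE rule, so only address-free rules such as REDIRECT are replayed
# into the IPv6 nat table.
nat6_filter() {
    sed -e '/\s[DS]NAT\s/d;/\sMASQUERADE$/d'
}

# dns_intercept_rules ZONE: print the protocols (tcp, udp) that have a
# "--dport 53 ... -j REDIRECT" rule in zone_ZONE_prerouting; succeed only when
# both are present, because resolvers fall back to TCP for large answers.
dns_intercept_rules() {
    zone="$1"
    have_tcp=0
    have_udp=0
    while IFS= read -r line; do
        case "$line" in
            "-A zone_${zone}_prerouting "*"--dport 53 "*"-j REDIRECT"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -p tcp "*) have_tcp=1 ;;
            *" -p udp "*) have_udp=1 ;;
        esac
    done
    protos=""
    if [ "$have_tcp" -eq 1 ]; then protos="tcp"; fi
    if [ "$have_udp" -eq 1 ]; then protos="${protos:+$protos }udp"; fi
    echo "$protos"
    if [ "$have_tcp" -eq 1 ] && [ "$have_udp" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Constructed sample dumps (not real captures): a complete configuration and
# one where the TCP half of the redirect is missing.
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_lan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: Web" -j DNAT --to-destination 192.168.1.10:80
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT'

SAMPLE_UDP_ONLY='*nat
:zone_lan_prerouting - [0:0]
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
COMMIT'

# Offline demonstration: check the IPv4 rules, then check what survives the
# NAT6 filter (this is what ip6tables-restore would receive).
for name in SAMPLE_OK SAMPLE_UDP_ONLY; do
    eval "dump=\$$name"
    if protos=$(printf '%s\n' "$dump" | dns_intercept_rules lan); then
        echo "$name (IPv4): complete ($protos)"
    else
        echo "$name (IPv4): incomplete (${protos:-none})"
    fi
    if protos=$(printf '%s\n' "$dump" | nat6_filter | dns_intercept_rules lan); then
        echo "$name (after NAT6 filter): complete ($protos)"
    else
        echo "$name (after NAT6 filter): incomplete (${protos:-none})"
    fi
done
```

On the router, feed real output instead of the samples (iptables-save -t nat | dns_intercept_rules lan, and ip6tables-save -t nat for the IPv6 side). The checker deliberately requires both protocols: a rule set that only catches UDP lets a client's TCP retries reach its own resolver.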


Testing

Configure a LAN client with a DNS provider different from the one used by the router, then run a DNS leak test from that client: the provider it reports must be the one configured on the router, not the one set on the client. On the router, the packet counters of the Intercept-DNS rules (iptables-save -c -t nat) should increase while the client resolves names.


Troubleshooting

Collect and analyze the following information. The Intercept-DNS rules should appear in the zone_lan_prerouting chain with -j REDIRECT, once for TCP and once for UDP.

# Log and status
logread -e firewall
service firewall restart
# Runtime configuration
iptables-save -c -t nat
ip6tables-save -c -t nat
# Persistent configuration
uci show firewall
docs/guide-user/services/dns/intercept.txt · Last modified: 2019/04/28 02:32 by vgaetera