DNS hijacking

Introduction

  • This guide describes how to configure OpenWrt to intercept DNS traffic from LAN clients and answer it with the router's own resolver, whatever DNS server the client was configured to use.
  • Combine DNS hijacking with VPN or DNS encryption on the router so that the queries it intercepts are then forwarded over the protected path.

Goals

  • Override the preconfigured DNS provider for LAN clients.
    • Prevent DNS leaks from LAN clients when using VPN or DNS encryption on the router.

Instructions

1. Firewall

Configure the firewall to redirect all DNS traffic (TCP and UDP, destination port 53) arriving from the lan zone to the router. The redirect section below has target DNAT but no dest_ip, so fw3 generates a REDIRECT rule, which sends the packet to the router's own address instead of rewriting it to a fixed destination; the query therefore lands on dnsmasq on the router. Note that only plain DNS on port 53 is caught: clients that use DNS over TLS (port 853) or DNS over HTTPS (port 443) bypass this rule.

# Intercept DNS traffic
uci -q delete firewall.dnsint
uci set firewall.dnsint="redirect"
uci set firewall.dnsint.name="Intercept-DNS"
uci set firewall.dnsint.src="lan"
uci set firewall.dnsint.src_dport="53"
uci set firewall.dnsint.family="ipv4"
uci set firewall.dnsint.proto="tcpudp"
uci set firewall.dnsint.target="DNAT"
uci commit firewall
service firewall restart

2. NAT6

The rule above is IPv4 only (family ipv4). If your LAN is dual-stack, clients can still reach an IPv6 resolver directly, so enable NAT6 and copy the IPv4 nat rules into ip6tables. The include script below filters the copy with sed: DNAT and SNAT rules carry IPv4 addresses that ip6tables-restore would reject, and MASQUERADE is dropped as well, so only address-free rules such as the DNS REDIRECT are replicated for IPv6.

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" \
| ip6tables-restore --table="nat"
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart
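To confirm what the two steps above actually produced, the following added example (not part of this wiki page) checks a copy of `iptables-save --table=nat` output for the Intercept-DNS REDIRECT rule on both tcp and udp, and replays the sed filter from /etc/firewall.nat6 to show which lines survive into ip6tables. The nat dump embedded in the script is a constructed sample in fw3's format (chain names, "!fw3:" comments and a DNAT/MASQUERADE rule added for contrast); on a router, feed it the real dump instead.

```python
"""Offline check of an iptables-save nat dump for the DNS intercept rule.

Added example; not from the OpenWrt wiki page. Run it on a router with
`iptables-save --table=nat | python3 check_dns_intercept.py` or on the
constructed sample below.
"""
import re
import sys

# Constructed sample of `iptables-save --table=nat` on a router where the
# Intercept-DNS redirect is active. The DNAT and MASQUERADE lines are there
# only to show what the NAT6 filter drops.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT
-A zone_lan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: Web" -j DNAT --to-destination 192.168.1.10:80
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
"""

# One "-A <chain> <matches> -j <target> [target args]" line.
RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*) -j (?P<target>\S+)(?P<args>.*)$")


def parse_rules(dump):
    """Return a dict per -A line: chain, match body, target and target args."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def dns_intercept_status(dump, chain="zone_lan_prerouting", port=53):
    """Report whether `chain` REDIRECTs tcp and udp traffic to `port`.

    fw3 emits one rule per protocol for proto=tcpudp, so both must be present
    for the intercept to be complete.
    """
    status = {"tcp": False, "udp": False}
    for rule in parse_rules(dump):
        if rule["chain"] != chain or rule["target"] != "REDIRECT":
            continue
        m = re.search(r"-p (tcp|udp) .*--dport (\d+)", rule["body"])
        if m and int(m.group(2)) == port:
            status[m.group(1)] = True
    return status


def nat6_filter(dump):
    """Replay `sed -e "/\\s[DS]NAT\\s/d;/\\sMASQUERADE$/d"` from /etc/firewall.nat6.

    Lines with an IPv4-specific DNAT/SNAT target or a MASQUERADE target are
    removed; everything else (table header, chains, REDIRECT rules, COMMIT)
    is what ip6tables-restore receives.
    """
    kept = []
    for line in dump.splitlines():
        if re.search(r"\s[DS]NAT\s", line) or re.search(r"\sMASQUERADE$", line):
            continue
        kept.append(line)
    return kept


def main():
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAT_DUMP
    status = dns_intercept_status(dump)
    for proto, ok in status.items():
        print(f"DNS intercept ({proto}/53): {'present' if ok else 'MISSING'}")
    print("\nRules that the NAT6 include would load into ip6tables:")
    for line in nat6_filter(dump):
        if line.startswith("-A"):
            print("  " + line)


if __name__ == "__main__":
    main()
```

If either protocol is reported missing, the uci section did not apply (check `uci show firewall.dnsint` and the warnings printed by `service firewall restart`); if a line with an IPv4 address shows up in the filtered list, the sed expression in /etc/firewall.nat6 is not what ip6tables-restore is getting.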

Testing

On a LAN client, configure a DNS server other than the router (or point a lookup tool such as nslookup or dig at one explicitly) and verify that the answers still come from the router: a DNS leak test site should report only the provider configured on the router, and a lookup sent to an arbitrary address on port 53 should still be answered. Repeat the check over IPv6 if you enabled NAT6.
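A direct way to test the redirect from a client, as an added example that is not part of this wiki page: send the same raw DNS query to the router and to an address that cannot be a DNS server. 192.0.2.1 is in TEST-NET-1 (RFC 5737) and is never routed, so the only way a response can come back from it is if the router intercepted the query; a timeout means the query escaped the LAN unanswered. The router address and test name are assumptions; adjust them to your network. Both UDP and TCP are exercised because the rule covers proto tcpudp.

```python
"""Client-side check that the router intercepts DNS on UDP and TCP port 53.

Added example, not from the OpenWrt wiki page. Run on a LAN client:
    python3 dns_intercept_test.py
"""
import random
import socket
import struct

ROUTER = "192.168.1.1"        # assumed OpenWrt LAN address
BOGUS_RESOLVER = "192.0.2.1"  # TEST-NET-1: unrouted, so only the router can "answer"
TEST_NAME = "openwrt.org"     # any public name the router's resolver can answer


def build_query(name, txid=None):
    """Return a minimal DNS query (A record, recursion desired) in wire format."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data):
    """Return (txid, rcode, answer_count) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, flags & 0x000F, an


def query_udp(server, name, timeout=2.0):
    """Send one UDP query; return (rcode, answers) or None on timeout."""
    q = build_query(name)
    (txid,) = struct.unpack("!H", q[:2])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:
            return None
    rid, rcode, an = parse_response(data)
    return (rcode, an) if rid == txid else None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_tcp(server, name, timeout=2.0):
    """Same over TCP (RFC 1035 two-byte length prefix); None if unreachable."""
    q = build_query(name)
    (txid,) = struct.unpack("!H", q[:2])
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except OSError:
        return None
    rid, rcode, an = parse_response(data)
    return (rcode, an) if rid == txid else None


def classify(router_result, bogus_result):
    """Turn the two results for one transport into a verdict string."""
    if router_result is None:
        return "router not answering: fix the router's resolver before testing the redirect"
    if bogus_result is None:
        return "LEAK: query to the bogus resolver left the router unanswered (no redirect)"
    return "intercepted: bogus resolver 'answered' with rcode %d, %d answer(s)" % bogus_result


def run_checks(router=ROUTER, bogus=BOGUS_RESOLVER, name=TEST_NAME):
    return {proto: classify(fn(router, name), fn(bogus, name))
            for proto, fn in (("udp", query_udp), ("tcp", query_tcp))}


if __name__ == "__main__":
    for proto, verdict in run_checks().items():
        print(f"{proto}: {verdict}")
```

An "intercepted" verdict for both transports confirms the rule; a LEAK on only one of them usually means the proto option was not tcpudp. The test assumes nothing upstream answers for 192.0.2.1; an ISP that itself hijacks port 53 would produce a false "intercepted", so run the check with the WAN link down if in doubt.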

Troubleshooting

Collect and analyze the following information.

# Log and status
service firewall restart

# Runtime configuration
iptables-save
ip6tables-save

# Persistent configuration
uci show firewall

docs/guide-user/services/dns/intercept.txt · Last modified: 2019/04/28 02:32 by vgaetera