DNS hijacking

  • This how-to describes the method for intercepting your DNS traffic on OpenWrt.
  • You can combine it with VPN or DNS encryption to protect DNS traffic.
  • Override preconfigured DNS provider for LAN clients.
    • Prevent DNS leak for LAN clients when using VPN or DNS encryption.

Configure the firewall to redirect all DNS traffic from the LAN zone (TCP and UDP port 53) to the router itself.

# Intercept DNS traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart
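A common way for the intercept to silently fail is a redirect that covers only one of TCP or UDP, or is bound to the wrong zone. The following script is an added example, not from the OpenWrt wiki: it reads a `uci show firewall` dump from stdin and reports whether a redirect matching the rule above exists and covers both protocols. The function name `dns_intercept_state` and the embedded dump are assumptions of this example (the dump is a constructed sample of the configuration above, not output captured from a router). On a real router you would run `uci show firewall | dns_intercept_state` after sourcing the script.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): read-only check that the
# Intercept-DNS redirect covers LAN port 53 over BOTH tcp and udp.
# Input: a `uci show firewall` dump on stdin.

# Prints one of:
#   ok           redirect with src=lan, src_dport=53, target=DNAT, proto covering tcp and udp
#   partial      such a rule exists but its proto lists only one of tcp/udp
#   unspecified  such a rule exists but sets no proto at all
#   missing      no matching redirect section
dns_intercept_state() {
    awk -F'=' -v q="'" '
        # uci show lines: firewall.<section>=<type>  or  firewall.<section>.<option>=<value>
        NF >= 2 {
            val = $2
            gsub("^" q "|" q "$", "", val)      # strip the quotes uci puts around values
            n = split($1, p, ".")
            if (n == 2) stype[p[2]] = val
            else if (n == 3) opt[p[2] "." p[3]] = val
        }
        END {
            state = "missing"
            for (s in stype) {
                if (stype[s] != "redirect") continue
                if (opt[s ".src"] != "lan" || opt[s ".src_dport"] != "53" || opt[s ".target"] != "DNAT") continue
                proto = opt[s ".proto"]
                if (proto == "") { state = "unspecified"; continue }
                padded = " " proto " "
                tcp = index(padded, " tcp ") > 0
                udp = index(padded, " udp ") > 0
                if (tcp && udp) { state = "ok"; break }
                if (tcp || udp) state = "partial"
            }
            print state
        }'
}

# Constructed sample of a `uci show firewall` dump containing the rule from this page
# (not captured from a real router).
SAMPLE_UCI=$(cat <<'EOF'
firewall.lan=zone
firewall.lan.name='lan'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'
EOF
)

# Show the state for the sample (expected: ok)
printf '%s\n' "$SAMPLE_UCI" | dns_intercept_state
```

The check is deliberately strict about `src='lan'`: a redirect bound to another zone does not protect LAN clients, and a `proto` of only `udp` leaves TCP fallback queries (large responses, truncated answers) unintercepted.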

Enable NAT6 to process IPv6 traffic when using dual-stack mode.

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart
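The sed expression in `/etc/firewall.nat6` is terse, so here is an added example (not from the OpenWrt wiki) that applies the very same three expressions to a constructed `iptables-save -t nat` dump and shows what survives into the IPv6 nat table. The function name `nat4_to_nat6` and the sample rules (interface names, addresses, ipset name) are assumptions of this example, not captured from a router.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): what the sed filter in
# /etc/firewall.nat6 does to an IPv4 nat table before ip6tables-restore reads it.

# Same three expressions as the page's /etc/firewall.nat6:
#  1. /\s[DS]NAT\s/d            drop DNAT/SNAT rules (they carry IPv4 addresses)
#  2. /\sMASQUERADE$/d          drop MASQUERADE rules
#  3. /\s--match-set\s\S*/s//\06/  append "6" to every ipset name referenced by --match-set
#     (\0 is GNU sed's name for the whole match, so " --match-set foo" becomes " --match-set foo6")
nat4_to_nat6() {
    sed -e '/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/'
}

# Constructed sample of an `iptables-save -t nat` dump (made-up names and addresses)
SAMPLE_NAT4='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m set --match-set vpn_hosts src -j prerouting_vpn
-A prerouting_lan -p udp -m udp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.10
COMMIT'

# What the filter should leave: chain headers, the ipset rule renamed to vpn_hosts6, COMMIT
EXPECTED_NAT6='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m set --match-set vpn_hosts6 src -j prerouting_vpn
COMMIT'

# Apply the filter to the sample and print the result
printf '%s\n' "$SAMPLE_NAT4" | nat4_to_nat6
```

The renaming in step 3 means every ipset your IPv4 rules reference must also exist under the same name with a `6` suffix as an IPv6 set, or `ip6tables-restore` rejects the table and NAT6 silently ends up with no rules.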

When a LAN client is configured to use a DNS provider other than the router, verify that the provider it actually resolves through is the one configured on the router; if it is, the interception is working.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
# Runtime configuration (NAT rules currently loaded)
iptables-save -t nat
# Persistent configuration
uci show firewall

If you want to manage the settings using the web interface:

Navigate to LuCI → Network → Firewall → Port Forwards → Intercept-DNS to manage the firewall rule.

See also: DNS hijacking using LuCI

  • Last modified: 2020/12/30 20:07
  • by vgaetera