Reroute direct DNS requests on OpenWRT
Use:

    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1

Explanation

iptables uses chains to route traffic. We use iptables -t nat -A PREROUTING to select the chain to which we want to add the new rule. Then we narrow down the selection to include only traffic going out to the internet by selecting the interface with -i br-lan, which is OpenWRT's LAN interface. Since we're only redirecting DNS (UDP 53), we add -p udp --dport 53. Now that we only get DNS packets, we redirect them to the local DNS server using -j DNAT --to 192.168.1.1. You can replace the destination with any DNS server.
Hope this helps.
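The following script is an added example, not the code from the answer above or from the OpenWrt project. It applies the same idea (DNAT port-53 traffic arriving from the LAN bridge to the router's own resolver) for both UDP and TCP, idempotently, and shows how to confirm it is working. It assumes an iptables-based OpenWrt (fw3, the generation this thread is about), a LAN bridge named br-lan and a router address of 192.168.1.1; all three are assumptions and can be overridden through the environment. Two points worth noting that the rule string alone does not make obvious: matching on the bridge br-lan rather than the bridge port wlan0 is what makes the rule fire, because a bridged packet reaches the IP-layer PREROUTING hook with the bridge as its input device, and with -i br-lan the router's own upstream queries (which go through OUTPUT, not PREROUTING) are not looped back into dnsmasq. The rule only catches plaintext DNS on port 53; a client using DNS over TLS (853) or DNS over HTTPS (443) is not redirected.

```shell
#!/bin/sh
# Added example (not the original answer's code): force all plaintext DNS from
# the LAN through the router's own dnsmasq, for UDP and TCP, and verify it.
# Assumptions: iptables-based OpenWrt (fw3), LAN bridge br-lan, router
# 192.168.1.1. Override with LAN_IF=..., ROUTER_IP=..., IPT=... if they differ.
LAN_IF="${LAN_IF:-br-lan}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
IPT="${IPT:-iptables}"

# Rule spec for one protocol, without the -A/-C/-D verb, so the same spec can
# be appended, checked for and deleted. The match is on the bridge (br-lan),
# not a bridge port (wlan0): bridged packets hit the IP-layer PREROUTING hook
# with the bridge as their input device. Queries already addressed to the
# router are excluded so the rule's packet counter counts only bypass attempts.
dns_redirect_spec() {
    printf '%s\n' "-i $LAN_IF -p $1 --dport 53 ! -d $ROUTER_IP -j DNAT --to-destination $ROUTER_IP:53"
}

# Both transports: TCP is used for truncated (>512 byte) answers, and a client
# whose UDP query is hijacked but whose TCP retry is not would still leak.
dns_redirect_protos() { printf '%s\n' "udp tcp"; }

# Append each rule only if it is not already present (-C), so this is safe to
# call from /etc/firewall.user on every firewall reload without duplicating rules.
dns_redirect_apply() {
    for proto in $(dns_redirect_protos); do
        spec=$(dns_redirect_spec "$proto")
        # shellcheck disable=SC2086  # word-splitting the spec is intended
        "$IPT" -t nat -C PREROUTING $spec 2>/dev/null || "$IPT" -t nat -A PREROUTING $spec
    done
}

# Delete every copy of the rules (loops in case they were added more than once).
dns_redirect_remove() {
    for proto in $(dns_redirect_protos); do
        spec=$(dns_redirect_spec "$proto")
        # shellcheck disable=SC2086
        while "$IPT" -t nat -D PREROUTING $spec 2>/dev/null; do :; done
    done
}

# Show packet/byte counters of the redirect rules. tcpdump on the LAN side will
# still show replies "from" 8.8.8.8 because conntrack reverses the DNAT on the
# way back, so the counters (or dnsmasq's query log) are the real evidence.
dns_redirect_check() {
    "$IPT" -t nat -L PREROUTING -n -v --line-numbers | grep -E 'DNAT.*dpt:53'
}

case "${1:-}" in
    apply)  dns_redirect_apply ;;
    remove) dns_redirect_remove ;;
    check)  dns_redirect_check ;;
    "")     ;;   # sourced or run without an action: only define the functions
    *)      echo "usage: $0 apply|remove|check" >&2; exit 2 ;;
esac
```

Usage: run it as `sh dns-redirect.sh apply` on the router (or paste the apply loop into /etc/firewall.user so it is reapplied on every firewall reload), then from a LAN client ask a public resolver directly for a blocked name, e.g. `nslookup pubads.g.doubleclick.net 8.8.8.8`; with the rule in place the answer comes from dnsmasq and, for a host on the block list, is the pixelserv address from the question (192.168.99.99). `sh dns-redirect.sh check` shows the rules' packet counters climbing for each intercepted query.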
TacoV
Updated on September 18, 2022

Comments
-
TacoV over 1 year
On my router with OpenWRT, I use dnsmasq for DNS poisoning to block ads. If the host is on the list, the router replies to the DNS request with 192.168.99.99, which only and always serves a 1x1 transparent gif (the pixelserv method).
However, local devices can bypass this by directly using their own DNS server. How can I reroute these DNS requests so the ads are blocked?
I tried commands like these (8.8.8.8 and 8.8.4.4 being the DNS servers, 192.168.1.102 the source device, 192.168.1.1 the IP of my router):
    iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 192.168.1.1
    iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination 192.168.1.1
    # or:
    iptables -t nat -A PREROUTING -i wlan0 -s 192.168.1.102 -p udp --dport 53 -j REDIRECT --to-port 53
    iptables -t nat -A PREROUTING -i wlan0 -s 192.168.1.102 -p tcp --dport 53 -j REDIRECT --to-port 53
I tried adding a traffic rule through the OpenWrt admin panel -> Source NAT, matching "Any TCP, UDP From IP 192.168.1.102 in lan To any host, port 53 in lan", with action "Rewrite to source IP 192.168.1.1, port 53". I believe this is effectuated in iptables as well either way.
But I find the DNS queries are still resolving:
    root@OpenWrt:~# tcpdump -vvv -i wlan0 port 53
    Chromecast.lan.42591 > google-public-dns-a.google.com.domain: [udp sum ok] 57897+ A? pubads.g.doubleclick.net. (42)
    google-public-dns-a.google.com.domain > Chromecast.lan.42591: [udp sum ok] 57897 q: A? pubads.g.doubleclick.net. 5/0/0 pubads.g.doubleclick.net. [5h59m59s] CNAME partnerad.l.doubleclick.net., partnerad.l.doubleclick.net. [4m59s] A 74.125.136.157, partnerad.l.doubleclick.net. [4m59s] A 74.125.136.156, partnerad.l.doubleclick.net. [4m59s] A 74.125.136.155, partnerad.l.doubleclick.net. [4m59s] A 74.125.136.154 (132)
Maybe a completely different method, for example through dnsmasq, would work? I could not find this, however.
(I've found some explanation on how to reroute to another remote DNS server, but that won't help me here. It's mostly for unblocking regions or for Tomato or DD-WRT. Also, this is closely related to my previous question)
-
Zalmy almost 9 years: try

    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1
-
TacoV almost 9 years: That actually works! Can you make it into an answer so you can elaborate and I can accept it?
-
TacoV almost 9 years: I especially wonder why I can capture the packets on wlan0 but need to use br-lan to reroute them... And probably would need to add the same filter for tcp as well (for the larger responses)?
-
qasdfdsaq almost 9 years: @TacoV: wlan0 is a physical interface. It does not have an IP address. The IP address is bound to br-lan.
-
Zalmy almost 9 years: @tacov wlan0 is the wireless physical interface. So all you get is wifi traffic.