Alternative to ip6tables DNAT rule (DNS redirection)

HELLO_wORLD

Very Senior Member
Hi,

I currently have a NAS with a DNS server (mostly for DNS cache, local domains, and an ad-blocking sinkhole system).
The DNS server points to the router’s Stubby as its resolver for encrypted DNS to WAN.
I use DHCP (v4 and v6) to advertise my NAS to my LAN as the DNS resolver, and the router (Stubby) as my secondary one.

It has worked well for a long time now.

My iPad sometimes gets ads back after a while, and turning WiFi off/on solves the problem (resetting DNS back to the NAS from DHCP). I suspect it drops to resolver 2 for some reason from time to time.

I was thinking of redirecting all DNS UDP/TCP from iPad to NAS using iptables on the router.
The IPv4 part is pretty straightforward:
Code:
#!/bin/sh
exec >/dev/null 2>&1
IP4=##IPAD_IP##   # iPad's LAN IPv4 address
DNS4=##NAS_IP##   # NAS DNS server IPv4 address
# Redirect the iPad's DNS (UDP and TCP) arriving on the LAN bridge to the NAS
DNS_RULE1="PREROUTING -i br0 -s $IP4 -p udp --dport 53 -j DNAT --to $DNS4:53"
DNS_RULE2="PREROUTING -i br0 -s $IP4 -p tcp --dport 53 -j DNAT --to $DNS4:53"
# Keep the redirection only while the NAS resolver answers queries
if /usr/bin/nslookup my-domain.fr $DNS4; then
  iptables -w -t nat -C $DNS_RULE1 || iptables -w -t nat -A $DNS_RULE1
  iptables -w -t nat -C $DNS_RULE2 || iptables -w -t nat -A $DNS_RULE2
else
  # NAS DNS is down: remove both rules so the iPad can fall back to the secondary resolver
  iptables -w -t nat -D $DNS_RULE1
  iptables -w -t nat -D $DNS_RULE2
fi
With a cron job run every minute to launch this script (if the NAS DNS is down, it removes the DNS rules).

The problem is for IPv6.
ip6tables does not have the nat table (kernel 3.4.x does not support it, and @Voxel cannot use a more recent kernel because of NG proprietary code).

What are the solutions, if any, to redirect packets without the nat table?
You can't really redirect it, but you can block it if you had to.
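Added example, not code posted in the thread: an IPv6 counterpart of the IPv4 script above, built on the reply's point that the filter table can still block what the missing nat table cannot redirect. It assumes constructed placeholder addresses (2001:db8::10 for the iPad, 2001:db8::53 for the NAS), that the iPad's fallback queries to the router's own Stubby arrive on the INPUT chain while queries to any WAN resolver cross FORWARD (LAN-to-LAN traffic is switched on br0 and never reaches these chains, so queries to the NAS are unaffected), and that nslookup on the router accepts an IPv6 server address for the same health check the IPv4 script uses.

```sh
#!/bin/sh
# Added example (not from the thread): IPv6 counterpart of the IPv4 DNAT script.
# ip6tables here has no nat table, so the iPad's DNS cannot be redirected to the
# NAS; the filter table can still reject DNS the iPad sends anywhere else, which
# is the "block" option the reply mentions. Addresses are constructed placeholders.
IP6="${IP6:-2001:db8::10}"    # iPad IPv6 address (assumed placeholder)
DNS6="${DNS6:-2001:db8::53}"  # NAS DNS server IPv6 address (assumed placeholder)

# Print one rule specification per line (chain first, no -A/-C/-D verb).
# INPUT covers DNS aimed at the router's own Stubby, FORWARD covers DNS aimed at
# any WAN resolver; "! -d" keeps the NAS reachable if it ever sits on a routed segment.
dns6_block_rules() {
  for chain in INPUT FORWARD; do
    for proto in udp tcp; do
      printf '%s -i br0 -s %s ! -d %s -p %s --dport 53 -j REJECT\n' \
        "$chain" "$IP6" "$DNS6" "$proto"
    done
  done
}

# Add (idempotently) or delete every rule from dns6_block_rules; $1 is add|del.
# The rule variable is deliberately unquoted so the shell splits it into arguments.
apply_dns6_rules() {
  dns6_block_rules | while read -r rule; do
    case "$1" in
      add) ip6tables -w -C $rule 2>/dev/null || ip6tables -w -I $rule ;;
      del) ip6tables -w -C $rule 2>/dev/null && ip6tables -w -D $rule ;;
    esac
  done
}

# Same health check as the IPv4 script: keep the block only while the NAS resolver
# answers, otherwise lift it so the iPad can fall back to the router's Stubby.
# Only acts when run as root with an explicit "apply" argument (e.g. from cron:
# "* * * * * /path/to/dns6-block.sh apply", path assumed).
if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
  if nslookup my-domain.fr "$DNS6" >/dev/null 2>&1; then
    apply_dns6_rules add
  else
    apply_dns6_rules del
  fi
fi
```

REJECT is used instead of DROP so the iPad gets an ICMPv6 unreachable and moves on to the next resolver immediately rather than waiting for a timeout; the rules are inserted with -I so they sit ahead of any accept-all rule already in the chain, and -C makes the once-a-minute cron run idempotent just like the IPv4 version.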