Solved iptables question: How to make a custom interface get a DNS response?


Yota

Senior Member
Forgive me, I am a newbie to iptables. I have tried to do this alone all week, but I can't, so I need some help.

I have a custom interface ci01 that was created by another program. I now need this interface to get the DNS response from the router.

Here is what I did:
Allow access to the router:
Code:
iptables -I INPUT -i ci+ -j ACCEPT

Allow access to the internet:
Code:
iptables -I FORWARD -i ci+ -j ACCEPT

Allow access to my home subnet
Code:
iptables -I FORWARD -i ci+ -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o ci+ -j ACCEPT

What I did successfully:
Any device under the custom interface can ping the router, and vice versa.
Any device under the custom interface can use 8.8.8.8 DNS or other public DNS.
Without using NAT rules, custom interface using public DNS can access the Internet normally.

Needs I can't achieve:
None of the devices under the custom interface can use the router's 192.168.50.1 as the DNS server, and there is no response.
But I can use other DNS servers in my home subnet, such as 192.168.50.2 (hosted by another router). This proves that the custom interface can normally access my home subnet.

I used the command below to intercept DNS requests to my router, but after using it, I still did not get any DNS response.
Code:
iptables -t nat -I PREROUTING -i ci+ -p udp --dport 53 -j DNAT --to 192.168.50.1
iptables -t nat -I PREROUTING -i ci+ -p tcp --dport 53 -j DNAT --to 192.168.50.1


I just found that there is a DNS server on my VPN interface, so I tried the NAT command below to redirect the DNS requests to the VPN client. This command works normally. But I want the DNS requests to go through the router.
Code:
iptables -t nat -I PREROUTING -i ci+ -p udp --dport 53 -j DNAT --to 10.8.0.1
This confirms that the syntax of the command is correct, but I can't make it work for my router's DNS server.


The current state is

The custom interface:
Can access the internal network: OK
Can ping the router and vice versa: OK
Can access Internet: OK
Can get public DNS response: OK
Can get the DNS response from the router: NO

So, what should I do so that the custom interface can get the router's DNS response?


Background Information:
I enabled DNS over TLS, and DNSFilter is enabled (I have tested disabling DNSFilter and it still does not work).
My router, an RT-AC86U, runs 386.2_4 firmware.
I restart the firewall after each test, so there is no iptables rule conflict.

Yota

Senior Member
In testing I found that the new Guest Network used by AiMesh 2.0 has a separate subnet, and the subnet's devices can bypass the router rules of DNSFilter.

Just add this command to prevent it:
Code:
iptables -t nat -I PREROUTING -i br+ -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -I PREROUTING -i br+ -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

@RMerlin

ColinTaylor

Part of the Furniture
I just found that there is a DNS server on my VPN interface, so I tried the NAT command below to redirect the DNS requests to the VPN client. This command works normally. But I want the DNS requests to go through the router.
Code:
iptables -t nat -I PREROUTING -i ci+ -p udp --dport 53 -j DNAT --to 10.8.0.1
This confirms that the syntax of the command is correct, but I can't make it work for my router's DNS server.
10.8.0.1 is your router's DNS server. But you don't need to do any DNAT, just add the ci interface (ci0 or ci*) to /etc/dnsmasq.conf.

Yota

Senior Member
10.8.0.1 is your router's DNS server. But you don't need to do any DNAT, just add the ci interface (ci0?) to /etc/dnsmasq.conf.
Thank you, but what should I do?

In addition, I can get DNS response through VPN, but this is not my purpose. My purpose is to get DNS response through router, which is 192.168.50.1.

ColinTaylor

Part of the Furniture
Thank you, but what should I do?
I just told you. Add the ci interface to your dnsmasq.conf file. Look at your current dnsmasq.conf to see how it's done for br0.

See my edit to my previous post. You can either name a specific interface (e.g. ci0) or use a wildcard (e.g. ci*), whatever is most appropriate for you.

Yota

Senior Member
I just told you. Add the ci interface to your dnsmasq.conf file. Look at your current dnsmasq.conf to see how it's done for br0.

See my edit to my previous post. You can either name a specific interface (e.g. ci0) or use a wildcard (e.g. ci*), whatever is most appropriate for you.
Thank you,

My custom interface can even access the router GUI and ping 192.168.50.1 (the router), but when I use 192.168.50.1 as the DNS server, my resolution times out and nothing is returned. So I think there must be something blocking the request. Maybe I can add ci01 to /etc/dnsmasq.conf; what should I do?

/etc/dnsmasq.conf
Code:
interface=br0
Should it be like this?
Code:
interface=ci*

Yota

Senior Member
Yes. Add this to the file (don't replace the existing line).
Thank you very much, let me give it a try.

Edit: I have confirmed that this works. I thought this would be an iptables problem, but I didn't expect it to be that simple. Thanks again.
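The symptom in this thread (packets reach the router, but queries to 192.168.50.1 simply time out) is what you see when dnsmasq has no interface= entry for the interface the query arrives on: it only answers on listed interfaces and silently ignores the rest. The script below is an added example, not code from the thread or from Asuswrt-Merlin; it checks a dnsmasq.conf for coverage of an interface using dnsmasq's '*' glob wildcard and appends an interface= line only when it is missing. The file path, the function names and the sample config are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a dnsmasq.conf will answer
# queries arriving on a given interface, and add an interface= line if not.
# dnsmasq serves only interfaces listed with interface=; it uses '*' as a glob
# wildcard, which maps directly onto the shell's case patterns.
# Assumes a POSIX sh (busybox ash on the router is fine).

# dnsmasq_covers CONF IFACE -> exit 0 if some interface= entry matches IFACE.
# Entries may be comma separated (interface=br0,ci*), so split on commas too.
dnsmasq_covers() {
    conf=$1; iface=$2
    set -f   # keep '*' in the patterns from globbing against the filesystem
    for pat in $(sed -n 's/^interface=//p' "$conf" | tr ',' ' '); do
        case $iface in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# ensure_listener CONF PATTERN -> append interface=PATTERN unless that exact
# line is already present, so the existing interface=br0 line is left alone.
ensure_listener() {
    conf=$1; pat=$2
    grep -qxF "interface=$pat" "$conf" || printf 'interface=%s\n' "$pat" >> "$conf"
}

# Offline demonstration with a constructed config: before the fix the router
# in the thread has only interface=br0, so ci01 is not served.
demo() {
    tmp=$(mktemp)
    printf 'interface=br0\n' > "$tmp"
    dnsmasq_covers "$tmp" ci01 && echo "ci01 covered" || echo "ci01 not covered"
    ensure_listener "$tmp" 'ci*'
    dnsmasq_covers "$tmp" ci01 && echo "ci01 covered" || echo "ci01 not covered"
    rm -f "$tmp"
}
```

On Asuswrt-Merlin /etc/dnsmasq.conf is regenerated by the firmware, so a persistent change belongs in /jffs/configs/dnsmasq.conf.add rather than in the generated file; the coverage check works the same on either. Keep the pattern as narrow as the interface naming allows, since every matched interface becomes a DNS listener.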

RMerlin

Asuswrt-Merlin dev
In testing I found that the new Guest Network used by AiMesh 2.0 has a separate subnet, and the subnet's devices can bypass the router rules of DNSFilter.

Just add this command to prevent it:
Code:
iptables -t nat -I PREROUTING -i br+ -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -I PREROUTING -i br+ -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

@RMerlin

Thanks, fixed.
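The DNAT rules quoted above close a filtering bypass: a client on a bridged guest subnet that points itself at an outside resolver would otherwise skip DNSFilter entirely, so port-53 traffic is forced back to the router's own resolver. The script below is an added example, not code from the thread or from Asuswrt-Merlin; it emulates the iptables '+' interface wildcard so you can see which interfaces a pattern such as br+ catches, and prints the udp and tcp rules in an idempotent form (iptables -C before -I) instead of applying them directly. The function names and the LAN address used in the offline run are assumptions; on the router the address comes from nvram get lan_ipaddr exactly as in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: generate the DNS-intercept DNAT rules
# for a given iptables interface pattern and print them for review. Pipe the
# output into sh on the router to apply. Assumes a POSIX sh.

# iptables_wild_match PATTERN NAME: iptables treats a trailing '+' as "any
# suffix" (ci+ matches ci01, br+ matches br0 and br1); emulate that here so a
# pattern can be sanity-checked before it is used in a rule.
iptables_wild_match() {
    pat=$1; name=$2
    case $pat in
        *+) case $name in "${pat%+}"*) return 0 ;; esac ;;
        *)  [ "$pat" = "$name" ] && return 0 ;;
    esac
    return 1
}

# dns_redirect_rules IFACE_PATTERN DNS_IP: print one rule per protocol that
# sends any port-53 traffic from matching interfaces to DNS_IP. Each line first
# tries -C (check) so repeated runs do not stack duplicate rules.
dns_redirect_rules() {
    ifpat=$1; dns=$2
    for proto in udp tcp; do
        rule="PREROUTING -i $ifpat -p $proto --dport 53 -j DNAT --to $dns"
        printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' "$rule" "$rule"
    done
}

# Offline demonstration; LAN_IP is a constructed value standing in for
# "$(nvram get lan_ipaddr)" on the real router.
LAN_IP=${LAN_IP:-192.168.50.1}
for ifname in br0 br1 ci01 tun11; do
    if iptables_wild_match 'br+' "$ifname"; then
        echo "br+ matches $ifname"
    else
        echo "br+ does not match $ifname"
    fi
done
dns_redirect_rules 'br+' "$LAN_IP"
```

Because these are nat-table rules, the Asuswrt-Merlin nat-start user script is the usual place to run the generated lines so they survive a firewall restart. Note that redirecting to the router only helps if dnsmasq also listens on the matched interfaces (the interface= point earlier in the thread); otherwise the redirected queries time out just as the original poster's did.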
