Redirect DNS to local server

[agneev]

Hi!

I'm running Voxel Firmware on my RBR50 w/ Entware.

I was wondering if it's possible to redirect all DNS queries to my local server (including those made to Google DNS)?

 

[eibgrad]

As long as you have access to the firewall, you can use DNAT rules in PREROUTING for the redirection.

#!/bin/sh
DNS_SERVER_IP='192.168.1.100'
iptables -t nat -I PREROUTING -p tcp --dport 53 ! -d $DNS_SERVER_IP -j DNAT --to $DNS_SERVER_IP
iptables -t nat -I PREROUTING -p udp --dport 53 ! -d $DNS_SERVER_IP -j DNAT --to $DNS_SERVER_IP

 

[agneev]

Thanks. I'll try this. How can I get this to persist when the router reboots?

 

[eibgrad]

I don't use Voxel, but I assume it has a facility to allow the user to add their own firewall rules. With Merlin, for example, it's via user-defined scripts that are triggered in response to specific events (e.g., completed initialization of the firewall). On other firmware, check the firewall configuration area, where there may be an input field for such customization.

 

[agneev]

Yes you’re right, a script can be created that adds the rules to iptables on reboot.

Does this preserve the source IP of the client when it’s hits the local server?

 

[eibgrad]

Does this preserve the source IP of the client when it’s hits the local server?

Yes. You're only changing the destination IP.

 

[eibgrad]

Well now that I think about it more, you may need the following rule as well.

iptables -t nat -I POSTROUTING -d $DNS_SERVER_IP -j SNAT --to <router-lan-ip>

It just depends. If the DNS server's IP is in the same local network as the client, and the router does NOT have NAT loopback enabled for DNAT'd rules, the SNAT will probably be required (you'll need to replace <router-lan-ip> w/ the actual router LAN ip). Either way, that *will* mask the source IP from the DNS server.

That's why it would be preferable to directly configure those clients w/ the DNS server's IP via DHCP. You could then use the rules I provided (including the SNAT) as a means to catch rogue clients. But again, the source IP for those rogue clients would be masked by the router's LAN ip.

It's a bit difficult to be absolutely definitive here since again, I don't use that firmware.

 

[agneev]

I actually want to know which clients are sending the DNS queries.

The first two commands don’t seem to work and now DNS seems to not work.
My DNS server is within my subnet and I’m using it as DHCP as well.
Here’s the iptables output: https://pastebin.ubuntu.com/p/KHhyZ94HMJ/

 

[eibgrad]

Actually, since the rules are added to the NAT table, NOT the FILTER table, it requires the following dump command.

iptables -t nat -vnL

 

[agneev]

Here's the PREROUTING chain after adding the two rules:

root@Orbi:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 17498 packets, 952K bytes)
pkts bytes target prot opt in out source destination
77 4863 DNAT udp -- * * 0.0.0.0/0 !10.0.0.10 udp dpt:53 to:10.0.0.10
0 0 DNAT tcp -- * * 0.0.0.0/0 !10.0.0.10 tcp dpt:53 to:10.0.0.10
0 0 REDIRECT udp -- br0 * 0.0.0.0/0 !10.0.0.1 udp dpt:53UNKNOWN match `dnshijack' redir ports 53
0 0 DROP tcp -- * * 0.0.0.0/0 10.0.0.1 tcp dpt:21
0 0 lan_dnat all -- br0 * 0.0.0.0/0 172.22.227.55
19116 1001K net_dnat all -- brwan * 0.0.0.0/0 0.0.0.0/0
2081 297K igmp_nat udp -- brwan * 0.0.0.0/0 224.0.0.0/4

 

[agneev]

I do have NAT loopback I think, as I can access forwarded ports from my LAN.

With these rules, the DNS queries are answered by my local server but no webpages open and lookups are aware of this:

❯ dig @1.2.3.4 google.com
;; reply from unexpected source: 10.0.0.10#53, expected 1.2.3.4#53

;; reply from unexpected source: 10.0.0.10#53, expected 1.2.3.4#53

;; reply from unexpected source: 10.0.0.10#53, expected 1.2.3.4#53

After I added the SNAT rule, it works properly.

Can I create exceptions for certain IP addresses that don't get redirected?