Block hard-coded Google DNS

Hello everyone,
I'm contacting you again with a question:
I've noticed that some devices use a hard-coded Google DNS server (Fire Stick, Android phones, etc.) instead of the resolver handed out by DHCP.
I want these devices to use my DNS settings as well.
I tried to set up a traffic rule for this, which unfortunately did not work.

Do any of you know what to do?

I am using OpenWRT 23.05

As long as the requests are not encrypted (plain DNS on port 53), you can redirect them on the router with a DNAT rule, e.g. DST 8.8.8.8 53/udp from the client's zone to the router's address in that zone (192.168.1.1:53 for lan). Keep in mind that Google also publishes 8.8.4.4 and IPv6 resolvers, so it is safer to redirect any destination port 53 from that zone rather than a single address; DNS-over-TLS (853/tcp) and DNS-over-HTTPS (443/tcp) cannot be transparently redirected this way.


https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns


Thanks, I tried this, but it did not work.
I am using a separate subnet for my IoT devices (192.168.20.0/24) — maybe that is part of the problem? Of course I selected that interface (the IoT zone) in the rule and not 'lan'.

ok, and ....?

post your /etc/config/firewall and /etc/config/network files.

Here you go. FYI: I removed the intercept rule again before taking these dumps.

FW
cat /etc/config/firewall

# /etc/config/firewall (fw4, OpenWrt 23.05) as posted. NOTE(review): the DNS
# intercept (DNAT) rule from the wiki had already been removed again when this
# dump was taken, so nothing below redirects or blocks DNS leaving the client
# zones towards the Internet.

# Default policy: reject traffic to the router and between zones unless a zone
# or rule below explicitly allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted LAN: full access to the router and to every zone it is forwarded to
# (wan and WGVPN, see the forwarding sections).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Upstream: NAT (masq) and MSS clamping; inbound from the Internet is rejected
# except for the Allow-* rules below.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# --- OpenWrt default inbound allowances on wan ---
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Default OpenWrt rules that let IPsec ESP and IKE (500/udp) from the Internet
# into the lan zone. NOTE(review): nothing in this thread shows a LAN host
# terminating IPsec; if there is none, these two rules can be removed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# The policy-based-routing package installs its own (fw4-compatible) rules
# through this include script.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

# WireGuard tunnel zone, masqueraded like wan. lan, GUEST and IoT are all
# forwarded into it (see the forwarding sections below).
config zone
        option name 'WGVPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'

config forwarding
        option src 'WGVPN'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'WGVPN'

# Guest zone: may only talk to the router for DNS (53) and DHCP (67/udp) and is
# forwarded to wan and the VPN; no forwarding to lan or IoT exists, so it is
# isolated from them.
config zone
        option name 'GUEST'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# No proto given — presumably matches both TCP and UDP 53 (the fw4 default for
# a rule with dest_port); confirm with `fw4 print` if in doubt.
config rule
        option name 'Allow-DNS-Guest'
        option src 'GUEST'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option src 'GUEST'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'GUEST'
        option dest 'wan'

config forwarding
        option src 'GUEST'
        option dest 'WGVPN'

# IoT zone: same shape as GUEST — DHCP and DNS to the router, forwarding to
# wan and the VPN only. Any DNS intercept (DNAT) rule for devices on this
# subnet must use src 'IoT' and redirect to the router's address in this zone
# (192.168.20.1 per /etc/config/network); a rule on 'lan' never sees IoT
# traffic. As posted, no rule stops plain DNS (53) or DoT (853) from leaving
# this zone towards arbitrary Internet resolvers.
config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'IoT'
        option dest 'wan'

config forwarding
        option src 'IoT'
        option dest 'WGVPN'

config rule
        option name 'Allow-DHCP-IoT'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67'
        option target 'ACCEPT'

# Same as Allow-DNS-Guest: no proto, so presumably TCP and UDP 53 to the
# router itself.
config rule
        option name 'Allow-DNS-IoT'
        option src 'IoT'
        option target 'ACCEPT'
        option dest_port '53'

Network

cat /etc/config/network

# /etc/config/network as first posted (before the blackhole route was added).
# Keys, addresses and the ULA prefix are redacted as 'CLEARED'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'CLEARED'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr 'CLEARED'

config device
        option name 'lan2'
        option macaddr 'CLEARED'

config device
        option name 'lan3'
        option macaddr 'CLEARED'

# Trusted LAN, 192.168.1.0/24 — the router address the wiki intercept example
# redirects to (192.168.1.1) only applies to this subnet.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'CLEARED'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# WireGuard client tunnel (zone WGVPN). The 'dns' entries here are, presumably,
# used as upstream resolvers by the router itself when the tunnel is up; what
# DHCP clients are told to use lives in /etc/config/dhcp (not shown) — confirm.
# The second dns line is missing its opening quote — a redaction artefact of
# the paste, not valid UCI.
config interface 'WGINTERFACE'
        option proto 'wireguard'
        option force_link '1'
        option private_key 'CLEARED'
        option mtu '1320'
        list dns '10.128.0.1'
        list dns CLEARED'
        list addresses 'CLEARED'
        list addresses 'CLEARED'

# Three peer sections are declared for the same interface, each routing
# everything (0.0.0.0/0, ::/0). This one and the second are disabled; only the
# third (port 51820, no preshared key) is active.
config wireguard_WGINTERFACE
        option description ''
        option public_key 'CLEARED'
        option preshared_key 'CLEARED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'CLEARED'
        option endpoint_port '1637'
        option persistent_keepalive '15'
        option disabled '1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

# Guest network, 192.168.10.0/24.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# IoT network, 192.168.20.0/24 — the subnet the Fire Stick is on. Uses the
# legacy 'type bridge' form on the interface rather than a separate
# config device section like br-guest; presumably equivalent here.
config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option type 'bridge'

# Disabled peer (see note on the first peer section).
config wireguard_WGINTERFACE
        option description ''
        option public_key 'CLEARED'
        option preshared_key 'CLEARED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'CLEARED'
        option endpoint_port '1637'
        option persistent_keepalive '15'
        option disabled '1'

# Active peer: not disabled, no preshared_key, endpoint port 51820.
config wireguard_WGINTERFACE
        option description ''
        option public_key 'CLEARED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host 'CLEARED'
        option endpoint_port '51820'

Add the following to /etc/config/network. It is a blackhole route on the router: every packet routed to 8.8.8.8 is dropped there, so the stick's hard-coded resolver never answers and the device has to fall back to whatever DHCP gave it.

# Blackhole route on the router: every packet routed to 8.8.8.8 is silently
# dropped, so a client with that resolver hard-coded gets no answer and (as the
# Fire Stick did later in this thread) ends up using the resolver configured
# for its subnet instead.
# Caveats: this covers only the one /32 — 8.8.4.4 and Google's IPv6 resolvers
# are unaffected unless added the same way — and it drops *all* traffic to
# 8.8.8.8, not just DNS. A DNAT intercept of port 53 on the client's zone is
# the more transparent fix; neither approach stops DoT/DoH to other resolvers.
config route
        option interface 'loopback'
        option type 'blackhole'
        option target '8.8.8.8/32'
        # metric only matters against another route for the same /32; none
        # exists in this config.
        option metric '1234'

Thanks, I tried this — the Fire Stick still shows up as using 8.8.8.8 according to the check.

That should not be possible: with the blackhole route in place, packets for 8.8.8.8 are dropped on the router and never reach Google.

How are you verifying this ?

I used https://mullvad.net/en/check (among other leak-check sites).

And you run this check directly on the fire stick, yes ?

I rebooted several times and it still reports Google's DNS. Here is my current config. I also tried setting DNS servers on the interfaces. Maybe https-dns-proxy needs to be reconfigured too? I don't see why that should be necessary, though, since we blackhole the request on the router before it ever gets that far, right?

cat /etc/config/network

# /etc/config/network as posted after adding the blackhole route and per-
# interface dns entries. Keys and addresses are redacted as 'CLEARED'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Blackhole route added in this thread: traffic routed to 8.8.8.8 is dropped
# on the router. Only this one /32 is covered (not 8.8.4.4 or Google's IPv6
# resolvers), and all traffic to it is dropped, not only DNS.
config route
        option interface 'loopback'
        option type 'blackhole'
        option target '8.8.8.8/32'
        option metric '1234'

config globals 'globals'
        option ula_prefix 'CLEARED'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr 'CLEARED'

config device
        option name 'lan2'
        option macaddr 'CLEARED'

config device
        option name 'lan3'
        option macaddr 'CLEARED'

# Trusted LAN, 192.168.1.0/24.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'CLEARED'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# WireGuard client tunnel (zone WGVPN). NOTE(review): private_key shows as ''
# here where the earlier dump had 'CLEARED' — presumably just a different
# redaction; an actually empty key would leave the tunnel unusable.
# The 'dns' entry (194.242.2.3) is presumably used as a router-side upstream
# while the tunnel is up, not handed to DHCP clients — confirm in
# /etc/config/dhcp (not shown).
config interface 'WGINTERFACE'
        option proto 'wireguard'
        option force_link '1'
        option private_key ''
        option mtu '1320'
        list addresses 'CLEARED'
        list addresses 'CLEARED'
        list dns '194.242.2.3'

# Three peer sections for the same interface, each routing everything
# (0.0.0.0/0, ::/0). This one and the second are disabled; only the third
# (port 51820, no preshared key) is active.
config wireguard_WGINTERFACE
        option description ''
        option public_key 'CLEARED'
        option preshared_key 'CLEARED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'CLEARED'
        option endpoint_port '1637'
        option persistent_keepalive '15'
        option disabled '1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

# Guest network, 192.168.10.0/24.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# IoT network, 192.168.20.0/24 — the Fire Stick's subnet. The tcpdump later in
# the thread shows a client here querying 10.64.0.1 directly on plain 53/udp,
# i.e. bypassing the router's own resolver (dnsmasq / https-dns-proxy) and
# going out through the tunnel. How the client learned that address is not
# shown (DHCP option 6 in /etc/config/dhcp is the usual place) — confirm.
config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        list dns '10.64.0.1'

# Disabled peer (see note on the first peer section).
config wireguard_WGINTERFACE
        option description ''
        option public_key 'CLEARED'
        option preshared_key 'CLEARED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'CLEARED'
        option endpoint_port '1637'
        option persistent_keepalive '15'
        option disabled '1'

# Active peer: not disabled, no preshared_key, endpoint port 51820.
config wireguard_WGINTERFACE
        option description ''
        option public_key 'CLEARED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host 'CLEARED'
        option endpoint_port '51820'

Exactly, yes.

Use tcpdump on the router (on the wan interface, or on the IoT-side interface to see what the stick itself sends) to check whether any traffic towards 8.8.8.8 actually leaves it — that is the authoritative test; a web-based check cannot see what the router drops.

Good idea — and that indeed looks better. (The capture below was taken on the wireless AP interface phy1-ap1, i.e. the stick's own side of the router, so it shows what the stick really sends: its queries now go to 10.64.0.1, the resolver configured for the IoT subnet, and nothing is sent to 8.8.8.8.)

tcpdump: listening on phy1-ap1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:20:03.821846 IP (tos 0x0, ttl 64, id 58131, offset 0, flags [DF], proto UDP (17), length 62)
    192.168.20.110.48887 > 10.64.0.1.53: [udp sum ok] 34968+ A? msh.amazon.co.uk. (34)
22:20:03.827866 IP (tos 0x0, ttl 63, id 63262, offset 0, flags [none], proto UDP (17), length 78)
    10.64.0.1.53 > 192.168.20.110.48887: [udp sum ok] 34968 q: A? msh.amazon.co.uk. 1/0/0 msh.amazon.co.uk. [3s] A 3.254.236.182 (50)

If the Mullvad check only reports the DNS servers configured on the stick, it will be misleading, since you intercept/drop that traffic on the router — something the check knows nothing about.

Then again, anything that isn't their DNS is good for their business ;)


You're my man. Many thanks! Therefore -- solved!

If you're already using https-dns-proxy, it has an option to intercept hard-coded DNS requests (it adds the redirect rule for you), so no additional firewall rules are needed.

Yep, that's true, but that option did not work — it was bypassed by the Fire TV stick. The solution was to blackhole 8.8.8.8/32 (keep in mind this covers only that one address; Google's second resolver 8.8.4.4 and its IPv6 resolvers would need the same treatment, and DoT/DoH to other resolvers can't be stopped this way).
