Correct Way to Set DNS Server

Then you need to perform the troubleshooting:

uci show firewall
iptables-save -t nat
netstat -l -n -p | grep -e :53 -e dnsmasq

That may not work in all cases. That rule only covers UDP port 53, and DNS will sometimes use TCP.

Is it possible to get one of the moderators to change that to either "ANY" protocol or, at the very least, set it to "TCP + UDP"?

link to page I looked at:
https://openwrt.org/docs/guide-user/dns-request-hijacking


I run 2 DNS servers locally and have firewall rules set up in the Luci firewall settings.

# Force my DNS servers
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.11:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.11:53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.13:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.13:53

iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.11 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.11 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.13 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.13 --dport 53 -j ACCEPT

#End iptable rules

I also have rules to block Google's IPv4 and IPv6 DNS servers that I created in Luci Traffic Rules.

These rules in Luci Firewall also seem to work for one local DNS server, but I do not use them anymore; can't remember why.

iptables -t nat -A PREROUTING -i br-lan -p udp ! --source 192.168.200.11 ! --destination 192.168.200.11 --dport 53 -j DNAT --to 192.168.200.11
iptables -t nat -A PREROUTING -i br-lan -p tcp ! --source 192.168.200.11 ! --destination 192.168.200.11 --dport 53 -j DNAT --to 192.168.200.11

@sml156, FYI OpenWrt discourages:

  • Operating raw iptables commands unless it's really necessary.
  • Ignoring pre-configured firewall chains.
  • Using physical interface names.
3 Likes

Did not know that. I will have to search the forum unless you know a link where I can read about it.

Thanks. I may be figuring out another way to solve the problem this weekend; I have a couple of devices that don't respect my DHCP server's wishes with "option 6".

Do you have devices on your network that have UDP blocked?
Simply make a TCP rule as well. Good catch!

You would add a DHCP Option 6 in the LuCI web GUI:

You can also give a specific DHCP reply to the particular client...

I actually know about OpenWrt and its option 6 box, and I believe your second example is called tagging.

For over a year now I have been disabling OpenWrt's DHCP server and using 2 Piholes, each running DHCP and DNS.

I just got a new Samsung S8 phone before Christmas and noticed in my logs that even though I had set up option 6 on the DHCP servers to point to my PiHoles, it would bypass them and go straight to Google's DNS servers; every other device would use what I told it to.

This is a new feature that newer Android devices have started (for me) since Android 8 Oreo, and the only cure I have found is to block Google's IPv4 and IPv6 DNS servers. This forces my phone to use my server, and the iptables rules help, which I might change over the weekend for a more approved method.

More and more devices in the future are going to hard code in their own preferred DNS servers.

I applaud Google for making the internet a bit easier for the masses, but I wish they included a way to disable it for fringe cases like me. I have no idea what corporations do who have strict rules about logging and what sites people are allowed to visit.

About Pihole, if you have never heard about it.

1 Like

I doubt this. IPs are not a permanent fixture. Hard coding in Android's case is actually pretty bad.

I don't see how that's easy. This means those devices won't resolve local hostnames from the OpenWrt.

Well, that's your issue - you completely disabled it.

Enabling your OpenWrt's Dnsmasq and adding the DNS Hijack firewall rule(s) should fix the problem of your clients using their own static DNS server.

2 Likes

adblock has a tick box for that.... for users who are GUI inclined... it's "lan" zone only... but you could diff to get the rules

Force Local DNS
 
Redirect all DNS queries from 'lan' zone to the local resolver, apply to udp and tcp protocol on ports 53, 853 and 5353.
opkg update; opkg install adblock luci-app-adblock diffutils;
iptables-save > /tmp/prednsredir;
echo "go and tick option";
iptables-save > /tmp/postdnsredir;
diff /tmp/prednsredir /tmp/postdnsredir

At the moment I'm back on my stock Linksys WRT1900AC firmware after I realised my ISP DNS servers weren't working on my own compiled OpenWRT build. I first tried my ISP router and everything worked, so I then checked the stock firmware for my router and that seems to be working. As soon as I'm the only one on the internet I'm going to flash a stable 18.06.2 build and see if I can get the ISP DNS servers working, because that may be the reason why my firewall ports weren't behaving. If no luck I will try

uci show firewall
iptables-save -t nat
netstat -l -n -p | grep -e :53 -e dnsmasq

as vgaetera mentioned.

However, I did notice that with the box 'Use DNS servers advertised by peer' checked and setting DHCP-option 6 to '6,208.67.220.220,208.67.222.222', it actually established connections.

Also, in regards to the hard-coded Google DNS servers, I can confirm that under the advanced options there are default options in the DNS server boxes.

Okay, I have downloaded the pre-built build of OpenWrt and my ISP DNS servers are working. So far I have set the DNS server under the WAN connection, and then I tried to add the following to the firewall, after which I couldn't connect to any website:

config redirect
	option name 'DNS Redirect'
	option src 'lan'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option enabled '1'

I think (could be wrong; I am, frequently), you'll need to add:

option dest 'lan'
option proto 'tcp udp'

@tectonic, no need.
In this case even option dest_port=53 is redundant, and option proto is tcpudp by default:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#options2

@willowen100, if your issue persists, then provide the requested diagnostic information.

1 Like

Okay, I've finally sorted it! I've made some instructions just in case anyone comes across this thread.

WAN

  1. Go to 'Network > Interfaces > WAN'
  2. Under 'Common Configuration' select the 'Advanced Settings' tab and uncheck ' Use DNS servers advertised by peer'
  3. In the box below enter the OpenDNS Servers '208.67.220.220' and '208.67.222.222'
  4. Click the 'Save' button
config interface 'wan'
        option proto 'pppoe'
        option username 'user@domain.com'
        option password 'password'
        option ipv6 'auto'
        option ifname 'eth1'
        option mtu '1492'
        option peerdns '0'
        option dns '208.67.222.222 208.67.220.220'

LAN

  1. Go to 'Network > Interfaces > LAN'
  2. Under 'DHCP Server' set 'DHCP-Options' to '6,208.67.222.222,208.67.220.220'
  3. Click the 'Save' button
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '1h'
        list dhcp_option '6,208.67.222.222,208.67.220.220'

DHCP & DNS

  1. Go to 'Network > DHCP and DNS'
  2. Under 'Server Settings' select the 'Resolv and Hosts Files' tab ensure the 'Ignore resolve file' is unchecked
  3. Click the 'Save' button

Firewall

  1. Go to 'Network > Firewall'
  2. Under the 'Port Forwards' tab enter 'Force DNS' under 'New port forward' section
  3. Set the 'Protocol' to 'TCP+UDP'
  4. Set 'External zone' to 'WAN' **
  5. Set 'External port' to '53'
  6. Set 'Internal zone' to 'lan' **
  7. Set 'Internal port' to '53'
  8. Click the 'Add' button
  9. Once it's added to the list open it back up by clicking the 'Edit' button
  10. Change the 'Source zone' from 'wan' to 'lan'
  11. Click the 'Save & Apply' button
    ** If you're unable to set the exact zones simply select anything as you can change it in step 9
config redirect
        option enabled '1'
        option target 'DNAT'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option name 'Force DNS'
        option src 'lan'

Your firewall rule should look like the following

Finally reboot your router by heading to 'System > Reboot'

11 Likes
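As an added example (not from the thread or the OpenWrt project), a small POSIX shell checker that takes `iptables-save -t nat` output, such as the troubleshooting command suggested above, and reports which protocols the port-53 DNAT rules cover, so a UDP-only hijack rule like the one the wiki page originally showed is flagged instead of being missed. The two rule sets it is run against are constructed samples: one raw rule as in the wiki, one in the `zone_lan_prerouting` chain style that fw3 generates from the 'Force DNS' redirect above.

```shell
#!/bin/sh
# Added example: verify that DNS redirection covers both TCP and UDP.
# Input is the text printed by `iptables-save -t nat`; nothing is changed on the box.

# Constructed sample: a UDP-only hijack rule (the gap pointed out in the thread).
SAMPLE_UDP_ONLY='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:53
COMMIT'

# Constructed sample: what fw3 emits for the "Force DNS" redirect with proto tcp udp.
SAMPLE_BOTH='*nat
:PREROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
-A PREROUTING -i br-lan -j zone_lan_prerouting
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Force DNS" -j DNAT --to-destination 192.168.1.1:53
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Force DNS" -j DNAT --to-destination 192.168.1.1:53
COMMIT'

# dns_hijack_protos TEXT
# Prints the sorted, space-separated protocols of every rule (in any nat chain)
# that matches destination port 53 and jumps to DNAT or REDIRECT.
dns_hijack_protos() {
    printf '%s\n' "$1" |
        grep -E '^-A [A-Za-z0-9_]+ .*--dport 53 .*-j (DNAT|REDIRECT)' |
        sed -n 's/.* -p \([a-z][a-z]*\) .*/\1/p' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# dns_hijack_complete TEXT
# Exit status 0 when both tcp and udp are redirected, 1 when either is missing.
dns_hijack_complete() {
    protos=" $(dns_hijack_protos "$1") "
    case "$protos" in *" tcp "*) ;; *) return 1 ;; esac
    case "$protos" in *" udp "*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run: report on both constructed samples.
for name in SAMPLE_UDP_ONLY SAMPLE_BOTH; do
    eval "text=\$$name"
    if dns_hijack_complete "$text"; then
        echo "$name: ok, port 53 redirected for: $(dns_hijack_protos "$text")"
    else
        echo "$name: INCOMPLETE, only redirected for: $(dns_hijack_protos "$text")"
    fi
done
```

On a live router, replace the constructed text with `"$(iptables-save -t nat)"`; a failing check means clients can still reach outside resolvers over the uncovered protocol.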

If your problem is solved, please consider marking the topic as [Solved] (Click the pencil behind the topic...).

1 Like

I have created a guide on the WiKi > https://openwrt.org/forced_dns_redirection

2 Likes

@bobafetthotmail what would be the correct namespace for this page; perhaps docs/guide-user/network/?

I was thinking docs/guide-user/services/dns/

The Android issue does not seem to be the case for me. I am on Pie on a Note 9 and I use a PiHole on my network as my only DNS. Even with it hard-coded as you say, I can see my device logs within my PiHole. I simply use the dhcp-options 6 choice, and all my clients are receiving my PiHole DNS, including all those who use our guest network.

I am of course able to bypass my PiHole by adding my own DNS servers under static.

@willowen100, do you understand that enabling DNS-hijacking makes DNS configuration via DHCP meaningless?


@mrpink57, Google-DNS should be used only as fallback method.

No, it's a firewall thing, similar to Parental controls. I already moved it in https://openwrt.org/docs/guide-user/start#firewall_configuration

2 Likes