Hey,
I've been using OpenWRT since it was LEDE and have seen this work before. Since I first started using it (2015), dnscrypt is no longer the standard, dnsmasq has been replaced by Stubby, DNSOverTLS + Signature verification are pretty much required now for privacy/security, etc.
Well, I'm facing reality at the moment because I have a rogue device within my network piggy backing on my DNS requests. Commonly used sites are targeted / dont work and using Stubby+Unbound on either the router or computer hasnt fixed it.
My current networking hardware route is below:
Modem (DHCP) -> Dummy AP (OpenWRT) -> Me
Ideally, I know I'm supposed to put the modem in bridge mode and allow the AP to do the heavy lifting, however in this specific situation and environment, thats not possible.
In effort to isolate myself from the network, I have WAN going to OpenVPN which then goes through to my LAN connected device. IP tests confirm this is working.
Thats fine and dandy, but if DNS requests cannot be verified with accuracy, I've discovered the hard way that doesnt make a difference.
I'm happy to paste my firewall / routing config to help troubleshoot - but can anyone reccomend a way to fix MITM / DNS Poisoning within a non trusted environment behind an AP? Stubby worked at first, but now the attackers have adapted and need to find a way to harden or fix my current configuration.
Thanks for your help!
PS: I mentioned DHCP because I cant get it to work with Stubby/Unbound/OpenVPN but thats most likely user error 
Edit 2: Also, please note I am the only device connected to the AP and have wireless disabled
1 Like
Do you have any idea which one is this rogue device and how is it intercepting your DNS requests?
Your network is fairly simple. You can control which hosts connect by cable and I suppose that you have secured the wifi so that no unauthorized device will be able to connect.
2 Likes
If the OpenWrt device is configured as a dumb AP, then all DHCP and DNS work is being dome by the router...
2 Likes
Unfortunately, no. The DNS issue only occurs within this network (and specific commonly used pages not working) so I can only assume that the network is the culprit. If my AP is validating DNS requests through a modem that has DHCP enabled, I've determined that any network device connected to ISP Modem/Router via WiFi can sniff those requests and adjust the attack accordingly. It was previously explained to me that setting up a router and enabling "Isolate Clients" within WiFi would prevent something like this, but again, I dont have access at the moment to bridge Modem to Router.
Overall, I'm switching networks in a week, but since I work from home, having this slight inconvenience on pages I use (my portfolio page, pages of prospect clients after being referenced in emails) it would be nice to troubleshoot why this is happening to prevent from happening in the future.
These jerks are evil. It would be nice to have some sort of logging in place to see why these domains are being rejected. Browser always claims DNS Bad Config, DNS not found, etc.
Edit: An easy test was to setup a hotspot on my phone to see if the issues continued - they didnt.
Then the question becomes:
- What DNS query servers do you have configured in DNS/DHCP and clients; and on which device did you add them?
I've used Stubby + Unbound, Stubby + Dnsmasq, Dnsmasq, DNSCrypt v2, etc.
Common configuration of stubby.yml referenced here:
As of now, Im just using DNSCrypt because I figured the stubby setup has too much room for error (trying to prevent user error before reporting). This issue continues across all setups mentioned above.
You failed to answer my question...let me rephrase:
- What DNS provider did you program into DNSCrypt?
- Does normal DNS work?
As of right now DnsCrypt is using the default FVZAnyone. All DNS works, just not reliably and switching DNS providers while connected to this AP doesnt fix Bad Config / No Dns errors on target sites.
Edit: I've tried both setting DNS to router and manual IP's within Windows IPv4 config settings.
1 Like
Post here the configuration of network and wifi:
uci show network; uci show dhcp; uci show wireless
You can mask the wifi encryption key, but I hope that you have some complex enough which you have changed upon suspicion that some malicious user might be connected to your network.
Furthermore: do you see any unknown hosts associated to the access point? Any unknown MAC address?
I find it really hard that your DNS queries are hijacked on your ISP side.
One easy way to verify that it is a DNS issue, is to use the nslookup command and try to resolve some names in order to verify if you'll get the correct result.
Finally think about the possibility of having some virus/malware that indeed messes up your DNS and tries to lure you into malicious webpages.
2 Likes
Yeah, I understand it’s hard to believe. Story of my life lately
I have AV/Firewall pretty strict on the OS side with HIPS/Keystrokes encryption etc. I’ve disabled/uninstalled all SSL interfering protection mechanisms (ESET uses it, as does Malwarebytes Internet Suite).
I’d say it’s a random occurrence, but these issues have been paired with other specific attacks that aren’t related to networking so I’ll keep it at the original question. My cautiousness or “paranoia” comes from a sequence of events pointing to customized malware injection or network based attacks.
I’ll post the results of your requested commands as soon as I return to my computer.
I’m happy to admit there may be vulnerabilities based on how I set it up, but I know that the issues occurring are at the least partially due to the above explanation.
Thanks in advance.
Results shown below
uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd5f:b6b4:8273::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='static'
network.wan.ipaddr='10.0.0.238'
network.wan.netmask='255.255.255.0'
network.wan.gateway='10.0.0.1'
network.wan.dns='208.67.222.222 208.67.220.220'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'
network.myvpnc=interface
network.myvpnc.proto='none'
network.myvpnc.ifname='tun0'
uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].dnssec='1'
dhcp.@dnsmasq[0].dnsseccheckunsigned='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].server='127.0.0.1#5353'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='36'
wireless.radio0.hwmode='11a'
wireless.radio0.path='pci0000:01/0000:01:00.0'
wireless.radio0.htmode='VHT80'
wireless.radio0.disabled='1'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='OpenWrt'
wireless.default_radio0.encryption='none'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.channel='11'
wireless.radio1.hwmode='11g'
wireless.radio1.path='platform/qca955x_wmac'
wireless.radio1.htmode='HT20'
wireless.radio1.disabled='1'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='OpenWrt'
wireless.default_radio1.encryption='none'
Please note wireless is disabled on this router so its my belief that the wireless issues stem from the settings on ISP provided router/modem which I dont have access to.
I would install wireguard and try to get more information about the device(s) that cause the problems.
1 Like
Wireguard vs OpenVPN or Wireguard for other purposes? I'm happy to make the switch - are there vulnerabilities within the OpenVPN protocol that could affect DNS?
Edit: I was under the impression that obfuscation or encryption and key exchanges between two clients would be an effective way to determine which traffic is authorized and which is not
He probably meant Wireshark to sniff the network traffic to see what is going on at the packet level.
Can you factory reset your modem and reconfigure from scratch? Can you update its firmware? Or get a new modem from you provider?
1 Like
Wireshark, not wireguard
Ah yes. I can install but to be honest I’m not sure what I’m looking at beyond source and destination (similar to firewall logs). When I’ve dared to look at the packets, they seem to be mostly encrypted so I’m not sure what I’m trying to read. There are plenty of books/manpages out there I can read if it’s 100% necessary to determine what’s causing the issue.
I was hoping an additional layer of protection (pfSense or Firewalla, etc) would be a more “user friendly” solution to dissect all the information into buckets I can logically look through.
Or, in this case was hoping OpenWRT would have a way to log / strict firewall custom rules / community package installation to help with diagnostics.
Can you reset?
Yeah, these are all things I’ve considered but I’ll be out of this environment in a week with a fresh modem that I’ll be ensuring nothing connects to before put into bridge mode. Once I’ve done so with a new router with fresh sha verified firmware, with all wireless clients in “isolation mode”, I’m hoping that would allow me to determine if anything funky is lurking on my machine. I’m guessing running a IP scanner on my subnet would be a sufficient way to tell if Isolation is working.
Sorry my bad, as the others said i've meant wireshark.
Quickly looking through configs, and isn't the DNS on your wan using OpenDNS ?
Also you could install iftop package. Run it from command line in 2 seperate putty windows. In one window watch the wan connection, in the other watch the lan connection. Set a screen filter on each window so you only see packets going to DNS on port 53. From here you can at least see what device is asking for the DNS requests, and where they are being sent.
Use something like iftop -PpNnB -i eth1.1 for LAN and iftop -PpNnB -i eth0.2 for WAN, hit L (lower case L) when in the iftop window and use :53 as the screen filter. It will then only show you packets that are using port 53.
Good luck
1 Like
Isnt this your DNS?
Yeah. I tried a simpler approach (non-proxied DNS) after the initial DNS errors occurred. I'll be transitioning into the new environment within the next couple of days. I'll start completely fresh as previously mentioned (suggested) and see if the issues still occur.
Check out this awesome tool
Oh wow - I didnt know you could mirror logs into desktop environments via SSH! That will definitely help with pinpointing whats going wrong (if I can reproduce the issue in the new environment with all of the new conditions).
Luckily, I found a good deal on "The Practice of Network Security Monitoring" by Richard Bejtlich. I'll definitely make sure to give that a good read.
Thanks everyone for all the help so far.
This seems quite wild.
If I was this paranoid, I'd disconnect everything and set up one-by-one. In addition, I wouldn't be using all this fancy DNS stuff - confusing everything.
Also, you never told me how you configured DNS servers on your clients. It's quite hard to provide assistance when you're not answering inquires.
1 Like
Its not about paranoia, its about troubleshooting my services so they work. I dont care if Joe Schmoe A reads my DNS logs... I've given up on the idea of privacy ever since the net neutrality act was squashed 
Besides...what's the quote "Only the paranoid survive"?
I've seen much crazier ideas implemented in this forum... surprised this qualifies as "wild".
DNS Client Config
Clients IPV4 DNS currently set to the routers gateway. DNS within DNSCrypt set to default (even though route shows set to manual 208.67.***, that was my final attempt to fix after initial issues occurred)