DNS hijacking + custom DNS per MAC

The rule works fine in IPv4, as shown from the hits on the iptables. However, since you are using ipv6, you'll have to either enable a similar redirect on ip6tables or deactivate the lookups on ipv6.

Cloning redirects for dual-stack mode is only possible when the destination IP is unspecified.
Redirecting both IPv4 and IPv6 queries to a single DNS is best to combine with DNS forwarding.
Or you can stop advertising IPv6 DNS with DHCPv6/RA.

If I remember correctly, an IPv4 nameserver can be used in RA/DHCP6 settings, thus forcing to use the IPv4 only.

Odhcpd ignored the custom IPv4 DNS and still pushed the automatic IPv6 ones when I tested it last time.

Since NordVPN doesn't support IPv6 from a quick search I did, one solution would be to add a firewall rule to reject port 53 on the router input for IPv6 only.
Better to follow @vgaetera's advice.

Does this disable DHCP passing to my clients my router IP as the DNS server? I thought the idea is that my router IP (192.168.1.1) gets presented to clients as the DNS server, and then my router, when it receives the DNS request, either uses the one set in the WAN interface, or, if hijacked, forwards it to the NordVPN DNS. So either way, all the client knows is that it sent DNS to 192.168.1.1 (or some other DNS set in software), and my router sends back an appropriate response?

So this way the ordinary DNS lookups using the DNS set in the WAN interface benefit from DNS masq caching, but the special case of redirect / hijack bypasses that and goes to the NordVPN?

If you have hijacking to NordVPN nameserver, dnsmasq will not get any query. Also it doesn't really matter if you'll advertise the OpenWrt or some other internet nameserver over DHCP, as everything will be hijacked.

I set this:

uci set dhcp.lan.dns_service="0"   # do not announce the router as DNS server via DHCPv6
uci set dhcp.lan.ra_dns="0"        # do not announce a DNS server in router advertisements (RDNSS)
uci commit dhcp
/etc/init.d/odhcpd restart

And after getting fresh connection, it seems to work.

Make sure there's no IPv6 DNS in the output on the PC:

ipconfig /all

It works - just had to get fresh connection. Thanks very much.


If I set the top one limited to only one or two MAC addresses, then am I right that the top one will go straight to NordVPN, but the bottom one will use the cache?

That's right.
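As an added example (not code posted in this thread, and not OpenWrt's own scripts), here is a small POSIX shell generator for the setup the thread converges on: port-53 traffic from the listed MAC addresses is DNAT'ed straight to the VPN provider's resolver (so it never touches dnsmasq), every other LAN client is intercepted to the router itself (and keeps the dnsmasq cache), and IPv6 DNS towards the router is rejected and no longer advertised, so a dual-stack client cannot slip past the IPv4 redirects. The MAC addresses and the resolver address are constructed placeholders; the uci section names (dns_vpn_N, dns_local, dns6_reject) are my own choice.

```shell
#!/bin/sh
# Added example: print the OpenWrt uci commands for "custom DNS per MAC".
# MAC addresses and the resolver IP are constructed placeholders; replace them
# before piping the output into 'sh' on the router.

HIJACK_MACS="${HIJACK_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"
VPN_DNS="${VPN_DNS:-203.0.113.53}"   # placeholder from TEST-NET-3, not a real resolver

# One 'redirect' section per MAC. Redirects are matched in configuration order,
# so these must come before the catch-all: the MAC-limited rule on top goes to
# the VPN resolver, everything below falls through to the router's dnsmasq.
per_mac_redirects() {
  macs="$1"; dns="$2"; n=0
  for mac in $macs; do
    n=$((n + 1))
    cat <<EOF
uci set firewall.dns_vpn_$n=redirect
uci set firewall.dns_vpn_$n.name='DNS to VPN resolver ($mac)'
uci set firewall.dns_vpn_$n.src='lan'
uci set firewall.dns_vpn_$n.src_mac='$mac'
uci set firewall.dns_vpn_$n.src_dport='53'
uci set firewall.dns_vpn_$n.proto='tcp udp'
uci set firewall.dns_vpn_$n.dest_ip='$dns'
uci set firewall.dns_vpn_$n.dest_port='53'
uci set firewall.dns_vpn_$n.family='ipv4'
uci set firewall.dns_vpn_$n.target='DNAT'
EOF
  done
}

# Catch-all: any other client's DNS is redirected to the router (dnsmasq).
# Leaving dest_ip unset means "this router", the form that works dual-stack.
catch_all_redirect() {
  cat <<'EOF'
uci set firewall.dns_local=redirect
uci set firewall.dns_local.name='DNS to router'
uci set firewall.dns_local.src='lan'
uci set firewall.dns_local.src_dport='53'
uci set firewall.dns_local.proto='tcp udp'
uci set firewall.dns_local.target='DNAT'
EOF
}

# There is no per-MAC redirect for IPv6, so reject IPv6 DNS aimed at the
# router and stop odhcpd from advertising an IPv6 resolver at all.
ipv6_dns_off() {
  cat <<'EOF'
uci set firewall.dns6_reject=rule
uci set firewall.dns6_reject.name='Reject IPv6 DNS to router'
uci set firewall.dns6_reject.src='lan'
uci set firewall.dns6_reject.dest_port='53'
uci set firewall.dns6_reject.proto='tcp udp'
uci set firewall.dns6_reject.family='ipv6'
uci set firewall.dns6_reject.target='REJECT'
uci set dhcp.lan.dns_service='0'
uci set dhcp.lan.ra_dns='0'
EOF
}

# Complete script in the required order, followed by commit and reload.
dns_hijack_script() {
  per_mac_redirects "$1" "$2"
  catch_all_redirect
  ipv6_dns_off
  cat <<'EOF'
uci commit firewall
uci commit dhcp
/etc/init.d/firewall restart
/etc/init.d/odhcpd restart
EOF
}

# Sanity check for the generator: number of per-MAC redirect sections emitted.
count_mac_redirects() {
  dns_hijack_script "$1" "$2" | grep -c '\.src_mac='
}

dns_hijack_script "$HIJACK_MACS" "$VPN_DNS"
```

Clients keep seeing 192.168.1.1 as their nameserver either way; what differs is only where the router sends the query after the redirect. After applying, `ipconfig /all` on a Windows client should list no IPv6 DNS server, as suggested above.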

I noticed that, whereas Netflix from pretty much any device works fine with this hijacking rule, it does not work with my LG webOS TV. Could this be because the LG TV Netflix app uses a hardcoded DNS over HTTPS? If so, I wonder if blocking the outgoing connection to the DNS IP in question might cause it to fall back to the NordVPN DNS, which seems to manage to circumvent the Netflix VPN detection? Any thoughts? Perhaps the only reliable solution is to just use VPN PBR to bypass the VPN for the televisions.

If there is hardcoded DNS over HTTPS then you don't have many options but to block it and hope that it will honour the dhcp advertised nameserver.
In case this doesn't work, go ahead and bypass the VPN.
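The "block it and hope it falls back" option, as an added example that is not code from this thread: a generator for an OpenWrt uci firewall rule rejecting one LAN device's connections to a hard-coded DoH resolver, so the app has to use the DHCP-advertised nameserver that the hijack then redirects. The TV's MAC and the resolver address are constructed placeholders, and the section name doh_block is my own; the real resolver IP has to be read off the device's own connections, since the thread only refers to it as "the DNS IP in question".

```shell
#!/bin/sh
# Added example: emit the uci commands for a rule that rejects a single LAN
# device's HTTPS connections to a hard-coded DNS-over-HTTPS resolver.
# Both arguments below are constructed placeholders.

block_doh_rule() {
  mac="$1"; doh_ip="$2"; name="${3:-doh_block}"
  cat <<EOF
uci set firewall.$name=rule
uci set firewall.$name.name='Block hard-coded DoH ($mac)'
uci set firewall.$name.src='lan'
uci set firewall.$name.src_mac='$mac'
uci set firewall.$name.dest='*'
uci set firewall.$name.dest_ip='$doh_ip'
uci set firewall.$name.dest_port='443'
uci set firewall.$name.proto='tcp'
uci set firewall.$name.family='ipv4'
uci set firewall.$name.target='REJECT'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Sanity check for the generator: number of 'uci set' lines in the rule.
block_doh_rule_lines() {
  block_doh_rule "$1" "$2" | grep -c '^uci set '
}

# 203.0.113.1 is a TEST-NET-3 placeholder standing in for the resolver IP.
block_doh_rule "00:11:22:33:44:55" "203.0.113.1"
```

REJECT rather than DROP is deliberate: a refused connection makes the app give up on the hard-coded resolver quickly instead of waiting for timeouts, which is what you want if the fallback to the advertised nameserver is to happen at all. If the app keeps failing anyway, bypassing the VPN for that device with PBR, as suggested above, is the remaining option.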
