DNS Hijacking Doc - 2 rules for DNS over HTTPS

On the page https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#dns_over_https

In the following code, IPv4 and IPv6 are defined separately but the rule is exactly the same for both protocols.

Can someone check this and then combine the rules confusing. If I have missed something then you should at least call one Deny-DoH6

# Filter DoH traffic
uci -q delete firewall.doh_fwd
uci set firewall.doh_fwd="rule"
uci set firewall.doh_fwd.name="Deny-DoH"
uci set firewall.doh_fwd.src="lan"
uci set firewall.doh_fwd.dest="wan"
uci set firewall.doh_fwd.dest_port="443"
uci set firewall.doh_fwd.proto="tcp udp"
uci set firewall.doh_fwd.family="ipv4"
uci set firewall.doh_fwd.ipset="doh dest"
uci set firewall.doh_fwd.target="REJECT"
uci -q delete firewall.doh6_fwd
uci set firewall.doh6_fwd="rule"
uci set firewall.doh6_fwd.name="Deny-DoH"
uci set firewall.doh6_fwd.src="lan"
uci set firewall.doh6_fwd.dest="wan"
uci set firewall.doh6_fwd.dest_port="443"
uci set firewall.doh6_fwd.proto="tcp udp"
uci set firewall.doh6_fwd.family="ipv6"
uci set firewall.doh6_fwd.ipset="doh6 dest"
uci set firewall.doh6_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Also the last command in this block ipset setup fails because the switch setup does not exist.

I am running OpenWrt 20.02.01


The ipsets are different. There is one for matching IPv6 entries and one for matching IPv4 entries.

1 Like

So why is there only 1 rule for DNS over TLS DoT?

You could just combine the rules.

Any explanation would be appreciated.

DoT port is unique matching both IPv4 and IPv6 traffic, so filtering by port works well.
DoH uses the same port as HTTPS, so we need to filter by the destination IP address.

There are many public DoH servers, and filtering them all efficiently relies on IP sets.
Each IP set contains only IPv4 or IPv6 entries, so a couple of sets/rules is necessary.

See also: Ipset setup does not work - #2 by vgaetera


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.