DNS hijacking (port-53 DNAT redirect) apparently failing to work

Hey! :slight_smile:

Currently I'm a little confused, because this firewall port-forwarding (DNAT redirect) rule has always worked for me before.

root@GL-MT6000:/# uci show firewall.@redirect[-1]
firewall.cfg263837=redirect
firewall.cfg263837.target='DNAT'
firewall.cfg263837.name='force-redirect-dns'
firewall.cfg263837.src='pcnet'
firewall.cfg263837.src_dport='53'

but for some reason, if I set the DNS server on my Windows 11 PC to 1.1.1.1, it still appears to connect to Cloudflare, even after flushing the DNS cache.

what type of magic would this be :stuck_out_tongue:

I do use luci-app-pbr and luci-app-nextdns; I don't think these could cause an issue, but maybe they do.

Currently I run a snapshot of vanilla OpenWrt (r24586-f3cdc9f988), but I also had the same behaviour on the original GL.iNet firmware.

Full firewall config (/etc/config/firewall):

# Global policy: traffic that matches no zone is rejected on input and in
# forwarding, router-originated output is allowed unconditionally, and the
# SYN-flood limiter is on.  Every zone below overrides these per interface.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan: the management network (10.234.53.0/24 in the network config).  Fully
# open towards the router and allowed to forward to wan.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# wan: both uplinks (IPv4 'wan' and IPv6 'wan6').  Unsolicited inbound traffic
# is dropped, forwarding is rejected unless a rule explicitly allows it, and
# client subnets are masqueraded behind the WAN address with MSS clamping.
config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# Only the management network may reach the internet directly via wan; every
# other zone gets its own forwarding further down.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules in this block look like OpenWrt's stock WAN-facing rules: DHCP
# renewals, ping, IGMP, DHCPv6, MLD and the ICMPv6 types needed for IPv6 to
# work at all.  They only open the router's own input chain (plus ICMPv6
# forwarding); nothing behind the router is exposed by them.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD only from link-local sources (fe80::/10), as the stock rule does.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited (1000/sec) ICMPv6 to the router itself.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Same error/diagnostic ICMPv6 types, but forwarded to any zone ('*') so PMTU
# discovery keeps working for hosts behind the router.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two rules are also shipped by default, but unlike the
# ones above they permit inbound IPsec (ESP and IKE on UDP 500) to be
# *forwarded* from wan into the lan zone.  Harmless if nothing on lan answers,
# but if there is no IPsec endpoint on lan they can be disabled.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# wgclient: the WireGuard *client* tunnel used as VPN egress.  Nothing from the
# tunnel may reach the router (input DROP); client subnets forwarded into it
# are masqueraded behind the tunnel address, with MSS clamping for the smaller
# tunnel MTU (1380 in the network config).
config zone
	option name 'wgclient'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wgclient'
	option masq '1'
	option mtu_fix '1'

# Client VLANs.  input ACCEPT exposes every router service (DHCP, DNS, LuCI,
# SSH, ...) to these clients; it is also what lets the DNS DNAT redirect at the
# end of this file work, since the redirected query terminates on the router.
# forward REJECT means each zone only reaches what an explicit 'forwarding' or
# 'rule' section grants it.
config zone
	option name 'pcnet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'pcnet'

config zone
	option name 'zigbee'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'zigbee'

config zone
	option name 'wlan0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wlan0'

config zone
	option name 'wlan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wlan1'

config zone
	option name 'tvnet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'tvnet'

# tvnet and zigbee egress directly via wan (no VPN); they are also listed as
# ignored interfaces in the pbr config.
config forwarding
	option src 'tvnet'
	option dest 'wan'

config forwarding
	option src 'zigbee'
	option dest 'wan'

# Hook for luci-app-pbr: fw4 runs this script on every firewall reload so pbr
# can re-create its marking/masquerade rules.  Anything it adds is not visible
# in this file; inspect with 'nft list ruleset' when debugging.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# aria and steamcache: isolated service VLANs.  Unlike the client VLANs above,
# input is REJECT, so hosts here cannot reach router services at all (they
# must be statically addressed or get DHCP some other way).
config zone
	option name 'aria'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'aria'

config zone
	option name 'steamcache'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'steamcache'

# steamcache reaches the internet directly ...
config forwarding
	option src 'steamcache'
	option dest 'wan'

# ... while aria, wlan1, wlan0 and pcnet may only forward into the VPN tunnel.
# There is no forwarding from any of these four zones to wan, so they have no
# internet path except through wgclient (the firewall enforces that even if
# pbr or the tunnel misbehaves).
config forwarding
	option src 'aria'
	option dest 'wgclient'

config forwarding
	option src 'wlan1'
	option dest 'wgclient'

config forwarding
	option src 'wlan0'
	option dest 'wgclient'

config forwarding
	option src 'pcnet'
	option dest 'wgclient'

# ayaneo: another isolated VLAN.  No 'forwarding' section names it as src, so
# it can only reach the destinations granted by the rules below.
config zone
	option name 'ayaneo'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'ayaneo'

# Holes through the forward REJECT of the client zones.

# pcnet and wlan0 may talk to four specific management hosts on lan, on every
# protocol and port ('all').  The same four hosts (plus the router) appear in
# the pbr 'allow-management' policy so this traffic is not pushed into the VPN.
config rule
	option name 'Allow-management-pcnet'
	list proto 'all'
	option src 'pcnet'
	option dest 'lan'
	list dest_ip '10.234.53.10'
	list dest_ip '10.234.53.3'
	list dest_ip '10.234.53.15'
	list dest_ip '10.234.53.20'
	option target 'ACCEPT'

config rule
	option name 'Allow-management-wlan0'
	list proto 'all'
	option src 'wlan0'
	option dest 'lan'
	list dest_ip '10.234.53.3'
	list dest_ip '10.234.53.10'
	list dest_ip '10.234.53.15'
	list dest_ip '10.234.53.20'
	option target 'ACCEPT'

# Printer on the zigbee VLAN, reachable from pcnet only.
config rule
	option name 'Allow-printer-pcnet'
	option src 'pcnet'
	option dest 'zigbee'
	list dest_ip '10.33.77.4'
	option target 'ACCEPT'
	list proto 'all'

# Ports 5555, 445 and 139 into the aria VLAN from three client zones.  No
# proto is given; fw4 presumably applies its default of tcp+udp here, but
# spelling out 'tcp udp' (or just 'tcp') would make the intent explicit.
config rule
	option name 'Allow-pcnet-aria'
	option src 'pcnet'
	option dest 'aria'
	option dest_port '5555 445 139'
	option target 'ACCEPT'

config rule
	option name 'Allow-wlan0-aria'
	option src 'wlan0'
	option dest 'aria'
	option dest_port '5555 445 139'
	option target 'ACCEPT'

config rule
	option name 'Allow-ayaneo-aria'
	option src 'ayaneo'
	option dest 'aria'
	option dest_port '5555 445 139'
	option target 'ACCEPT'

# ayaneo -> the lancache host on lan, unrestricted (no proto/port given).
config rule
	option name 'Allow-ayaneo-lancache'
	option src 'ayaneo'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.234.53.15'

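# Force every client in the pcnet zone onto the router's resolver: any packet
# arriving on a pcnet interface with destination port 53 is DNATed, whatever
# server address the client configured.  With no dest_ip/dest_port the target
# is the router's own address on the receiving interface (the form used by the
# OpenWrt intercept_dns guide); this only works because the pcnet zone has
# input ACCEPT.  proto is spelled out instead of relying on the fw4 default.
#
# The rewrite is invisible to the client: replies are un-NATed on the way back,
# so nslookup/dnsleaktest keep reporting the configured server (e.g. 1.1.1.1).
# Verify with a name only the real upstream can answer, e.g.
#   nslookup is-cf.help.every1dns.net
# which must fail (NXDOMAIN) once the redirect is in effect.
config redirect
	option target 'DNAT'
	option name 'force-redirect-dns'
	option src 'pcnet'
	option proto 'tcp udp'
	option src_dport '53'

# A port-53 redirect does not catch encrypted DNS.  DNS-over-TLS uses TCP 853
# and can be blocked by port (below); DNS-over-HTTPS shares TCP 443 with normal
# HTTPS and has to be disabled on the client (browser "Secure DNS") or handled
# by blocking the resolver hostnames instead.
config rule
	option name 'Block-DoT-pcnet'
	option src 'pcnet'
	option dest '*'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'REJECT'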

Full network config (/etc/config/network):
# Loopback and global settings.  The ULA prefix was redacted by the poster.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<snip>'

# br-lan: one VLAN-aware bridge over all five switch ports; the bridge-vlan
# sections further down decide which VLAN each port carries.  Note that lan1 is
# a bridge member but is not assigned to any bridge-vlan below, so it
# presumably carries no traffic at all (unused port?).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# Per-port MAC overrides (redacted by the poster).
config device
	option name 'lan1'
	option macaddr '<snip>'

config device
	option name 'lan2'
	option macaddr '<snip>'

config device
	option name 'lan3'
	option macaddr '<snip>'

config device
	option name 'lan4'
	option macaddr '<snip>'

config device
	option name 'lan5'
	option macaddr '<snip>'

# Management network on VLAN 1 of the bridge; no IPv6 prefix delegation.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.234.53.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'eth1'
	option macaddr '<snip>'

# IPv4 uplink on VLAN 300 of eth1 (tagged, DHCP) ...
config interface 'wan'
	option device 'eth1.300'
	option proto 'dhcp'

# ... but the IPv6 uplink on *untagged* eth1.  NOTE(review): confirm this is
# what the ISP expects; if IPv6 is meant to ride the same VLAN it should be
# 'eth1.300' too.
config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# VLAN layout of br-lan.  Ports without ':t' are untagged members; ':t' marks
# tagged (trunk) membership.

# VLAN 1 (lan/management): untagged on lan2-lan5.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 5 (steamcache) and 6 (aria): tagged only on lan3.
config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'lan3:t'

# VLANs 49-53 (pcnet, wlan0, wlan1, zigbee, tvnet): tagged on lan2, lan4 and
# lan5 -- presumably trunk links to access points / downstream switches.
config bridge-vlan
	option device 'br-lan'
	option vlan '49'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '51'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '52'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '53'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

# pcnet (VLAN 49): 10.34.79.0/24, the zone the DNS redirect applies to.
# defaultroute '0' on every client interface is normal for a static LAN.
config interface 'pcnet'
	option proto 'static'
	option device 'br-lan.49'
	option ipaddr '10.34.79.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

# zigbee, wlan0 and wlan1 each wrap their VLAN sub-interface in a second,
# non-VLAN-aware bridge (bridge_empty so it exists even with no members,
# IPv6 off on the bridge).  Presumably so wireless interfaces can be attached
# to them from /etc/config/wireless, which is not shown here.
config device
	option type 'bridge'
	option name 'br-zigbee'
	list ports 'br-lan.52'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'zigbee'
	option proto 'static'
	option device 'br-zigbee'
	option ipaddr '10.33.77.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-wlan0'
	list ports 'br-lan.50'
	option bridge_empty '1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-wlan1'
	list ports 'br-lan.51'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'wlan0'
	option proto 'static'
	option device 'br-wlan0'
	option ipaddr '10.234.80.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'wlan1'
	option proto 'static'
	option device 'br-wlan1'
	option ipaddr '10.234.81.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

# tvnet (VLAN 53): bound to the VLAN sub-interface directly, no wrapper bridge.
config interface 'tvnet'
	option proto 'static'
	option device 'br-lan.53'
	option ipaddr '172.22.18.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

# WireGuard client tunnel.  defaultroute '0' means the tunnel is *not* the
# system default route even though every peer allows 0.0.0.0/0 -- traffic is
# steered into it by pbr (route-all-vpn etc.) and fenced by the firewall
# forwardings.  MTU 1380 matches the mtu_fix on the wgclient zone.  Private
# key, peer keys and endpoint hosts were redacted by the poster.
config interface 'wgclient'
	option proto 'wireguard'
	option private_key '<snip>'
	list addresses '10.64.xx.xx/32'
	option defaultroute '0'
	option delegate '0'
	option mtu '1380'

# Thirteen provider endpoints differing only by port.  All carry
# disabled '1' except the one on port 3095, so exactly one peer is active;
# switching servers is done by flipping 'disabled'.  Only the first peer sets
# persistent_keepalive (to 0, i.e. off).
config wireguard_wgclient
	option description '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3004'
	option persistent_keepalive '0'
	option public_key '<snip>'
	option disabled '1'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3039'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3040'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3113'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3114'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3094'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3019'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3041'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3048'

# The only enabled peer.
config wireguard_wgclient
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3095'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3507'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3508'

config wireguard_wgclient
	option disabled '1'
	option description '<snip>'
	option public_key '<snip>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<snip>'
	option endpoint_port '3509'

# steamcache (VLAN 5) and aria (VLAN 6): the two service VLANs trunked on lan3.
config interface 'steamcache'
	option proto 'static'
	option device 'br-lan.5'
	option ipaddr '192.168.98.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'aria'
	option proto 'static'
	option device 'br-lan.6'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

# VLAN 90 (ayaneo): tagged on lan2 only.
config bridge-vlan
	option device 'br-lan'
	option vlan '90'
	list ports 'lan2:t'

# NOTE(review): br-ayaneo wraps br-lan.90 like the other wrapper bridges, but
# the 'ayaneo' interface below binds 'br-lan.90' directly, so this bridge is
# declared and never used.  Either point the interface at 'br-ayaneo' (as
# zigbee/wlan0/wlan1 do) or drop this device section.
config device
	option type 'bridge'
	option name 'br-ayaneo'
	list ports 'br-lan.90'
	option bridge_empty '1'
	option ipv6 '0'

# ayaneo: 10.89.10.0/24.  The pbr 'route-all-vpn' policy lists 10.89.3.0/24,
# which matches no interface in this file -- see the note there.
config interface 'ayaneo'
	option proto 'static'
	option device 'br-lan.90'
	option ipaddr '10.89.10.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
Full pbr config (/etc/config/pbr):

# luci-app-pbr (policy-based routing) global settings.
#
# resolver_set 'dnsmasq.nftset' is the important one for this thread: domain
# names used in a policy's dest_addr (see 'wl-domains' below) are turned into
# nft sets populated by the router's dnsmasq as it answers queries.  That only
# works when clients actually resolve through the router -- lookups that go
# straight to 1.1.1.1 (or over DoH) never populate the sets, which is exactly
# what the port-53 redirect in the firewall config is there to prevent.
# strict_enforcement presumably blocks traffic for a policy whose interface is
# down instead of letting it fall back to the default route -- confirm against
# the pbr README before relying on it.
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option nft_file_support '0'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'wgclient'
	list supported_interface 'wgserver'
	list ignored_interface 'vpnserver'
	list ignored_interface 'zigbee'
	list ignored_interface 'tvnet'
	list ignored_interface 'steamcache'
	list ignored_interface 'lan'

# Policies are evaluated in order; 'ignore' means "leave the main routing
# table alone" (i.e. do not push into the VPN).

# Management network never goes through the tunnel.
config policy
	option name 'force lan over wan'
	option src_addr '10.234.53.0/24'
	option interface 'ignore'

# Client VLANs -> router and the four management hosts stay local; matches the
# 'Allow-management-*' firewall rules.
config policy
	option name 'allow-management'
	option src_addr '10.34.79.0/24 10.234.80.0/24 10.234.81.0/24'
	option dest_addr '10.234.53.1/32 10.234.53.3/32 10.234.53.10/32 10.234.53.15/32 10.234.53.20/32'
	option interface 'ignore'

# Client VLANs -> aria VLAN stays local.
config policy
	option name 'Allow-aria-web'
	option dest_addr '192.168.99.0/24'
	option interface 'ignore'
	option src_addr '10.34.79.0/24 10.234.80.0/24 10.234.81.0/24'

# Domain whitelist steered out via wan.  Domain matching depends on the
# dnsmasq nft sets (see resolver_set above), so it silently does nothing for
# clients whose DNS bypasses the router.  NOTE(review): pcnet/wlan0/wlan1 have
# firewall forwardings only to wgclient, not to wan, so for those sources this
# policy presumably ends in a forward REJECT unless a pcnet->wan forwarding is
# added -- confirm which zones this is meant to serve.
config policy
	option name 'wl-domains'
	option dest_addr 'akamaized.net hp.com hpsmart.com microsoft.com js.monitor.azure.com vo.msecnd.net playnite.link cdkeys.com akamaihd.net akamaitechnologies.com ea.com whatismyip.com aqara.com aqara.cn'
	option interface 'wan'

# 10.14.0.0/24 is not defined in the network config shown; presumably the
# address range of a 'wgserver' interface (listed as a supported interface
# above) that was omitted from the paste.
config policy
	option name 'route-wgserver-vpn'
	option src_addr '10.14.0.0/24'
	option interface 'wgclient'

# Two disabled experiments with a 'tor' interface (not present in this config).
config policy
	option name 'Forward gta to tor'
	option dest_addr 'rsg.sc rockstargames.com socialclub.rockstargames.com prod.ros.rockstargames.com  ps-rgl-prod.ros.rockstargames.com prod-locator-cloud.rockstargames.com prod.cloud.rockstargames.com'
	option chain 'forward'
	option interface 'tor'
	option enabled '0'

config policy
	option name 'Route tor over vpn'
	option src_addr '10.192.0.0/10'
	option interface 'wgclient'
	option enabled '0'

# Catch-all: everything else from the client VLANs and aria goes into the VPN.
# NOTE(review): 10.89.3.0/24 matches no interface in the network config; the
# ayaneo VLAN is 10.89.10.0/24.  Probably a typo -- though ayaneo also has no
# firewall forwarding to wgclient, so fixing the prefix alone would not give it
# internet access.
config policy
	option name 'route-all-vpn'
	option src_addr '10.34.79.0/24 10.234.80.0/24 10.234.81.0/24 192.168.99.0/24 10.89.3.0/24'
	option interface 'wgclient'

Try the command-line instructions at https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#command-line_instructions (they use the same DNAT redirect, with proto 'tcp udp' spelled out).

How do you prove it's connecting to Cloudflare? The hijacking is invisible to the client: the router rewrites the destination of the query and un-NATs the reply on the way back, so the PC still sees 1.1.1.1 as the server that answered.


excellent point.

@xize, block some domain on the router (e.g. google.com) and check whether lookups from the PC fail once that is done.


If I try dnsleaktest or nslookup, it still shows the server as one.one.one.one (1.1.1.1):

like:

Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:400e:801::200e
          172.217.23.206

what @dave14305 said.

It doesn't prove anything: nslookup prints the server address you configured, not the host that actually answered.

As for dnsleaktest: have you disabled DoH ("Secure DNS") in the browser? A port-53 redirect cannot intercept DNS-over-HTTPS, which travels inside ordinary TCP 443 connections.

Try

nslookup is-cf.help.every1dns.net

If the query really reaches Cloudflare you'll get a valid response; otherwise you'll get "domain not found" (NXDOMAIN), because only Cloudflare's resolvers answer for that name. It is one of the domains queried by https://1.1.1.1/help.


Ah, thanks! It indeed doesn't resolve, so the redirect must be working after all :+1:
