DNS hijacking not working

Attempting to prevent hardcoded DNS from reaching its server and just redirect it to the local router's resolver (unbound).

Following docs - https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#web_interface_instructions

Setup and results:

PC. This is how the default setup works; it just redirects to the local router DNS:

> nslookup msn.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   msn.com
Address: 204.79.197.219

Router

> tcpdump -i any port 53
03:04:18.309613 phy0-ap0 P   IP 192.168.1.17.37829 > 192.168.1.1.53: 5568+ A? msn.com. (25)
03:04:18.309621 br-lan In  IP 192.168.1.17.37829 > 192.168.1.1.53: 5568+ A? msn.com. (25)
03:04:18.311029 eth0  Out IP 172.31.2.249.45152 > ns4.demysdns.co.uk.53: 17912% [1au] A? msn.com. (36)
03:04:18.311089 eth0  Out IP 172.31.2.249.9426 > ns2-04.azure-dns.net.53: 65339% [1au] A? ns2-204.azure-dns.net. (50)
03:04:18.311144 eth0  Out IP 172.31.2.249.59229 > ns3-02.azure-dns.org.53: 12561% [1au] A? ns3-204.azure-dns.org. (50)
03:04:18.311194 eth0  Out IP 172.31.2.249.65500 > ns4-04.azure-dns.info.53: 38067% [1au] A? ns4-204.azure-dns.info. (51)
03:04:18.315722 eth0  In  IP ns4.demysdns.co.uk.53 > 172.31.2.249.45152: 17912*- 1/0/1 A 204.79.197.219 (52)
03:04:18.315859 eth0  In  IP ns2-04.azure-dns.net.53 > 172.31.2.249.9426: 65339*-$ 1/0/1 A 150.171.21.204 (66)
03:04:18.316208 eth0  In  IP ns4-04.azure-dns.info.53 > 172.31.2.249.65500: 38067*-$ 1/0/1 A 208.84.5.204 (67)
03:04:18.316286 eth0  In  IP ns3-02.azure-dns.org.53 > 172.31.2.249.59229: 12561*-$ 1/0/1 A 204.14.183.204 (66)
03:04:18.316349 eth0  Out IP 172.31.2.249.42910 > e.gtld-servers.net.53: 5437% [1au] DS? msn.com. (36)
03:04:18.321035 eth0  In  IP e.gtld-servers.net.53 > 172.31.2.249.42910: 5437*- 0/6/1 (565)
03:04:18.324118 br-lan Out IP 192.168.1.1.53 > 192.168.1.17.37829: 5568 1/0/0 A 204.79.197.219 (41)
03:04:18.324134 phy0-ap0 Out IP 192.168.1.1.53 > 192.168.1.17.37829: 5568 1/0/0 A 204.79.197.219 (41)
03:04:18.326559 phy0-ap0 P   IP 192.168.1.17.53561 > 192.168.1.1.53: 34166+ AAAA? msn.com. (25)

Firewall setting, attempt 1:

config redirect
        option target 'DNAT'
        option name 'Redirect DNS'
        option family 'ipv4'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest_port '53'
        option dest 'wan'

PC, if we try to force the DNS server (it does not redirect to the local router DNS):

> nslookup msn.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   msn.com
Address: 204.79.197.219

Router

> tcpdump -i any port 53
03:06:09.631941 phy0-ap0 P   IP 192.168.1.17.35837 > dns.google.53: 37977+ A? msn.com. (25)
03:06:09.631949 br-lan In  IP 192.168.1.17.35837 > dns.google.53: 37977+ A? msn.com. (25)
03:06:09.632715 br-lan Out IP dns.google.53 > 192.168.1.17.35837: 37977 1/0/0 A 204.79.197.219 (41)
03:06:09.632725 phy0-ap0 Out IP dns.google.53 > 192.168.1.17.35837: 37977 1/0/0 A 204.79.197.219 (41)
03:06:09.635083 phy0-ap0 P   IP 192.168.1.17.53382 > dns.google.53: 63907+ AAAA? msn.com. (25)
03:06:09.635091 br-lan In  IP 192.168.1.17.53382 > dns.google.53: 63907+ AAAA? msn.com. (25)
03:06:09.635792 br-lan Out IP dns.google.53 > 192.168.1.17.53382: 63907 0/1/0 (90)
03:06:09.635802 phy0-ap0 Out IP dns.google.53 > 192.168.1.17.53382: 63907 0/1/0 (90)

Firewall setting, attempt 2:

config redirect
        option target 'DNAT'
        option name 'Redirect DNS'
        option family 'ipv4'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest_port '53'

  • Interesting note: if we follow the OpenWrt docs and leave the destination zone unspecified, it defaults to LAN: "Section @redirect[0] (Redirect DNS) does not specify a destination, assuming 'lan'"

Router

> tcpdump -i any port 53
03:13:45.211612 phy0-ap0 P   IP 192.168.1.17.59031 > dns.google.53: 9166+ A? msn.com. (25)
03:13:45.211620 br-lan In  IP 192.168.1.17.59031 > dns.google.53: 9166+ A? msn.com. (25)
03:13:45.212388 br-lan Out IP dns.google.53 > 192.168.1.17.59031: 9166 1/0/0 A 204.79.197.219 (41)
03:13:45.212397 phy0-ap0 Out IP dns.google.53 > 192.168.1.17.59031: 9166 1/0/0 A 204.79.197.219 (41)
03:13:45.214669 phy0-ap0 P   IP 192.168.1.17.43075 > dns.google.53: 20830+ AAAA? msn.com. (25)
03:13:45.214674 br-lan In  IP 192.168.1.17.43075 > dns.google.53: 20830+ AAAA? msn.com. (25)
03:13:45.215152 br-lan Out IP dns.google.53 > 192.168.1.17.43075: 20830 0/1/0 (90)
03:13:45.215157 phy0-ap0 Out IP dns.google.53 > 192.168.1.17.43075: 20830 0/1/0 (90)
03:13:45.226523 lo    In  IP localhost.45033 > localhost.53: 56170+ PTR? 8.8.8.8.in-addr.arpa. (38)
03:13:45.227367 lo    In  IP localhost.53 > localhost.45033: 56170 1/0/0 PTR dns.google. (62)
03:13:45.227775 lo    In  IP localhost.52943 > localhost.53: 22788+ PTR? 17.1.168.192.in-addr.arpa. (43)
03:13:45.228482 lo    In  IP localhost.53 > localhost.52943: 22788 NXDomain 0/1/0 (127)

Router

> cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='24.10.2'
DISTRIB_REVISION='r28739-d9340319c6'
DISTRIB_TARGET='x86/64'
DISTRIB_ARCH='x86_64'
DISTRIB_DESCRIPTION='OpenWrt 24.10.2 r28739-d9340319c6'
DISTRIB_TAINTS=''

Confused why it goes to dns.google.53 despite the firewall setting; any idea?

Did you follow the DNS hijacking guide?

Hello, yes, as said above I have a similar config as in the docs. Mine:

firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Redirect DNS'
firewall.@redirect[0].family='ipv4'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest_port='53'

docs config:

uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.family="any"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.target="DNAT"

The only differences in the docs are:

  • a different name
  • family any (v4/v6) - shouldn't matter here as we use v4
  • hmm, noticed that option proto 'tcp udp' is missing from my firewall rules, but in the UI it is shown accordingly (small edit: I have added this line directly and restarted the firewall, still the same result: no redirection)
  • does not have firewall.@redirect[0].dest_ip='192.168.1.1'
  • does not have firewall.@redirect[0].dest_port='53'

I have used the actual docs recommendation as well and disabled my custom firewall rule:

uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.family="any"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
service firewall restart

PC

> nslookup msn.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   msn.com
Address: 204.79.197.219

Router

> tcpdump -vv -i any port 53
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
03:55:55.156509 phy0-ap0 P   IP (tos 0x0, ttl 64, id 46582, offset 0, flags [none], proto UDP (17), length 53)
    192.168.1.17.52376 > dns.google.53: [udp sum ok] 58400+ A? msn.com. (25)
03:55:55.156516 br-lan In  IP (tos 0x0, ttl 64, id 46582, offset 0, flags [none], proto UDP (17), length 53)
    192.168.1.17.52376 > dns.google.53: [udp sum ok] 58400+ A? msn.com. (25)
03:55:55.157272 br-lan Out IP (tos 0x0, ttl 64, id 29059, offset 0, flags [DF], proto UDP (17), length 69)
    dns.google.53 > 192.168.1.17.52376: [bad udp cksum 0xd20b -> 0xda51!] 58400 q: A? msn.com. 1/0/0 msn.com. A 204.79.197.219 (41)
03:55:55.157282 phy0-ap0 Out IP (tos 0x0, ttl 64, id 29059, offset 0, flags [DF], proto UDP (17), length 69)
    dns.google.53 > 192.168.1.17.52376: [bad udp cksum 0xd20b -> 0xda51!] 58400 q: A? msn.com. 1/0/0 msn.com. A 204.79.197.219 (41)
03:55:55.160191 phy0-ap0 P   IP (tos 0x0, ttl 64, id 49090, offset 0, flags [none], proto UDP (17), length 53)
    192.168.1.17.44372 > dns.google.53: [udp sum ok] 14913+ AAAA? msn.com. (25)
03:55:55.160196 br-lan In  IP (tos 0x0, ttl 64, id 49090, offset 0, flags [none], proto UDP (17), length 53)
    192.168.1.17.44372 > dns.google.53: [udp sum ok] 14913+ AAAA? msn.com. (25)
03:55:55.160662 br-lan Out IP (tos 0x0, ttl 64, id 29060, offset 0, flags [DF], proto UDP (17), length 137)
    dns.google.53 > 192.168.1.17.44372: [bad udp cksum 0xd24f -> 0x9dd5!] 14913 q: AAAA? msn.com. 0/1/0 ns: msn.com. SOA ns1-204.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 3600 (109)
03:55:55.160668 phy0-ap0 Out IP (tos 0x0, ttl 64, id 29060, offset 0, flags [DF], proto UDP (17), length 137)
    dns.google.53 > 192.168.1.17.44372: [bad udp cksum 0xd24f -> 0x9dd5!] 14913 q: AAAA? msn.com. 0/1/0 ns: msn.com. SOA ns1-204.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 3600 (109)
03:55:55.266301 lo    In  IP (tos 0x0, ttl 64, id 32451, offset 0, flags [DF], proto UDP (17), length 66)
    localhost.38991 > localhost.53: [bad udp cksum 0xfe41 -> 0x8b95!] 50248+ PTR? 8.8.8.8.in-addr.arpa. (38)
03:55:55.266924 lo    In  IP (tos 0x0, ttl 64, id 32452, offset 0, flags [DF], proto UDP (17), length 90)
    localhost.53 > localhost.38991: [bad udp cksum 0xfe59 -> 0x8a92!] 50248 q: PTR? 8.8.8.8.in-addr.arpa. 1/0/0 8.8.8.8.in-addr.arpa. PTR dns.google. (62)
03:55:55.267201 lo    In  IP (tos 0x0, ttl 64, id 32453, offset 0, flags [DF], proto UDP (17), length 71)
    localhost.38519 > localhost.53: [bad udp cksum 0xfe46 -> 0xfdc0!] 59739+ PTR? 17.1.168.192.in-addr.arpa. (43)
03:55:55.267612 lo    In  IP (tos 0x0, ttl 64, id 32454, offset 0, flags [DF], proto UDP (17), length 155)
    localhost.53 > localhost.38519: [bad udp cksum 0xfe9a -> 0x802d!] 59739 NXDomain q: PTR? 17.1.168.192.in-addr.arpa. 0/1/0 ns: 17.1.168.192.in-addr.arpa. SOA fake-for-negative-caching.adguard.com. hostmaster.17.1.168.192.in-addr.arpa. 100500 1800 900 604800 86400 (127)

DNS hijacking is transparent.

Here's the rule on my test box:

config redirect
	option target 'DNAT'
	option name 'Intercept DNS'
	option family 'any'
	option src 'lan'
	option src_dport '53'

I added the following to the router to redirect a lookup of google.com (/etc/config/dhcp):

	list address '/google.com/1.2.3.4'

From a computer I ran the following tests:

% nslookup google.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: google.com
Address: 1.2.3.4

% nslookup google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Name: google.com
Address: 1.2.3.4

% nslookup openwrt.org
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: openwrt.org
Address: 64.226.122.113

% nslookup openwrt.org 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: openwrt.org
Address: 64.226.122.113
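Why the captures above look identical with and without the redirect: tcpdump on br-lan sees an inbound packet before the DNAT rule rewrites its destination, and sees the reply after conntrack has rewritten the source back to the address the client originally asked (dns.google). The only reliable tells in a capture are on the WAN side: masquerading changes the source address and port of a forwarded packet but not the DNS transaction ID inside it, so a client query that really escaped to 8.8.8.8 shows up on eth0 with the client's txid, while a query the router answered itself produces either nothing on eth0 or the router's own recursion with fresh txids. The script below, an added example that is not part of the thread or of OpenWrt, applies that test to `tcpdump -i any port 53` output. The first two captures are excerpts of the ones posted above; the third ("LEAK_CAPTURE") is constructed to show what an actual leak would look like. Interface names (br-lan, eth0) and the router address are taken from the thread and are parameters of `classify`.

```python
"""Decide, per client DNS query seen entering the router on the LAN bridge,
whether the router answered it (redirect working), forwarded it unchanged to
the resolver the client asked for (leak), or sent it to the router directly.
Added example for the thread above; not OpenWrt code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One-line (non -vv) tcpdump DNS record, e.g.
#   03:06:09.631949 br-lan In  IP 192.168.1.17.35837 > dns.google.53: 37977+ A? msn.com. (25)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out|P)\s+IP\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)(?P<flags>\S*)\s+(?P<rest>.*)$"
)
# "A? msn.com." / "[1au] DS? msn.com." mark a query; responses carry no "?"
QUESTION_RE = re.compile(r"(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)")


@dataclass
class Packet:
    ts: str
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    is_query: bool
    qtype: Optional[str]
    qname: Optional[str]


@dataclass
class Verdict:
    txid: int
    client: str
    asked: str        # resolver the client addressed (as tcpdump printed it)
    qtype: str
    qname: str
    outcome: str      # "router", "intercepted", "leaked" or "unanswered"
    upstream: int     # router-originated WAN queries for the same name


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for warnings and non-DNS lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = QUESTION_RE.search(m["rest"])
    return Packet(m["ts"], m["iface"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["txid"]), q is not None,
                  q["qtype"] if q else None, q["qname"] if q else None)


def classify(lines, router="192.168.1.1", lan_ifaces=("br-lan",),
             wan_ifaces=("eth0",)) -> List[Verdict]:
    pkts = [p for p in map(parse_line, lines) if p]
    verdicts = []
    for p in pkts:
        # Only client queries entering the router on the LAN bridge matter;
        # the duplicate "P" lines on the wireless interface are skipped.
        if not (p.is_query and p.iface in lan_ifaces and p.direction == "In"
                and p.dport == 53):
            continue
        # Queries the router itself sent out for the same name (its recursion).
        upstream = [u for u in pkts if u.is_query and u.iface in wan_ifaces
                    and u.direction == "Out" and u.qname == p.qname]
        # NAT keeps the UDP payload, so a leaked query carries the client's txid
        # to the resolver the client picked.
        leaked = any(u.dst == p.dst and u.txid == p.txid for u in upstream)
        # The reply the client saw: same txid, back to the client's port.
        answered = any(r.iface == p.iface and r.direction == "Out"
                       and not r.is_query and r.txid == p.txid
                       and r.dst == p.src and r.dport == p.sport for r in pkts)
        if p.dst == router:
            outcome = "router"
        elif leaked:
            outcome = "leaked"
        elif answered:
            outcome = "intercepted"   # reply source was un-DNATed to p.dst
        else:
            outcome = "unanswered"
        verdicts.append(Verdict(p.txid, p.src, p.dst, p.qtype, p.qname,
                                outcome, len(upstream)))
    return verdicts


# Excerpt of the default-setup capture from the thread (client asks the router).
DEFAULT_CAPTURE = """\
03:04:18.309621 br-lan In  IP 192.168.1.17.37829 > 192.168.1.1.53: 5568+ A? msn.com. (25)
03:04:18.311029 eth0  Out IP 172.31.2.249.45152 > ns4.demysdns.co.uk.53: 17912% [1au] A? msn.com. (36)
03:04:18.315722 eth0  In  IP ns4.demysdns.co.uk.53 > 172.31.2.249.45152: 17912*- 1/0/1 A 204.79.197.219 (52)
03:04:18.316349 eth0  Out IP 172.31.2.249.42910 > e.gtld-servers.net.53: 5437% [1au] DS? msn.com. (36)
03:04:18.324118 br-lan Out IP 192.168.1.1.53 > 192.168.1.17.37829: 5568 1/0/0 A 204.79.197.219 (41)
""".splitlines()

# Excerpt of "attempt 1" from the thread (client forces 8.8.8.8, printed as dns.google).
FORCED_CAPTURE = """\
03:06:09.631949 br-lan In  IP 192.168.1.17.35837 > dns.google.53: 37977+ A? msn.com. (25)
03:06:09.632715 br-lan Out IP dns.google.53 > 192.168.1.17.35837: 37977 1/0/0 A 204.79.197.219 (41)
03:06:09.635091 br-lan In  IP 192.168.1.17.53382 > dns.google.53: 63907+ AAAA? msn.com. (25)
03:06:09.635792 br-lan Out IP dns.google.53 > 192.168.1.17.53382: 63907 0/1/0 (90)
""".splitlines()

# Constructed (not from the thread): the same query with NO redirect in place.
LEAK_CAPTURE = """\
03:09:00.000001 br-lan In  IP 192.168.1.17.40001 > dns.google.53: 4242+ A? msn.com. (25)
03:09:00.000100 eth0  Out IP 172.31.2.249.40001 > dns.google.53: 4242+ A? msn.com. (25)
03:09:00.012000 eth0  In  IP dns.google.53 > 172.31.2.249.40001: 4242 1/0/0 A 204.79.197.219 (41)
03:09:00.012100 br-lan Out IP dns.google.53 > 192.168.1.17.40001: 4242 1/0/0 A 204.79.197.219 (41)
""".splitlines()

if __name__ == "__main__":
    for label, cap in (("default", DEFAULT_CAPTURE), ("forced", FORCED_CAPTURE),
                       ("leak", LEAK_CAPTURE)):
        for v in classify(cap):
            print(f"{label:8} txid={v.txid} {v.qtype} {v.qname} -> {v.asked}: "
                  f"{v.outcome} (router upstream queries: {v.upstream})")
```

On the forced capture every query to dns.google comes back "intercepted": the client got a reply and nothing with its txid ever appeared on eth0, which is exactly the "transparent" behaviour described in the reply above. Run it against a live `tcpdump -n -i any port 53 > dns.log` on the router (`-n` keeps addresses numeric and avoids the localhost PTR lookups seen in attempt 2) and look for "leaked" verdicts.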
