Hi,
I have installed OpenWrt on an x86 server.
The setup includes
multiple interfaces (with VLANs): iot, dmz, lan
AdGuard Home
Unbound
Now I want to configure DNS interception / hijacking.
There are guides in the OpenWrt documentation here and here.
However, the instructions are not 100% consistent.
Currently I have this relevant firewall setting (for zone iot):
[...]
config rule
	option name 'IoT: Block-DNS-other-networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'iot'
	option dest '*'
	option dest_port '53'
	option target 'REJECT'
[...]
config redirect
	option target 'DNAT'
	option name 'IoT: Intercept-DNS'
	option src 'iot'
	option src_dport '53'
[...]
Is there any other firewall rule required to intercept and redirect DNS queries?
I searched on the internet and found another guide with different instructions:
Create a port forward rule that intercepts all traffic destined for the Internet on port 53 and redirect it to the PiHole
Create a NAT rule that rewrites the source of the DNS response (the PiHole) to match the intended source (the hardcoded DNS)
You could also add a rule blocking port 853 for devices using hardcoded DNS over TLS. The idea being that they'll fall back to plain DNS and get intercepted by AGH.
Here are my rules:
config redirect 'dns_int'
	option name 'Intercept-DNS'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'lan'
	option src_dport '53'
	option target 'DNAT'
	option dest_ip 'YOUR_DNS_SERVER_IP'
	list src_mac '!xx:xx:xx:xx:xx:xx' # change to your DNS mac address
	list src_mac '!xx:xx:xx:xx:xx:xx' # change to your agh mac
	list src_mac '!xx:xx:xx:xx:xx:xx' # change to your unbound mac
	list src_mac '!xx:xx:xx:xx:xx:xx' # change to your router mac
config rule 'dot_fwd'
	option name 'Deny-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'
	list src_ip '!YOUR_DNS_IP'
	list src_ip '!AGH_IP'
	list src_ip '!UNBOUND_IP'
	list src_ip '!ROUTER_IP'
I use ! to hijack everything but the devices listed in the rules.
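The three steps of the quoted guide (DNAT redirect, source NAT for the replies, DoT reject), as an added example script for an OpenWrt router that is not from the thread or the OpenWrt wiki: it prints the uci commands for one zone so they can be reviewed before being piped into `sh` on the router. The zone name "iot", the resolver address 192.168.10.2 and the router address 192.168.10.1 are constructed assumptions, and the section names `dns_int_<zone>`, `dns_snat_<zone>` and `dot_<zone>` are my own.

```shell
#!/bin/sh
# Added example (not the thread's or the OpenWrt wiki's code). Generates uci commands
# that build DNS interception for one firewall zone on OpenWrt with fw4.
# Assumed, constructed addresses: AdGuard Home 192.168.10.2, router 192.168.10.1.
dns_intercept_rules() {
  zone="$1"; dns_ip="$2"; shift 2      # remaining args: more hosts to exempt
  r="firewall.dns_int_$zone"; n="firewall.dns_snat_$zone"; d="firewall.dot_$zone"
  echo "uci -q delete $r; uci -q delete $n; uci -q delete $d"
  # 1. DNAT every port-53 flow leaving the zone to the resolver.
  echo "uci set $r=redirect"
  echo "uci set $r.name='$zone: Intercept-DNS'"
  echo "uci set $r.family='ipv4'"
  echo "uci set $r.proto='tcp udp'"
  echo "uci set $r.src='$zone'"
  echo "uci set $r.src_dport='53'"
  echo "uci set $r.target='DNAT'"
  echo "uci set $r.dest_ip='$dns_ip'"
  # Exempt the resolver itself (otherwise its upstream queries loop back to it)
  # and any other hosts given; the leading '!' negates the match.
  for ip in "$dns_ip" "$@"; do echo "uci add_list $r.src_ip='!$ip'"; done
  # 2. Masquerade redirected queries when the resolver shares the clients' subnet,
  #    so the reply returns through the router with the address the client asked.
  echo "uci set $n=nat"
  echo "uci set $n.name='$zone: DNS-SNAT'"
  echo "uci set $n.src='$zone'"
  echo "uci set $n.proto='tcp udp'"
  echo "uci set $n.dest_ip='$dns_ip'"
  echo "uci set $n.dest_port='53'"
  echo "uci set $n.target='MASQUERADE'"
  # 3. Reject DNS over TLS so hard-coded clients fall back to plain DNS (step 1).
  echo "uci set $d=rule"
  echo "uci set $d.name='$zone: Deny-DoT'"
  echo "uci set $d.src='$zone'"
  echo "uci set $d.dest='wan'"
  echo "uci set $d.proto='tcp udp'"
  echo "uci set $d.dest_port='853'"
  echo "uci set $d.target='REJECT'"
  echo "uci commit firewall"
}
# On the router: dns_intercept_rules iot 192.168.10.2 192.168.10.1 | sh
#                && /etc/init.d/firewall restart
```

Skip step 2 when the resolver runs on the router itself, since masquerading hides the real client addresses from AdGuard Home's query log; afterwards `nft list ruleset | grep Intercept-DNS` should show the DNAT rule in the zone's dstnat chain.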