DNS interception fw rule blocks DNS requests over ipv6

I'm trying to configure openwrt to intercept all lan DNS requests and redirect them to local DNS.

I'm using the configuration documented in https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#command-line_instructions

This is my /etc/config/firewall:

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

With this configuration it seems using ipv4 DNS requests both to local DNS server and external DNS server are properly handled and external ones are redirected to local one.

❯ dig +short www.google.com @

❯ dig +short www.google.com @

On the other hand, DNS requests over ipv6 seem to fail:

❯ dig +short www.google.com @fdb7:ff**:****::1            # Lan dns
;; connection timed out; no servers could be reached

❯ dig +short www.google.com @2606:4700:4700::1111        # External dns
;; connection timed out; no servers could be reached

If I disable the dns_int firewall rule, DNS requests over ipv6 work with no problem:

❯ dig +short www.google.com @fdb7:ff**:****::1

❯ dig +short www.google.com @2606:4700:4700::1111

Of course, if I disable firewall rule, DNS requests are not intercepted nor redirected to local one.

What could I do to debug and fix the problem? Isn't this documented configuration supposed to work with both ipv4 and ipv6?

Ok I discovered the problem.
Given my devices have GUA ipv6 addresses they are seding DNS requests through the address related to WAN6 interface (GUA).

The problem is that the firewall rule in the documentation is not specifying any dest_ip, so, by default nftables redirects the request to local device through same interface that the packet was received, in this case WAN6 interface (althought it was received from LAN, but in case of ipv6 local network devices have an external address related to WAN network).

According to nftables documentation:


There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

It seems in this case, even option src 'lan' is specified, incoming interface for computing DNAT destination would be wan6 according to source ipv6 address of received packet (GUA ipv6 address).

My DNS server in the device it's bind and listening request from WAN6 interface (and I want to remain like that). So it was being ignored.

Adding a local dest_ip of device in the rule fixed the problem.

Eg, some ULA ipv6 address:

option dest_ip 'fd00::::1'

Be careful, it seems using loopback ipv6 address ::1 for redirecting the package also doesn't work because according to https://www.rfc-editor.org/rfc/rfc4291#section-2.5.3

A packet
received on an interface with a destination address of loopback must
be dropped.
1 Like