Filter DoH traffic with firewall and IP sets forcing LAN clients to switch to plain DNS

Hello
I am trying to block the DoH traffic in the LAN for one Android streaming device following this guide.

But unfortunately I am getting these errors.
I have tried this in OpenWrt 19.07.4 and the latest OpenWrt 22.03.5.

Warning: Section 'doh6' defines no storage method, assuming 'hash'
Warning: Option 'doh'.family has invalid value 'ipv'
Warning: Section 'doh' has invalid options
Warning: Section 'doh' defines no storage method, assuming 'hash'
Warning: Option 'doh_fwd'.family has invalid value 'ipv'
Warning: Section 'doh_fwd' skipped due to invalid options

  • Flushing IPv4 filter table
  • Flushing IPv4 nat table
  • Flushing IPv4 mangle table
  • Flushing IPv4 raw table
  • Flushing IPv6 filter table
  • Flushing IPv6 mangle table
  • Deleting ipset doh
  • Deleting ipset doh6
  • Flushing conntrack table ...
  • Creating ipset doh
    • Loading file /var/ipset-doh
      ! Skipping due to open error: No such file or directory
  • Populating IPv4 filter table
    • Rule 'Allow-DHCP-Renew'
    • Rule 'Allow-Ping'
    • Rule 'Allow-IGMP'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule 'Deny-DoT'
    • Redirect 'Intercept-DNS'
    • Forward 'lan' -> 'wan'
    • Zone 'lan'
    • Zone 'wan'
  • Populating IPv4 nat table
    • Redirect 'Intercept-DNS'
    • Zone 'lan'
    • Zone 'wan'
  • Populating IPv4 mangle table
    • Zone 'lan'
    • Zone 'wan'
  • Populating IPv4 raw table
    • Zone 'lan'
      • Using automatic conntrack helper attachment
    • Zone 'wan'
  • Creating ipset doh6
    • Loading file /var/ipset-doh6
      ! Skipping due to open error: No such file or directory
  • Populating IPv6 filter table
    • Rule 'Allow-DHCPv6'
    • Rule 'Allow-MLD'
    • Rule 'Allow-ICMPv6-Input'
    • Rule 'Allow-ICMPv6-Forward'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule 'Deny-DoT'
    • Rule 'Deny-DoH'
    • Forward 'lan' -> 'wan'
    • Zone 'lan'
    • Zone 'wan'
  • Populating IPv6 mangle table
    • Zone 'lan'
    • Zone 'wan'
  • Set tcp_ecn to off
  • Set tcp_syncookies to on
  • Set tcp_window_scaling to on
  • Running script '/etc/firewall.user'
Has anybody got a similar error? Any suggestions or a solution would be greatly appreciated.
Thank you

Guide probably won't work on an old version like 19.07.

This guide has been updated; before, I had it working in OpenWrt 19.07, but the commands and contents in the guide were different. I have recently upgraded OpenWrt to the latest version, this guide didn't help, then I rolled back to my previous version. It's the same error on both the latest and the old OpenWrt versions. I guess the guide/instructions have changed, but there is a solution that maybe vgaetera can suggest. It seems the guide was last modified 2023/05/02 21:02 by vgaetera.

You could have mentioned it in the 1st post ...

I just did the whole DNS over HTTPS part of the instruction, and it works just fine on 22.03.5.
If there's an issue, it's probably with your C&P.

1 Like

Thank you for the reply, what do you mean by C&P?

C&P = Copy & Paste.

I tried it again, the same error. Would you suggest I type the commands instead of copy-pasting?

On 22.03, I assume?

Did you remove the old entries before retrying, or was this a fresh flash?

Okay, I have flashed to the latest OpenWrt now.
I am getting only this error now:
Section doh (doh) option 'family' specifies invalid value 'ipv'
Section doh (doh) skipped due to invalid options
Section doh_fwd (Deny-DoH) option 'family' specifies invalid value 'ipv'
Section doh_fwd (Deny-DoH) skipped due to invalid options

You must not be running the beginning of the script:

for IPV in 4 6
do
…
done
1 Like
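The loop Dave points to is what makes the guide's `${IPV%4}` and `ipv${IPV}` expansions produce two address families. As an added illustration (mine, not code from the guide or from any post in this thread), the script below renders the guide's uci commands for one address family at a time without executing them, so you can see exactly why running the body with IPV unset yields a single section `doh` with family `ipv`, and what the 4 and 6 passes produce instead. The helper names `render_doh_rules`, `doh_section_for` and `doh_family_for` are mine; the script only prints commands, and piping its output into `sh` on the router is what would apply them.

```shell
#!/bin/sh
# Added illustration, not the guide's or the thread's code: render the guide's
# uci commands for one address family without running them, to show what the
# "for IPV in 4 6" loop supplies and what goes wrong without it.

# $1 is the IP version (4 or 6). ${1%4} strips a trailing "4", so the IPv4
# objects are named "doh"/"doh_fwd" and the IPv6 ones "doh6"/"doh6_fwd".
# With $1 empty (the body run outside the loop) the suffix is "" and the
# family becomes the literal "ipv", which the firewall rejects.
render_doh_rules() {
    SFX="${1%4}"
    cat <<EOF
uci -q delete firewall.doh${SFX}
uci set firewall.doh${SFX}="ipset"
uci set firewall.doh${SFX}.name="doh${SFX}"
uci set firewall.doh${SFX}.family="ipv${1}"
uci set firewall.doh${SFX}.match="net"
uci set firewall.doh${SFX}.loadfile="/var/ipset-doh${SFX}"
uci -q delete firewall.doh${SFX}_fwd
uci set firewall.doh${SFX}_fwd="rule"
uci set firewall.doh${SFX}_fwd.name="Deny-DoH"
uci set firewall.doh${SFX}_fwd.src="lan"
uci set firewall.doh${SFX}_fwd.dest="wan"
uci set firewall.doh${SFX}_fwd.dest_port="443"
uci set firewall.doh${SFX}_fwd.proto="tcp udp"
uci set firewall.doh${SFX}_fwd.family="ipv${1}"
uci set firewall.doh${SFX}_fwd.ipset="doh${SFX} dest"
uci set firewall.doh${SFX}_fwd.target="REJECT"
EOF
}

# Helper names are mine: pull the ipset section name and its family value
# back out of the rendered commands, so the effect of $1 can be checked.
doh_section_for() {
    render_doh_rules "$1" | sed -n 's/^uci set firewall\.\(doh6\{0,1\}\)="ipset"$/\1/p'
}
doh_family_for() {
    render_doh_rules "$1" | sed -n 's/^uci set firewall\.doh6\{0,1\}\.family="\([^"]*\)"$/\1/p'
}

# Stand-alone run: the two passes the guide's loop performs. Piping this
# output into sh on the router would apply it; here it is only printed.
for IPV in 4 6; do
    render_doh_rules "$IPV"
done
```

Calling `doh_family_for ""` reproduces the thread's symptom (`ipv`), while `doh_family_for 4` and `doh_family_for 6` give `ipv4` and `ipv6`, which is what the firewall expects for the two sections.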

I didn't run those as commands.

Please post your /etc/config/firewall

That's part of the how-to; what did you then run?

Thanks for the reply Dave, here I am posting the details:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'


uci -q delete firewall.doh${IPV%4}
uci set firewall.doh${IPV%4}="ipset"
uci set firewall.doh${IPV%4}.name="doh${IPV%4}"
uci set firewall.doh${IPV%4}.family="ipv${IPV}"
uci set firewall.doh${IPV%4}.match="net"
uci set firewall.doh${IPV%4}.loadfile="/var/ipset-doh${IPV%4}"
uci -q delete firewall.doh${IPV%4}_fwd
uci set firewall.doh${IPV%4}_fwd="rule"
uci set firewall.doh${IPV%4}_fwd.name="Deny-DoH"
uci set firewall.doh${IPV%4}_fwd.src="lan"
uci set firewall.doh${IPV%4}_fwd.dest="wan"
uci set firewall.doh${IPV%4}_fwd.dest_port="443"
uci set firewall.doh${IPV%4}_fwd.proto="tcp udp"
uci set firewall.doh${IPV%4}_fwd.family="ipv${IPV}"
uci set firewall.doh${IPV%4}_fwd.ipset="doh${IPV%4} dest"
uci set firewall.doh${IPV%4}_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

After the firewall restart I get the warning message:

Section doh (doh) option 'family' specifies invalid value 'ipv'
Section doh (doh) skipped due to invalid options
Section doh_fwd (Deny-DoH) option 'family' specifies invalid value 'ipv'
Section doh_fwd (Deny-DoH) skipped due to invalid options

It’s incomplete. Please try:

uci show firewall | grep doh

root@OpenWrt:~# uci show firewall | grep doh
firewall.doh=ipset
firewall.doh.name='doh'
firewall.doh.family='ipv'
firewall.doh.match='net'
firewall.doh.loadfile='/var/ipset-doh'
firewall.doh_fwd=rule
firewall.doh_fwd.name='Deny-DoH'
firewall.doh_fwd.src='lan'
firewall.doh_fwd.dest='wan'
firewall.doh_fwd.dest_port='443'
firewall.doh_fwd.proto='tcp udp'
firewall.doh_fwd.family='ipv'
firewall.doh_fwd.ipset='doh dest'
firewall.doh_fwd.target='REJECT'

uci set firewall.doh.family='ipv4'
uci set firewall.doh_fwd.family='ipv4'
uci commit firewall
/etc/init.d/firewall restart

But you’re still missing the IPv6 rules because you didn’t use the for loop to repeat the commands for IPv4 and IPv6.

1 Like

Thanks Dave, it's showing no errors.
I am using an Nvidia Shield for streaming. I have a smartdnsproxy service subscription. Enabling or using IPv6 is not suitable because of the smartdns service. I have it disabled in the router. In the previous version of OpenWrt 19.07 I had the option to add custom rules, for example:
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination xx.xx.xx.xxx
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination xx.xx.xx.xxx
iptables -t nat -A PREROUTING -p udp --dport 853 -j DNAT --to-destination xx.xx.xx.xxx
iptables -t nat -A PREROUTING -p tcp --dport 853 -j DNAT --to-destination xx.xx.xx.xxx

Now I have upgraded to the latest OpenWrt 22.03.5, but I don't have custom rules any more, and this latest version is not in favour of iptables, so I have to use nftables. How can I translate these iptables rules to nftables and load them every time the router reboots?
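On 22.03 the firewall (fw4) builds the nftables ruleset from /etc/config/firewall, so the usual way to keep a DNAT rule across reboots is a uci `config redirect` section rather than a hand-written nft file. As an added example (mine, not code from the thread or from the OpenWrt guide), the script below renders the uci equivalent of the four iptables lines above for a placeholder upstream 192.0.2.53 (a TEST-NET-1 address standing in for the real resolver), limited to traffic from the lan zone rather than every PREROUTING packet. It checks that the address is a dotted quad before rendering and prints the commands instead of running them. The section ids `dns_dnat`/`dot_dnat` and the rule names are mine. Note that the guide's own Intercept-DNS redirect and this one match the same port 53 traffic and the first matching redirect in the configuration wins, so keep only the one whose destination you want.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenWrt guide: render the
# fw4 (uci) equivalent of four iptables DNAT rules for ports 53 and 853.
# 192.0.2.53 below is a constructed placeholder (TEST-NET-1), not a real resolver.

# Accept only a dotted-quad IPv4 address with octets 0-255. uci would store
# "xx.xx.xx.xxx" verbatim and the firewall would then skip the redirect at
# reload time, so the check happens before anything is rendered.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Positional parameters are local to the function, so reuse them for the octets.
    set -- $(echo "$1" | tr '.' ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Render one uci "redirect" section. fw4 turns a redirect with target DNAT
# into an nftables dnat rule in the lan zone's dstnat chain and, because it
# lives in /etc/config/firewall, re-applies it on every boot.
render_redirect() {
    # $1 section id, $2 port, $3 upstream address, $4 rule name
    cat <<EOF
uci -q delete firewall.$1
uci set firewall.$1="redirect"
uci set firewall.$1.name="$4"
uci set firewall.$1.src="lan"
uci set firewall.$1.src_dport="$2"
uci set firewall.$1.proto="tcp udp"
uci set firewall.$1.family="ipv4"
uci set firewall.$1.dest="wan"
uci set firewall.$1.dest_ip="$3"
uci set firewall.$1.dest_port="$2"
uci set firewall.$1.target="DNAT"
EOF
}

# Equivalent of the four iptables lines: tcp+udp on 53 (plain DNS) and 853
# (DNS over TLS), both sent to the upstream. Refuses to render without a
# valid address so a placeholder never reaches the firewall config.
render_dns_redirects() {
    if ! is_ipv4 "$1"; then
        echo "refusing to render: '$1' is not an IPv4 address" >&2
        return 1
    fi
    render_redirect dns_dnat 53 "$1" "Force-DNS-Upstream"
    render_redirect dot_dnat 853 "$1" "Force-DoT-Upstream"
    echo "uci commit firewall"
    echo "/etc/init.d/firewall restart"
}

# Stand-alone run: print the commands. On the router you would review them
# and then apply with:  render_dns_redirects <resolver-ip> | sh
render_dns_redirects 192.0.2.53
```

After applying, `uci show firewall | grep dnat` lists the two sections, and a client's `nslookup` against any resolver is answered by the upstream, which is the check that the DNAT is actually in effect.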

I am trying to intercept the DNS traffic on OpenWrt, then combine it with the smartdnsproxy and protect the DNS traffic.

If you applied everything in the link you posted, you're already doing it.

Why not simply use smartdnsproxy as your upstream DNS in the router?

1 Like