Firewall custom rules DNS rewrite

Hi,

At this time I've got AdGuard Home running on my OpenWRT, but I wish to migrate it to a different machine. For devices not using the DNS server provided by option 6 of DHCP I implemented the following custom rules in the firewall (to make sure that Google DNS is intercepted and ads are blocked):

iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1:53

I altered the destination IP address to new machine, but it caused a DNS loop.
How can I redirect/rewrite all DNS queries destined for other DNS servers (like Google DNS) to my new device (192.168.1.10) and just allow/forward all DNS queries coming from 192.168.1.10?

Thanks in advance!

Kind regards

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'
        option enabled '0'

Add this fragment to /etc/config/firewall, then find the (deactivated) rule in LuCI under Network > Firewall > Port Forwards.

If you want IPv4 and IPv6 on a host other than this router, you need 2 rules.

Slight optimization for generated rule https://github.com/openwrt/firewall4/pull/77

1 Like
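A worked version of that fragment for the situation in the first post, added here as an example (it is not from the thread above and not from the firewall4 project). The loop happens because AdGuard Home on 192.168.1.10 sends its own upstream queries out through br-lan, where the unconditional DNAT catches them and sends them straight back to 192.168.1.10; when the resolver was the router itself, router-originated packets never passed PREROUTING, so there was no loop. The fix is to exclude the resolver host as source (the `!` negation) and to name it as the DNAT destination. The section name `dns_int_v4` and the rule name are assumptions; the address 192.168.1.10 is the one from the question.

```uci
# Added example, not from the thread. Redirect any plain DNS (port 53, TCP and
# UDP) that a LAN client sends to an outside resolver (e.g. Google DNS) to the
# AdGuard Home host 192.168.1.10, but leave 192.168.1.10's own queries alone so
# its upstream lookups are not bounced back to it (that was the loop).
# Section and rule names are assumptions; IPv6 needs a second, family 'ipv6'
# rule with the host's IPv6 address, which the thread does not give.
config redirect 'dns_int_v4'
        option name 'Intercept-DNS-v4'
        option src 'lan'
        option src_ip '!192.168.1.10'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '53'
        option proto 'tcp udp'
        option family 'ipv4'
        option target 'DNAT'
```

Apply it with `/etc/init.d/firewall reload`. The same exclusion for the legacy iptables rules from the first post is `! -s 192.168.1.10` on both PREROUTING lines together with `--to 192.168.1.10:53`. Two checks a practitioner will want: first, from a LAN client, `nslookup example.com 8.8.8.8` should now be answered by AdGuard Home (its query log shows the client), while the same lookup run on 192.168.1.10 itself must still reach the real upstream. Second, because client and resolver share a subnet, capture on a client and confirm the reply appears to come from the address that was queried (8.8.8.8); if it arrives from 192.168.1.10 instead, the router never saw the reply to undo the DNAT and the client will discard it, so the redirect also needs source NAT on the router. Note that this only intercepts classic port-53 DNS: DNS over TLS (853) or DNS over HTTPS (443) from a client or browser bypasses it entirely.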

The line with the ! is the important one :slight_smile:

2 Likes

Thanks for the pointer, added to PR :wink:

Thanks! That did it!
