Firewall rules to redirect outgoing traffic

My ISP spoofs DNS queries. I want to "fix" this. For this I want to redirect all DNS queries to a specified IP:PORT. Now my configuration works for LAN but not for direct queries from my router terminal.

My config.

config redirect
	option name 'Redirect DNS'
	option src 'lan'
	option dest 'wan'
	option src_dport '53'
	option proto 'tcp udp'
	option dest_ip '77.88.8.88'
	option dest_port '1253'
	option target 'DNAT'
	option reflection '0'

It seems direct queries from the router do not use the lan zone, and I don't know how to create a zone for the router itself. I tried to create a zone for loopback and add a redirect rule for it.

config zone
	option name 'loopback'
	option network 'lo'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config redirect
	option name 'Redirect LO DNS'
	option src 'loopback'
	option dest 'wan'
	option src_dport '53'
	option proto 'tcp udp'
	option dest_ip '77.88.8.88'
	option dest_port '1253'
	option target 'DNAT'
	option reflection '0'

But it doesn't work. I checked the generated nft rules.

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
        }

        chain dstnat_lan {
                meta nfproto ipv4 tcp dport 53 counter packets 0 bytes 0 dnat ip to 77.88.8.88:1253 comment "!fw4: Redirect DNS"
                meta nfproto ipv4 udp dport 53 counter packets 0 bytes 0 dnat ip to 77.88.8.88:1253 comment "!fw4: Redirect DNS"
        }

        chain dstnat_loopback {
                meta nfproto ipv4 tcp dport 53 counter packets 0 bytes 0 dnat ip to 77.88.8.88:1253 comment "!fw4: Redirect LO DNS"
                meta nfproto ipv4 udp dport 53 counter packets 0 bytes 0 dnat ip to 77.88.8.88:1253 comment "!fw4: Redirect LO DNS"
        }

There is no iifname "lo" record in chain dstnat.

Now I'm stuck and don't know what to do next.

So I need a rule to redirect DNS queries from the router itself.

why not simply install https-dns-proxy ?
or configure the router's dnsmasq to use 77.88.8.88:1253 as upstream DNS ?

You cannot forward loopback.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "ASUS RT-AX53U",
        "board_name": "asus,rt-ax53u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

Use dnsmasq to feed loopback. Mawk?

With https-dns-proxy installed. In the second case it shows the wrong result.

root@OpenWrt:~# dig rutracker.org

; <<>> DiG 9.18.27 <<>> rutracker.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49674
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rutracker.org.                 IN      A

;; ANSWER SECTION:
rutracker.org.          300     IN      A       104.21.32.39
rutracker.org.          300     IN      A       172.67.182.196

;; Query time: 60 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Aug 21 13:09:22 +05 2024
;; MSG SIZE  rcvd: 74

root@OpenWrt:~# dig @8.8.8.8 rutracker.org

; <<>> DiG 9.18.27 <<>> @8.8.8.8 rutracker.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rutracker.org.                 IN      A

;; ANSWER SECTION:
rutracker.org.          600     IN      A       188.186.146.207

;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Aug 21 13:09:30 +05 2024
;; MSG SIZE  rcvd: 47

it's not wrong, it's different
are you blaming openwrt for showing the wrong result, when you query 8.8.8.8 ?

this could be one of the cases when your ISP would intercept your query.

For this reason I want to redirect ALL port 53 packets to 77.88.8.88:1253. My goal is to avoid YouTube DPI with https://github.com/bol-van/zapret. It checks DNS with

dig -p 53 @77.88.8.88 rutracker.org
dig -p 1253 @77.88.8.88 rutracker.org

My ISP spoofs DNS queries. So I need special settings to "fix" this DNS problem, to pass zapret's DNS check. As I understand it, dnsmasq can't change a direct request to 77.88.8.88:53. So I want to use redirect rules to solve this problem.

you understand incorrectly, how do you think your ISP's DNS IPs got there, came hardcoded with the openwrt image ?

but you'll probably need https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns anyway.

It was applied before. See my first post, where I show my redirect rules. Now it works for LAN.

dig from my PC

[taurus@lix ~]$ dig -p 53 @77.88.8.88 rutracker.org

; <<>> DiG 9.18.28 <<>> -p 53 @77.88.8.88 rutracker.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58890
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rutracker.org. IN A

;; ANSWER SECTION:
rutracker.org. 191 IN A 104.21.32.39
rutracker.org. 191 IN A 172.67.182.196

;; Query time: 41 msec
;; SERVER: 77.88.8.88#53(77.88.8.88) (UDP)
;; WHEN: Wed Aug 21 13:30:18 +05 2024
;; MSG SIZE rcvd: 74

[taurus@lix ~]$ dig -p 1253 @77.88.8.88 rutracker.org

; <<>> DiG 9.18.28 <<>> -p 1253 @77.88.8.88 rutracker.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42978
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rutracker.org. IN A

;; ANSWER SECTION:
rutracker.org. 153 IN A 172.67.182.196
rutracker.org. 127 IN A 104.21.32.39

;; Query time: 71 msec
;; SERVER: 77.88.8.88#1253(77.88.8.88) (UDP)
;; WHEN: Wed Aug 21 13:30:19 +05 2024
;; MSG SIZE rcvd: 74

dig from the OpenWrt router

root@OpenWrt:~# dig -p 53 @77.88.8.88 rutracker.org

; <<>> DiG 9.18.27 <<>> -p 53 @77.88.8.88 rutracker.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37981
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rutracker.org. IN A

;; ANSWER SECTION:
rutracker.org. 600 IN A 188.186.146.207

;; Query time: 10 msec
;; SERVER: 77.88.8.88#53(77.88.8.88) (UDP)
;; WHEN: Wed Aug 21 13:30:31 +05 2024
;; MSG SIZE rcvd: 47

root@OpenWrt:~# dig -p 1253 @77.88.8.88 rutracker.org

; <<>> DiG 9.18.27 <<>> -p 1253 @77.88.8.88 rutracker.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51382
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rutracker.org. IN A

;; ANSWER SECTION:
rutracker.org. 27 IN A 172.67.182.196
rutracker.org. 25 IN A 104.21.32.39

;; Query time: 80 msec
;; SERVER: 77.88.8.88#1253(77.88.8.88) (UDP)
;; WHEN: Wed Aug 21 13:30:33 +05 2024
;; MSG SIZE rcvd: 74
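
As an added check (my code, not from any poster in this thread), the comparison done by hand above can be scripted: parse the two dig outputs for the same resolver on port 53 and on port 1253 and flag the two differences visible in the router's outputs, a different answer set and the OPT pseudosection missing on the port-53 path. The sample outputs are embedded from the posts above so it runs offline; `parse_dig` and `interception_indicators` are names I chose.

```python
import re

# dig outputs from the router posts above (same resolver, port 53 vs 1253),
# embedded as constructed sample input so the check runs offline.
DIG_PORT53 = """\
;; ANSWER SECTION:
rutracker.org. 600 IN A 188.186.146.207

;; SERVER: 77.88.8.88#53(77.88.8.88) (UDP)
"""
DIG_PORT1253 = """\
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
rutracker.org. 27 IN A 172.67.182.196
rutracker.org. 25 IN A 104.21.32.39

;; SERVER: 77.88.8.88#1253(77.88.8.88) (UDP)
"""

A_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")

def parse_dig(text):
    """Return (server, has_edns, {ip: ttl}) from dig's human-readable output."""
    server, has_edns, answers, in_answer = None, False, {}, False
    for line in text.splitlines():
        if line.startswith(";; OPT PSEUDOSECTION:"):
            has_edns = True              # the answering server honoured EDNS0
        elif line.startswith(";; SERVER: "):
            server = line.split()[2]     # e.g. 77.88.8.88#53(77.88.8.88)
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            m = A_RR.match(line)
            if m:
                answers[m.group(3)] = int(m.group(2))
            else:
                in_answer = False        # blank line ends the section
    return server, has_edns, answers

def interception_indicators(out_port53, out_alt_port):
    """Flag signs that the port-53 path is answered by a middlebox, not the resolver."""
    _, edns53, a53 = parse_dig(out_port53)
    _, ednsalt, aalt = parse_dig(out_alt_port)
    return {
        "answers_differ": set(a53) != set(aalt),
        "edns_missing_on_53": ednsalt and not edns53,
        "port53": sorted(a53),
        "alt": sorted(aalt),
    }
```

Run it against fresh `dig -p 53` / `dig -p 1253` captures after changing the firewall: once the router's own port-53 queries are redirected, both indicators should come back False.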

I fail to understand the issue, is it the router itself uses the upstream DNS instead of the local one ?
it has nothing to do with the firewall rules.

I can use any DNS server. But my ISP spoofs the answer from the Google DNS server, for example, and puts in its own IP address. But it works only for requests to port 53. If I use a DNS server on port 1253, the ISP doesn't change the answer.

it was a yes/no question ...

change the DNS IP to 127.0.0.1 on your wan port, and tell openwrt to ignore the upstream DNS IPs provided by your ISP.

Actually this solves my problem. I need to apply this with the firewall.

root@OpenWrt:~# nft add table inet my_table
root@OpenWrt:~# nft add chain inet my_table my_chain { type nat hook output priority 0; policy accept; }
root@OpenWrt:~# nft add rule inet my_table my_chain ip saddr 109.xxx.xxx.xxx udp dport 53 dnat to 77.88.8.88:1253
root@OpenWrt:~# nft add rule inet my_table my_chain ip saddr 109.xxx.xxx.xxx tcp dport 53 dnat to 77.88.8.88:1253
root@OpenWrt:~# dig dig -p 53 @77.88.8.88 rutracker.org

; <<>> DiG 9.18.27 <<>> dig -p 53 @77.88.8.88 rutracker.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dig. IN A

;; AUTHORITY SECTION:
. 3285 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024082100 1800 900 604800 86400

;; Query time: 150 msec
;; SERVER: 77.88.8.88#53(77.88.8.88) (UDP)
;; WHEN: Wed Aug 21 13:43:18 +05 2024
;; MSG SIZE rcvd: 107

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19485
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;rutracker.org. IN A

;; ANSWER SECTION:
rutracker.org. 205 IN A 172.67.182.196
rutracker.org. 205 IN A 104.21.32.39

;; Query time: 40 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Aug 21 13:43:18 +05 2024
;; MSG SIZE rcvd: 74

Found the final solution. I need to write my own .nft file, which will be applied by fw4.

/etc/nftables.d/10-custom-filter-chains.nft

# fw4 includes this file inside its own "table inet fw4"; an output-hook nat chain
# catches the router's own locally generated queries, which never pass prerouting/dstnat
chain user_pre_input {
    type nat hook output priority 0; policy accept;
    ip saddr 109.xxx.xxx.xxx udp dport 53 dnat to 77.88.8.88:1253
    ip saddr 109.xxx.xxx.xxx tcp dport 53 dnat to 77.88.8.88:1253
}

Yet another option would be to add something like the below to dnsmasq.

server=/rutracker.org/77.88.8.88#1253
