Force all DNS (4 and 6) to OpenWrt router

Hi all,

I followed the guide:


trying to force all devices on my LAN to use OpenWRT for all DNS queries, but a couple of things are still not clear. The guide instructs to create this redirect rule:
config redirect
	option dest_port '53'
	option src 'wan'
	option name 'Hijack DNS'
	option src_dport '53'
	option target 'DNAT'
	option dest 'lan'

but, shouldn't src and dest be the other way around?

Also, this does not hijack IPv6 DNS queries, does it?

I would appreciate any pointers on how to force all LAN devices to go to the router for their DNS queries.

2 Likes

The page is last edited by @gollyjer.

It's problematic to configure using just the web interface.
There's a tested and working CLI how-to:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

4 Likes

Question about the CLI solution: it requires installation of

opkg install kmod-ipt-nat6

Does this mean IPv6 will be NATed? I thought IPv6 operates without NAT.

The script skips DNAT, SNAT and MASQUERADE rules and clones only REDIRECT rules.
So, it applies NAT6 for DNSv6 traffic only.

1 Like

Hi,

I'm new here and I'm having a problem with the NAT6 configuration above.

I get the following warnings when I restart the firewall:

 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'

I researched a lot before posting here, including trying the configuration described in https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6, but the warnings continue.

I've read reports that there is a bug with NAT6: https://bugs.openwrt.org/index.php?do=details&task_id=500&order=id&sort=desc

So, is there a way to get around this?

My concern is: Are the DNS6 settings working? I don't have enough experience to test this.

I appreciate any help or clarification.

It's problematic to avoid the warnings until the bug is fixed.
But you can safely ignore them.

Use the NAT6 script.

Yes, it is tested on OpenWrt 19.07.*.

2 Likes

I'm glad to know that.

Thank you for your help.

1 Like

These errors are what stopped me from implementing this solution. I was researching to see how severe these errors are or how they impact router operation. Thanks for following up on these.

@vgaetera, how do you "undo" this implementation? I understand that how-to creates a port forward, which is easy to delete if one decides to roll back, but how to remove whatever this does:

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart

Finally, can the above script be substituted by adding it as a custom rule (which would be easy to remove when needed):

iptables-save -t nat \| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \| ip6tables-restore -T nat
opkg --autoremove remove kmod-ipt-nat6
uci -q delete firewall.nat6
uci commit firewall
/etc/init.d/firewall restart
reboot

Yep, but you should use | instead of \| and it still requires installing kmod-ipt-nat6, which is the cause of the warnings.
Anyway, you may need it only when your clients have dual-stack connectivity.

1 Like
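As an added example (not from the OpenWrt wiki or from anyone in this thread) of what the NAT6 include actually hands to ip6tables-restore, this script runs the same sed filter from the quoted /etc/firewall.nat6 over a constructed `iptables-save -t nat` dump, so you can see the "skips DNAT, SNAT and MASQUERADE, clones only REDIRECT" behaviour before enabling it on a router. The ipset name dns_bypass, the port forward and the addresses are made up; it assumes GNU or busybox sed (for \s and \0).

```shell
#!/bin/sh
# Rehearsal of the fw3 NAT6 include: apply the wiki's sed filter to a
# constructed nat-table dump and inspect what would reach ip6tables-restore.

# Constructed sample of `iptables-save -t nat` on an fw3 router that has the
# Intercept-DNS redirect, a bypass ipset, one port forward, SNAT and MASQUERADE.
sample_nat_dump() {
    cat << 'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A zone_lan_prerouting -m set --match-set dns_bypass src -j RETURN
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
-A zone_wan_prerouting -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A zone_wan_postrouting -o eth1 -j SNAT --to-source 203.0.113.5
-A zone_wan_postrouting -o eth1 -j MASQUERADE
COMMIT
EOF
}

# Same expression as the wiki's /etc/firewall.nat6: delete DNAT/SNAT rules,
# delete MASQUERADE rules, and append "6" to every --match-set name so the
# rule refers to the IPv6 twin of the ipset. Only REDIRECT/RETURN logic survives.
nat6_filter() {
    sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/"
}

# What ip6tables-restore -T nat would be fed for this sample.
nat6_preview() {
    sample_nat_dump | nat6_filter
}

# Count lines on stdin matching an extended regex (0 when none, no error).
count_matching() {
    grep -cE -- "$1" || true
}

# Quick checks: how many REDIRECT rules are cloned, and how many real NAT rules leak through.
redirect_rules() { nat6_preview | count_matching '-j REDIRECT'; }
leaked_nat_rules() { nat6_preview | count_matching '-j (DNAT|SNAT|MASQUERADE)'; }
```

Running `nat6_preview` on a real box would be `iptables-save -t nat | nat6_filter`, which is a harmless read-only way to review the rules before letting the include load them.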

Is there a way to monitor this issue to see when the bug gets fixed?

1 Like

Register & subscribe.


Wow, grateful for your support! :smiley: :snowman_with_snow: :christmas_tree:

Just wanted to express my appreciation for your support helping us amateurs. Thank you, and happy upcoming New Year!

1 Like
