I was noticing some occasional DNS leaks on port 53 after configuring DNS over TLS, so I implemented the instructions detailed here: https://openwrt.org/docs/guide-user/services/dns/intercept to intercept and redirect DNS using a DNAT forward. The config suggested is:
# Intercept DNS traffic
uci -q delete firewall.dnsint
uci set firewall.dnsint="redirect"
uci set firewall.dnsint.name="Intercept-DNS"
uci set firewall.dnsint.src="lan"
uci set firewall.dnsint.src_dport="53"
uci set firewall.dnsint.family="ipv4"
uci set firewall.dnsint.proto="tcpudp"
uci set firewall.dnsint.target="DNAT"
uci commit firewall
service firewall restart
It works, but I'm not sure why.
I am confused by the UCI config as it doesn't specify a destination IP for the forward/DNAT rule, which is listed as a mandatory parameter for a DNAT config in the docs here. Then I noticed that there is a note that if the DNAT dest_ip is the same as the router IP, then the rule is interpreted as a DNAT+input rule rather than a DNAT+forward rule. I can only assume there is an undocumented default that if the dest_ip is omitted entirely, it is also interpreted as a DNAT+input rule, which makes some sense logically. Is this the case?
If so, when you view this rule in the LUCI UI, it displays like this:
With the 'Forward to' as 'any host, port 53 in any zone'. This seems... misleading? Does the UI need updating to display these rule types more accurately?
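A check for the leak concern raised above, added here as an example and not code from the post or from the OpenWrt docs: it scans fw4's dstnat chain output for a port-53 rule that redirects or DNATs traffic to the router and reports each rule's packet counter, failing if no such rule exists. The embedded chain text is constructed and only approximates fw4's `nft` output, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify that a port-53 intercept rule is present in the fw4
# ruleset and see how much traffic it has caught.
# On a router, pipe live output in:
#   nft list chain inet fw4 dstnat_lan | dns_intercept_status

# CONSTRUCTED sample; layout approximates fw4, counter values are made up.
SAMPLE_CHAIN='table inet fw4 {
    chain dstnat_lan {
        meta nfproto ipv4 tcp dport 53 counter packets 42 bytes 2730 redirect to :53 comment "!fw4: Intercept-DNS"
        meta nfproto ipv4 udp dport 53 counter packets 1337 bytes 98765 redirect to :53 comment "!fw4: Intercept-DNS"
    }
}'

# Reads an nft chain listing on stdin and prints "<proto> <packets>" for every
# port-53 rule that redirects/DNATs. Exits 1 when no such rule is found, i.e.
# when plain-port-53 DNS from the LAN is not being intercepted at all.
dns_intercept_status() {
    awk '
        /dport 53/ && /(redirect|dnat)/ && /counter packets/ {
            proto = "?"; pkts = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "tcp" || $i == "udp") proto = $i
                if ($i == "packets") pkts = $(i + 1)
            }
            print proto, pkts
            found = 1
        }
        END { if (!found) exit 1 }
    '
}

# Convenience wrapper that runs the check against the constructed sample.
sample_status() {
    printf '%s\n' "$SAMPLE_CHAIN" | dns_intercept_status
}
```

A rule whose counters stay at zero while clients keep resolving names is the sign to look for: queries are reaching the WAN without passing through the redirect.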