Having trouble executing the right command to display DNS (or DNS over HTTPS) traffic

Exeleration-G · October 27, 2020, 2:44pm

Hello,

I'm using OpenWrt 19.07 on an Archer C6 device.

For a different topic, I need to properly display all DNS (or DNS over HTTPS) traffic to and from my Android phone (assigned 192.168.1.136). I'm using tcpdump for this, but it fails to display this traffic properly. Right now, I'm using the command:

# tcpdump -nn -i any "src Telefoon.lan and (port 53 or port 443)"

However, I'm not so certain that all DNS requests are displayed. If I try to ping a local device on my network, nothing shows up.

Remote addresses do seem to work correctly:

(Trying to ping dns.google from my phone)
15:43:02.535493 ethertype IPv4, IP 192.168.1.136.2518 > 192.168.1.1.53: 2714+ PTR? 4.4.8.8.in-addr.arpa. (38)
15:43:02.535493 IP 192.168.1.136.2518 > 192.168.1.1.53: 2714+ PTR? 4.4.8.8.in-addr.arpa. (38)
15:43:02.535493 IP 192.168.1.136.2518 > 192.168.1.1.53: 2714+ PTR? 4.4.8.8.in-addr.arpa. (38)

Is my command constructed well?

vgaetera · October 27, 2020, 4:59pm

Probably you should include DoT:

Most likely it doesn't cover both IPv4 and IPv6.

pwned · October 27, 2020, 7:18pm

Beside that what @vgaetera has written I would not try to dig deeper for this Android s***. I would just verify if my intercept rules for 53 and my reject rules for 853 and 5353 are working. If anything is going over 443 you would have to use dpi on firewall to see and block. If the App has implmented its own "thing" you will not see anything nor be able to block anything.

This may give you an idea how difficult it is in reality. There are Apps nowdays running partially on cloud servers. You will never be able to analyse anything without reverse engineering.

I would avoid applications which are not able to work on a simple LAN. If you want to use it anyway just work with static IP's if this is supported instead of name resolution.

lleachii · October 29, 2020, 1:43pm

It helps to cross-reference - for others to read and gain context:

No, I think I have one that can cover more...but note:

I have no clue what port/protocol your app/phone is using DNS on
Neither do you

tcpdump -vvvn -i <bridge_or_WiFi_interface> ether src <MAC_Addess> and ........

Also, if the OP's running:

VPNs (e.g. Wireguard, OpenVPN, etc.)
Ad/Survey/Usage/Rewards Trackers
Tor (e.g. via Orbot app)
any app that employs the Android VPN icon

The traffic is being tunneled.

Next...a lot of people keep saying that Android does "this and that" with DNS...from my network analysis (at least on an IPv6 enabled network), my Android devices use the advertised ULA IPv6 DNS address to query my OpenWrt router at 53/udp. I run AdBlock...so I would notice if my Android devices didn't work as intended in regards to my DNS services.

Exeleration-G · October 29, 2020, 1:43pm

Thank you for looking at the command. I tried your command and that one is definitely better, I saw that this one captured IPv6 traffic as well apart from just IPv4 traffic. In this case, that's important because it turned out that DNS traffic was happening on the IPv6 address.

vgaetera · October 29, 2020, 3:32pm

Pretty sure it depends on the Android version and available connectivity.
I have an old 6.0, so there's neither DoH nor DoT, just plain DNS.

lleachii · October 29, 2020, 5:09pm

Oh, I just quoted you to note the IPv6 part; but cool!

And @Exeleration-G, glad everything worked out!

system · November 8, 2020, 5:09pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.