Hi, I require some help here.
I have a Private Network on 192.168.1.0/24 with 2 DNS Servers in that range; for this example we are going to use 192.168.1.15 and 192.168.1.16. I also have a Guest Network (isolated on the APs) on 10.0.2.0/24.
Now on the Private Network DHCP is set to use 6,192.168.1.15,192.168.1.16 and it works as it should; however, I would like the Guest Network to be able to use the same IPs.
The Guest network can currently connect to the internet fine; however, I would like it to go through the DNS Servers (Adblock + anonymize via Dnscrypt etc.).
Both networks have their own DHCP Server, but if I place 6,192.168.1.15,192.168.1.16 into the DHCP option on the guest network the internet stops working.
So is there any way I can DNS Hijack or DNS Forward from Guest to LAN then to WAN?
I did have it working before using Custom Rules, which worked, but I forgot to make a backup and thus lost the coding.
If anyone could help I'd be grateful.
trendy
January 26, 2021, 4:54pm
Do you allow it on the firewall?
You are right! I tried the masquerade rules (initially I thought you were saying about the wan postrouting masquerade) and now replies back to clients seem to come from the legitimate nameserver.
Regarding IPv6 why are you trying to masquerade on the wan? Any host contacting some other host on the internet should use the GUA, not the LUA.
I also fixed the reply from unexpected source for ipv6 just with this: ip6tables -t nat -A POSTROUTING -d fd00:bbbb::2 -p udp -m udp --dport 53 -m comment --…
I have the firewall set to something like:
Source Guest
Source Port 53
Destination This Device
Port 53
Not sure if that's correct, like. As for the other links, I will have a look.
Thanks for your reply.
trendy
January 26, 2021, 5:10pm
Source port must not be used.
Source zone guest to destination zone lan, destination IPs, destination port 53, udp.
Then I use the DNS Hijack on top?
@trendy Could you please take a look, I think I get it now
# DNSHIJACKv4
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.15
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT
Edit: It's working now; I used the same rule twice with the different IPs and MAC addresses.
The next question is, do I make another for 192.168.1.16 (DNS2)?
trendy
January 27, 2021, 6:45am
DNS hijack is in a different file.
It doesn't look right. You are missing some lines (allow queries to OpenWrt) and you have changed the line sequence (rules with mac).
It won't hijack to a second, but you can surely allow a second Pihole in the masquerade rules and the rules with mac address.
Yes, I changed the IP and MAC address.
I have it set to
# DNSHIJACKv4 (DNS1)
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dns1 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.25
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dns1
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dns1
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.15 -p udp --dport 80 -j DNAT --to 192.168.1.15
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.15 -j ACCEPT
# DNSHIJACKv4 (DNS2)
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dns2 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.16
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dns2
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dns2
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.16 -p udp --dport 80 -j DNAT --to 192.168.1.16
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.16 -j ACCEPT
The Guest network has internet and ads are blocked; however, with you saying it won't hijack on the second one, only in masquerade, maybe the firewall rule should be
# DNSHIJACKv4 (DNS)
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dns1 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.25
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dns1
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dns1
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.15 -p udp --dport 80 -j DNAT --to 192.168.1.15
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.15 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.16 -p udp --dport 80 -j DNAT --to 192.168.1.16
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.16 -j ACCEPT
trendy
January 27, 2021, 1:53pm
Again you have altered the sequence of the commands and you are causing a loop.
solidus1983:
-j dns1
-j dns2
These targets are not defined.
The second rule for masquerade will never be matched and you are using the wrong destination port 80 instead of 53.
Sorry for being stupid.
OK, so far I have recopied from the forum thread you linked
# DNSHIJACKv4
# Log and hijack to Pihole
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 10.0.2.2
# allow Pihole to query internet
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT
# allow queries to OpenWrt
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d 10.0.2.1 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -d 10.0.2.1 -j ACCEPT
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# other zones
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
Are the 10.x IPs meant to be the LAN IPs? If so, I take it it's the logic of .1 being the router and .2 being the DNS server.
Is there a way to do it via the LuCI GUI?
trendy
January 27, 2021, 4:03pm
That is correct.
Copy the following lines for the second DNS.
add two more lines with the tcp/udp:53 mac address of the second DNS.
Also here add two more lines for the second DNS in case you have a guest or iot zone.
I am not sure, most likely no.
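As an added illustration (not code from this thread), a small first-match model of the nat PREROUTING rules trendy is describing, using the Pi-hole IP, MAC and OpenWrt address from the rule set above; it shows why the two ACCEPT rules must come before the dnshijack jump, since otherwise the Pi-hole's own upstream queries are DNATed back to itself (the loop trendy mentions).

```python
from dataclasses import dataclass
# Constructed values matching the rules above: Pi-hole IP/MAC and OpenWrt itself.
PIHOLE_IP, PIHOLE_MAC, ROUTER_IP = "10.0.2.2", "02:42:C0:A8:01:19", "10.0.2.1"

@dataclass
class Pkt:
    src_mac: str
    dst: str
    proto: str
    dport: int

def rule(target, proto=None, dport=None, dst=None, src_mac=None):
    """One nat rule: every field that is set must match (like -p/--dport/-d/-m mac)."""
    wanted = {"proto": proto, "dport": dport, "dst": dst, "src_mac": src_mac}
    def matches(p):
        return all(v is None or getattr(p, k) == v for k, v in wanted.items())
    return matches, target

def run_chain(chain, pkt):
    """First matching rule decides, as in the kernel; None means nothing matched."""
    for matches, target in chain:
        if matches(pkt):
            return target
    return None

# trendy's order: the Pi-hole's own upstream queries and queries to OpenWrt are
# accepted first; everything else on udp/53 is DNATed to the Pi-hole.
CORRECT = [
    rule("ACCEPT", proto="udp", dport=53, src_mac=PIHOLE_MAC),
    rule("ACCEPT", proto="udp", dport=53, dst=ROUTER_IP),
    rule(("DNAT", PIHOLE_IP), proto="udp", dport=53),
]
# The order the OP posted: the hijack comes first, so the MAC rule below is dead.
WRONG = [
    rule(("DNAT", PIHOLE_IP), proto="udp", dport=53),
    rule("ACCEPT", proto="udp", dport=53, src_mac=PIHOLE_MAC),
]

def classify(chain, pkt):
    # A Pi-hole query that gets DNATed to the Pi-hole is the loop trendy warns about.
    verdict = run_chain(chain, pkt)
    if isinstance(verdict, tuple) and pkt.src_mac == PIHOLE_MAC:
        return "LOOP"
    return verdict

if __name__ == "__main__":
    for name, chain in (("correct", CORRECT), ("wrong", WRONG)):
        print(name, classify(chain, Pkt("aa:bb:cc:dd:ee:ff", "8.8.8.8", "udp", 53)),
              classify(chain, Pkt(PIHOLE_MAC, "1.1.1.1", "udp", 53)))
```

Only the first packet of a connection traverses the nat table, so the verdict modelled here is applied once per DNS conversation.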
There are multiple different methods.
It's possible to use exclusively UCI syntax to redirect IPv4 DNS with no custom rules:
Hijacked DNS timeouts - #6 by vgaetera
Though redirecting IPv6 DNS is more difficult.
Another method:
Then configure Pi-hole to use DNS encryption, e.g. DoT.
And specify Pi-hole as the only upstream resolver for Dnsmasq.
It works for both IPv4 and IPv6 DNS.
Thanks for the reply.
So I have DNS working on Guest with just the following
config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
The network doesn't use IPv6 at all due to the ISP being IPv4 only.
No matter what I tried nothing worked, it kept thinking there was a captive portal, so I simply removed the Guest Network outright (not like I will need it for a while with what's going on in the world).
Thanks for your help @trendy, though; I am very grateful for it.
trendy
January 28, 2021, 8:57am
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
tmomas
Closed
February 7, 2021, 8:57am
This topic was automatically closed 0 minutes after the last reply. New replies are no longer allowed.