Help with fw4 rule configuration

Hello all,
I am trying to force all DNS requests to go to my own Adguard Home container running on 192.168.1.20 on port 53.

I know it is at least partially working because I blocked apple.com as a test and when I did an nslookup apple.com 1.1.1.1 I got 0.0.0.0 so I know that's AGH replying.

If I disable the NAT rule I simply get:

C:\Windows\system32>nslookup apple.com 1.1.1.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Also, when enabled, the request is logged against the router address i.e. 192.168.1.1 instead of my own which is 192.168.1.50.

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Redirect-lan-DNS'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.1.20'
        option dest_port '53'
        option src_ip '!192.168.1.20'
        option family 'ipv4'

config nat
        option name 'Prevents hardcoded DNS clients'
        list proto 'tcp'
        list proto 'udp'
        option src '*'
        option dest_ip '192.168.1.20'
        option dest_port '53'
        option target 'MASQUERADE'

config rule
        option name 'Deny_DoT_853'
        option src '*'
        option dest_port '853'
        option target 'DROP'
        list src_ip '!192.168.1.20'
        option dest 'wan'

config rule
        option name 'Deny_ipv6_DNS_53'
        option family 'ipv6'
        option src '*'
        option dest_port '53'
        option target 'DROP'

Could someone please help with the following:

  1. Are these rules all I need to effectively force all DNS requests to my AGH?
  2. Why does it not work when I disable the NAT rule?
  3. Why does it show the router address instead of my address in the logs when the NAT rule is enabled? Is this something that can be corrected?
  4. Is there a way/tool for me to sort of debug the FW rules or work out the traffic route through the FW?

Thank you in advance

see DNS interception on GL.iNet GL-MT6000 - #2 by AndrewZ and below

  1. no
  2. because agh passes same gateway
  3. it is working according to your rule
  4. option log '1'

Thank you both

@brada4

  1. I'm assuming this is because they can still get through with DoH and DoT, right? I should have been clearer with my question and specified whether the above is enough for port 53 based DNS requests.
  2. Please elaborate if you can. I'm reading it as "forward all traffic on port 53 incoming from the LAN to 192.168.1.20". The NAT rule was meant to trick the requesting IP into thinking that the response is coming from 1.1.1.1 or 8.8.8.8 instead of 192.168.1.20. I'm still learning :slight_smile:
  3. Looks like my rule is wrong. How can I change it so that it would report the correct source IP instead of the router's?
  4. Thank you. I will give that a go.

I will look at this and report back. Thank you

1 no idea, ask where you got the container from. If the container runs a 2nd DHCP server, your efforts on OpenWrt are futile.

2 ditto 1

3 redirect does not work, check log attached to rule.

4 yeah, kinda, you saw it or no?

  1. option log '1' Where do I add this option?

https://openwrt.org/docs/guide-user/firewall/firewall_configuration
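Added example for points 3 and 4 above (not from anyone in this thread): a small script that switches on `option log '1'` for the `Redirect-lan-DNS` redirect from the original post and then summarises the resulting `logread` lines per client, so you can see whether `SRC=` shows the LAN host or the router. The OpenWrt commands (`uci`, `/etc/init.d/firewall`) are only called inside `enable_dns_redirect_log`; the parser runs on the constructed sample lines embedded below, whose layout is a simplified version of the kernel's netfilter log format.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the redirect section is
# still named 'Redirect-lan-DNS' as in the posted config.

# Enable fw4 logging on the named redirect (run as root on the router).
enable_dns_redirect_log() {
    name="${1:-Redirect-lan-DNS}"
    # Look up the UCI section id (e.g. @redirect[0]) whose 'name' matches.
    section=$(uci show firewall | sed -n "s/^firewall\.\([^.]*\)\.name='$name'$/\1/p")
    [ -n "$section" ] || { echo "no section named $name" >&2; return 1; }
    uci set "firewall.$section.log=1"     # same as 'option log 1' in /etc/config/firewall
    uci commit firewall
    /etc/init.d/firewall reload
}

# Read logread text on stdin, keep lines carrying the rule prefix given as $1,
# and print "SRC DST DPT count" per client/destination pair.
summarise_dns_hits() {
    grep -F "$1: " \
      | sed -n 's/.*SRC=\([^ ]*\) DST=\([^ ]*\).* DPT=\([0-9]*\).*/\1 \2 \3/p' \
      | sort | uniq -c | awk '{ print $2, $3, $4, $1 }'
}

# Constructed sample log lines (not a real capture); fields are trimmed to the
# ones the parser uses. The last line belongs to a different rule and is ignored.
SAMPLE_LOG='Mon Jan  1 10:00:01 2024 kern.warn kernel: Redirect-lan-DNS: IN=br-lan OUT= SRC=192.168.1.50 DST=1.1.1.1 PROTO=UDP SPT=51000 DPT=53
Mon Jan  1 10:00:02 2024 kern.warn kernel: Redirect-lan-DNS: IN=br-lan OUT= SRC=192.168.1.50 DST=1.1.1.1 PROTO=UDP SPT=51001 DPT=53
Mon Jan  1 10:00:03 2024 kern.warn kernel: Redirect-lan-DNS: IN=br-lan OUT= SRC=192.168.1.77 DST=8.8.8.8 PROTO=TCP SPT=40200 DPT=53
Mon Jan  1 10:00:04 2024 kern.warn kernel: Deny_DoT_853: IN=br-lan OUT=eth1 SRC=192.168.1.77 DST=1.1.1.1 PROTO=TCP SPT=40201 DPT=853'

# On a real router: logread | summarise_dns_hits Redirect-lan-DNS
printf '%s\n' "$SAMPLE_LOG" | summarise_dns_hits Redirect-lan-DNS
```

The SRC column is the address the redirect saw before any DNAT/MASQUERADE, so a LAN host that still sends to 1.1.1.1 or 8.8.8.8 shows up here with its own IP; clients that appear only in the AGH query log as 192.168.1.1 have been masqueraded by the separate `nat` rule.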