Help with fw4 rule configuration

tam481 · September 23, 2024, 7:02pm

Hello all,
I am trying to force all DNS requests to go to my own Adguard Home container running on 192.168.1.20 on port 53.

I know it is at least partially working because I blocked apple.com as a test and when I did an nslookup apple.com 1.1.1.1 I got 0.0.0.0 so I know that's AGH replying.

If I disable the NA5. T rule I simply get :

C:\Windows\system32>nslookup apple.com 1.1.1.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Also, when enabled, the request is logged against the router address i.e. 192.168.1.1 instead of my own which is 192.168.1.50.

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Redirect-lan-DNS'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.1.20'
        option dest_port '53'
        option src_ip '!192.168.1.20'
        option family 'ipv4'

config nat
        option name 'Prevents hardcoded DNS clients'
        list proto 'tcp'
        list proto 'udp'
        option src '*'
        option dest_ip '192.168.1.20'
        option dest_port '53'
        option target 'MASQUERADE'

config rule
        option name 'Deny_DoT_853'
        option src '*'
        option dest_port '853'
        option target 'DROP'
        list src_ip '!192.168.1.20'
        option dest 'wan'

config rule
        option name 'Deny_ipv6_DNS_53'
        option family 'ipv6'
        option src '*'
        option dest_port '53'
        option target 'DROP'

Could someone please help with the following:

Are these rules all I need to effectively force all DNS requests to my AGH?
Why does it not work when I disable the NAT rule?
Why does it show the router address instead of my address in the logs when the NAT rule is enabled? Is this something that can be corrected?
Is there a way/tool for me to sort of debug the FW rules or workout the traffic route through the FW?

Thank you in advance

AndrewZ · September 23, 2024, 7:09pm

see DNS interception on GL.iNet GL-MT6000 - #2 by AndrewZ and below

brada4 · September 23, 2024, 7:10pm

no
because agh passes same gateway
it is working according to your rule
option log '1'

tam481 · September 24, 2024, 8:56am

Thank you both

@brada4

I'm assuming this is because they can still get through with DoH and DoT right? I should have been clearer with my question and specify whether the above is enough for port 53 based DNS requests.
Please elaborate if you can. I'm reading it as "forward all traffic on port 53 incoming from the LAN to 192.168.1.20". The NAT rule was meant to trick the requesting IP into thinking that the response is coming from 1.1.1.1 or 8.8.8.8 instead of 192.168.1.20. I'm still learning
Looks like my rule is wrong. How can I change it so that it would report the correct source IP instead of the router's?
Thank you. I will give that a go.

tam481 · September 24, 2024, 8:57am

I will look at this and report back. Thank you

brada4 · September 24, 2024, 9:03am

1 no idea, ask where you got container from. If container does 2nd dhcp server your efforts on openwrt are futile.

2 ditto 1

3 redirect does not work, check log at$ached to rule.

4 yeah, kinda, you saw it or no?

tam481 · September 24, 2024, 9:54am

option log '1' Where do I add this option?

brada4 · September 24, 2024, 10:36am

https://openwrt.org/docs/guide-user/firewall/firewall_configuration