Hijacking not fully avoided when clients use own DNS?

Friedrich · October 10, 2024, 9:21pm

Hi everybody!

I have a question concerning DNS hijacking when clients use their own private DNS configuration (e.g. my phone). On my phone, when checking with dnsleak, the OpenWRT's DNS resolvers from stubby do not appear. This still applies when I use a Intercept-DNS rule that forwards all IPv4/6 traffic to the router port 53 which is then sent to stubby. Also, adblock's blacklist does not work properly. Is there a solution without the need of an extra Pi running Pihole oder Adguard Home? This seems especially important for the possibility of parental control.
Thanks in advance!

Cthulhu88 · October 10, 2024, 9:52pm

brada4 · October 10, 2024, 10:11pm

Phones fall back to DoH , you need canary domains to convince them int port53

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

anomeome · October 10, 2024, 10:16pm

DoT on 853, so should be easy enough
DoH on 443, is problematic

Cthulhu88 · October 10, 2024, 10:36pm

You need a blacklist for DNS over HTTPS, which is what Chromium-based browsers tend to use.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#dns_over_https

With that being said, nothing prevents an application from doing DNS, DoT, DoH, DoQ, DNSCrypt, etc to a different address over a non-standard port.

anomeome · October 10, 2024, 10:47pm

No, nothing to stop someone from offering their service on a non-standard port. Got any examples of DoT or DoH on some other port, very doubtful on existence.

Cthulhu88 · October 10, 2024, 11:47pm

A proprietary closed-source application may implement its own resolver, and they may choose to only do name resolutions from their servers. If they are smart enough, they may also predict hijacking and blocking, choosing a non standard port.

Assuming DNS over UDP, at layer 2 or 3 you may capture these and redirect them to your local server (TCP works too, but requires more work, and you probably can't prevent the 3-way handshake with the remote server from happening).
Encrypted traffic is a no go, unless you can predict these exchanges are DNS, and block them.

Sechorda · October 10, 2024, 11:59pm

My Roku's danced around DoH and int to google's DNS. I had this same problem. It was just hard coded.

reinerotto · October 11, 2024, 4:25am

DoH plus private DNS-server/recursor on the web will do the job. However, such a special environment needs quite some effort to be set up. Against such a smart installation you might still be able to fight using DPI. Or even just using wireshark and a lot of patience to examine destination IPs and their correlation
But for standard usage case, DNS intercept, blockage of the well-known DoH-servers and dest port 853 plus blockage of well known VPN-IPs (and blockage of QUIC) should be sufficient. Thats what I am doing in my hobby project for parental control.

Friedrich · October 11, 2024, 7:32am

Thanks for the replies. Have to digest some of the ideas. Here's my configuration.
Do I get right, that if I block the encrypted DoH and DoT, clients try to use unencrypted ways and can be filtered again?

ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd2:xxxxxxxxxxxxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns_metric '20'
	list dns '94.140.14.14'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '94.140.14.14'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option peerdns '0'
	option reqaddress 'try'
	option reqprefix '64'
	list dns '2a10:50c0::ad1:ff'

config interface 'WIFI'
	option proto 'dhcp'
	option peerdns '0'
	list dns '127.0.0.1'
	list dns '0::1'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'Gast'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	list dns '94.140.14.14'

config interface 'IoT'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

config device
	option type 'bridge'
	option name 'br-iot'
	option bridge_empty '1'

cat /etc/config/firewall

config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option family 'any'
	option src 'lan'
	option src_dport '53'

config zone
	option name 'Gast'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'Gast'

config forwarding
	option src 'Gast'
	option dest 'wan'

config rule
	option name 'Guest DHCP DNS'
	option src 'Gast'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'IoT'

config forwarding
	option src 'lan'
	option dest 'IoT'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_wan53'
	option name 'Adblock DNS (wan, 53)'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config rule
	option name 'DNS Leaks'
	option src '*'
	option dest 'wan'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'

brada4 · October 11, 2024, 7:43am

Disable this rule. You do not want to run public DNS server.

egc · October 11, 2024, 8:54am

As already remarked by other you need a DNS hijacking rule for port 53 and for 853 (which nowadays amounts to blocking port 853)

Furthermore you need to set the canary domains for Apple and Google/Firefox

The hard part is blocking DoH servers for that you need e.g. a banip blocklist

I am traveling, so do not have the specific instructions handy but the HTTPS-DNS proxy actually has a setting which does just that (safe the blocking of DoH)

lleachii · October 11, 2024, 10:14am

Just to be clear to both posters with DNS concerns.

A DNS Leak site will show the [Public] IP of the machine that actually did the DNS lookup.

You can configure OpenWrt in one of 2 ways:

your DNS softwware can be configured to use other DNS server (caching DNS)
you configured the OpenWrt to perform the recursive lookup itself (this is a "true" DNS server")

If you configure your machine to do the latter, DNS Leak Tests will show you or your ISP as the nameserver. This is particularly true if you are behind carrier-grade NAT.

I just wanted to note that.

Cthulhu88 · October 11, 2024, 3:38pm

If the resolver implemented by the client is implemented with a fallback to standard DNS, yes.

anomeome · October 11, 2024, 5:04pm

Ya think, well colour me surprised, But, what does that have to do with well known providers, providing well known services, on well known IPs/Ports, Quad9, Google, Cloudflare... Again DoT should not present an issue, DoH on the other hand is problematic, CONTRARY to the post to which I responded.

config rule
	option name 'Block-Public-DNS'
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option dest_port '53 853 5353'
	option proto 'tcpudp'
	option family 'any'
	option target 'REJECT'

Cthulhu88 · October 11, 2024, 5:42pm

You do not want to block dst port 53, at all. You want to redirect traffic targeting port 53 to your local DNS server. If you block all of these ports and an application/system isn't using your local DNS server, you just broke name resolution.
The blocking approach won't work if the application's resolver doesn't have a fallback to standard DNS at port 53. In this case, you've also broke name resolution.
You asked "Got any examples of DoT or DoH on some other port", and I gave you a practical example that is actually employed in some applications. You didn't make any demand that the DNS server had to be hosted by a well-known/big company.
Well-known services have nothing to do with the possibility of DNS leaks. Applications CAN leak DNS on their own, if programmed in such a way.

'network.rrdns' @7747377c
        "lookup":{"addrs":"Array","timeout":"Integer","server":"String","port":"(unknown)","limit":"Integer"}

As an example, this reverse DNS ubus call employed by LuCI uses its own resolver, accepting a server + port pair, and as such, can leak DNS.

Friedrich · October 11, 2024, 9:23pm

Okay thanks again. I am not sure about practical implication from all these aspects. Am I right that it is pretty tricky to filter all DoT/DoH possibilities in order to reach full avoidance of DNS leakage? And is it correct that from a privacy perspective this filtering is not so much of an issue as large companies are not (yet) using it to get their info about "customers"/people?
In fact I think I can try having the phone itself set up as safe for kids and accept its DoT activity. Meanwhile I use the OpenWRT functionality mainly for stationary appliances and hope they stick with unencrypted DNS? Does this make sense? Or is leak to be expected?

Friedrich · October 11, 2024, 10:01pm

Thanks for the guidance! What are these well-know DoH-servers and VPN-IPs? And how to block QUIC? Cheers for some extra help.

Cthulhu88 · October 11, 2024, 10:35pm

Is this just to prevent your kids from accessing adult content and such? If so, I wouldn't worry to much about theoretical DNS leaks.

Set up port 53 redirection to local host, block 853 (DoT) and follow this guide to block DoH addresses: https://openwrt.org/docs/guide-user/services/banip#blocking_doh
DNS over QUIC is port 853 UDP, while DoT is TCP, so just block 853 TCP and UDP.

If something breaks after that, remove the blocks and leave just the port 53 redirection.

Friedrich · October 13, 2024, 12:44pm

One last question. What about the option "Force DNS" in Adblock? Does it help here? Is it even necessary or is it already implemented with the mentioned firewall rule that blocks ports 53 and 853?