How do I bypass dns intercept for one host

I'm using adblock with dns intercept on a snapshot with fw4. I want to allow a single host (ipv4 only) to bypass the dns intercept and access dns servers on the internet.
I am having trouble working out what type of firewall rule to use. Can anyone give me any pointers to work out how to achieve this?
I am comfortable using cli or luci to configure this.

Hope this helps.

You would need two rules. One to do the interception and another rule that is higher priority to ignore the interception if from X client MAC/IP.

Properly set up, it would not matter if people manually set DNS to external services as the router will reroute them. (You need additional rules to block encrypted DNS like DoH, however.)

Unfortunately not. I want to bypass the DNS intercept on my OpenWrt gateway for a single host on the LAN, not configure DHCP to pass out a different DNS server IP. Even if I did that the intercept would just capture the DNS request.

1 Like

Got it in one, but the bit I'm having trouble with is the actual ignore intercept rule. So far the intercept rule works [edit]; it's the ignore intercept rule I haven't sorted yet.

Correct, set it for the single host in question by its MAC.

Perhaps I missed something.

This thread should assist in creating your exception rule.

(edit) https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules

config rule
	option	name		'Reject LAN to WAN for custom IP'
	option	src		'lan'
	option	src_ip		'192.168.1.2'
	option	src_mac		'00:11:22:33:44:55'
	option	src_port	'80'
	option	dest		'wan'
	option	dest_ip		'194.25.2.129'
	option	dest_port	'120'
	option	proto		'tcp'
	option	target		'REJECT'

This rule blocks LAN to WAN but you can adapt it for DNS and set the target to ACCEPT. Then ensure that rule is ABOVE the DNS interception rule so it takes priority.

Small point here, however. These are iptables rules, aka firewall3. If you are using the newer builds of OpenWrt then it uses nftables, aka firewall4. A different method of writing rules is required.

thanks guys
I added the exception bypass by adding a source IP with negation onto the existing intercept rule, i.e.

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option src_ip '!192.168.1.1'
4 Likes
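As an added example (not from the thread), a small Python check that parses the UCI redirect section above and confirms that the negated src_ip exempts exactly one LAN host from the port-53 DNAT; the parser, the helper names and the embedded sample text are assumptions based on the config syntax posted above.

```python
"""Added example (not from the thread): parse the UCI redirect shown above
and report whether a LAN host is exempt from the port-53 DNAT via a negated
src_ip, the fix the last post arrived at."""
import shlex

# Constructed from the redirect section posted above (LAN host assumed).
SAMPLE_CONFIG = """\
config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option src_ip '!192.168.1.1'
"""

def parse_uci(text):
    """Return [(section_type, section_name, {option: value}), ...]."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # handles quoted values
        if not words:
            continue
        if words[0] == "config":
            name = words[2] if len(words) > 2 else None
            sections.append((words[1], name, {}))
        elif words[0] in ("option", "list") and sections:
            sections[-1][2][words[1]] = words[2] if len(words) > 2 else ""
    return sections

def dns_intercepts(text):
    """Only the redirect sections that DNAT incoming port-53 traffic."""
    return [opts for kind, _, opts in parse_uci(text)
            if kind == "redirect" and opts.get("target") == "DNAT"
            and opts.get("src_dport") == "53"]

def host_bypasses_intercept(text, host):
    """True if host falls outside the match of every DNS intercept redirect."""
    intercepts = dns_intercepts(text)
    if not intercepts:
        return False  # nothing intercepts DNS, so there is nothing to bypass
    for opts in intercepts:
        src_ip = opts.get("src_ip", "")
        if src_ip.startswith("!"):  # '!a.b.c.d' exempts exactly that address
            if src_ip[1:].strip() != host:
                return False
        elif not src_ip or src_ip == host:  # unrestricted, or aimed at host
            return False
    return True
```

The negated src_ip is an IPv4 match, which suits the IPv4-only host in the question; on the router itself, `nft list ruleset` shows the rule fw4 actually generated from this section, which is the authoritative check.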

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.