How to DNAT on LuCI? No option to rewrite Destination IP

I want to redirect DNS53

In redirects (DNATs) the internal IP address is the destination rewrite address.


If I understand correctly that you want to forward all DNS requests from local clients to 1.1.1.1:

uci add firewall redirect
uci set firewall.@redirect[-1]=redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='DNS-Redirect'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].dest_ip='1.1.1.1'
uci set firewall.@redirect[-1].dest_port='53'
uci set firewall.@redirect[-1].reflection='0'
uci add_list firewall.@redirect[-1].proto='tcp'
uci add_list firewall.@redirect[-1].proto='udp'
uci commit firewall
/etc/init.d/firewall restart

or



It is highly unlikely that you will see 1.1.1.1 or 8.8.8.8 during a DNS leak test.
Look for the ISP name (Cloudflare or Google).

Check the DNS traffic on the wan interface using tcpdump.

opkg update; opkg install tcpdump; \
if=$(ifstatus wan | grep \"device | awk '{ print $2 }' | sed 's/[",]//g'); \
tcpdump -ennqti "$if" port 53

Hi RSHARM,
open Network => DHCP and DNS.

Under "DNS forwardings" enter your DNS server(s). Save settings.

After that, create a firewall rule to route all DNS traffic to your local DNS server (dnsmasq) like this:

# This will thwart manual DNS client settings and hardcoded DNS servers like in Google devices
config redirect
    option name 'Divert-DNS, port 53'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '53'
    option dest_port '53'
    option target 'DNAT'

Optionally, disable all DNS servers from your ISP in /etc/config/network:

config interface 'wan'    # or 'wan6'
    option peerdns '0'

Restart device or all related services.

(From the dnscrypt-proxy wiki, which provides more useful information about DNS.)

hth

Hard to say w/o any information. Maybe you're missing an IPv6 server for DNS?

Go to "Network => Diagnostics"
Run IPv4Ping, IPv6Ping and dnslookup and see what works.

If it's still not working we might need the config files:

/etc/config/network
/etc/config/dhcp
/etc/config/firewall

Ummm...open the files and copy/paste.

(BTW, they would be in your backup file if you don't know how to use SSH/CLI.)

Providing your config as asked would be very helpful. Your screenshots do not have all information needed.

This is unnecessary.

On the Internet.

@pavelgl @lleachii @jow @ChanL


dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name ''
	option mac ''
	option ip '192.168.1.2'

config host
	option mac ''
	option ip '192.168.1.3'
	option name ''
	option dns '1'

config host
	option name ''
	option mac ''
	option ip '192.168.1.4'

config host
	option name ''
	option dns '1'
	option ip '192.168.1.5'
	option mac ''

config host
	option name ''
	option dns '1'
	option mac ''
	option ip '192.168.1.6'

config host
	option name ''
	option dns '1'
	option mac ''
	option ip '192.168.1.7'

config host
	option name ''
	option mac ''
	option ip '192.168.1.8'

config host
	option name ''
	option mac ''
	option ip '192.168.1.9'

config host
	option mac ''
	option ip ''
	option dns '1'
	option name ''

config host
	option ip '192.168.1.11'
	option mac ''
	option name ''
	option dns '1'

config host
	option mac '00:00:00:00:00:12'
	option ip '192.168.1.12'

config host
	option mac '00:00:00:00:00:13'
	option ip '192.168.1.13'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Private'
	option interface 'Private'
	option start '100'
	option limit '150'
	option leasetime '12h'

firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '68'
	list src_ip '192.168.100.1'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config zone
	option name 'Guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'DROP'
	list network 'Guest'

config rule
	option name 'Router Extender Allow'
	option target 'ACCEPT'
	option src '*'
	option dest '*'
	list src_ip '192.168.1.2'
	list src_ip '192.168.2.1'

config rule
	option direction 'in'
	option device 'eth0.2'
	option target 'DROP'
	option src 'wan'
	option name 'Block Inbound'
	list proto 'all'

config rule
	option name 'IPv6 Block'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option family 'ipv6'
	list proto 'all'

config rule
	option name 'QUIC'
	option dest 'wan'
	option target 'REJECT'
	list proto 'udp'
	option src 'lan'
	option dest_port '80 443'

config rule
	option name 'Private DHCP'
	option dest_port '67 68'
	option target 'ACCEPT'
	option src 'Private'

config rule
	option src 'Guest'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '67 68'
	option name 'Guest DHCP'

config rule
	list dest_ip '10.0.0.1'
	list dest_ip '192.168.1.1'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'Guest DNS'
	option src 'Guest'

config rule
	option src 'Guest'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '80 443'
	option name 'Guest Port Allow'
	list proto 'tcp'

config rule
	option src 'Guest'
	option dest 'wan'
	option target 'REJECT'
	option name 'Guest Block All'
	list proto 'all'

config rule
	option name 'ICMP'
	list proto 'icmp'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option dest 'wan'
	option src 'lan'
	option name 'Allow My DNS'
	list dest_ip '45.*.*.*'
	list dest_ip '45.*.*.*'
	list dest_ip '192.168.1.1'
	list dest_ip '45.*.*.*'
	list dest_ip '45.*.*.*'
	option dest_port '53'

config rule
	option name 'DNS Block Other'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'NTP'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '123 '
	option target 'ACCEPT'
	option limit '10/second'

config rule
	option name 'Allow Ports'
	option dest 'wan'
	option target 'ACCEPT'
	option src 'lan'
	list proto 'tcp'
	option dest_port '80 443 853'

config rule
	list src_ip '192.168.1.3'
	list src_ip '192.168.1.4'
	list src_ip '192.168.1.5'
	list src_ip '192.168.1.6'
	list src_ip '192.168.1.7'
	option dest_port '51820'
	option name 'PortAllow Exception Wireguard'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'

config rule
	option dest_port '5000'
	option target 'ACCEPT'
	option dest 'wan'
	option name 'PortAllow Exception * Website'
	list src_mac ''
	option src 'lan'

config rule
	option target 'ACCEPT'
	option dest 'wan'
	option dest_port '5551'
	option name 'PortAllow Exception * Mobile'
	list src_mac ''
	option src 'lan'

config rule
	option name 'VoWiFi'
	list proto 'udp'
	option src 'lan'
	list src_ip '192.168.1.8'
	list src_ip '192.168.1.9'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	list src_ip '192.168.1.12'
	option dest 'wan'
	option dest_port '500 4500'
	option target 'ACCEPT'

config rule
	option name 'VoWiFi'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '143'
	option target 'ACCEPT'
	list src_ip '192.168.1.8'
	list src_ip '192.168.1.9'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	list src_ip '192.168.1.12'

config forwarding
	option src 'Guest'
	option dest 'wan'

config zone
	option name 'Private'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'Private'

config rule
	option name 'WhatsApp'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list src_ip '192.168.1.8'
	list src_ip '192.168.1.9'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	list src_ip '192.168.1.12'
	list src_ip '192.168.1.13'
	list proto 'tcp'
	option dest_port '4244 5222 5223 5228 5242'

config rule
	option name 'WhatsApp'
	option dest_port '50318 59234'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'WhatsApp'
	list proto 'udp'
	option dest_port '3478 45395'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'ALL'
	option target 'REJECT'
	list proto 'all'
	option src 'lan'
	option dest 'wan'

config redirect
	option target 'DNAT'
	option name 'DNS Rewrite'
	option src 'lan'
	option src_dport '53'
	option dest_ip '8.8.8.8'
	option dest_port '53'
	option enabled '0'

Network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb1:be1c:1ca6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option macaddr '*'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option ip6assign '60'
	option netmask '255.255.255.240'
	list dns '45.*.*.*'

config device
	option name 'eth0.2'
	option macaddr '*'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '45.*'
	list dns '45.*'
	option hostname '*'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option clientid '1F'
	list dns '45.*'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'Guest'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.248'

config interface 'Private'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.248'

Have you read this: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns ?


Yes
Sometimes it works, sometimes it doesn't. Mostly it doesn't.

@jow @pavelgl @lleachii @ChanL

It works when I redirect to gateway (192.168.1.1) but not when I redirect to 9.9.9.9 or 8.8.8.8 or 1.1.1.1

It's not appropriate to mark everyone here to gather attention. One time might be ok, not twice. If I can contribute something useful, I will do so.


That's a strange observation.

As you did not share what you configured, I'm not sure what is not working for you. If I apply the following firewall rules:

1)
config redirect
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option name 'hijack DNS lan'
        option dest 'wan'
        option dest_ip '8.8.8.8'

2)
config redirect
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option name 'hijack DNS lan'
        option dest 'lan'
        option dest_ip '192.168.1.1'

They do the work. Rule 1) redirects DNS traffic to 8.8.8.8; rule 2) redirects DNS traffic to the local resolver listening on 192.168.1.1. Only one of them is needed.

@grrr2 Here is my config
I have replied to my own post with config

Have you tried with my working rule 1)? Is it working for you too, or still not?

This is working -
Here destination is "this device"

config redirect
	option target 'DNAT'
	option name 'DNS Rewrite'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.1.1'
	option dest_port '53'

Also, in "Your Rule 2", why are you using option dest 'lan' and option src 'lan', both lan?

But the same with option dest_ip '8.8.8.8' is not working, that is, "Your Rule 1" isn't working for me.

Yes, this works because "this device" means the router itself, and the IP address is known to the router as it is an interface address existing on the router. But 8.8.8.8 is not known. By specifying the destination zone you tell the firewall where to look, i.e. which kind of traffic it should modify. In your case you want to modify the traffic from lan forwarded to wan. So please use the dest zone and it will be ok.
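The zone rule stated above (and the difference between rule 1) and rule 2) earlier in the thread) can be checked mechanically before a reload. The POSIX shell/awk linter below is an added example, not code from this thread or from OpenWrt: it reads a firewall config in UCI syntax, assumes the caller passes the addresses the router itself owns, and reports every DNAT redirect whose dest_ip is neither a router address nor accompanied by a dest zone; the config in sample_firewall is constructed, not the poster's file.

```shell
# Lint DNAT redirects in an OpenWrt firewall config for the failure mode above:
# an external dest_ip with no 'dest' zone, so the rule never hits lan->wan traffic.

# Constructed sample (three redirect sections), not a real router's config.
sample_firewall() {
  cat <<'EOF'
config redirect
    option target 'DNAT'
    option name 'DNS Rewrite'
    option src 'lan'
    option dest_ip '8.8.8.8'

config redirect
    option target 'DNAT'
    option name 'hijack DNS lan'
    option src 'lan'
    option dest 'wan'
    option dest_ip '8.8.8.8'

config redirect
    option target 'DNAT'
    option name 'DNS to router'
    option src 'lan'
    option dest_ip '192.168.1.1'
EOF
}

# usage: lint_redirects "<addresses owned by the router>" < firewall-config
lint_redirects() {
  awk -v local="$1" -v q="'" '
    function flush(   ip, dest) {        # evaluate the section just finished
      ip = opt["dest_ip"]; dest = opt["dest"]
      if (sect == "redirect" && opt["target"] == "DNAT") {
        if (ip == "" || index(" " local " ", " " ip " ") > 0) v = "OK (redirects to the router itself)"
        else if (dest == "") v = "MISSING dest zone for external dest_ip " ip
        else v = "OK (dest " dest " for " ip ")"
        printf "%s: %s\n", opt["name"], v
      }
      sect = ""; split("", opt)          # reset state for the next section
    }
    $1 == "config" { flush(); sect = $2 }
    $1 == "option" {                     # value is the rest of the line, unquoted
      v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v); opt[$2] = v
    }
    END { flush() }'
}

# Run the linter over the sample with the router's own interface addresses.
lint_sample() { sample_firewall | lint_redirects "192.168.1.1 10.0.0.1 192.168.2.1"; }
```

On a live router the same check runs as `lint_redirects "$(ip -4 -o addr | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ')" < /etc/config/firewall`.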

  1. This is not working. DNS is not redirected.
    RE: This Work.

  2. Unspecified and WAN shows this device


I cannot follow you... Why is the WAN zone used as source? And why 9.9.9.9 in the LAN zone?
You seem to mix up the directions.

You want your LAN clients (=source zone), when they try to reach any ip:53 on WAN for DNS service, to be forced instead to 8.8.8.8:53 (=destination zone WAN).

My example rule 1) does exactly that. Can you try exactly that rule without modification and report back whether it works or not?
