Newbie: redirecting hardcoded DNS to AdGuard's DNS

I am running an OpenWrt snapshot from last week on a GT MT6000 with AdGuard Home. I have read the forums and the official guide on DNS hijacking: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
I have both IPv4 and IPv6.

I made a firewall rule to redirect hardcoded devices, as below:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.1.1'
	option dest_ip '192.168.1.1'
	option dest_port '53'

But the Android tablets still access the 8.8.8.8 DNS despite it not being the upstream server.

As I am not familiar with writing firewall rules, can somebody share prepared rules that redirect both IPv4 and IPv6 and can be inserted directly?

The https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#command-line_instructions should work for you, if you run the commands from SSH instead of using your rule.


Is this how to do it? But there is an error.

Was the file edited manually?

Yes, previously I edited the firewall file to insert the first rule manually, but then reverted it to the original after reading your response.


I managed to run it from SSH with no errors, but DNS is still not redirected to AdGuard. Still going to the hardcoded DNS :frowning:

I came across this script that may work, but I don't know how to put it on the router?

This conclusion is based on ... ?

Please don't post screenshots, but text; use the </> button to wrap it.

I did a DNS leak test after restarting the router and also the Android tablet.

If the leak test was done via browser, I assume you had disabled DoH in it before you ran the test, or implemented the additional DoH and DoT rules to block encrypted DNS traffic from clients, as described in the link you posted earlier?

Yes, that's correct. I did disable DoH in the browser. I configured the browser to use the local DNS, but it still goes to 8.8.8.8. Is there anything else I could try, as the above solution hasn't worked...
When I block 8.8.8.8 and the other IPv4 and IPv6 addresses, it is blocked and doesn't have access, but that is not the solution I would like to work on: redirection.

(On Android) DoT on OS level?

How are you seeing this?

The Android tablets I have only have plain Google DNS, both for IPv4 and IPv6. As above, if I block the IPv4 and IPv6 addresses then they don't use Google DNS.
But with the redirect rule as in the AdGuard wiki, it has not worked so far.

You're not answering the question ....

Also, there is no DoT in my Android on OS level. Only DNS hardcoded in plain numerical form.

I give up, hope you find someone else at the forum who likes tarot or crystal balls ...

Via DNS leak test...

This code hijacks DNS traffic coming from the LAN and sends it to the local DNS running on OpenWrt for resolution. Therefore, on the WAN only DNS traffic generated by OpenWrt is displayed.

firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].dest_ip='192.168.14.1'
firewall.@redirect[0].dest_port='53'
firewall.@redirect[0].src_dip='!192.168.14.1'
firewall.@redirect[0].reflection='0'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].family='ipv4'
firewall.@redirect[0].name='Force-DNS-Redirect'

Local DNS in my case is 192.168.14.1

In the UI

Tested on 22.03.5

On top of that:

  • IPv6 is fully blocked via a firewall rule
  • DoT is blocked by blocking port TCP 853
  • DoH is blocked by using an adblock list. Currently considering expanding the idea to the firewall rules too.
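An added example, not code from the thread or from the OpenWrt project: a small Python audit that parses `uci show firewall` output in the format posted above and reports which address families and protocols the port-53 redirect actually covers, and whether TCP/UDP 853 (DoT) from lan to wan is rejected. The sample dump is constructed from the redirect above plus a hypothetical `Deny-DoT` rule; the default of `proto 'tcp udp'` for rules and redirects, and the inference of a redirect's family from a literal `dest_ip`, are assumptions of the script.

```python
"""Audit an OpenWrt `uci show firewall` dump for plain-DNS interception coverage.

Run on the router (or on a saved dump) as:  uci show firewall | python3 audit_dns.py
Without stdin it audits the constructed sample below.
"""
import sys

# Constructed sample: the IPv4-only redirect from the thread plus a hypothetical
# DoT reject rule (tcp/udp 853, lan -> wan), as the replies describe.
SAMPLE_UCI = """\
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].dest_ip='192.168.14.1'
firewall.@redirect[0].dest_port='53'
firewall.@redirect[0].src_dip='!192.168.14.1'
firewall.@redirect[0].reflection='0'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].family='ipv4'
firewall.@redirect[0].name='Force-DNS-Redirect'
firewall.@rule[9]=rule
firewall.@rule[9].name='Deny-DoT'
firewall.@rule[9].src='lan'
firewall.@rule[9].dest='wan'
firewall.@rule[9].dest_port='853'
firewall.@rule[9].proto='tcp udp'
firewall.@rule[9].target='REJECT'
"""


def parse_uci(text):
    """Turn `uci show` lines into {section: {option: value}}; '.type' holds the section type."""
    sections = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip("'")
        parts = key.split(".", 2)  # config, section, [option]
        if len(parts) < 2:
            continue
        section = sections.setdefault(parts[1], {})
        if len(parts) == 2:
            section[".type"] = value      # e.g. firewall.@redirect[0]=redirect
        else:
            section[parts[2]] = value     # e.g. firewall.@redirect[0].src='lan'
    return sections


def effective_families(section):
    """Families a redirect can apply to (assumption: explicit family wins, then a
    literal dest_ip pins the family, otherwise treat the rule as covering both)."""
    family = section.get("family")
    if family in ("ipv4", "ipv6"):
        return {family}
    dest_ip = section.get("dest_ip", "")
    if ":" in dest_ip:
        return {"ipv6"}
    if "." in dest_ip:
        return {"ipv4"}
    return {"ipv4", "ipv6"}


def audit_dns(sections):
    """Report what the config intercepts: families/protos redirected on 53 and DoT blocking."""
    families, protos = set(), set()
    dot_blocked = False
    for section in sections.values():
        if section.get("enabled", "1") == "0":
            continue
        kind = section.get(".type")
        proto = set(section.get("proto", "tcp udp").split())  # assumed default
        if (kind == "redirect" and section.get("target") == "DNAT"
                and section.get("src") == "lan" and section.get("src_dport") == "53"):
            families |= effective_families(section)
            protos |= proto
        if (kind == "rule" and section.get("src") == "lan" and section.get("dest") == "wan"
                and "853" in section.get("dest_port", "").split()
                and section.get("target") in ("REJECT", "DROP") and {"tcp", "udp"} <= proto):
            dot_blocked = True
    gaps = [f"plain DNS over {fam} is not redirected" for fam in ("ipv4", "ipv6") if fam not in families]
    gaps += [f"{p}/53 is not redirected" for p in ("tcp", "udp") if p not in protos]
    if not dot_blocked:
        gaps.append("DoT (853) from lan to wan is not rejected")
    return {"families": sorted(families), "protos": sorted(protos),
            "dot_blocked": dot_blocked, "gaps": gaps}


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UCI
    result = audit_dns(parse_uci(dump))
    print(result)
```

On the constructed sample the script reports the redirect covering tcp and udp for IPv4 only and DoT rejected, so the single gap it lists is IPv6 plain DNS, which the post above closes by blocking IPv6 entirely rather than redirecting it.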

I managed to get the redirection of plain DNS. However, is there a way to address redirection of hardcoded DoH as well?