8.8.8.8 is just my own example of when I set a client to use 8.8.8.8 and I am expecting it to get hijacked and ultimately directed to my router set DNS:
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option ip4table 'wan'
option peerdns '0'
list dns '185.228.168.168'
list dns '185.228.169.168'
But I understand client still thinks it got response from 8.8.8.8, right?
Ah, so WireGuard doesn't actually have a facility for advertising DNS?
I find it confusing to think about how this would work. So device connects to OpenWrt via DHCP and gets sent 192.168.1.1 as DNS. How would the VPN DNS enter into this equation, if that makes sense?
Is it same as WAN only router sends DNS request through VPN interface? Or do those replace or add to the DNS servers set in WAN?
The packet is hijacked to the process listening to 53 on the router, typically dnsmasq. Then dnsmasq is resolving this query with its own rules and forwarders before sending back the reply to the lan host with the original address on the source field, so the lan host won't feel the packet was hijacked.
lol I find it confusing too...tbh, if I wanted to ensure a particular DNS server went up a particular tunnel, I'd make a /32 static route for it to take that tunnel.
The WAN is the interface that is allowed to make outbound requests...your allow traffic from LAN to WAN, remember (not related more so after the hijack tho)
Now you see where people have "DNS leaks" and they're so confused.
Only if you mean to hijack clients still making requests on 53/udp - then the OpenWrt uses DoT, then yes.
Otherwise, I think you're suggesting a man-in-the-middle attack for DoT...which the protocol is designed to prevent. Otherwise you [should] enable DoT on each client - at least, that's the point after all...
I also wondered about sending everything to destination DNS IPs through VPN, but I think when I last tried that I got funky results (have TV's that need to bypass VPN) and it didn't work so well.
DoT and DoH cannot be hijacked, in the sense that the handshake will fail.
What you can do is to deny access to the DoT port or DoH servers on the wan and force the clients to roll back to using your own resources.
Ah, crap. I thought I could hijack as usual, sending either normal requests to my CleanBrowsing DNS or requests from televisions to CloudFlare DNS, but at the point of the router sending the request to either it includes the extra step of encrypting and sending via DNS over TLS. It sounds like that is not possible?
What would be the best way to achieve such selective DNS use depending on MAC address but in combination with encryption?