My brand new OpenWRT box should redirect all traffic from lan or guest to port 53 (DNS) to a self-defined external IP. Is that possible? Another portion of clients should be served with DNS locally via adguardhome on the usual port 53.
On pfSense this is easy. There you go to the NAT section and redirect internal requests to any IP or port of your liking. Internal to external, external to internal, all in one place.
With OpenWRT, I can only NAT/forward traffic from any zone to some internal IP (no external targets possible).
Idea behind this: clients that force their DNS servers and/or NTP servers should get their requests silently forwarded to my targets. Android is a good example with its habit of talking to 8.8.8.8.
Best would be a solution via luci; I like to have all settings readable in the GUI. I'm aware that I also need to block traffic to 853 (DoT) and the usual DoH IPs. If I'm informed correctly, this could be realised with banIP?
Thanks for the advice! I already deliver the desired DNS servers via DHCP. The kids have their own wifi setup and zone, so this part was the easier one. I just wanted to make sure that nobody bypasses the DNS with manual entries or hard-coded stuff.
The rule from @pavelgl works like a charm in a short test with a Windows client.
Additionally, port 853 is blocked.
DoH blocking is for now not possible, because banip is not ready for 22.03.03. My Asus RT-AX53U is only supported starting with this release.
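One way to express the setup discussed in this thread in /etc/config/firewall, as an added example and not the rule @pavelgl posted: it assumes fw4 on OpenWrt 22.03, zones named 'guest' (the kids) and 'lan', the default masquerading 'wan' zone, and 203.0.113.53 as a placeholder for the chosen external resolver.

```uci
# Added example: fragment for /etc/config/firewall (fw4, OpenWrt 22.03).
# Assumed zone names 'guest', 'lan', 'wan'; 203.0.113.53 is a placeholder.

# 1. Intercept every DNS query leaving the guest zone and DNAT it to the
#    external resolver, no matter which server the client actually asked.
#    The reply comes back through the router because 'wan' masquerades.
config redirect
	option name 'guest-dns-to-external'
	option src 'guest'
	option src_dport '53'
	option dest 'wan'
	option dest_ip '203.0.113.53'
	option dest_port '53'
	option target 'DNAT'
	list proto 'tcp'
	list proto 'udp'
	# option src_mac 'aa:bb:cc:dd:ee:ff'   # placeholder: restrict to one client

# 2. Clients in 'lan' keep the local AdGuard Home: DNAT port 53 to the router
#    itself (no dest_ip), so hard-coded resolvers such as 8.8.8.8 are answered
#    locally instead of bypassing it.
config redirect
	option name 'lan-dns-to-adguard'
	option src 'lan'
	option src_dport '53'
	option target 'DNAT'
	list proto 'tcp'
	list proto 'udp'

# 3. DoT (853) cannot be rewritten, so reject it outright; DoH over 443 still
#    needs an IP/domain block list and is not covered by this fragment.
config rule
	option name 'block-dot-853'
	option src 'guest'
	option dest 'wan'
	option dest_port '853'
	option target 'REJECT'
	list proto 'tcp'
	list proto 'udp'
```

After editing, `/etc/init.d/firewall restart` applies the rules; `nslookup example.com 8.8.8.8` from a guest client should then be answered by the configured resolver, not by 8.8.8.8.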
To follow up on that: I have a similar request, but I want to forward DNS requests for a single MAC address. Therefore, I have created a port forwarding rule as in the solution, and also added the MAC address under Advanced Settings -> Source MAC Address. This seems to work, yet I still have a few questions:
The solution suggested in post 4 relies on the good will of the users to use the DNS server(s) obtained via DHCP. The other solution intercepts all DNS requests and forwards them to the specified DNS server.
Maybe I'm wrong, but is it possible that an installed Adguardhome with the "any interface" setting already intercepts this traffic and always redirects it to itself?
Strange things occur if I set it up to listen on any interface, but want the kids to be redirected to another DNS. For some minutes it may work, but sooner or later the connection is broken and nothing works. No surfing, no DNS. And sometimes the DHCP doesn't do its job. Very curious :S