Verifying DNS Hijack

sec52 · January 27, 2021, 6:05pm

As mentioned in some threads, I configured the firewall using

I tried a browser test and see that my computer (set to 8.8.8.8) is using the intercepted DNS.

When I go to

http://192.168.1.1/cgi-bin/luci/admin/status/realtime/connections

I see connections to 8.8.8.8:53 from my Chromecast and my computer. Does that mean the interception is actually working or not?


IPV4

UDP

192.168.1.185:55439

8.8.8.8:53

448 B (4 Pkts.)

vgaetera · January 27, 2021, 7:15pm

It's easy to verify by sending a DNS query from your PC to a public resolver:

nslookup openwrt.lan 8.8.8.8

It should work when DNS hijacking is enabled and fail otherwise.

slh · January 27, 2021, 9:42pm

Just be aware that browser vendors are increasingly pushing for DoH, similar things are likely to appear on your phones and entertainment devices as well, so you are pretty much on borrowed time with plain DNS hijacking.

sec52 · January 28, 2021, 12:00am

nslookup found my router name. so the udp connections that show up don't mean it is actually connecting to 8.8.8.8:53?

vgaetera · January 28, 2021, 12:13am

The LuCI connections page relies on the original unmodified IP protocol headers.
DNS hijacking uses firewall redirects to modify the destination.
You can also check the packet and traffic counters for the redirects on the firewall status page.

sec52 · January 28, 2021, 4:45pm

what can we do when doh is everywhere?

vgaetera · January 28, 2021, 5:13pm

Disable it when possible and try to avoid purchasing devices and using software that limit your freedom to choose the resolvers.

sec52 · January 29, 2021, 10:00pm

how do you disable doh?

vgaetera · January 29, 2021, 10:03pm

Typically in the browser settings.
You can google specific instructions for your browser.

sec52 · February 1, 2021, 2:24am

oh, i thought there was some way to disable for the whole network, like the dns hijack

Xtreme512 · February 2, 2021, 1:42am

Although you cannot redirect it, you can block those TCP/443 DoH servers in firewall, as many as you find, and there are lists on the internet. You can block TCP/853 DoT as well. Just make sure you don't block the server you use.

I'm doing that in my main home router (MikroTik) and it's automatically updated with a script, also dst-nat'ting port tcp/udp/53 (normal dns) to my own server.

sec52 · February 2, 2021, 6:12am

if you block all the tcp/443 doh and tcp/853 dot, that means the devices eventually fall back to regular dns?

vgaetera · February 2, 2021, 6:48am

Usually clients can failover to plain DNS, but it depends on their own DoH/DoT settings in general.

reinerotto · February 2, 2021, 7:03am

+1. Doing this on my Parental Control (under devleopment) on openwrt, too.

hugepants · February 9, 2021, 7:44pm

Here is a comprehensive and regularly updated list of DoH server IPs which draws from many sources. Ideal for use with banIP on OpenWrt:

jpgpi250 / piholemanual

dibdot · February 9, 2021, 7:53pm

banIP already includes a DoH blocklist (IPv4+Ipv6).

system · February 12, 2021, 7:04am

This topic was automatically closed 0 minutes after the last reply. New replies are no longer allowed.