Verifying DNS Hijack

As mentioned in some threads, I configured the firewall using

I tried a browser test and see that my computer (set to 8.8.8.8) is using the intercepted DNS.

When I go to

http://192.168.1.1/cgi-bin/luci/admin/status/realtime/connections

I see connections to 8.8.8.8:53 from my Chromecast and my computer. Does that mean the interception is actually working or not?


IPV4  UDP  192.168.1.185:55439 -> 8.8.8.8:53  448 B (4 Pkts.)



It's easy to verify by sending a DNS query from your PC to a public resolver:

nslookup openwrt.lan 8.8.8.8

It should work when DNS hijacking is enabled and fail otherwise.


Just be aware that browser vendors are increasingly pushing for DoH, similar things are likely to appear on your phones and entertainment devices as well, so you are pretty much on borrowed time with plain DNS hijacking.


nslookup found my router name. So the UDP connections that show up don't mean it is actually connecting to 8.8.8.8:53?


The LuCI connections page relies on the original unmodified IP protocol headers.
DNS hijacking uses firewall redirects to modify the destination.
You can also check the packet and traffic counters for the redirects on the firewall status page.
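The reply above is the key to reading that connections page: conntrack records two tuples per flow, the original direction (what the client put in the packet, which is what LuCI displays) and the reply direction (rewritten by the redirect, so it names the host that really answered). The following parser, an added example and not code from the thread or from OpenWrt, reads text in the format of /proc/net/nf_conntrack and classifies port-53 flows as redirected, sent to the router directly, or leaked past the hijack. The sample lines are constructed for the example; the router address 192.168.1.1 and client 192.168.1.185 are the ones from the thread, the rest are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines in /proc/net/nf_conntrack format (hypothetical
# flows, not taken from the thread). Each line carries two tuples: the
# original direction (what the client sent, which is what the LuCI
# connections page displays) followed by the reply direction (who actually
# answered after NAT).
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 28 src=192.168.1.185 dst=8.8.8.8 sport=55439 dport=53 src=192.168.1.1 dst=192.168.1.185 sport=53 dport=55439 mark=0 use=1
ipv4     2 udp      17 25 src=192.168.1.120 dst=8.8.8.8 sport=41022 dport=53 src=8.8.8.8 dst=192.168.1.120 sport=53 dport=41022 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.185 dst=203.0.113.7 sport=50212 dport=443 src=203.0.113.7 dst=192.168.1.185 sport=443 dport=50212 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.185 dst=192.168.1.1 sport=55500 dport=53 src=192.168.1.1 dst=192.168.1.185 sport=53 dport=55500 mark=0 use=1
"""

TUPLE_FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


@dataclass
class DnsFlow:
    proto: str
    client: str
    requested_resolver: str  # original dst: the address LuCI shows
    answering_host: str      # reply src: the host that really served the query

    @property
    def redirected(self) -> bool:
        # A DNAT/redirect rule leaves the original tuple untouched and rewrites
        # only the reply side, so the two differ exactly when the hijack fired.
        return self.requested_resolver != self.answering_host


def parse_conntrack(text: str) -> List[DnsFlow]:
    """Extract port-53 flows from nf_conntrack text, keeping both directions."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        pairs = TUPLE_FIELD.findall(line)
        if len(pairs) < 8:  # need src/dst/sport/dport for both directions
            continue
        orig = dict(pairs[:4])
        reply = dict(pairs[4:8])
        if orig.get("dport") != "53":
            continue
        flows.append(DnsFlow(fields[2], orig["src"], orig["dst"], reply["src"]))
    return flows


def report(text: str, router_ip: str) -> Dict[str, List[Tuple[str, str]]]:
    """Classify DNS flows: redirected by the hijack, sent to the router
    directly, or leaked (a public resolver answered, so the redirect missed)."""
    out: Dict[str, List[Tuple[str, str]]] = {
        "redirected": [], "direct_to_router": [], "leaked": []}
    for f in parse_conntrack(text):
        key = (f.client, f.requested_resolver)
        if f.redirected:
            out["redirected"].append(key)
        elif f.requested_resolver == router_ip:
            out["direct_to_router"].append(key)
        else:
            out["leaked"].append(key)
    return out


if __name__ == "__main__":
    # On the router: cat /proc/net/nf_conntrack | python3 this_script.py
    for kind, flows in report(SAMPLE_CONNTRACK, "192.168.1.1").items():
        print(f"{kind}: {flows}")
```

In the sample, the flow from 192.168.1.185 to 8.8.8.8 shows up in LuCI exactly like the row in the first post, yet its reply tuple comes from 192.168.1.1, so it was intercepted. The second client's reply comes from 8.8.8.8 itself, which is what a hijack gap looks like (for instance a device on a zone the redirect rule does not cover).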

What can we do when DoH is everywhere?

Disable it when possible and try to avoid purchasing devices and using software that limit your freedom to choose the resolvers.

How do you disable DoH?

Typically in the browser settings.
You can google specific instructions for your browser.

Oh, I thought there was some way to disable it for the whole network, like the DNS hijack.

Although you cannot redirect it, you can block those TCP/443 DoH servers in the firewall, as many as you find, and there are lists on the internet. You can block TCP/853 DoT as well. Just make sure you don't block the server you use.

I'm doing that in my main home router (MikroTik) and it's automatically updated with a script, also dst-nat'ting port tcp/udp/53 (normal dns) to my own server.

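The "make sure you don't block the server you use" caveat is the part that bites when the server you use sits inside a prefix that a downloaded blocklist covers. The script below is an added example (not the poster's MikroTik script, not banIP, and not code from OpenWrt): it takes a list of DoH/DoT endpoints, carves the operator's own resolvers out of any prefix that contains them, and renders an nftables ruleset that rejects TCP/443 and TCP/853 to the remaining addresses. The blocklist entries are constructed; only 8.8.8.8 is from the thread, the others are RFC 5737 / RFC 3849 documentation ranges standing in for a real list, and the table and set names are my own.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample DoH/DoT endpoint list. 8.8.8.8 appears in the thread; the
# rest are documentation ranges standing in for a real downloaded list.
SAMPLE_BLOCKLIST = [
    "8.8.8.8",
    "203.0.113.10",
    "203.0.113.64/26",
    "198.51.100.0/24",
    "2001:db8:53::/64",
]

Net = ipaddress._BaseNetwork  # IPv4Network | IPv6Network


def build_sets(entries: Iterable[str],
               own_resolvers: Iterable[str]) -> Tuple[List[Net], List[Net]]:
    """Return (ipv4_nets, ipv6_nets) with the operator's own resolvers removed.

    A resolver inside a blocked prefix is carved out by splitting the prefix
    around it (ipaddress.address_exclude), so the rest of the prefix stays
    blocked; an entry equal to the resolver is dropped entirely."""
    keep = [ipaddress.ip_network(r) for r in own_resolvers]  # /32 or /128
    v4: List[Net] = []
    v6: List[Net] = []
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        pieces = [net]
        for host in keep:
            if host.version != net.version:
                continue
            next_pieces = []
            for p in pieces:
                if host.subnet_of(p):
                    next_pieces.extend(p.address_exclude(host))
                else:
                    next_pieces.append(p)
            pieces = next_pieces
        (v4 if net.version == 4 else v6).extend(pieces)
    return sorted(set(v4)), sorted(set(v6))


def is_blocked(v4: List[Net], v6: List[Net], ip: str) -> bool:
    """Would the rendered ruleset reject TCP/443 or TCP/853 to this address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in (v4 if addr.version == 4 else v6))


def render_nft(v4: List[Net], v6: List[Net], own_resolvers: Iterable[str],
               ports: Tuple[int, ...] = (443, 853)) -> str:
    """Emit an nftables ruleset (table/set/chain names are this example's own)."""
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"

    def set_block(name: str, family: str, nets: List[Net]) -> str:
        body = f"type {family}; flags interval;"
        if nets:  # nft rejects an empty 'elements = { }' clause
            body += " elements = { " + ", ".join(map(str, nets)) + " };"
        return f"    set {name} {{ {body} }}"

    lines = ["table inet doh_block {",
             set_block("doh_v4", "ipv4_addr", v4),
             set_block("doh_v6", "ipv6_addr", v6),
             "    chain forward {",
             "        type filter hook forward priority 0; policy accept;"]
    for r in own_resolvers:  # explicit accept first, belt and braces
        fam = "ip" if ipaddress.ip_address(r).version == 4 else "ip6"
        lines.append(f'        {fam} daddr {r} tcp dport {port_set} accept comment "own resolver"')
    lines += [f"        ip daddr @doh_v4 tcp dport {port_set} reject with tcp reset",
              f"        ip6 daddr @doh_v6 tcp dport {port_set} reject with tcp reset",
              "    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    mine = ["198.51.100.53", "2001:db8:53::53"]  # hypothetical own resolvers
    v4, v6 = build_sets(SAMPLE_BLOCKLIST, mine)
    print(render_nft(v4, v6, mine))  # feed to: nft -f -
```

Rejecting with a TCP reset rather than silently dropping makes clients that support fallback give up on DoH quickly instead of waiting for timeouts. Two caveats the thread does not spell out: blocking TCP/443 to an address blocks every HTTPS service hosted there, not just DoH, and DoH over HTTP/3 uses UDP/443 (DoQ uses UDP/853), so a block that only covers TCP leaves those paths open.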

If you block all the TCP/443 DoH and TCP/853 DoT, that means the devices eventually fall back to regular DNS?

Usually clients can failover to plain DNS, but it depends on their own DoH/DoT settings in general.

+1. Doing this on my Parental Control (under development) on OpenWrt, too.

Here is a comprehensive and regularly updated list of DoH server IPs which draws from many sources. Ideal for use with banIP on OpenWrt:

banIP already includes a DoH blocklist (IPv4+IPv6).
