mfigrs DD-WRT Novice Joined: 26 Apr 2019 Posts: 16
Posted: Fri Jun 07, 2019 19:04 Post subject: Redirect IPv6 DNS queries to Pihole
I am using a ddwrt 33555 on Netgear wnr3500Lv1, with a Pihole for network-wide filtering.
I have this iptables code to force redirect ipv4 requests:
Code:
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.10
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.10
The 192.168.1.10 is my pihole.
Anyway, I tried to do something similar for ipv6 requests with `ip6tables`, but I get an error. Looks like the ip6tables in build 33555 does not have the 'nat' table.
Does anyone have a suggestion on how to work around it?
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
mfigrs DD-WRT Novice Joined: 26 Apr 2019 Posts: 16
Posted: Mon Jun 10, 2019 12:42 Post subject:
egc wrote: You can try to use the mangle table to do prerouting things
Oops... It turns out build 33555 does not have the 'mangle' table either. The only table available is 'filter'. Too bad.
On second thought - perhaps 'filter' will do - perhaps I could just drop all ipv6 DNS packets not going to my pihole? How do I accomplish this?
mfigrs DD-WRT Novice Joined: 26 Apr 2019 Posts: 16
Posted: Tue Jun 11, 2019 13:26 Post subject:
Another update:
I tried to simply REJECT all traffic to port 53 that is not coming from my Pihole. However, ip6tables complained that is an unknown option...
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6870 Location: Romerike, Norway
Posted: Tue Jun 11, 2019 14:21 Post subject:
Did you specify the protocol (-p udp)?
mfigrs DD-WRT Novice Joined: 26 Apr 2019 Posts: 16
Posted: Tue Jun 25, 2019 17:41 Post subject:
No, I did not! Had no idea this would make a difference.
I was able to run this command:
Code:
ip6tables -I FORWARD 1 -p udp --dport 53 -d \! xx:yy:zz -j DROP
where "xx:yy:zz" is the IPv6 address of my DNS server.
This has effectively blocked DNS resolution via IPv6 - not perfect, but works.
Thanks for all the advice!
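An added example, not part of the thread or any poster's own commands: a filter-table-only variant of the approach the thread ends on, covering TCP as well as UDP and using explicit ACCEPT rules ahead of the DROP instead of the `!` negation, whose placement differs between ip6tables versions. The function name `dns6_rules` is hypothetical, `2001:db8::10` is a constructed documentation address standing in for the Pi-hole, and `br0` is the LAN bridge from the first post; the script only prints the rules for review.

```shell
#!/bin/sh
# Added example: print ip6tables rules that confine forwarded IPv6 DNS
# to a single resolver using only the 'filter' table (no nat/mangle needed).
# Nothing is executed against the firewall; the output is meant to be
# reviewed and then pasted into the router's firewall script.

dns6_rules() {
    pihole6=$1            # IPv6 address of the resolver (assumption: reachable via FORWARD)
    lan_if=${2:-br0}      # LAN-side interface, br0 as in the thread's IPv4 rules

    # Minimal sanity check: an IPv6 literal always contains a colon.
    case $pihole6 in
        *:*) ;;
        *) echo "usage: dns6_rules <resolver-ipv6-address> [lan-interface]" >&2
           return 1 ;;
    esac

    pos=1
    for proto in udp tcp; do
        # 1) Let the resolver itself reach its upstream servers over IPv6;
        #    a plain "drop everything not destined to the resolver" rule
        #    would also drop these queries.
        echo "ip6tables -I FORWARD $pos -i $lan_if -p $proto -s $pihole6 --dport 53 -j ACCEPT"
        pos=$((pos + 1))
        # 2) Let clients reach the resolver when that traffic is routed
        #    (same-bridge traffic never hits FORWARD, so this is harmless there).
        echo "ip6tables -I FORWARD $pos -i $lan_if -p $proto -d $pihole6 --dport 53 -j ACCEPT"
        pos=$((pos + 1))
        # 3) Drop every other forwarded DNS query coming from the LAN.
        echo "ip6tables -I FORWARD $pos -i $lan_if -p $proto --dport 53 -j DROP"
        pos=$((pos + 1))
    done
}

# Constructed sample invocation with a documentation-range address.
dns6_rules "2001:db8::10" br0
```

Explicit insert positions keep the ACCEPT rules ahead of the DROP for each protocol, so the order of evaluation does not depend on how repeated `-I FORWARD 1` calls would stack.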