How to set up dns 176.103.130.130 correctly in DD-WRT

drdedus
DD-WRT User


Joined: 31 Dec 2013
Posts: 141
Location: Greece

Posted: Fri May 22, 2020 17:24
@SurprisedItWorks I gave the commands without luck.

@Alozaros
When I am doing the standard leak test
https://www.dnsleaktest.com/
or the AdGuard test https://adguard.com/en/test.html
I cannot see the numbers, or at least the DNS provider, I have put in the Static DNS section under Setup > Basic Setup > Network Setup or with iptables for specific IPs.
Even if I see the correct DNS in wifi/ip-status on my mobile phone, when I am doing the DNS leak tests I am getting some DNS numbers that belong to Google.

I have tried a lot of combinations on the TP-Link 841n with 34311 and the TP-Link 842nd with one of the latest versions, without luck.

I read in the other thread for 1.1.1.1
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1126762 a user saying that it is correct to put the DNS we need and leave enabled
DNSMasq for DHCP, DNSMasq for DNS and DHCP-Authoritative, but it is not working for me.


Then I read you saying
"add 1.1.1.1 to your DNS settings
Use DNSMasq for DNS
Forced DNS redirection
Use Local DNS Enabled
No DNS Rebind
Strict Order

and in additional DNSmasq paste:

domain-needed
bogus-priv
no-negcache
no-resolv
server=1.1.1.1"

Also I found the wiki for OpenDNS
https://wiki.dd-wrt.com/wiki/index.php/OpenDNS

But even so it is not working for me.

Can you think of something?
Does the mode I am running the routers in have something to do with that?
Can I try something different?

I am thinking that maybe, because I am behind a Mikrotik router, the administrator has to do something like we do here, to redirect port 53 to his choice of DNS, but I do not want to take it for granted.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3573
Location: UK, London, just across the river..

Posted: Fri May 22, 2020 20:08
hmm, some devices have DNS preset to 8.8.8.8 ggl... like your phone or smart TVs and so on. Then your best bet is, if your router has USB, you can run stubby, which encrypts DNS with TLS encryption...
or you can try to trick that device at router level with iptables rules...

iptables -t nat -I PREROUTING -i br0 -s 192.168.1.xxx -p udp --dport 53 -j DNAT --to 1.1.1.1

set that IP to the device that you are trying; if this rule doesn't work then you'd need stubby...

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 43261 BS WAP/Switch
TP-Link WR740Nv4 ------DD-WRT 43028 BS AP,NAT
TP-Link WR1043NDv2 ----DD-WRT 42287 BS AP,NAT,AD Block,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 43261 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 43290 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 43290 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
drdedus
DD-WRT User


Joined: 31 Dec 2013
Posts: 141
Location: Greece

Posted: Fri May 22, 2020 20:36
It is not working. I tried it before, I think.
Is it hard to install stubby?
I have only a mobile phone here.
Is the TP-Link 842nd with 8MB RAM and a USB port enough?

I was thinking of two other ways, if it is possible.
To check if the adblock DNS provider has some alternative port other than 53.
If there is such an option, will you help to find a solution?

And if we can set up another DD-WRT router I have in another house, working as a PPPoE client, to accept DNS requests from here.
Probably I will have more delay, but if it is easy I can try.
The only problem with that is that there is no one there to do something if something goes wrong in that DD-WRT PPPoE router.
drdedus
DD-WRT User


Joined: 31 Dec 2013
Posts: 141
Location: Greece

Posted: Fri May 22, 2020 20:41
I found that.
"AdGuard DNS uses default port 53. In case port 53 is blocked or unavailable, use port 5353 instead"

How will I redirect everything that goes to 53 to 5353, and how do I have to tick the boxes in setup:
Use DNSMasq for DHCP
Use DNSMasq for DNS
DHCP-Authoritative
Forced DNS Redirection
And in Services?
drdedus
DD-WRT User


Joined: 31 Dec 2013
Posts: 141
Location: Greece

Posted: Fri May 22, 2020 21:04
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 176.103.130.130:5353

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 176.103.130.131:5353

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 176.103.130.130:5353

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 176.103.130.130:5353

I am trying with this. I found it on the internet. The AdGuard DNS test page says that it is OK.

I will try to force the rule to work only for 192.168.1.3/29 but I do not know how the rule has to be.

Edit
I have made this and it looks OK

iptables -t nat -I PREROUTING -i br0 -s 192.168.1.3/29 -p udp --dport 53 -j DNAT --to 8.8.8.8

iptables -t nat -I PREROUTING -i br0 -s 192.168.1.3/29 -p tcp --dport 53 -j DNAT --to 8.8.8.8

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 176.103.130.130:5353

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 176.103.130.131:5353

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 176.103.130.130:5353

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 176.103.130.130:5353

But for sure I want help, if you can, and an answer on whether it is easy and whether I can install stubby with this cheap router and the mobile phone.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 743
Location: Appalachian mountains, USA

Posted: Fri May 22, 2020 22:40
Your last two rules are identical. One of them needs a slightly different destination address.
_________________
Six Linksys WRT1900ACSv2 (40009/41954/42926):
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
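
The point raised in the reply above, turned into a check, as an added example that is not part of any post in the thread: it replays the six commands from the edited post (constructed input copied from the page) in the order `-I` and `-A` place them in the chain, then flags every rule whose match repeats an earlier rule. DNAT is a terminating target, so such a rule is never reached, whether its destination is the same or different. The function names are illustrative.

```shell
#!/bin/sh
# Constructed input: the six commands from the edited post, in the order typed.
RULES='iptables -t nat -I PREROUTING -i br0 -s 192.168.1.3/29 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.3/29 -p tcp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 176.103.130.130:5353
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 176.103.130.131:5353
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 176.103.130.130:5353
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 176.103.130.130:5353'

# Print the chain as it stands after the commands are replayed:
# -I (assumed to carry no position number) inserts at the head, -A appends.
effective_order() {
    printf '%s\n' "$1" | awk '
        / -I PREROUTING / { for (i = n; i >= 1; i--) chain[i + 1] = chain[i]
                            chain[1] = $0; n++; next }
        / -A PREROUTING / { chain[++n] = $0 }
        END { for (i = 1; i <= n; i++) print chain[i] }'
}

# Flag rules whose match spec (everything before -j) repeats an earlier rule.
# Same target as the earlier rule: plain duplicate. Different target: shadowed.
find_dead_rules() {
    effective_order "$1" | awk '
        {
            split($0, part, " -j ")          # part[1] = match, part[2] = target
            key = part[1]
            sub(/^.* PREROUTING /, "", key)  # drop the command and chain prefix
            if (key in first) {
                kind = (part[2] == target[key]) ? "duplicate of" : "shadowed by"
                printf "rule %d %s rule %d (%s)\n", NR, kind, first[key], part[2]
            } else {
                first[key] = NR
                target[key] = part[2]
            }
        }'
}

find_dead_rules "$RULES"
```

Rule numbers in the output are positions in the resulting chain, not the order the commands were typed; `iptables -t nat -L PREROUTING -n -v --line-numbers` on the router shows the same positions with packet counters, where a dead rule stays at zero.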
drdedus
DD-WRT User


Joined: 31 Dec 2013
Posts: 141
Location: Greece

Posted: Sat May 23, 2020 4:23
Thank you.

Just for the conversation: as I understand it, the Mikrotik administrator has blocked anyone from using a DNS of his choice.

When I am using the normal rule without the redirection to port 5353, it is not working.
When the redirection to 5353 is enabled, it is working.

About the fields in setup, is it better to enable or disable these options in setup:
Use DNSMasq for DHCP
Use DNSMasq for DNS
DHCP-Authoritative
Forced DNS Redirection

And in Services the
DNSMasq
Cache DNSSEC data
Local DNS
No DNS Rebind
Query DNS in Strict Order
Add Requestor MAC to DNS Query

Or to put something more in
Additional DNSMasq Options
motherboard
DD-WRT Novice


Joined: 11 Oct 2015
Posts: 14
Location: Stockholm, Sweden

Posted: Sat May 23, 2020 8:08
A little off-topic, I'll take a gamble just to give some hints: outsource your DNS/DHCP from the router.

It's a lot easier, if you have advanced DNS issues and configuration, to put your DNS service on another server.

Example from my setup:

For my main network (ex. 192.168.1.x) I have disabled DHCP on the router and compiled a configured dnsmasq running on a Raspberry Pi. It also serves as a DHCP server for my main network. On the router's firewall, outbound DNS is blocked except for specified DNS servers.

For my guest network (ex. 192.168.2.x) DHCP is enabled on dd-wrt router (see below).

In the router gui [Services>Services: Dnsmasq] I have added:

Code:
# ath1.1 is my guest wifi
interface=ath1.1
except-interface=br0
dhcp-option=ath1.1,6,IP-address-to-dns-server,IP-address-to-dns-server2


And in the router firewall:

Code:
iptables -I FORWARD -p udp --dport 53 -j logdrop
iptables -I FORWARD -p tcp --dport 53 -j logdrop
iptables -I FORWARD -p udp -d isp-dns-server --dport 53 -j ACCEPT
iptables -I FORWARD -p udp -d isp-dns-server2 --dport 53 -j ACCEPT
iptables -I FORWARD -p udp -d raspberry-dns-server --dport 53 -j ACCEPT


In this way guests get access to their own DNS configuration and my main network has another. For example, I use an adblocker on my Raspberry Pi to serve my main network. But for guests there is no adblocking. And if I get some issues due to adblocking, I can quickly test if that's the case by changing networks.

_________________
Build: DD-WRT v3.0-r43055 std (05/05/20)
Router: Netgear AC2600 X4S R7800NE-100PES
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

========= Wireless Config R7800 =========
ath0/5G: AP, AC/N-Mixed, VHT80, Channel: Auto, Auto
ath1/2.4G: AP, NG-Mixed, Wide HT40, Channel: 11 - 2462, Lower
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3573
Location: UK, London, just across the river..

Posted: Sat May 23, 2020 8:56
too many advisors, it will get messy, just wait and watch...