Joined: 28 Jun 2011 Posts: 580 Location: Vilnius, Lithuania
Posted: Mon Jan 29, 2018 20:42 Post subject:
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
FW rules to force DNS redir manually. Can`t check right now though _________________ [Ramips] Nexx WT3020F Openwrt @kernel #4.14.167 (OpenVPN server, Wireguard server, AD blocking, SQM QOS, USB)
turning this setting on completely breaks the internet for me.
I have a pihole (setup on a raspberry pi), static dns 1 is set to its IP. Then in services>additional dnsmasq options, I have:
dhcp-option=6,<pihole IP>
Joined: 14 Dec 2015 Posts: 774 Location: 127.0.0.1
Posted: Wed Jul 24, 2019 6:48 Post subject:
typesk wrote:
turning this setting on completely breaks the internet for me.
I have a pihole (setup on a raspberry pi), static dns 1 is set to its IP. Then in services>additional dnsmasq options, I have:
dhcp-option=6,<pihole IP>
but when I set the option, internet is broken.
I have All DNS set to 0.0.0.0 in the GUI, no forced redirection, two pieholes.
Try that... except of course if you have one, just remove the ,192.168.1.34 part.... Of course use whatever IP you have on the piehole. _________________ Tutorial for flashing WRT series WRT Installation,Upgrade & Basic Setup–Cliff Notes
r52242: WRT3200ACM, WRT1200ACv1 & 1 Velop in bridge mode(IoT subnet), r52242 WRT1900ACv1 AP
Velop:2 WHW0101, RE6500, RE9000(AP)
Spectrum - 1000/50
SysLog Watcher 5, New security Onion box coming soon, Fingboxes, PiHoles, NEMS, Cacti, rpisurv
turning this setting on completely breaks the internet for me.
I have a pihole (setup on a raspberry pi), static dns 1 is set to its IP. Then in services>additional dnsmasq options, I have:
dhcp-option=6,<pihole IP>
but when I set the option, internet is broken.
I have All DNS set to 0.0.0.0 in the GUI, no forced redirection, two pieholes.
Forced DNS redirection directs all DNS traffic back to the router.
Now if the router directs the DNS traffic to the Pi-hole than the Pi-Hole will send out the DNS query but on its way out it passes the router and the router will see DNS traffic and redirects that again to itself so your are toast.
So you have to manually add an IP tables rule to redirect traffic to the router (or to the Pi-Hole so that you do not have to make any other setting) but make an exception for DNS traffic coming from the Pi-hole itself:
But . . following exactly their setup instructions for years . . my router's OpenVPN client setup with ExpressVPN would not use Expvpn's encrypted DNS servers. My Expvpn apps did use Expvpn encrypted servers on Linux, Windows and Android OS's. For the router I depended on the DNSMasq and Forced DNS Redirection using input static, log-free public DNS servers. I didn't use the "recommended" Google DNS servers as, when tested, they show a potential DNS leak as well **adjusts tin foil hat** so not sure why they were recommended?? I assumed this failure to use Expvpn DNS servers was a DD-WRT firmware problem as my router was the only device not using Expvpn DNS encrypted servers with the vpn by default.
A few months ago I noticed some new DNSMasq output in the syslog. When I checked - my router's OpenVPN setup was now using Expvpn's encrypted DNS servers with no potential DNS leaks. All releases since have done the same.
Prior to this new output my entered static DNS servers were used . . always with a potential DNS leak statement. The servers are public, log free so I didn't worry about it as I preferred them to my IP's logged DNS servers. **re-adjusts tin foil hat** (OpenVPN, DNSMasq,Forced Redirection all enabled with Services/Services/Additional Dnsmasq Options - "dhcp-option=6, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx , xxx.xxx.xxx.xxx" (Entered Static DNS Servers) or "interface=tun1" Expvpn CS said either input is fine I decided on using the first but must remember to change it if I change static DNS servers. I noticed no change using either.
If I disable the OpenVPN client the router reverts to using the entered Static DNS's servers. My location is my local IP's server location. The test still indicates there is a potential DNS leak and lists my entered static servers as the source. (OpenVPN disabled, DNSMasq,Forced Redirection still enabled)
Since I had not changed my router's vpn setup (other than rarely the server address) I assume this was a result of a unmentioned firmware fix? The firmware "seems" to be prioritizing my static / vpn DNS servers using my Expvpn encrypted DNS servers when vpn is enabled and my static DNS entries when the openvpn client is disabled.
Tested for DNS leaks using this link before and after the syslog change was noticed - DNS Leak Test - https://www.expressvpn.com/dns-leak-test Would consider this a starting place and would suggest doing the DNS leak test provided by your VPN provider if possible as Expvpn will probably show ANY DNS server besides their own encrypted servers as a potential leak???
This is the new output I noticed . . it appeared when my vpn started using Expvpn encrypted DNS servers. I copied it back in Nov with the intent to post and ask if others had noticed this change but never got around to posting the question.
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain test
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain onion
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain localhost
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain local
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain invalid
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain bind
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *The first address is the Expvpn tun1 server
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *The next three addresses are the static DNS's I entered
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *The last two are the ExpressVPN encrypted DNS servers
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *which the router is now detecting and using by default for DNS
Nov 19 05:33:39 router daemon.info dnsmasq[1464]: read /etc/hosts - 2 addresses
But . . following exactly their setup instructions for years . . my router's OpenVPN client setup with ExpressVPN would not use Expvpn's encrypted DNS servers. My Expvpn apps did use Expvpn encrypted servers on Linux, Windows and Android OS's. For the router I depended on the DNSMasq and Forced DNS Redirection using input static, log-free public DNS servers. I didn't use the "recommended" Google DNS servers as, when tested, they show a potential DNS leak as well **adjusts tin foil hat** so not sure why they were recommended?? I assumed this failure to use Expvpn DNS servers was a DD-WRT firmware problem as my router was the only device not using Expvpn DNS encrypted servers with the vpn by default.
A few months ago I noticed some new DNSMasq output in the syslog. When I checked - my router's OpenVPN setup was now using Expvpn's encrypted DNS servers with no potential DNS leaks. All releases since have done the same.
Prior to this new output my entered static DNS servers were used . . always with a potential DNS leak statement. The servers are public, log free so I didn't worry about it as I preferred them to my IP's logged DNS servers. **re-adjusts tin foil hat** (OpenVPN, DNSMasq,Forced Redirection all enabled with Services/Services/Additional Dnsmasq Options - "dhcp-option=6, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx , xxx.xxx.xxx.xxx" (Entered Static DNS Servers) or "interface=tun1" Expvpn CS said either input is fine I decided on using the first but must remember to change it if I change static DNS servers. I noticed no change using either.
If I disable the OpenVPN client the router reverts to using the entered Static DNS's servers. My location is my local IP's server location. The test still indicates there is a potential DNS leak and lists my entered static servers as the source. (OpenVPN disabled, DNSMasq,Forced Redirection still enabled)
Since I had not changed my router's vpn setup (other than rarely the server address) I assume this was a result of a unmentioned firmware fix? The firmware "seems" to be prioritizing my static / vpn DNS servers using my Expvpn encrypted DNS servers when vpn is enabled and my static DNS entries when the openvpn client is disabled.
Tested for DNS leaks using this link before and after the syslog change was noticed - DNS Leak Test - https://www.expressvpn.com/dns-leak-test Would consider this a starting place and would suggest doing the DNS leak test provided by your VPN provider if possible as Expvpn will probably show ANY DNS server besides their own encrypted servers as a potential leak???
This is the new output I noticed . . it appeared when my vpn started using Expvpn encrypted DNS servers. I copied it back in Nov with the intent to post and ask if others had noticed this change but never got around to posting the question.
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain test
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain onion
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain localhost
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain local
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain invalid
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using local addresses only for domain bind
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *The first address is the Expvpn tun1 server
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *The next three addresses are the static DNS's I entered
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *The last two are the ExpressVPN encrypted DNS servers
Nov 19 05:33:39 router daemon.info dnsmasq[1645]: using nameserver xxx.xxx.xxx.xxx#x *which the router is now detecting and using by default for DNS
Nov 19 05:33:39 router daemon.info dnsmasq[1464]: read /etc/hosts - 2 addresses
Forced DNS redirection directs all DNS traffic back to the router.
Now if the router directs the DNS traffic to the Pi-hole than the Pi-Hole will send out the DNS query but on its way out it passes the router and the router will see DNS traffic and redirects that again to itself so your are toast.
So you have to manually add an IP tables rule to redirect traffic to the router (or to the Pi-Hole so that you do not have to make any other setting) but make an exception for DNS traffic coming from the Pi-hole itself:
At least that is the theory, I do not use it myself
I tried this and the result was certainly that DNS requests to an incorrect/alternate DNS were redirected to my pihole which I can see in the pihole's logs, but no responses make it back to the originating requester PC; they just timeout. But I'm ok with this I guess ultimately if something is using the wrong DNS on my network it can have it's traffic killed for all I care.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed Jan 08, 2020 16:52 Post subject:
I think the whole "forced DNS redirection" thing is simpler than a lot of these posts hypothesize. A DNS request is by default generally sent to port 53 of the DNS server, but "forced..." makes dd-wrt grab port 53 traffic and redirect it to the internal dd-wrt dnsmasq setup. I have "forced..." enabled here.
So if I do nslookup google-analytics.com 9.9.9.9 on my linux laptop to attempt to query Quad9 DNS directly to obtain the IP address of google-analytics.com, I obtain a response of 0.0.0.0 from the dd-wrt DNS setup, as I have that site on a block list. So even though nslookup attempted to bypass the default dd-wrt DNS system and query 9.9.9.9 directly, it was foiled by "forced..." because the query from my laptop was addressed to port 53 at 9.9.9.9, and the router saw the port number and grabbed the request. However, if I modify my query to nslookup -port=9953 google-analytics.com 9.9.9.9 to use an alternative port provided by the Quad9 people, I obtain the IP address 172.217.1.228 instead.
When forced DNS redirection is disabled, a dd-wrt client can successfully send DNS queries anywhere (with details on how to set that up being system dependendent: linux, Windows, etc.). With that option enabled, the client can attempt to send queries elsewhere, but the use of port 53 will be spotted and the request redirected to the router's DNS system. But even when "forced DNS redirection" is enabled, the client can use another DNS server if that server accepts queries on other than port 53 and the client's queries address that port. Many DNS servers provide these alternative ports as a way to get around forced DNS redirection (because it is implemented by some ISPs), though the port numbers vary from one to another. Port 5353 is fairly common.
This all makes "forced DNS redirection" not at all foolproof. It just keeps ordinary users who don't know these details from bypassing router DNS. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Posted: Fri Jul 09, 2021 16:03 Post subject: Sharing my experience
In an effort to hopefully help, and after a couple of breakthroughs myself in the realm of iptables, I thought I would share my experience with DD-WRT, DNS Forced Redirection, multiple VAPs, and Pi-Hole configurations. I started down this journey just wanting to setup the Pi-Hole to tinker, and kept going from there when I found that true IP of clients that were configured to point to the router weren't showing on the dashboard and made troubleshooting more difficult.
My setup:
Netgear R7000 as gateway
3 Networks (2 VAPs) on each band (2.4Ghz and 5Ghz)
The first SSIDs are "my" network--my devices etc..
The 2nd set of SSIDs are for a "guest" network--work, school, and guest devices.
The 3rd set of SSIDs are for an "IoT" network--doorbell, thermostat, garage door opener, etc. devices.
Pi-hole running on raspberry pi that lives on "my" network
Pi-Hole is running DNSCrypt and is configured to point to OpenDNS, with a backup service (disabled) for OpenDNS DoH if needed
Gateway config:
The R7000 has DNSMasq enabled for DNS and DHCP setup. I have OpenDNS resolvers configured on all three DNS servers on the Setup>Basic Setup tab on the Admin UI. Forced redirection is enabled here as well.
On the Services>Services tab in the I have the following config in the "Additional DNSMasq Options textbox:
Code:
# -=:=- Pi-Hole configuration
server=<pi-hole IP on "my" network>
dhcp-option=br0,6,<pi-hole IP on "my" network>
# -=:=- Guest Wifi - Pi-Hole
dhcp-option=br1,6,<pi-hole IP on "my" network>
# -=:=- IoT Wifi - Pi-Hole
dhcp-option=br2,6,<pi-hole IP on "my" network>
# -=:=- Bypass Pi-hole configuration
#server=208.67.222.222
Each VAP pair (2.4Ghz and 5Ghz for Guest Wifi and IoT Wifi are bridged together and each bridge is configured in the Basic>Networking tab to have the Pi-Hole IP on "my" network and forced DNS redirection on.
Lastly, and the latest breakthrough that I'm happy I finally figured out was the iptables portion to make this all work. I have the following rules configured in the firewall config of the Administration>Commands tab which allow all of the VAPs to utilize the Pi-Hole directly for DNS, and for the guest wifi the Pi-Hole Admin UI:
Code:
iptables -I FORWARD -i br1 -o br0 -d <pi-hole IP on "my" network> -p udp --dport dns -j ACCEPT
iptables -I FORWARD -i br2 -o br0 -d <pi-hole IP on "my" network> -p udp --dport dns -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -d <pi-hole IP on "my" network> -p tcp --dport dns -j ACCEPT
iptables -I FORWARD -i br2 -o br0 -d <pi-hole IP on "my" network> -p tcp --dport dns -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -d <pi-hole IP on "my" network> -p tcp --dport www -j ACCEPT
Summary:
Using the OpenDNS resolver IPs forces any "rogue" DNS requests not sent to my router or Pi-Hole to at least go to OpenDNS and have my policies applied while on my network. Any "rogue" DNS requests on the Guest and IoT networks will redirect to my Pi-Hole, and any requests sent to the router will be forwarded to the Pi-Hole.
Yes there are holes (different ports, DoH--hopefully not DNS over TLS as I've blocked port 853 in and out via iptables), but it covers the majority, and if someone (child, guest, etc.) really want to go through the lengths to bypass all of this, more power to them and they will do what they will do no matter what.
I view the config as a padlock. Padlocks keep honest people honest, but it won't stop someone that is determined from breaking/cutting/shooting it to get in.
Hope this helps, let me know if you have any questions and I'll try to answer your questions and help you if I can.
I really enjoy this community and the wealth of knowledge that's out there. Granted I have to sift through things that may or may not be relevant from the last 15 years, but I understand the need for it all as the breadth of devices and config vary greatly. So thank you to those the own it, those that devotedly contribute and help monitor and keep everyone and everything in line, and those that contribute when and where they can like I try to do. Have a good day, all. _________________ R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
Joined: 08 May 2018 Posts: 14224 Location: Texas, USA
Posted: Fri Jul 09, 2021 16:18 Post subject:
Brewder wrote:
Can someone explain to me what this setting does? It's found on the Setup | Basic Setup tab in the DHCP section.
I'm confused what enabling/disabling does.
//Brew
Apparently, this topic has strayed away from the premise in the OP, which was what does this setting do. This setting sends all DNS requests to the router's dnsmasq daemon which then decides what to do with the request; resolve it internally, forward the request to an upstream server, etc. All of this extra information or configuration experience, while helpful and searchable now, has nothing to do with the OP.
From the firmware's internal help file system (http://x.x.x.x/help/HSetup.asp):
Quote:
Forced DNS Redirection
This setting causes all port 53 DNS requests from the LAN to external DNS servers to be redirected to DD-WRT's internal DNSmasq server.
which I can see in the pihole's logs, but no responses make it back to the originating requester PC; they just timeout. But I'm ok with this I guess ultimately if something is using the wrong DNS on my network it can have it's traffic killed for all I care.