[SOLVED] Force all DNS queries to local DNS server

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page Previous  1, 2
Author Message
Extarys
DD-WRT Novice


Joined: 08 Oct 2016
Posts: 17

PostPosted: Mon Jul 01, 2019 15:05    Post subject: Reply with quote
grc wrote:
another combination Very Happy :

in Additional Dnsmasq Options:

    no-resolv
    server=192.168.1.2


+ Firewall:

    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)



Thanks Razz
If I put only those rules, nslookup times out but I see the request on the Pi.
(This is on br0, where the Pi and my computer is)

Code:
nslookup abc.com
;; connection timed out; no servers could be reached


Firewall:
Code:
iptables -t nat -I PREROUTING -i br0 –s ! 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br0 –s ! 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br1 –s ! 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br1 –s ! 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2


Those works though. Except, once again, if I specify static DNS on my local machine.

What could prevent the router from seeing the DNS request on port 53 made by a local machine directly? I think that maybe the router just doesn't see the request and therefore cannot redirect it. Maybe the DNS request is encrypted of some sort, https for example. (I don't use DNSSEC or anything like that) I'm just throwing this out there, I'm not really sure if it would make sense.

I've attached some screenshot of my config.
I try to redirect request to the Pi and not the router itself as I would like to see which IP made the request, but if I redirect everything to the router, the PiHole will only sees 192.168.1.1 as the requester. But that is a problem I can play with after we figured out how to make the DNS resolution locally.

EDIT:
With Wireshark, I can see the request:

Code:
6284   91.958274365   192.168.1.20   1.1.1.1   DNS   77   Standard query 0xe5a4 A cdn1.edgedatg.com

User Datagram Protocol, Src Port: 34496, Dst Port: 53
    Source Port: 34496
    Destination Port: 53
    Length: 43
    Checksum: 0xc3fa [unverified]
    [Checksum Status: Unverified]
    [Stream index: 31]
    [Timestamps]


So DDWRT should be able to intercept the request on port 53 and redirect it.
Sponsor
grc
DD-WRT User


Joined: 11 Jul 2018
Posts: 68

PostPosted: Mon Jul 01, 2019 15:48    Post subject: Reply with quote
use dnsmasq for dns should be checked if you want to try my solution
Extarys
DD-WRT Novice


Joined: 08 Oct 2016
Posts: 17

PostPosted: Mon Jul 01, 2019 17:04    Post subject: Reply with quote
grc wrote:
use dnsmasq for dns should be checked if you want to try my solution


Doing so I have 200 queries to the Pi for a single request and in the router I got:
Quote:

Jul 1 12:01:20 DD-WRT daemon.warn dnsmasq[14729]: Maximum number of concurrent DNS queries reached (max: 150)


And it doesn't work: We’re having trouble finding that site.


If I try a simple:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.2


With Use DNSMasq for DNS Off

I get in wireshark:
Code:
11   0.737462563   192.168.1.20   192.168.1.2   DNS   91   Standard query 0xf77a A push.services.mozilla.com.local


I also see requests to my ISP DNS, but they do not return any results either. So my guess is it's redirecting to the PiHole but the ".local" thing mess it up or something. I don't know.

Once I try a website, it takes about 3-4 minutes for it to appear in the PiHole logs. The router CPU is 5% and there is plenty of RAM. Same for the PiHole.

Crying or Very sad

I attached 2 wireshark DNS resquests and 1 PiHole request history. I believe none of the requests had a response even though the PiHole catches the requests.

I'm sorry this is way harder than I thought it would. I guess we just need to find the right commands and config...
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5215
Location: Akershus, Norway

PostPosted: Mon Jul 01, 2019 17:28    Post subject: Reply with quote
Can the Pihole reach it's upstream dns server?

If not excluded it will be DNAT back to itself.
Extarys
DD-WRT Novice


Joined: 08 Oct 2016
Posts: 17

PostPosted: Mon Jul 01, 2019 20:09    Post subject: Reply with quote
Per Yngve Berg wrote:
Can the Pihole reach it's upstream dns server?

If not excluded it will be DNAT back to itself.

Thanks for your reply.
Yes you are right I need to exclude the Pi (that was a noob move Laughing ) :
Code:
iptables -t nat -A PREROUTING -i br0 –s ! 192.168.1.2 -p tcp --dport 53 -j DNAT --to-destination 192.168.1.2:53
iptables -t nat -A PREROUTING -i br0 –s ! 192.168.1.2 -p udp --dport 53 -j DNAT --to-destination 192.168.1.2:53


If the request is for port 53, if it's coming from br0 and not from 192.168.1.2, this should redirect the request to 192.168.1.2 port 53, right? But it does not. Embarassed I tried ROUTING instead of DNAT and it didn't work either.

I tried blocking DNS requests if it's not from 192.168.1.2 and it works. Why does rerouting the requests doesn't?
Code:

iptables -I FORWARD 1 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -I FORWARD 2 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -I FORWARD 3 -p tcp -d 192.168.1.2 --dport 53 -j ACCEPT
iptables -I FORWARD 4 -p udp -d 192.168.1.2 --dport 53 -j ACCEPT
iptables -I FORWARD 5 -p tcp -s 192.168.1.1/24 -d ! 192.168.1.2 --dport 53 -j REJECT
iptables -I FORWARD 6 -p udp -s 192.168.1.1/24 -d ! 192.168.1.2 --dport 53 -j REJECT

My understanding: If the source or the destination is the Pi on destination port 53, accept. If it's on port 53 but not for the Pi, reject.

I added the 3rd and the 4th FORWARD rules, trying to make sure it can accept request if the destination is 192.168.1.2. I also added "-d ! 192.168.1.2" on the last 2 to make sure not to block requests going to the Pi. I think it's redundant because I already allow requests to it just before, but since it's not working I want to make sure I'm not missing anything.

It blocks all DNS queries if I set DNS to 1.1.1.1 but works perfectly when on Auto DNS.

After reading the iptable manual, I also tried adding "iptables -t nat -A POSTROUTING -j MASQUERADE" after the prerouting rules... didn't do anything, so I removed it.

The Pi can 'nslookup' and so can the router with the above iptables rules. I won't make that mistake again.

EDIT: I found this website where the only rules are:
Code:

iptables -t nat -A PREROUTING -i br0 -p udp ! --source 192.168.1.2 ! --destination 192.168.1.2 --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 192.168.1.2 ! --destination 192.168.1.2 --dport 53 -j DNAT --to 192.168.1.2


But DNS requests from static servers (1.1.1.1) are still not redirected.
Extarys
DD-WRT Novice


Joined: 08 Oct 2016
Posts: 17

PostPosted: Mon Jul 01, 2019 21:26    Post subject: Reply with quote
Well, now I know what's going on Smile

It's kind of working:

Quote:
nslookup google.com
;; reply from unexpected source: 192.168.1.2#53, expected 1.1.1.1#53
;; reply from unexpected source: 192.168.1.2#53, expected 1.1.1.1#53
;; connection timed out; no servers could be reached


Is there a way to "authorize" this? I would like to avoid MASQUARADE because then all requests would be mark as if they were coming from the router, but I'd like to know which client made the request.



EDIT:
I found a way, maybe. According to this reddit post:
Quote:

As for the second solution (multiple subnets), I have no experience with OpenWRT whatsoever, so I can't provide details or examples, but the general actions that you need and should be able to google for are:

If the LAN-ports all behave like one switch on your router (=>you can't configure multiple separate ports/interfaces), find how to configure an additional IP address on the LAN-side of the router, with different subnet. (let's say 192.168.10.0/24) ===> this will allow the additional subnet

2, Make sure the router is the gateway for both the clients (->192.168.1.1) and the pihole (->192.168.10.1). This ensures both clients and pihole must go through the router to reach any subnet than their local one. ===> this will ensure the DNS reply goes through the router, allowing it to remove the DNAT on the reply packet

3, If the traffic between clients and pihole's subnet isn't implicity allowed, find how to add a firewall rule to allow this communication.

4, If the DNAT rule is still applying source-NAT, find how to disable the source-NAT-ing.

note: this is all assuming that you're implementing the DNAT rule to redirect DNS traffic of clients that refuse to use the DHCP-provided DNS server. If on the other hand the actual problem is that your DHCP server is undesirably distributing its own/other IP as the DNS server IP, then you should prioritize fixing that first (->if nothing else works, move DHCP functionality to the pihole), since that will probably fix most or all of the unwanted DNS requests to other servers.

The Pi needs to be on another subnet.
So I assigned port 3 to VLAN 3. Set static IP to 192.168.2.2 in the DHCP static leases.
In Networking I set the IP to 192.168.2.1 (Unbridged) for vlan3.
On the Pi, static ip set to 192.168.2.2... but for the gateway I'm not quite sure if it needs to remain on 192.168.1.1 but I changed it for testing.
Extarys
DD-WRT Novice


Joined: 08 Oct 2016
Posts: 17

PostPosted: Mon Jul 01, 2019 22:45    Post subject: Reply with quote
IT'S WORKING! For now.

As the reddit post said:
Client request Duckduckgo.com
Received by router (192.168.1.1)
Transfered to PiHole (192.168.2.2)
PiHole response to router (192.168.2.1)
Router masquarade the IP
Deliver to client

The request must come from the router so it can change the IP. If the Pihole respond directly to the client, the client will know it's not originated from the server it made the request to.

Setup Tab:
Static DNS 1: 192.168.2.2
Use DNSMasq for DNS: Disable

VLANs tab:
Since my Raspberry Pi is connected to the 3rd port I assigned VLAN 3 to port 3. Not assigned to bridge.

Networking Tab:
VLAN 3:
Unbridged.
Masquerade / NAT: Enabled
IP: 192.168.2.1
Mask: 255.255.255.0

Services Tab:

Static Lease for the Raspberry Pi: 192.168.2.2

Dnsmasq options:
interface=br0,br1
domain=local
local=/local/
listen-address=192.168.2.2

Firewall rules:
iptables -t nat -I PREROUTING -i br0 -p tcp -s ! 192.168.2.2 --dport 53 -j DNAT --to 192.168.2.2:53
iptables -t nat -I PREROUTING -i br0 -p udp -s ! 192.168.2.2 --dport 53 -j DNAT --to 192.168.2.2:53

Inside the Raspberry Pi, the dhcpcd.conf file is set for static ip 192.168.2.2 with the gateway set for 192.168.2.1.

Thanks for all your help!
Very Happy
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4328
Location: Netherlands

PostPosted: Tue Jul 02, 2019 7:33    Post subject: Reply with quote
Glad you got it working, what you describe looks like a rebind attack

Did you Disable "No DNS Rebind" on Services/DNSMasq this is preventing a rebind attack and thus prevents the use of an other local DNS server

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Goto page Previous  1, 2 Display posts from previous:    Page 2 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum