
I'm attempting to force all hosts on my LAN to use a specific DNS server to filter certain material, however I'm running into problems.

I've had problems in the past trying to configure my router's DHCP to assign the desired DNS server to hosts because some users have simply learned to set their own DNS server (Google's 8.8.8.8, for example) on their computers.

Currently, I have an ARP poisoning script to redirect all traffic from the gateway router to my machine. Meanwhile, I have a second python script listening for Port 53 traffic so I can intercept the DNS lookup packets, modify the destination IP from the original DNS server to the desired DNS server, then send them on towards the new DNS server.

Am I thinking about this the right way?

Is there an easier way to force users onto a certain DNS server?

It seems like I'm not even getting any traffic on my machine for port 53, even though the firewall for that port is open, so I don't even have the chance to view the DNS request packets when a user is trying to resolve a DNS lookup, let alone modify the packet.

I would really appreciate any feedback or help. Thanks!

  • Some router software has a feature to force clients to use the router's DNS using firewall rules. You could also do this manually if you can add arbitrary firewall rules to the router. – multithr3at3d Sep 22 '18 at 18:17
  • Why hack your own network with ARP spoofing? A proper setup would filter everything at the gateway, i.e. either redirect all DNS traffic to your own server or block any DNS traffic which is not destined for your own DNS server. Of course, your gateway must support this and it is unclear if it does (a simple self-made Linux system would support this). Anyway, whatever you do to filter DNS, it can be bypassed with DNS over HTTPS (as available in Firefox). – Steffen Ullrich Sep 22 '18 at 18:24
  • I've tried setting up firewall rules and setting the default DNS server in my DHCP settings on the router, but haven't had success. Also, this may be implemented in other LANs that use different types of routers, so this needs to be router agnostic. I am trying to achieve something similar to what Circle does. https://support.meetcircle.com/hc/en-us/articles/115001381932-How-Does-Circle-Work- – Kody_06 Sep 22 '18 at 18:26
  • @user6374022 Steffen's answer is the correct one. If you are looking for a way to do this no matter how cheap the router is, and if you are looking for a way to re-craft your networking traffic by using ARP poisoning, then this is not really a security question anymore. This is starting to look more like a networking question. – schroeder Sep 22 '18 at 22:00

1 Answer

You are close, but there are a couple of issues. Even though traffic may be redirected to your machine as a result of ARP poisoning, your socket on port 53 will not receive any packets that aren't addressed to your system, which will be the case if clients have specified their own DNS server (i.e. your machine is on 192.168.1.x, but the packet is destined for 8.8.8.8; it will likely be forwarded and not processed by your network stack).

To remedy this, you can use some firewall rules. You don't even need your listener on port 53 to accomplish this. Here's an example firewall rule to add to your MitM machine (or router if possible):

iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to-destination <your DNS server's IP address>

This will rewrite any DNS packets passing through your machine to have a destination address of your DNS server, assuming you have no other firewall rules preventing this.

Also, @SteffenUllrich is right; it is a hack to ARP-spoof your own network, and blocking or intercepting DNS is not a foolproof solution. Other protocols will still work, such as DNS-over-HTTPS or DNSCrypt. The users could tunnel their traffic over a VPN or use a proxy server, or many other techniques.

Another, more in-depth solution may be to restrict all outbound traffic on your network and force users to use an HTTP proxy that you control. You'd also have to intercept TLS traffic, meaning you'd need to install certs on all devices.

multithr3at3d
  • When I add the firewall rule to the MitM machine, it doesn't force all traffic through that DNS server. Instead, it sends it through the default DNS servers, and sometimes makes an attempt to route it through my given DNS server, although in the Wireshark log it says: "Destination unreachable (Port unreachable)". Also, the device I'm using does use Mozilla Firefox. Could this be an example of DNS-over-HTTP not allowing me to modify the IP destination? – Kody_06 Sep 22 '18 at 19:58
  • Another thing that's confusing is the DNS lookup goes to the MitM device, but it's allowing it through with the original DNS server as the destination. – Kody_06 Sep 22 '18 at 20:05
  • I mean, if you are seeing DNS packets in Wireshark, they are not over HTTPS. – multithr3at3d Sep 23 '18 at 13:24
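The single DNAT rule in the answer above is the core of the redirect, but on its own it leaves a few gaps a practitioner hits straight away: TCP/53 is not covered, forwarding must be enabled on the box, the resolver's own upstream queries must be exempted or they get rewritten back to it, and if the resolver sits on the same LAN as the clients its replies must still pass back through the redirecting box so conntrack can restore the original destination address the client's stub resolver expects. The script below is an added example, not code from the answer or from any product; the interface name `eth0`, the resolver `192.168.1.5` and the function names are assumptions chosen for illustration. It generates the full ruleset (and the TCP/853 block for DNS-over-TLS, which the answer notes is about the limit of what port-based filtering can do) and only applies it when you pipe the output to a root shell.

```shell
#!/bin/sh
# Added example (not the answer's own code). Generates iptables rules that
# transparently redirect all client DNS on a LAN to one resolver, whether the
# box is the real gateway or an ARP-based man-in-the-middle.
# Assumed/hypothetical values: LAN interface eth0, resolver 192.168.1.5.

# Print the ruleset for the given LAN interface and resolver IP. Nothing is
# applied by this function; pipe its output to "sh" as root to apply it.
dns_redirect_rules() {
    lan_if="$1"
    resolver="$2"
    cat <<EOF
# Transit packets are only processed if forwarding is on; without it the
# client's query to 8.8.8.8 is silently dropped and no DNAT ever happens.
sysctl -w net.ipv4.ip_forward=1
# Do not tell clients to talk to the resolver directly (bypasses the redirect).
sysctl -w net.ipv4.conf.$lan_if.send_redirects=0
# Exempt the resolver's own upstream queries, otherwise they are DNATed back
# to itself and resolution loops.
iptables -t nat -A PREROUTING -i $lan_if -s $resolver -p udp --dport 53 -j RETURN
iptables -t nat -A PREROUTING -i $lan_if -s $resolver -p tcp --dport 53 -j RETURN
# Rewrite every other client query; DNS also uses TCP for large answers.
iptables -t nat -A PREROUTING -i $lan_if -p udp --dport 53 -j DNAT --to-destination $resolver
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 53 -j DNAT --to-destination $resolver
# If the resolver is on the same LAN its reply would otherwise go straight to
# the client with source $resolver, which the client discards because it asked
# 8.8.8.8. Masquerading makes the reply return via this box so conntrack can
# un-DNAT it back to the address the client expects.
iptables -t nat -A POSTROUTING -o $lan_if -d $resolver -p udp --dport 53 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $lan_if -d $resolver -p tcp --dport 53 -j MASQUERADE
# Let the redirected queries and their replies through the FORWARD chain.
iptables -A FORWARD -i $lan_if -d $resolver -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan_if -d $resolver -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS-over-TLS uses a dedicated port and can be refused. DNS-over-HTTPS rides
# on 443 and cannot be singled out by port; only a TLS-intercepting proxy
# or blocking the known resolver endpoints addresses it.
iptables -A FORWARD -i $lan_if -p tcp --dport 853 -j REJECT --reject-with tcp-reset
EOF
}

# Apply the rules (must run as root). Comment lines are dropped before
# execution so the heredoc can stay self-documenting.
apply_dns_rules() {
    dns_redirect_rules "$1" "$2" | grep -v '^#' | sh -e
}

# Running the file directly with two arguments prints the ruleset for review.
if [ "$#" -eq 2 ]; then
    dns_redirect_rules "$1" "$2"
fi
```

Run it as `sh dns_redirect.sh eth0 192.168.1.5` to inspect the output, then `apply_dns_rules eth0 192.168.1.5` from a root shell once it looks right. One check worth doing afterwards is `iptables -t nat -L PREROUTING -v -n`: if the DNAT counters stay at zero while clients are querying, the packets are not reaching the box at all (the ARP redirect is not working), which is a different problem from the one the rule solves.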