
I've brought a wireless router to my office, because there's no free network socket near my place. Every normal computer that is connected via Ethernet cable normally gets an IP and DNS server addresses from the enterprise router by DHCP.

Our organization has some internal addresses that have their own URIs that are resolved by the local DNS server. Now I can access them by IP address, but not URI, as "the host is unknown".

In the DHCP and DNS section of LuCI (OpenWrt's web interface), under the option DNS Forwardings, I specified the addresses of the enterprise DNS servers (they are static), but with no success.

How can I make OpenWrt forward all DNS requests that it can't resolve itself to these enterprise servers, or just forward all DNS traffic to those servers?

Nikolai Kim

3 Answers


Don't bother with DNS forwarding, or with OpenWrt's internal DNS server, just serve the existing DNS servers to your DHCP clients directly. You can do this by setting DHCP option 6, which will be formatted in the web interface like:

6,192.168.32.35,192.168.48.35

You can access the relevant part of the web interface in LuCI by going through Network --> Interfaces --> LAN --> Scroll down to bottom --> "Advanced Settings" tab:

[Image: LuCI DHCP configuration]

I also have to remind you to do this only with the explicit knowledge and approval of your company's network admin, IT department, etc.

Michael Hampton
  • Thank you, it works like a charm! I put `dhcp-option=6, 172.22.9.10, 172.22.10.10` into `/etc/dnsmasq.conf` where the IPs are the DNS server addresses, and now everything is fine. – Nikolai Kim Aug 28 '14 at 12:21
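
The same DHCP option 6 setting applied from the router's shell, as an added example that is not part of the answer: it validates the resolver addresses, builds the option string in the format LuCI expects (`6,ip1,ip2`), and prints the UCI commands that install it on the LAN pool. `dhcp.lan.dhcp_option` is OpenWrt's list option for extra DHCP options; the function names and the `/etc/init.d/dnsmasq` restart step are my assumptions about the router.

```shell
#!/bin/sh
# Added example, not code from the answer: validate resolver addresses, build
# the DHCP option 6 string in the form LuCI expects ("6,ip1,ip2"), and emit
# the UCI commands that apply it to the LAN pool. Assumes OpenWrt's
# dhcp.lan.dhcp_option list option and the dnsmasq init script path.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "6,<ip>,<ip>..." for the given resolvers; fail on a bad address so a
# typo never ends up handed to every DHCP client.
dhcp_option6() {
    [ $# -ge 1 ] || { echo "dhcp_option6: need at least one resolver" >&2; return 1; }
    opt=6
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "dhcp_option6: not an IPv4 address: $ip" >&2; return 1; }
        opt="$opt,$ip"
    done
    printf '%s\n' "$opt"
}

# Emit the UCI commands for the LAN DHCP pool. Existing dhcp_option entries
# are kept (they may carry other options), so remove a stale option 6 by hand.
# Usage on the router:  uci_option6_cmds 172.22.9.10 172.22.10.10 | sh
uci_option6_cmds() {
    opt=$(dhcp_option6 "$@") || return 1
    printf "uci add_list dhcp.lan.dhcp_option='%s'\n" "$opt"
    printf 'uci commit dhcp\n'
    printf '/etc/init.d/dnsmasq restart\n'
}

# Show the commands for the addresses quoted in the comment above.
uci_option6_cmds 172.22.9.10 172.22.10.10
```

Run it once to review the generated commands, then pipe `uci_option6_cmds ... | sh` on the router; clients pick the new resolvers up on their next DHCP renewal, so a release/renew (or reboot) is needed to see the effect immediately.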

As an alternative to using DHCP option 6 you can directly change the DNS servers which OpenWrt uses. To do this, navigate in the LuCI web interface to

Network --> Interfaces --> WAN --> Edit --> Advanced Settings

and uncheck the option Use DNS servers advertised by peer. Then a new option field Use custom DNS servers should appear where you can enter the addresses of one or more DNS servers of your choice.

[Screenshot: custom DNS servers in OpenWrt]

Of course if your WAN interface has another name (e.g. because you're connected through IPv6) you have to change these settings for that interface instead.

This method has the general advantage that while OpenWrt uses your custom DNS servers for looking up any unknown address, it still acts as a DNS server for the connected clients. That way the DNS queries of OpenWrt itself are answered by your custom DNS servers, too (which might be important if your concern is privacy and you therefore want to completely avoid using your internet provider's DNS servers, for example).

Other advantages include that one DNS cache is being used for all clients (OpenWrt's DNS cache) and that you can still use OpenWrt's hosts file to add custom entries etc.

I've only tested this method under OpenWrt 15.05 Chaos Calmer but I guess it should work the same way in previous versions.

Bhabba
  • This method worked for me. I had tried Michael's method above, but after several reboots of computer it wasn't using the specified DNS. – lordhog Apr 11 '18 at 09:29
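
The same change done with UCI instead of the LuCI form, plus a check that the router's own upstream list really ends up containing only the custom servers (the privacy point made in the answer). This is an added example, not part of the answer: `network.<iface>.peerdns` and `network.<iface>.dns` are OpenWrt's options behind the "Use DNS servers advertised by peer" checkbox and the custom server list; the resolv.conf sample and the function names are constructed by me.

```shell
#!/bin/sh
# Added example, not code from the answer: emit the UCI equivalent of
# unchecking "Use DNS servers advertised by peer" and entering custom
# resolvers for one upstream interface, then verify which upstreams the
# router actually uses. Assumes OpenWrt's network.<iface>.peerdns and
# network.<iface>.dns options.

# Print the UCI commands for interface $1 and resolvers $2.. ; pipe into sh.
# The interface name is a parameter because, as the answer notes, the
# upstream may not be called "wan" (e.g. "wan6" for IPv6).
custom_dns_cmds() {
    iface=$1; shift
    [ $# -ge 1 ] || { echo "usage: custom_dns_cmds IFACE DNS..." >&2; return 1; }
    printf "uci set network.%s.peerdns='0'\n" "$iface"
    # -q hides the error when no dns list exists yet; the exit status is
    # still non-zero, which is harmless when the output is piped into sh.
    printf "uci -q delete network.%s.dns\n" "$iface"
    for srv in "$@"; do
        printf "uci add_list network.%s.dns='%s'\n" "$iface" "$srv"
    done
    printf 'uci commit network\n/etc/init.d/network reload\n'
}

# Read a resolv.conf-style file on stdin and compare its nameserver set with
# the expected resolvers: print "ok", or list missing/unexpected entries and
# return 1. On OpenWrt the file dnsmasq reads is generated at boot; on my
# assumption it is /tmp/resolv.conf.d/resolv.conf.auto (older builds used
# /tmp/resolv.conf.auto), so check which one your version has.
check_upstreams() {
    actual=$(awk '$1=="nameserver"{print $2}' | sort -u)
    status=0
    for srv in "$@"; do
        printf '%s\n' "$actual" | grep -qxF "$srv" || { echo "missing: $srv"; status=1; }
    done
    for srv in $actual; do
        case " $* " in
            *" $srv "*) ;;
            *) echo "unexpected: $srv"; status=1 ;;
        esac
    done
    if [ $status -eq 0 ]; then echo ok; fi
    return $status
}

# Constructed sample of a generated resolver file while peerdns is still on:
# the ISP resolver (203.0.113.53, a documentation address) sits next to ours.
SAMPLE_RESOLV='# Interface wan
nameserver 203.0.113.53
# Interface wan
nameserver 172.22.9.10
nameserver 172.22.10.10'

# Demo: commands for the default "wan" interface, then a check of the sample,
# which fails because the ISP resolver is still present.
custom_dns_cmds wan 172.22.9.10 172.22.10.10
printf '%s\n' "$SAMPLE_RESOLV" | check_upstreams 172.22.9.10 172.22.10.10 || echo "peerdns is still in effect"
```

After applying the commands on the router, run `check_upstreams 172.22.9.10 172.22.10.10 < /tmp/resolv.conf.d/resolv.conf.auto` (adjusting the path to your build); "ok" means OpenWrt's own lookups, and thus those of every client using it as resolver, go only to the custom servers.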

A 'foolproof' alternative is to set a firewall rule to force all DNS traffic to go to your local DNS server.

Place the following script in Network > Firewall > Custom Rules (after replacing 192.168.1.2 with the actual IP address of your DNS server)

# DNSHIJACKv4
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.2
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.2 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.2 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE

Note: I haven't punched a hole in the firewall to allow my local DNS server (adguard) to communicate with the internet. This is because it is doing so over TLS and thus using a different port. If your local DNS server is using plain-text queries you'll need to add this to your ruleset (noting to change the LOCAL_DNS_MAC_ADDRESS to your dns server's actual MAC address):

iptables -t nat -A prerouting_lan_rule -m mac --mac-source LOCAL_DNS_MAC_ADDRESS -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source LOCAL_DNS_MAC_ADDRESS -p tcp --dport 53 -j ACCEPT

Context

I was using OpenWRT and trying to redirect all DNS traffic to AdGuard on a separate machine. I tried:

  1. Setting WAN interface DNS forward to my AdGuard server
  2. Setting DHCP with option 6 enabled to make clients use my AdGuard server
  3. Setting OpenWRT's system DNS forward to my AdGuard server

All with no success. I then stumbled across this thread: https://forum.openwrt.org/t/redirect-all-outbound-dns-traffic-to-internal-ip/18783/11 where I found a more comprehensive ruleset:

# DNSHIJACKv4
# Log and hijack to Pihole
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 10.0.2.2
# allow Pihole to query internet
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p tcp --dport 53 -j ACCEPT
# allow queries to OpenWrt
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d 10.0.2.1 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -d 10.0.2.1 -j ACCEPT
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# other zones
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
m4p85r
  • Is there an updated way to do this? Seems a bit ridiculous that a very normal feature is omitted from an open source project such as openwrt. – BitShift Dec 31 '21 at 23:11
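
The `LOG` rule in the answer's script records every redirected query in the kernel log with the prefix `dnshijack4 `. The script below is an added example, not part of the answer, that summarises those lines from `logread` (or a saved copy) so you can see which clients still had a hard-coded external resolver and were silently redirected; the log lines embedded in it are constructed samples in the shape the netfilter LOG target produces, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the answer: summarise the "dnshijack4 " LOG
# lines produced by the DNS redirect rules, grouping redirected queries by
# client, intended resolver and protocol. Assumes the lines come from
# `logread` output or a saved copy of it.

# Constructed sample log lines; the last one is an unrelated dnsmasq line
# that must be ignored.
SAMPLE_LOG='Tue Jan  4 10:00:01 2022 kern.warn kernel: [ 1001.100000] dnshijack4 IN=br-lan OUT= MAC=00:11:22:33:44:66 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Tue Jan  4 10:00:02 2022 kern.warn kernel: [ 1002.200000] dnshijack4 IN=br-lan OUT= MAC=00:11:22:33:44:66 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51235 DPT=53 LEN=40
Tue Jan  4 10:00:03 2022 kern.warn kernel: [ 1003.300000] dnshijack4 IN=br-lan OUT= MAC=00:11:22:33:44:77 SRC=192.168.1.51 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40000 DPT=53 LEN=40
Tue Jan  4 10:00:04 2022 daemon.info dnsmasq[1234]: query[A] example.com from 192.168.1.52'

# Read log lines on stdin; print "SRC DST PROTO count" for every redirected
# client/resolver pair, most frequent first. Only lines carrying the LOG
# prefix are considered, and the key=value fields are parsed positionally
# so the timestamp format does not matter.
summarize_hijacks() {
    grep 'dnshijack4 ' | awk '{
        src = ""; dst = ""; proto = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            else if ($i ~ /^DST=/) dst = substr($i, 5);
            else if ($i ~ /^PROTO=/) proto = substr($i, 7);
        }
        if (src != "") n[src " " dst " " proto]++
    }
    END { for (k in n) print k, n[k] }' | sort -k4,4nr -k1,1
}

# Distinct client addresses that were redirected at least once; these are
# the hosts with a resolver configured by hand (or by an application).
hijacked_clients() {
    summarize_hijacks | awk '{print $1}' | sort -u
}

# Demo on the constructed sample. On the router: logread | summarize_hijacks
printf '%s\n' "$SAMPLE_LOG" | summarize_hijacks
printf '%s\n' "$SAMPLE_LOG" | hijacked_clients
```

A client that keeps showing up here is one whose configured resolver is not the router; the redirect keeps it on your DNS server, but the list is also the quickest way to find which devices to fix at the source. Note that the LOG rule fires for every redirected packet, so on a busy network consider rate-limiting it or dropping it once the picture is clear.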