Dns – Reroute direct DNS requests on OpenWRT

Tags: adblock, dns, openwrt, router

On my router with OpenWRT, I use dnsmasq for DNS poisoning to block ads. If the host is on the list, the router replies to the DNS request with 192.168.99.99, which only and always serves a 1×1 transparent gif (the pixelserv method).

However, local devices can bypass this by directly using their own DNS server. How can I reroute these DNS requests so the ads are blocked?

I tried commands like these (8.8.8.8 and 8.8.4.4 being the DNS servers, 192.168.1.102 the source device, 192.168.1.1 the IP of my router):

iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination 192.168.1.1

# or:
iptables -t nat -A PREROUTING -i wlan0 -s 192.168.1.102 -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -A PREROUTING -i wlan0 -s 192.168.1.102 -p tcp --dport 53 -j REDIRECT --to-port 53

I tried adding a traffic rule through the OpenWrt admin panel -> Source NAT, matching "Any TCP, UDP From IP 192.168.1.102 in lan To any host, port 53 in lan", with action "Rewrite to source IP 192.168.1.1, port 53". I believe this is effectuated in iptables as well either way.

But I find the DNS queries are still resolving:

root@OpenWrt:~# tcpdump -vvv -i wlan0 port 53

Chromecast.lan.42591 > google-public-dns-a.google.com.domain: [udp sum ok] 57897+ A? pubads.g.doubleclick.net. (42)
google-public-dns-a.google.com.domain > Chromecast.lan.42591: [udp sum ok] 57897 q: A? pubads.g.doubleclick.net. 5/0/0 pubads.g.doubleclick.net. [5h59m59s] CNAME partnerad.l.doubleclick.net., partnerad.l.doubleclick.net. [4m59s] A 74.125.136.157, partnerad.l.doubleclick.net. [4m59s] A 74.125.136.156, partnerad.l.doubleclick.net. [4m59s] A 74.125.136.155, partnerad.l.doubleclick.net. [4m59s] A 74.125.136.154 (132)

Maybe a completely different method, for example through dnsmasq, would work? I could not find this, however.

(I've found some explanation on how to reroute to another remote DNS server, but that won't help me here. It's mostly for unblocking regions or for Tomato or DD-WRT. Also, this is closely related to my previous question)

Best Answer

Use iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1

Explanation: iptables uses chains to route traffic. We use iptables -t nat -A PREROUTING to select the chain to which we want to add the new rule. Then we narrow down the selection to include only traffic going out to the internet by selecting the interface -i br-lan, which is OpenWRT's LAN interface. Since we're only redirecting DNS udp 53, we add -p udp --dport 53. Now that we only get DNS packets, we redirect them to the local DNS server using -j DNAT --to 192.168.1.1. You can replace the destination with any DNS server.

Hope this helps.
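As an added example (my own script, not code from the question or the accepted answer), the rule above widened into something you can apply and then verify. It goes a little beyond the answer: it redirects TCP/53 as well as UDP/53 (clients fall back to TCP for large answers and some retries, so a UDP-only rule leaves a gap), tags the rules with a comment so they can be found and removed later, and adds a check that reads `tcpdump -n` output like the capture in the question and flags any query that still reaches an upstream resolver instead of the router. Assumptions: the router is 192.168.1.1 on the LAN bridge br-lan and the OpenWrt build uses iptables (fw3); the function names, the `dns-intercept` comment tag and the sample tcpdump lines are mine.

```shell
#!/bin/sh
# Added example, not code from the question or answer.
# Assumed: router 192.168.1.1, LAN bridge br-lan, iptables-based (fw3) OpenWrt.
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
LAN_IF="${LAN_IF:-br-lan}"

# Print (do not run) the nat rules that hand every client DNS query to
# dnsmasq on the router. Covers TCP as well as UDP: the accepted answer's
# UDP-only rule leaves TCP/53 fallback and retries untouched. Queries
# already addressed to the router are left alone.
dns_intercept_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 ! -d %s -m comment --comment dns-intercept -j DNAT --to-destination %s:53\n' \
            "$LAN_IF" "$proto" "$ROUTER_IP" "$ROUTER_IP"
    done
}

# Apply the rules when running as root on a box that has iptables;
# otherwise just show them (dry run), so the script is safe to run anywhere.
apply_dns_intercept() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "# dry run (not root or no iptables); would execute:" >&2
        dns_intercept_rules
        return 0
    fi
    dns_intercept_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Read "tcpdump -n ... port 53" output on stdin and flag every query whose
# destination is not the router, i.e. a client that is still bypassing
# dnsmasq. Returns 0 if all queries went to the router, 1 otherwise.
dns_bypass_check() {
    bypass=0
    while IFS= read -r line; do
        case "$line" in
            *" > "*".53: "*)             # query line: "src.port > dst.53: ..."
                dst="${line#* > }"       # drop everything up to the arrow
                dst="${dst%%.53: *}"     # keep only the destination address
                if [ "$dst" != "$ROUTER_IP" ]; then
                    echo "BYPASS: $line"
                    bypass=1
                fi
                ;;
        esac
    done
    return "$bypass"
}

case "${1:-}" in
    rules) dns_intercept_rules ;;
    apply) apply_dns_intercept ;;
    check) dns_bypass_check ;;      # e.g. tcpdump -ni br-lan port 53 | ./dns-intercept.sh check
    *) echo "usage: $0 rules|apply|check" >&2 ;;
esac
```

Run `./dns-intercept.sh apply` as root on the router, then `tcpdump -ni br-lan port 53 | ./dns-intercept.sh check` while a client does something; with the rules in place the destination of every query line should be the router, and the Chromecast's direct queries to 8.8.8.8 from the capture in the question would show up as BYPASS lines if they still got through. Rules added by hand this way do not survive a reboot or a firewall restart: on an fw3 build put the two commands in /etc/firewall.user (or the equivalent `config redirect` section in /etc/config/firewall), and note that on newer fw4/nftables releases iptables is not installed, so the redirect has to be expressed as a firewall `redirect` section instead. Intercepting port 53 only catches plain DNS; a client using DNS over HTTPS (443) or DNS over TLS (853) is not touched by any of these rules.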
