Custom IPTables Rules for DNS Redirect

[AdrianH]

I want to add some rules into iptables so that my Google/Nest smart devices stop calling Google DNS directly, and the Google DNS calls they do are redirected to my AdGuard Home DNS server which will reply with the appropriate DNS records. I know I can probably use DNSFiltering, but want to experiment with IPTable rules.

I originally just blocked the DNS calls as follows:

iptables -I FORWARD -d 8.8.8.8 -j REJECT
iptables -I FORWARD -d 8.8.4.4 -j REJECT

These are my rules to redirect Google DNS to my AGH server (192.168.10.14). I put them together after reading various posts about doing this, they look correct to me?

iptables -t nat -A PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p udp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A POSTROUTING -j MASQUERADE

Also wanting to know which script should I add these rules into.

According to User scripts · RMerl/asuswrt-merlin.ng Wiki · GitHub I could likely use

firewall-start
nat-start

and I am thinking

firewall-start
nat-start

is the correct one.

Any comments or advice will be appreciated

 

[ColinTaylor]

NAT rules go in nat-start. There is no need for the MASQUERADE rule as there is already one.

 

[AdrianH]

NAT rules go in nat-start. There is no need for the MASQUERADE rule as there is already one.

Sweet, thanks

 

[eibgrad]

The following ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.8.4 --dport 53 -j DNAT --to 192.168.10.14

... should be ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14

 

[AdrianH]

The following ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.8.4 --dport 53 -j DNAT --to 192.168.10.14

... should be ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14

ah, thanks for picking up my typo. Updated the post.

 

[AdrianH]

The above rules for redirection is working, the DNS queries are being sent to my AdGuard Home server.

BUT....the issue is that the source of the DNS queries is now the router, and not the device actually doing the DNS query.

iptables -t nat -A PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p udp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14

As well as with and without this

iptables -t nat -A POSTROUTING -j MASQUERADE

Is there a way to specify in the rule to keep the source IP when redirecting the query to the AGH server?

 

[ColinTaylor]

Is there a way to specify in the rule to keep the source IP when redirecting the query to the AGH server?

I don't believe so as that would break the DNAT.

 

[AdrianH]

I don't believe so as that would break the DNAT.

Yeah, makes sense.

If the source IP gets sent to the AGH server and not the router IP, the server would reply to the source IP who wouldn't be expecting anything from the AGH server.