DNS Filter DoT Support

[AndreiGuru]

Hello,

I was wondering if a checkbox can be added in the DNS Filter page, to also redirect port 853 instead of dropping packets if they're not for the same filter IP? Pretty much all of the preconfigured DNS services now support DoT and DoH, and I run a pihole VPS which I forward my DNS through. Since redirecting DoH isn't an option, I was wondering if you could add a simple DoT checkbox on the page, and change the rule to forward instead of drop. I know it can be done manually, but it would be nice to have a gui option and not have to hack around the reject rule added in DNSFILTER_DOT. For example, when I enable it in the GUI, I see these rules added:

# iptables -t filter -nvL DNSFILTER_DOT
Chain DNSFILTER_DOT (1 references)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 REJECT     all  --  *      *       0.0.0.0/0           !dns.filter.ip        reject-with icmp-port-unreachable
# iptables -t filter -nvL FORWARD 11
    0     0 DNSFILTER_DOT  tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
# iptables -t nat -nvL DNSFILTER
Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination       
 5492  394K DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:dns.filter.ip
# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 10027 packets, 2213K bytes)
 pkts bytes target     prot opt in     out     source               destination       
 1326 81062 VSERVER    all  --  *      *       0.0.0.0/0            wan.ip   
 5459  392K DNSFILTER  udp  --  *      *       192.168.1.0/24       0.0.0.0/0            udp dpt:53
   34  2040 DNSFILTER  tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:53

 

[RMerlin]

Redirecting doesn't work, because the protocol used by DNS is different from DoT. So, you cannot redirect traffic directed at port 53 toward port 853.

The drop rule is only created if the DNSFilter server is not known to also support DoT. So if you have DNSFilter set to Quad9, then the drop rule won't be created.

 

[AndreiGuru]

Redirecting doesn't work, because the protocol used by DNS is different from DoT. So, you cannot redirect traffic directed at port 53 toward port 853.

The drop rule is only created if the DNSFilter server is not known to also support DoT. So if you have DNSFilter set to Quad9, then the drop rule won't be created.

I know the protocol is different, I wasn't asking to redirect outbound 53 to 853. I want the option to redirect outbound 853 to my DNS server. The DNS server I run supports both DoT and DoH, just like the ones in the list of options. What I'm asking is to add a checkbox, asking if DoT (requests to 853) should also be redirected to the DNS Filter server(s) configured

 

[dave14305]

I know the protocol is different, I wasn't asking to redirect outbound 53 to 853. I want the option to redirect outbound 853 to my DNS server. The DNS server I run supports both DoT and DoH, just like the ones in the list of options. What I'm asking is to add a checkbox, asking if DoT (requests to 853) should also be redirected to the DNS Filter server(s) configured

Won’t the DoT client reject the connection because your DNS server cannot provide a valid TLS certificate for the original DoT destination? You want to Man-in-the-Middle DoT.

 

[RMerlin]

Won’t the DoT client reject the connection because your DNS server cannot provide a valid TLS certificate for the original DoT destination?

Exactly. The PKI will be different, and the connection will be rejected. This is part of what DoT is about - to ensure your DNS queries don't get hijacked by a different server.

 

[AndreiGuru]

Ah, thanks, I wasn't aware. You could have just said that in the beginning instead of taking it as redirecting 853 to 53 lol