DNS redirect to local DNS server

[slytho]

Hi!

Some of my devices use an hard-coded DNS server, i.e. 8.8.8.8. I like to re-direct this DNS traffic to my local unbound DNS server by using the firewall script of my AC86 router. I use the following IPTABLES commands. The rule is added correctly to iptables.

Are these rules correct and how can I check if it works?

iptables -t nat -A PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DNAT --to $(nvram get dhcp_dns1_x):53
iptables -t nat -A PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DNAT --to $(nvram get dhcp_dns1_x):53

"$(nvram get dhcp_dns1_x)" simply reads my local DNS server's IP address from the according system variable. This works, the rule is correctly added to iptables.

After adding the rule, iptables says:

Chain PREROUTING (policy ACCEPT 37 packets, 2693 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
2       12   930 GAME_VSERVER  all  --  *      *    0.0.0.0/0            xxx.xxx.xxx.xxx
3       12   930 VSERVER    all  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx
4        0     0 DNAT       udp  --  *      *       0.0.0.0/0            8.8.8.8              udp dpt:53 to:192.168.1.53:53
5        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            8.8.8.8              tcp dpt:53 to:192.168.1.53:53

 

[bbunge]

If you are using Merlin, why not use its DNS Filter?

 

[MaziahBebop]

how can I check if it works?

I check mine by visiting dnsleaktest.com (or tap "dns leak test" into a search engine and visit a few of them). If the result shows 8.8.8.8 then you can be sure your iptables didn't work. If the leak-test result shows your WAN IP then your iptables might be working, because unbound will not get a cache hit on the leak test, and the request will come from your WAN ip address (assuming that your local unbound server accesses the net via your main WAN ip).

P.S., instead of iptables, I forward to unbound using the Asus-Merlin webgui:

Thats from the LAN -> DHCP Server tab. However I haven't tested my setup on devices that have hard-coded DNS entries, so YMMV, but the testing method I've mentioned for you will still be valid.

 

[dave14305]

As @bbunge says, enable DNSFilter on the LAN tab. Set global mode to “router” which will enforce your DHCP DNS 1 server for all clients. Then in the Client List add a rule to set your Unbound DNS device MAC to “no filtering” to avoid a loop.

 

[slytho]

Thank you, thank you. I really forgot this feaure of Merlin.

It works.

And I also found a way to test it (just for other readers of this thread):

• The command line tool "dig". By using dig a-ads.com and dig @8.8.4.4 a-ads.com in comparison you can check what server is being used to resolve the DNS query. If both commands show the IP of your DNS device, the redirect works.
• However, you need to run dig from another device than your local DNS device because its IP is excluded of redirects in DNSFilter in order to prevent DNS lookup loops. To run dig on a windows machine, you have to download the BIND tools (a zip archive), extract it to a folder and run "dig" from there. On Debian Linuxes, you can try apt install dnsutils to install dig.

 

[WRobertE]

As @bbunge says, enable DNSFilter on the LAN tab. Set global mode to “router” which will enforce your DHCP DNS 1 server for all clients. Then in the Client List add a rule to set your Unbound DNS device MAC to “no filtering” to avoid a loop.

I use Pihole in my DNS setup but my Amazon Kindle Fire HD10 bypasses my DNS configuration and goes to Google. How do I prevent this?

10.4.58.4 is the IP address for my RaspberryPI4 running Pihole.

 

[dave14305]

I use Pihole in my DNS setup but my Amazon Kindle Fire HD10 bypasses my DNS configuration and goes to Google. How do I prevent this?

10.4.58.4 is the IP address for my RaspberryPI4 running Pihole.

View attachment 26197

View attachment 26198

This setup will do that. BTW, you don’t need the Custom (user-defined) DNS 1 filled in on the DNSFilter tab. Make sure the Android private DNS setting isn’t enabled on the Fire.

 

[WRobertE]

This setup will do that. BTW, you don’t need the Custom (user-defined) DNS 1 filled in on the DNSFilter tab. Make sure the Android private DNS setting isn’t enabled on the Fire.

Unfortunately no matter what I do on the Fire, the Google DNS 8.8.8.8 is always inserted as an extra DNS server and Leaktest shows it uses Google instead of my Pihole. I suppose this is how they enforce ads on the device. Quick internet search shows others seeing this same behavior.

Also, the Private DNS setting isn't exposed on the UI.

Maybe I could redirect traffic to 8.8.8.8 and 8.8 4.4 over port 53 to my Pihole using firewall rules?

 

[dave14305]

Unfortunately no matter what I do on the Fire, the Google DNS 8.8.8.8 is always inserted as an extra DNS server and Leaktest shows it uses Google instead of my Pihole. I suppose this is how they enforce ads on the device. Quick internet search shows others seeing this same behavior.

Also, the Private DNS setting isn't exposed on the UI.

Maybe I could redirect traffic to 8.8.8.8 and 8.8 4.4 over port 53 to my Pihole using firewall rules?

DNSFilter does this port 53 redirection automatically. So if 8.8.8.8 is still getting through, it must be via DoT or DoH.

 

[WRobertE]

Figured it out. You were right about the Private DNS setting. Had to figure out how to turn that off since that setting isn't exposed on the UI. You have to enable Developer options and then enable USB debugging. Then use adb (android debug bridge) to send the following command from a PC to the Fire connected with a USB cable:

adb shell settings put global private_dns_mode off

... and bingo ... no more 8.8.8.8 added to DNS and now it goes thru my Pihole.

Thanks for your help.

 

[slytho]

DNSFilter does this port 53 redirection automatically. So if 8.8.8.8 is still getting through, it must be via DoT or DoH.

Good point. I guess simply redirecting DoT (port 853) to the local DNS device wouldn't work, right? And DoH (port 443) would be difficult to grab.