Help with DNS FILTERING

[yelo3]

Hello, I'm using the AI PROTECTION DNS FILTERING option, to use Open DNS Family.
By default this rule is created:

Chain DNSFILTER (2 references)
DNAT       all  --  anywhere             anywhere             to:208.67.222.123

Unfortunately my ISP also does DNS FILTERING, so I need to change the traffic from port 53 to port 5353 to skip its filtering (I've tried and it works).

I'd like to insert/append an iptables rule somewhere, that forces to use the port 5353 if 208.67.222.123 is used (without touching that line in the DNSFILTER chain).
I've tried this but it doesn't work

iptables -t nat -A OUTPUT -p udp -d 208.67.222.123 --dport 53 -j DNAT --to-destination :5353

Any help?

thanks

 

[amigohd]

iptables -t nat -A PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to 208.67.222.123 should do the trick I guess

 

[yelo3]

Unfortunately it doesn't work.

Maybe PREROUTING is executed before DNSFILTER?

The steps should be:
- client asks for dns resolution on 192.168.2.1 port 53
- server uses dnsfilter to force the address to 208.67.222.123
- a rule should change port 53 to port 5353

 

[amigohd]

what about the chain POSTROUTING? this should be the last chain in the flow. did you try that?

 

[szpunk]

Use `iptables -nvL --line-number | grep 208.67.222.123 | | awk {'print $1'}` to find and delete 208.67.222.123 chian in DNSFILTER, then append a new chian, just replace 208.67.222.123 to 208.67.222.123:5353