Solved iptables question: How to make a custom interface get DNS response?

[Yota]

Forgive me, I am a newbie to iptables. I have tried to do this all week alone, but I can't so I need a help.

I have a custom interface ci01 that was created by another program. I now need this interface to get the DNS response from the router.

Here is what I did:
Allow access to the router:

iptables -I INPUT -i ci+ -j ACCEPT

Allow access to the internet:

iptables -I FORWARD -i ci+ -j ACCEPT

Allow access to my home subnet

iptables -I FORWARD -i ci+ -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o ci+ -j ACCEPT

What I did successfully:
Any device under the custom interface can ping the router, and vice versa.
Any device under the custom interface can use 8.8.8.8 DNS or other public DNS.
Without using NAT rules, custom interface using public DNS can access the Internet normally.

Needs I can't achieve:
None of the devices under the custom interface can use the router's 192.168.50.1 as the DNS server, and there is no response.
But I can use other DNS servers in my home subnet, such as 192.168.50.2 (hosted by another router). This proves that the custom interface can normally access my home subnet.

I used the command below to intercept DNS requests to my router, but after using it, I still did not get any DNS response.

iptables -t nat -I PREROUTING -i ci+ -p udp --dport 53 -j DNAT --to 192.168.50.1
iptables -t nat -I PREROUTING -i ci+ -p tcp --dport 53 -j DNAT --to 192.168.50.1

I just found that there is a DNS server on my VPN interface, so I tried to use the NAT command below to reset the DNS request to the VPN client. This command works normally. But I hope that DNS requests through the router.

iptables -t nat -I PREROUTING -i ci+ -p udp --dport 53 -j DNAT --to 10.8.0.1

This confirms that the syntax of the command is correct, but I can't make it working for my router DNS server.


The current state is

The custom interface:
Can access Internal: OK
Can ping the router and vice versa: OK
Can access Internet: OK
Can get public DNS response: OK
Can get the DNS response from the router: NO

So, what should I do so that the custom interface can get the router's DNS response?


Background Information:
I enabled DNS over TLS, And the DNSFilter is enabled (it has been tested to close the DNSFilter is still not working)
My router's RT-AC86U runs 386.2_4 firmware.
I will restart the firewall after each test, so there is no iptables rule conflict.

 

[Yota]

In the test I found that the new Guest Network used by Aimesh 2.0 have a separate subnet, and the subnet's devices can bypass the Router rules of DNSFilter.

Just add this command to prevent it:

iptables -t nat -I PREROUTING -i br+ -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -I PREROUTING -i br+ -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

@RMerlin

 

[ColinTaylor]

I just found that there is a DNS server on my VPN interface, so I tried to use the NAT command below to reset the DNS request to the VPN client. This command works normally. But I hope that DNS requests through the router.

iptables -t nat -I PREROUTING -i ci+ -p udp --dport 53 -j DNAT --to 10.8.0.1

This confirms that the syntax of the command is correct, but I can't make it working for my router DNS server.

10.8.0.1 is your router's DNS server. But you don't need to do any DNAT, just add the ci interface (ci0 or ci*) to /etc/dnsmasq.conf.

 

[Yota]

10.8.0.1 is your router's DNS server. But you don't need to do any DNAT, just add the ci interface (ci0?) to /etc/dnsmasq.conf.

Thank you, but what should I do?

In addition, I can get DNS response through VPN, but this is not my purpose. My purpose is to get DNS response through router, which is 192.168.50.1.

 

[ColinTaylor]

Thank you, but what should I do?

I just told you. Add the ci interface to your dnsmasq.conf file. Look at your current dnsmasq.conf to see how it's done for br0.

See my edit to my previous post. You can either name a specific interface (e.g. ci0) or use a wildcard (e.g. ci*), whatever is most appropriate for you.

 

[Yota]

I just told you. Add the ci interface to your dnsmasq.conf file. Look at your current dnsmasq.conf to see how it's done for br0.

See my edit to my previous post. You can either name a specific interface (e.g. ci0) or use a wildcard (e.g. ci*), whatever is most appropriate for you.

Thanks you,

My custom interface can even access the router GUI and ping 192.168.50.1 (router), but when I use 192.168.50.1 as the DNS server, my resolution result is timed out and nothing is returned. So I think there must be something blocking the request. Maybe I can add ci01 to /etc/dnsmasq.conf, what should I do?

/etc/dnsmasq.conf

interface=br0

Should it be like this?

interface=ci*

 

[ColinTaylor]

Should it be like this?

interface=ci*

Yes. Add this to the file (don't replace the existing line).

 

[Yota]

Yes. Add this to the file (don't replace the existing line).

Thank you very much, let me give it a try.

Edit: I have confirmed that this works, I thought this would be an iptables problem, but I didn't expect it to be that simple, thanks again.

 

[RMerlin]

In the test I found that the new Guest Network used by Aimesh 2.0 have a separate subnet, and the subnet's devices can bypass the Router rules of DNSFilter.

Just add this command to prevent it:

iptables -t nat -I PREROUTING -i br+ -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -I PREROUTING -i br+ -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

@RMerlin

Thanks, fixed.