Can you "intercept DNS" in DD-WRT?

Discussion in 'DD-WRT Firmware' started by WireSharp, Apr 3, 2008.

  1. WireSharp

    WireSharp Addicted to LI Member

    I have been using the "intercept DNS" feature in Tomato to force DNS requests to openDNS for content filtering purposes. Can this be done on DD-WRT? I don't see an option in the "Services Management" tab of DD-WRT. I also looked in the Tutorial section on the wiki but didn't see anything. Can a newbie like me do this on DD-WRT? Thanks! What a great firmware! I really want to check out SIPatH!
  2. LLigetfa

    LLigetfa LI Guru Member

    I'm sure the WebGUI in Tomato just creates an iptables entry. Unfortunately, I don't know what that entry looks like.
  3. WireSharp

    WireSharp Addicted to LI Member

    Ya, that's what I was afraid of.

    <puts on surgical gloves>

    I hope I don't hit an artery! They'll be red everywhere!

    I'm not used to stepping outside the GUI. But let me give it a try and see what happens. Thanks.
  4. mstombs

    mstombs Network Guru Member

    I haven't looked at the code, but an equivalent command to what Tomato uses is

    iptables -t nat -I PREROUTING -p udp -s -d ! --dport 53 -j DNAT --to
    where the router in this example is and the LAN

    If you don't have other DNS servers on your LAN you could drop the "-d ! " bit.

    You'd probably put this in the firewall script. Tomato puts it low down in the list I assume for optimal performance, "-I" puts it at the top
  5. WireSharp

    WireSharp Addicted to LI Member

    Thanks! I don't have any other DNS servers. I do have some other vlans though on .1 .2 and .3. So would I just use /16 instead of /24? Would that exclude a downstream 10.x.x.x IP if one got created (there's a hotspot on there, lord!)

    I also read that I should redirect udp AND tcp traffic - would I use "-p all"?

    Can smtp traffic be redirected the same way? My ISP blocks all smtp traffic that goes anywhere except their server, so maybe I could redirect to them?

    iptables -t nat -I PREROUTING -p tcp -s --dport 25 -j DNAT --to

    I'm not sure about putting the dns name in there but it resolves to a bunch of different IPs!

    Newbies like me have so many questions!
  6. mstombs

    mstombs Network Guru Member

    To be honest I don't know, it all looks sensible, but you should log in via ssh/telnet and try the commands in immediate mode in your setup. There's a chance putting a name rather than IP will be looked up when you add the rule, not when it is applied? To check the rules that are there use

    iptables -L -vn -t nat
    To delete a rule you have just added use "up arrow" and change the "-I" to "-D". If it all goes pear shaped just reboot the router, these rules are not saved in nvram until you add them to a script.

    To follow the opendns link you can probably use "-i br0", the lan bridge interface is usually "br0", the simplest rules will be easiest to test, and most efficient in operation - The router has to check every packet that passes through. I didn't know dns used tcp, but doubt if anything else would use that port?

    And older hands forget where they started - if this wasn't in the wiki, why not add it when you've learnt?
  7. WireSharp

    WireSharp Addicted to LI Member

  8. jkarcz

    jkarcz Guest

    intercept DNS options

    Is there a way to only intercept DNS for certain MAC or IP addresses?
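The DNAT rule from post 4, the list-then-delete workflow from post 6 and the per-host variant post 8 asks about, as one added example that is not code from this thread, from Tomato or from DD-WRT. The addresses were stripped from the posts above, so this script assumes the router is 192.168.1.1 on the 192.168.1.0/24 LAN behind bridge br0 and uses a constructed MAC of 00:11:22:33:44:55; change them to match your network. It writes the negation as "! -d" (the form current iptables accepts); very old builds only take "-d !". Queries are sent to the router's own dnsmasq rather than straight to OpenDNS, so the upstream stays whatever is set as static DNS in the WebGUI.

```shell
#!/bin/sh
# Added example (not from the thread, Tomato or DD-WRT): force every LAN DNS
# query, UDP and TCP port 53, to the router's own dnsmasq.  Paste the output
# of "show" into the firewall script (Administration > Commands > Save Firewall).
# ROUTER_IP, LAN_NET, LAN_IF and the MAC used below are assumptions.
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br0}"
IPT="${IPT:-iptables}"

# Print one DNAT rule per protocol, without running it.
#   $1: source to intercept (CIDR or a single host), default: the whole LAN
#   $2: optional extra match, e.g. "-m mac --mac-source 00:11:22:33:44:55"
# "-I" inserts at the top of nat/PREROUTING; "! -d ROUTER_IP" leaves queries
# already aimed at the router alone (extend it if you run another DNS server).
dns_intercept_rules() {
  src="${1:-$LAN_NET}"
  extra="$2"
  for proto in udp tcp; do
    rule="$IPT -t nat -I PREROUTING -i $LAN_IF -p $proto -s $src"
    if [ -n "$extra" ]; then rule="$rule $extra"; fi
    rule="$rule ! -d $ROUTER_IP --dport 53 -j DNAT --to-destination $ROUTER_IP:53"
    printf '%s\n' "$rule"
  done
}

# Post 8: intercept only one machine.  By IP, pass the address as the source
# (dns_intercept_rules 192.168.1.50); by MAC, keep the LAN source and add the
# mac match so the rule survives DHCP lease changes.
dns_intercept_rules_for_mac() {
  dns_intercept_rules "$LAN_NET" "-m mac --mac-source $1"
}

# Post 6: the same rules with "-I" turned into "-D" to remove them again.
dns_intercept_delete() {
  dns_intercept_rules "$@" | sed 's/ -I PREROUTING / -D PREROUTING /'
}

# Usage: sh dns-intercept.sh show|apply|delete|check [source] [extra-match]
# "check" lists nat/PREROUTING with counters; the pkts column on the DNAT
# lines should climb while a LAN host runs nslookup against a public server.
case "${1:-show}" in
  show)   dns_intercept_rules "$2" "$3" ;;
  apply)  dns_intercept_rules "$2" "$3" | sh ;;
  delete) dns_intercept_delete "$2" "$3" | sh ;;
  check)  "$IPT" -t nat -L PREROUTING -vn ;;
esac
```

Try it first from an ssh/telnet session with "apply", confirm with "check" that the counters move and that a LAN host's "nslookup example.com 8.8.8.8" still returns the router's answer, and only then save it as the firewall script; until it is saved, a reboot wipes the rules, as post 6 notes.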