Can you "intercept DNS" in DD-WRT?

Discussion in 'DD-WRT Firmware' started by WireSharp, Apr 3, 2008.

  1. WireSharp

    WireSharp Addicted to LI Member

    I have been using the "intercept DNS" feature in Tomato to force DNS requests to OpenDNS for content filtering purposes. Can this be done on DD-WRT? I don't see an option in the "Services Management" tab of DD-WRT. I also looked in the Tutorial section on the wiki but didn't see anything. Can a newbie like me do this on DD-WRT? Thanks! What a great firmware! I really want to check out SIPatH!
  2. LLigetfa

    LLigetfa LI Guru Member

    I'm sure the WebGUI in Tomato just creates an iptables entry. Unfortunately, I don't know what that entry looks like.
  3. WireSharp

    WireSharp Addicted to LI Member

    Ya, that's what I was afraid of.

    <puts on surgical gloves>

    I hope I don't hit an artery! They'll be red everywhere!

    I'm not used to stepping outside the GUI. But let me give it a try and see what happens. Thanks.
  4. mstombs

    mstombs Network Guru Member

    I haven't looked at the code, but an equivalent command to what Tomato uses is

    iptables -t nat -I PREROUTING -p udp -s -d ! --dport 53 -j DNAT --to

    where the router in this example is and the LAN

    If you don't have other DNS servers on your LAN you could drop the "-d ! " bit.

    You'd probably put this in the firewall script. Tomato puts it low down in the list, I assume for optimal performance; "-I" puts it at the top.
  5. WireSharp

    WireSharp Addicted to LI Member

    Thanks! I don't have any other DNS servers. I do have some other VLANs though on .1, .2 and .3. So would I just use /16 instead of /24? Would that exclude a downstream 10.x.x.x IP if one got created (there's a hotspot on there, lord!)?

    I also read that I should redirect UDP AND TCP traffic. Would I use "-p all"?

    Can SMTP traffic be redirected the same way? My ISP blocks all SMTP traffic that goes anywhere except their server, so maybe I could redirect to them?

    iptables -t nat -I PREROUTING -p tcp -s --dport 25 -j DNAT --to smtp1.sympatico.ca

    I'm not sure about putting the DNS name in there, but it resolves to a bunch of different IPs!

    Newbies like me have so many questions!
  6. mstombs

    mstombs Network Guru Member

    To be honest I don't know; it all looks sensible, but you should log in via ssh/telnet and try the commands in immediate mode in your setup. There's a chance that a name rather than an IP will be looked up when you add the rule, not when it is applied? To check the rules that are there use

    iptables -L -vn -t nat

    To delete a rule you have just added use "up arrow" and change the "-I" to "-D". If it all goes pear-shaped just reboot the router; these rules are not saved in nvram until you add them to a script.

    To follow the OpenDNS link you can probably use "-i br0"; the LAN bridge interface is usually "br0". The simplest rules will be easiest to test, and most efficient in operation, since the router has to check every packet that passes through. I didn't know DNS used TCP, but doubt if anything else would use that port?

    And older hands forget where they started - if this wasn't in the wiki, why not add it when you've learnt?
  7. WireSharp

    WireSharp Addicted to LI Member

  8. jkarcz

    jkarcz Guest

    intercept DNS options

    Is there a way to only intercept DNS for certain MAC or IP addresses?
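    The following is an added example for this thread, not a command posted by any of the participants and not code from DD-WRT or Tomato. It turns mstombs' one-liner into a small firewall-script fragment that a DD-WRT user could paste in: it builds the DNAT rules for both UDP and TCP port 53, excludes the router's own address so its local resolver keeps working, and adds a per-client variant for jkarcz's question about limiting the intercept to certain MAC or IP addresses. The bridge name, subnet, router address and the resolver IP are all assumptions (the resolver is an RFC 5737 documentation placeholder, to be replaced with the real OpenDNS address); the rules are printed rather than applied unless APPLY=1 is set, which matches the advice above to try things by hand over ssh first.

```shell
#!/bin/sh
# Added example for this thread, not a command from any poster or from DD-WRT/Tomato.
# It builds the DNAT rules a DD-WRT firewall script would run to force LAN DNS
# queries to one resolver, plus a per-host variant for the follow-up question.
# Every value below is an assumption: adjust to your own network.
LAN_IF="${LAN_IF:-br0}"                  # DD-WRT LAN bridge (usually br0)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN subnet
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"    # router's LAN address, excluded so its own dnsmasq still answers
DNS_TARGET="${DNS_TARGET:-203.0.113.53}" # placeholder resolver IP (RFC 5737 range); put the real OpenDNS IP here

# Emit one DNAT rule per transport. DNS runs over UDP and TCP (truncated replies
# retry over TCP), so both must be redirected or a client can bypass the filter.
# "! -d" is the modern negation syntax; very old iptables builds wrote "-d !".
# "-I" inserts at the top of PREROUTING so the rule is matched before anything else.
dns_redirect_rules() {
  _net="$1"; _router="$2"; _target="$3"; _if="$4"
  for _proto in udp tcp; do
    printf 'iptables -t nat -I PREROUTING -i %s -s %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
      "$_if" "$_net" "$_router" "$_proto" "$_target"
  done
}

# Limit the redirect to one client by MAC address (the mac match is only valid in
# PREROUTING/INPUT/FORWARD, which is where this rule lives). To scope by IP
# instead, pass a single host or a smaller range as the subnet to dns_redirect_rules.
dns_redirect_rules_for_mac() {
  _mac="$1"; _target="$2"; _if="$3"
  for _proto in udp tcp; do
    printf 'iptables -t nat -I PREROUTING -i %s -m mac --mac-source %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
      "$_if" "$_mac" "$_proto" "$_target"
  done
}

# Run the generated rules read from stdin. With DRY_RUN=1 they are only printed,
# which is the safe way to check the syntax from an ssh session before saving
# the script to nvram.
apply_rules() {
  while IFS= read -r _rule; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "$_rule"
    else
      eval "$_rule"
    fi
  done
}

# Only touch the live firewall when explicitly asked (APPLY=1); otherwise show the rules.
if [ "${APPLY:-0}" != "1" ]; then
  DRY_RUN=1
fi
dns_redirect_rules "$LAN_NET" "$ROUTER_IP" "$DNS_TARGET" "$LAN_IF" | apply_rules
```

    Run it once without APPLY to see the exact iptables lines, then with APPLY=1 to load them, and confirm the result with the `iptables -L -vn -t nat` check given earlier in the thread; the packet counters on the DNAT rules are the quickest way to see whether client lookups are actually being caught. Keeping the router's own address out of the match is what lets the router's local resolver keep serving the clients that point at it, while everything that tries to talk to an outside DNS server directly is rewritten.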

