Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Dec 31, 2023 20:20 Post subject: Status of "Forced DNS Redirection DoT"?
What is the status of the "Forced DNS Redirection DoT" feature one can enable in the Basic Setup? My experimenting (build 54544, as I'm waiting for the kernel 6.x builds to better stabilize) found that it appears only to add iptables br0 udp and tcp rules to the nat table's PREROUTING chain to forward port 853 packets to the usual port 53 at the router's IP address, i.e., to dnsmasq.
I tested briefly with Windows 10 Stubby (followed instructions at quad9.net and noting that Windows 11 seems to have dropped DoT in favor of DoH) and found that Stubby complained that it could not establish a proper DoT connection, leaving the machine with no DNS until I switched Stubby off completely. I did not find this surprising, as I would expect the DoT process to involve more than the question of where a standard DNS query goes! (FWIW, only the TCP rule was hit, some 150 packets worth in my brief testing.)
So the question is, have I missed something? Is there actually some value in adding these iptables rules? (It's clearly not enough to do it for br0, but I can script up adding similar rules for my other interfaces.) Or is this a dead/dying experimental feature on its way out? _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Jan 01, 2024 17:01 Post subject:
ho1Aetoo wrote:
If there is no fallback to normal DNS, the setting blocks DoT from the clients but only on the standard port
My point is that it appears to break client DoT DNS without replacing it with router DNS. It does not "Force" at all.
Or again, am I missing something?
the setting blocks DoT (but only port 853)
You can use any port for DoT (there are also various public servers that use other ports)
The setting is for example intended for clients that like to use their own DNS settings instead of the system/network settings
And if DoT is blocked, they fall back to normal DNS...
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Jan 01, 2024 19:50 Post subject:
ho1Aetoo wrote:
If you have stubby installed on your Windows PC and have only DoT configured then that's your problem and then I wonder what you want with a forced redirection.
I don't use Windows and only installed Stubby on my wife's old machine to test "Force DoT." Force DoT would only be relevant in this household for guests who might have DoT setup -- so low priority -- as here dd-wrt is set up to have dnsmasq use three dnscrypt-proxy processes contacting three servers over three different VPNs. All those VPNs exist for other purposes, but as long as they are there, why not DNS also? Crazy-ass redundancy. Quad9 is my primary provider, for whatever increment of malware protection it can add. All this insanity is effectively duplicated on four other family routers around the country, and I keep things on them mostly the same so a makefile here can propagate most changes automagically to them all over ssh. Some of those households have regular Windows users and need all the help they can get to nudge their DNS activity towards a stronger system with ad blocking (in the router) and malware screening (at the upstream DNS servers).
Engineers don't always need a reason beyond curiosity to see whether it can be done.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri Jan 05, 2024 17:21 Post subject:
Thanks, @egc, for the heads-up re the canary. I checked /tmp/dnsmasq.conf and saw that Forced DNS Redirection DoT had added
Code:
address=/use-application-dns.net/
so in my Force DoT experiment below, I added it to Additional dnsmasq options explicitly.
With that in mind, my Force DoT experiment--I thought you guys might find it interesting--is to have it apply not just to br0, which is what the Forced DNS Redirection DoT checkbox does, but to all interfaces for which I have Forced DNS Redirection checked. For my main router, there are six of them, but I wanted a general approach that would work without change in four other family routers with varying numbers of interfaces.
To do this, I unchecked the Forced DNS Redirection DoT box, added the canary tweak of the first paragraph above, and added this to the firewall commands:
Code:
#Get the 'Force DNS' rules and create from them new 'Force DoT' rules.
#Every existing port-53 DNAT rule in nat/PREROUTING is copied with
#--dport 853 and its destination pinned to port 53, so DoT attempts on
#any Forced-DNS interface land on dnsmasq instead of an outside resolver.
iptables -t nat -S PREROUTING \
| sed -E '/ --dport 53 /!d
s/ -m (tcp|udp) / /
s/^-A /iptables -t nat -I /
s/ --dport 53 / --dport 853 /
s/--to-destination [^ ]*/&:53/' \
| while read -r c; do eval "$c"; done
This must precede the addition of any custom firewall rules having --dport 53, and the s/ -m (tcp|udp) / / line is strictly optional. Re the latter, the removed iptables arguments are harmless but appear unnecessary.
Much to my surprise, after a reboot and a few hours of normal morning operation, three of the new tcp rules had been hit (are the UDP rules even necessary for DoT?), for three different interfaces, with 4, 4, and 10 packets counted. The usual spectrum of interfaces used by specific devices tells me that at least three devices, and maybe as many as five, are guilty of this silent DoT action. I say silent because no one in this household has configured any device to use DoT. This has to be about apps phoning home. And of course I'd like any phoning attempts to use dnsmasq DNS and the adblocker I have set up there!
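As an added example (my own script, not the poster's firewall commands and not dd-wrt code), the two halves of the experiment above as testable shell functions: one rewrites the Forced DNS rules into port-853 rules from `iptables -t nat -S PREROUTING` text read on stdin, printing the commands instead of eval-ing them, and it goes beyond the script above by replacing an existing `:port` on `--to-destination` rather than appending a second one; the other reads `iptables -t nat -L PREROUTING -v -n -x` output and lists the interfaces whose 853 rules have non-zero packet counters, which is the "silent DoT" check described above. The rule layouts in the two sample strings are constructed for the example and assume dd-wrt's usual one-rule-per-interface-and-protocol form; the interface and address values are invented.

```shell
#!/bin/sh
# Added example; assumes dd-wrt style Forced DNS rules in nat/PREROUTING.

# Constructed sample of `iptables -t nat -S PREROUTING` output.
# The br0.10 rule deliberately carries a port on its destination.
SAMPLE_S='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0.10 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.10.1:53
-A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.1'

# Constructed sample of `iptables -t nat -L PREROUTING -v -n -x` output
# after the 853 rules have been installed for a while.
SAMPLE_L='Chain PREROUTING (policy ACCEPT 1234 packets, 56789 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10       600 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853 to:192.168.1.1:53
       0         0 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:853 to:192.168.1.1:53
       4       240 DNAT       tcp  --  br0.10 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853 to:192.168.10.1:53
     500     30000 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.1'

# gen_dot_rules: stdin = `-S PREROUTING` text; stdout = one
# `iptables -t nat -I PREROUTING ...` command per port-53 DNAT rule,
# rewritten for port 853 with the destination pinned to port 53.
# An existing :port on --to-destination is replaced, not doubled.
# Nothing is executed here; pipe the output to `sh` once reviewed.
gen_dot_rules() {
  sed -E '/ --dport 53 /!d
    s/ -m (tcp|udp) / /
    s/^-A /iptables -t nat -I /
    s/ --dport 53 / --dport 853 /
    s/--to-destination ([^ :]+)(:[0-9]+)?/--to-destination \1:53/'
}

# report_dot_hits: stdin = `-L PREROUTING -v -n -x` text; stdout = one
# "<in-interface> <proto> <packets>" line per 853 DNAT rule that has
# matched at least one packet. Fields: $1 pkts, $3 target, $4 prot, $6 in.
report_dot_hits() {
  awk '$3 == "DNAT" && / dpt:853 / && $1 > 0 { printf "%s %s %d\n", $6, $4, $1 }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_S" | gen_dot_rules
printf '%s\n' "$SAMPLE_L" | report_dot_hits
```

On a live router the two functions are fed from the real commands, e.g. `iptables -t nat -S PREROUTING | gen_dot_rules | sh` from the firewall script, and `iptables -t nat -L PREROUTING -v -n -x | report_dot_hits` from a cron job or by hand; an interface that keeps showing counts when nobody configured DoT is the lead worth chasing down to a specific device.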