Preventing client DNS leaking on OpenWRT

A while ago I wrote an article about handing out an OpenDNS resolver via DHCP to my kids' computers, tablets and phones (see here). This worked very well and has kept the nastiness of the web out of sight. It also gave me the option to block certain sites that were not captured under a category or, where a blocked category also swept up a lot of useful domains, to exclude specific domains from it.

As kids get smarter by the day they obviously start investigating how to circumvent the restrictions their parents impose on them, and so did mine. A short read on how domain resolution works is only a Google search away, so bypassing the DNS setup by manually entering another resolver (8.8.8.8, 9.9.9.9, whatever they can find) in the IP configuration takes about a minute, and with that every function and feature OpenDNS provides is simply bypassed.

Now, I was not blissfully unaware of this; I was not born yesterday. Though quite delighted that they were able to figure this out, proving their inquisitive nature, I still do not want them mucking around and being subjected to click-bait, gambling and other damaging sites, and so I had to come up with something else.

As my router runs OpenWRT there is obviously a plethora of functions available, and one of the main ones is the netfilter stack, which lets you mangle packet flow whichever way you like.

Using this, a pre-routing rewrite of all UDP packets destined for port 53 from certain source subnets (the ones my kids use) redirects them all to the OpenDNS service. No matter what they enter on their phones, tablets, laptops etc., the lookups will always go through OpenDNS.

The rule I added, which sits near the top of the PREROUTING chain in the nat table, is:

iptables -t nat -I PREROUTING -s 192.168.x.x/24 -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:53

This ensures that all incoming UDP packets with a source in the 192.168.x.x subnet and destination port 53 are redirected to the OpenDNS service on 208.67.222.222.

One additional benefit is that DNS leakage is also prevented. Even if certain apps or tools modify the DNS servers on the clients or send DNS requests directly, outside of the OS default settings (most often for tracking and redirection purposes, as many malware kits do), the rule still ensures that clients always end up at a trusted resolver.
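As an added example (not the author's own rule), the script below generates the OpenWRT nat PREROUTING rules for a kids' subnet and applies them idempotently. It generalises the post's UDP rule to TCP port 53 as well, since resolvers fall back to TCP for truncated answers and a TCP-only lookup would otherwise slip past the redirect; the subnet 192.168.50.0/24 and the KIDS_NET/RESOLVER variable names are constructed placeholders, 208.67.222.222 is the OpenDNS address from the post.

```shell
#!/bin/sh
# Force client DNS (UDP and TCP port 53) from one LAN subnet to a chosen resolver.
# Constructed placeholders: KIDS_NET (example subnet) and RESOLVER (OpenDNS, as in the post).
KIDS_NET="${KIDS_NET:-192.168.50.0/24}"
RESOLVER="${RESOLVER:-208.67.222.222}"

# dns_redirect_rule PROTO: print the iptables command for one protocol.
# -I inserts at the top of the chain so it wins over any later nat rule.
dns_redirect_rule() {
    printf 'iptables -t nat -I PREROUTING -s %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
        "$KIDS_NET" "$1" "$RESOLVER"
}

# dns_redirect_rules: both rules; TCP covers fallback lookups the UDP-only rule misses.
dns_redirect_rules() {
    dns_redirect_rule udp
    dns_redirect_rule tcp
}

# apply_dns_redirect: install the rules on the router, skipping any that already exist
# (-C checks for an identical rule) so re-running from /etc/firewall.user does not stack duplicates.
# PREROUTING only sees traffic entering from the LAN, so the router's own dnsmasq is unaffected.
apply_dns_redirect() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    for proto in udp tcp; do
        if ! iptables -t nat -C PREROUTING -s "$KIDS_NET" -p "$proto" --dport 53 \
                -j DNAT --to-destination "$RESOLVER:53" 2>/dev/null; then
            iptables -t nat -I PREROUTING -s "$KIDS_NET" -p "$proto" --dport 53 \
                -j DNAT --to-destination "$RESOLVER:53"
        fi
    done
    # Hit counters on these rules show whether clients are actually being redirected.
    iptables -t nat -L PREROUTING -v -n | grep -- "$RESOLVER:53"
}

# Without --apply the script only prints the commands, so it can be reviewed off the router.
if [ "${1:-}" = "--apply" ]; then apply_dns_redirect; else dns_redirect_rules; fi
```

Note that this still covers only classic port 53 DNS; DNS over TLS or HTTPS from a client is not rewritten by these rules.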

Hope this helps anyone in keeping the web somewhat safer for our kids.

Regards,

Erwin


About Erwin van Londen

Master Technical Analyst at Hitachi Data Systems