Forcing local DNS server resolution

Issues related to configuring your network
vtwin@cox.net
Posts: 38
Joined: 2017/02/16 16:41:29

Forcing local DNS server resolution

Post by vtwin@cox.net » 2018/02/26 19:50:45

What would the iptables rule be for me to redirect any DNS queries which originate on my network to resolve on external DNS servers to one of my internal DNS servers?

E.g. if I have an IOT device which uses a hard-coded DNS server, how can I redirect, on my router, any queries sent to a DNS server on the Internet (say for example one of Google's DNS servers), to my own DNS server, for resolution?

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 53 (not sure what else would go here)...?

thanks!

Devourer
Posts: 12
Joined: 2018/01/29 10:15:59

Re: Forcing local DNS server resolution

Post by Devourer » 2018/02/26 20:23:35

I'm not that much into all the firewall mangling; however, I think UDP should be forwarded as well (actually it is even more important than TCP). DNS traffic is shunted to TCP only for long answers; otherwise UDP is used.

Tobias_DE_EN_PL
Posts: 3
Joined: 2014/11/10 15:59:20

Re: Forcing local DNS server resolution

Post by Tobias_DE_EN_PL » 2018/02/27 12:43:49

Hi,

you will want a NAT redirection:

iptables -t nat -A PREROUTING -d 8.8.8.8/32 -j DNAT --to-destination <yourlocaldns>

This will rewrite the packets from your local DNS to appear from Google.

iptables -t nat -A POSTROUTING -s <yourlocaldns> -j SNAT --to-source 8.8.8.8/32

You could also limit these rules to apply only to 53/tcp and 53/udp. Since 8.8.8.8 is not used for anything else, I would not do that. The more complex SNAT/DNAT rules get, the harder it gets to track down any issues. With the above example all ports (1 to 65535) would be redirected.

This would limit the NAT redirector to DNS queries. Since there is no -p parameter, these rules would apply to both tcp and udp.

# --dport is only accepted together with -p, so one rule per protocol is needed
iptables -t nat -A PREROUTING -d 8.8.8.8/32 -p udp --dport 53 -j DNAT --to-destination <yourlocaldns>
iptables -t nat -A PREROUTING -d 8.8.8.8/32 -p tcp --dport 53 -j DNAT --to-destination <yourlocaldns>
iptables -t nat -A POSTROUTING -s <yourlocaldns> -p udp --sport 53 -j SNAT --to-source 8.8.8.8/32
iptables -t nat -A POSTROUTING -s <yourlocaldns> -p tcp --sport 53 -j SNAT --to-source 8.8.8.8/32
More info:
https://thewiringcloset.wordpress.com/2 ... snat-dnat/

Tobias

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Forcing local DNS server resolution

Post by jlehtone » 2018/02/27 19:27:32

1. CentOS as a router? Possible, but perhaps not the best solution. You have to be careful on the public edge and purpose-built router devices consume less too.

2. FireWallD or iptables.service? If you want persistent and consistent rules, then match your actions with the used system.

3. You have a device in the LAN that attempts to connect to 8.8.8.8. (from LAN-IOT; to Google)
- Before routing, the destination is changed into LAN-DNS. (from LAN-IOT; to LAN-DNS)
- The packet travels the FORWARD chain of the filter table. Does that allow (from LAN-IOT; to LAN-DNS)?
- The packet reaches LAN-DNS. The DNS sends a reply: (from LAN-DNS; to LAN-IOT) link-local destination, router not involved
- The IOT ignores the bogus reply from LAN-DNS and waits for 8.8.8.8 in vain.

Let's say that the reply would return via the router. The PREROUTING rule sees the reply and restores "8.8.8.8" as the "from" for the reply; no additional rules required.

What to do to make that reply go via the router? A SNAT rule in POSTROUTING, yes. The initial packet from LAN-IOT that is about to leave the router should change from (from LAN-IOT; to LAN-DNS) into (from router; to LAN-DNS). Now the LAN-DNS will reply to the router.

DNS queries that are going out to LAN-DNS must SNAT to router's LAN IP.
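A complete rule set for the flow described above (DNAT in PREROUTING, SNAT to the router's LAN IP so the reply comes back through the router, and the matching FORWARD allowances), as an added example that is not from any post in this thread. The interface name and the addresses are assumed placeholders; the script prints the rules by default and only installs them when run with the argument `apply`.

```shell
#!/bin/sh
# Constructed example (not from this thread or any project): emit the
# iptables rules that redirect LAN DNS queries to a local resolver.
# Assumed placeholder values; change them for your network.
LAN_IF="${LAN_IF:-eth1}"                          # router interface facing the LAN
LAN_DNS="${LAN_DNS:-192.168.1.53}"                # internal DNS server (LAN-DNS)
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"     # router's own LAN address

# Prints one iptables command per line; pipe to "sh" as root to apply.
dns_redirect_rules() {
    for proto in udp tcp; do
        # --dport is only valid together with -p, hence one rule per protocol.
        # The resolver's own upstream queries (-s LAN_DNS) are excluded,
        # otherwise they would be redirected back to itself.
        printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s\n' \
            "$LAN_IF" "$LAN_DNS" "$proto" "$LAN_DNS" "$LAN_DNS"
        # Hairpin: source-NAT only the packets the DNAT above rewrote, so the
        # resolver answers the router and conntrack un-NATs the reply.
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport 53 -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
            "$LAN_IF" "$LAN_DNS" "$proto" "$ROUTER_LAN_IP"
        # Let the redirected query through the filter table's FORWARD chain.
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
            "$LAN_IF" "$LAN_IF" "$LAN_DNS" "$proto"
    done
    # Replies of the hairpinned connections re-enter and leave on the LAN side.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF"
}

# Number of rules that would be installed; a quick sanity check.
dns_redirect_rule_count() {
    dns_redirect_rules | wc -l | tr -d ' '
}

case "${1:-print}" in
    apply) dns_redirect_rules | sh ;;   # install the rules (run as root)
    *)     dns_redirect_rules ;;        # default: print them for review
esac
```

Run it once without arguments and read the output before applying; the `! -d` match keeps clients that already use the local resolver untouched.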
