[Dnsmasq-discuss] dnsmasq on OpenWRT, configuration question

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Sun Jul 28 15:41:35 BST 2019



> On 27 Jul 2019, at 16:34, Art Greenberg <art at artg.tv> wrote:
> 
> I had been running dnsmasq on a machine on my network and using addn-hosts for ad blocking. My router was configured with my ISP's DNS servers.
> 
> I used "net:red" to assign the router as DNS server for certain devices (Roku streamers, notably) to avoid the ad blocking, because some of the apps on the router would not work properly with the ad blocking in place. This told those devices to go directly to the router for DNS services.
> 
> router/gateway 192.168.2.1
> dnsmasq machine 192.168.2.11
> 
> ## dnsmasq.conf fragment
> 
> domain-needed
> bogus-priv
> no-resolv
> local=/artg.tv/
> interface=eth0
> domain=artg.tv
> server=8.8.8.8,8.8.4.4
> 
> dhcp-option=option:dns-server,192.168.2.11                                         ## use dnsmasq machine for DNS
> dhcp-option=net:red,option:dns-server,192.168.2.1
> 
> dhcp-host=00:01:03:27:84:95,192.168.2.15,martha                                ## typical of computer assignments
> dhcp-host=d8:31:34:36:d0:18,192.168.2.135,ROKU-1-WIFI,net:red    ## typical of ad blocking avoidance
> 
> ## end dnsmasq.conf fragment
> 
> This all worked fine.
> 
> Then I obtained a newer router and installed OpenWRT on it. This, too, worked fine until I moved dnsmasq onto the router. The configuration now looks like this:
> 
> router/gateway 192.168.2.1
> dnsmasq machine 192.168.2.1
> 
> ## dnsmasq.conf fragment
> 
> domain-needed
> bogus-priv
> no-resolv
> local=/artg.tv/
> interface=br-lan
> domain=artg.tv
> server=8.8.8.8,8.8.4.4
> 
> dhcp-option=option:dns-server,192.168.2.1                                            ## use dnsmasq on the router for DNS
> dhcp-option=net:red,option:dns-server,8.8.8.8,8.8.4.4                        ## Google public DNS servers
> 
> dhcp-host=00:01:03:27:84:95,192.168.2.15,martha                                ## typical of computer assignments
> dhcp-host=d8:31:34:36:d0:18,192.168.2.135,ROKU-1-WIFI,net:red    ## typical of ad blocking avoidance
> 
> Now the Roku streamers and some of the apps on them aren't so happy. Despite the "net:red" tag, dnsmasq is intercepting all DNS requests and it is returning 0.0.0.0 when the host being looked up is in one of the addn-hosts files.

dnsmasq won't be intercepting requests; it will answer requests that are sent to it. It doesn't snoop on the wire looking for requests to hijack.

That sort of behaviour can be configured with firewall rules, i.e. redirect any packets sent to port 53 on this host to another host/port combination. Indeed adblock itself has this exact option to do so; it's called 'option adb_forcedns'. It would be worth checking this is set to '0'.

Also it would be worth checking on the router that something else hasn’t done this sort of redirection.

adblock implements it with the following rules:

iptables -v -t nat -L | grep -i adblock
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
   30  2164 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:853 /* !fw3: Adblock DNS, port 853 */ redir ports 853
    0     0 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:853 /* !fw3: Adblock DNS, port 853 */ redir ports 853
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:mdns /* !fw3: Adblock DNS, port 5353 */ redir ports 5353
   32  9171 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:mdns /* !fw3: Adblock DNS, port 5353 */ redir ports 5353



Cheers,

Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775  9123 B3A2 389B 9DE2 334A
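The check Kevin suggests, as an added example that is not part of the original thread: a small POSIX shell script that reads an `iptables -v -t nat -L` listing and reports any REDIRECT rule diverting DNS traffic to the local resolver. The rule listing embedded below is constructed from the adblock output quoted above; the `adb_forcedns` section name in the comment is an assumption about the OpenWrt adblock config layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from the adblock package.
# Detect nat-table REDIRECT rules that force DNS (or DNS-over-TLS / mDNS)
# traffic to the router, which is what makes dnsmasq "intercept" queries
# from hosts that were handed a different DNS server via DHCP.

# Constructed sample, based on the listing quoted in the thread.
SAMPLE_NAT_RULES='Chain PREROUTING (policy ACCEPT 100 packets, 8000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
   30  2164 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:853 /* !fw3: Adblock DNS, port 853 */ redir ports 853
    0     0 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:mdns /* !fw3: Adblock DNS, port 5353 */ redir ports 5353'

# dns_redirect_rules [PORT]
# Reads an `iptables -v -t nat -L` listing on stdin and prints one line per
# REDIRECT rule whose destination port is PORT (default 53). iptables prints
# well-known ports by service name, so 53 also matches "domain" and 5353 "mdns".
# Output: <proto> pkts=<matched packets> dpt=<dest port> redir=<redirect port>
dns_redirect_rules() {
    awk -v want="${1:-53}" '
        BEGIN { alias["53"] = "domain"; alias["5353"] = "mdns" }
        $3 == "REDIRECT" {
            dpt = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) dpt = substr($i, 5)
            if (dpt == "" || (dpt != want && dpt != alias[want])) next
            # The listing ends each REDIRECT line with "redir ports <n>".
            printf "%s pkts=%s dpt=%s redir=%s\n", $4, $1, dpt, $NF
        }'
}

# Number of matching REDIRECT rules (same optional PORT argument).
count_dns_redirects() {
    dns_redirect_rules "$@" | wc -l | tr -d ' '
}

# Exit 0 if at least one matching rule has already matched packets, i.e. the
# redirect is not just configured but actively diverting traffic; 1 otherwise.
dns_redirect_active() {
    dns_redirect_rules "$@" | awk '
        { sub(/^pkts=/, "", $2); if ($2 + 0 > 0) active = 1 }
        END { exit (active ? 0 : 1) }'
}

# Stand-alone run: inspect the constructed sample. On a router, pipe the live
# listing instead:  iptables -v -t nat -L | dns_redirect_rules
echo "DNS (port 53) redirect rules found:"
printf '%s\n' "$SAMPLE_NAT_RULES" | dns_redirect_rules
if printf '%s\n' "$SAMPLE_NAT_RULES" | dns_redirect_active; then
    echo "Port 53 redirect is active: DHCP-assigned DNS servers are being overridden."
fi
# On OpenWrt, also check the adblock option Kevin mentions (assumption: it
# lives in the 'global' section of /etc/config/adblock):
#   uci -q get adblock.global.adb_forcedns
```

A rule with zero packet counters is configured but has not yet diverted anything; the udp rule in the sample shows 30 matched packets, which is the case where a device such as the Roku that was told to use 8.8.8.8 ends up answered by dnsmasq anyway. Re-run the check against port 853 as well if clients use DNS-over-TLS.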
