DNS hijacking - how to

Inspired by this guide https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns, I wish I could do the same thing on kresd and Turris OS 5.x.
My intent is to intercept all the DNS traffic of the LAN and force it to use the DNS server that I set in reForis, in my case Cloudflare (DoT).
I have several Google devices in my home network, which have hard-coded Google DNS servers and ignore router settings. Maybe @vcunat can help me.

Redirecting port-53 traffic is purely a firewall thing. I can’t see any relation to what kind of DNS runs on the router itself. You redirect to the port on the router*, it’s just served by a different daemon but the redirection should be the same. (I don’t know firewall stuff well, so hopefully the guide applies well or someone else can help with that.)

* I assume that’s what you want, and then you can configure kresd to forward to Cloudflare or anything, independently of the redirection itself. I think it is perhaps also possible to redirect the port directly to 1.1.1.1.

Ok, I follow the OpenWrt guide well. The part where I have trouble understanding, and which makes the router KO for DNS, is the final part of the guide: DNS forwarding and DNS redirection. What should I do there?

I can’t see a problem, though I’ve never tried anything like it (and I’m not a firewall expert anyway). I assume you replaced 192.168.1.2 by the real address (.1 usually). I’d expect that the MAC address in the previous step doesn’t matter; their case was with the DNS server being inside LAN (i.e. it had to get an exception), here you have it on the router itself.


It worked by changing the address 192.168.1.2 to 192.168.1.1. I ignored DNS forwarding. Thanks.

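The redirect that the thread ends up with, written out as an added example (this is not code from the thread or from the OpenWrt guide it links to). It assumes Turris OS 5.x with fw3/iptables, a firewall zone named `lan`, and the router's LAN address 192.168.1.1 as used in the thread; the section name `dns_int` is an assumption chosen so that re-running the script replaces the rule instead of duplicating it. The uci commands are generated by a function so they can be inspected (and tested) before anything is applied on the router.

```shell
#!/bin/sh
# Added example: DNAT every LAN client's port-53 traffic (TCP and UDP) to the
# router's own resolver (kresd), so devices with hard-coded resolvers still go
# through the router's configured upstream.  Assumed values: fw3 zone "lan",
# router LAN IP 192.168.1.1, uci section name "dns_int".

ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"

# Check that an argument is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the uci commands for the redirect.  dest_ip is the router's own LAN
# address (the thread's fix: 192.168.1.2 from the guide -> 192.168.1.1).
dns_redirect_uci_commands() {
  lan_ip="$1"
  cat <<EOF
uci -q delete firewall.dns_int || true
uci set firewall.dns_int='redirect'
uci set firewall.dns_int.name='Intercept-DNS'
uci set firewall.dns_int.src='lan'
uci set firewall.dns_int.src_dport='53'
uci set firewall.dns_int.dest_ip='$lan_ip'
uci set firewall.dns_int.dest_port='53'
uci set firewall.dns_int.proto='tcp udp'
uci set firewall.dns_int.target='DNAT'
uci commit firewall
EOF
}

# Validate the address, run the generated commands, and reload fw3.
apply_dns_redirect() {
  is_ipv4 "$1" || { echo "invalid LAN address: $1" >&2; return 1; }
  command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 1; }
  dns_redirect_uci_commands "$1" | sh
  /etc/init.d/firewall restart
}

# After applying: fw3 renders the redirect as DNAT rules in the nat table.
show_dns_redirect() {
  iptables -t nat -S | grep -- '--dport 53' || echo "no port-53 DNAT rule found"
}

# Usage on the router:  sh intercept-dns.sh apply   (then: sh intercept-dns.sh show)
case "${1:-}" in
  apply) apply_dns_redirect "$ROUTER_LAN_IP" ;;
  show)  show_dns_redirect ;;
esac
```

A port-53 redirect only catches plain DNS; a client that speaks DNS-over-TLS (853) or DNS-over-HTTPS (443) to a hard-coded resolver bypasses it, so after applying the rule it is worth confirming from a LAN client (for example with `nslookup` against 8.8.8.8) that the answer now comes from the router.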
