I am using a Flint 2 on the last release 4.5.8.
I am running AdGuard on my router and I want to force every device through it.
Some of my devices use custom DNS.
I followed this guide:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
But it doesn’t do anything more than the “Override DNS settings for all clients” setting in the GL-iNet UI, as far as I know.
This works great for devices connected through cable, but I also would like to be able to override my DNS settings for devices on the Wi-Fi, like my phone.
I have a hard time finding anything about DNS Hijacking on Wi-Fi.
Are there any guides for this? Has anyone done it successfully?
Thanks
Dylan
On your phone (Android):
Settings → Network and Internet → Private DNS → OFF
Now your phone will get the DNS from your router.
I am trying to hijack the DNS from router side for Wi-Fi devices.
I am not trying to change the DNS settings on my Wi-Fi devices.
admon
May 16, 2024, 4:21am
Hijacking isn’t possible if the device does not use plain DNS.
So the advice of @Renato is indeed correct.
Hi Admon,
The phone is just an example of one of the devices.
So, for my own understanding, if I understand your message correctly:
The DNS over TLS firewall configuration:
"Configure firewall to filter DoT traffic forcing LAN clients to switch to plain DNS."
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
is impossible to pull off for Wi-Fi?
I haven't tried installing banIP through LuCI; the OpenWrt documentation says:
DNS over HTTPS
Utilize banIP to filter DoH traffic forcing LAN clients to switch to plain DNS.
Is that still worth a try, or is it also impossible to force devices to use my DNS with that?
Thank you
Dylan
admon
May 16, 2024, 7:15am
In my opinion, it's a waste of time because there is DoH for example.
Trying to ban all IPs of all DNS servers ... isn't a real way either.
As written above, you simply can’t.
Since DoH will use HTTPS, you can't block it.
You can try to block as much as possible, but there is always a way around it. As soon as a device uses DoH it will be able to get around your AdGuard DNS.
I would just accept that and live with it. A game of cat and mouse doesn't make much sense.
That is unfortunate.
But thanks a lot for your quick response.
There's a detailed thread on using IP sets over on the Openwrt forum:
following up on earlier threads, I finally got round to using the recipe at https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns to block potentially hostile LAN clients from using DoH. I have a couple of errors, can...
It builds from the Wiki page and is successful in blocking DoH.
admon
May 16, 2024, 10:52am
Please keep in mind that blocking based on IPs has disadvantages and isn't really reliable.
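To make admon's two points concrete (plain DNS can be redirected, DoT can be rejected by port, but DoH on 443/tcp is only recognisable by destination address, and any address list is incomplete), here is a small added example that is not part of this thread or of the OpenWrt wiki recipe. It classifies forwarded LAN flows from a few constructed netfilter LOG lines according to what the wiki's DNAT redirect and DoT REJECT rules would do with them. The router address 192.168.8.1 and the short resolver list are assumptions made for the example; the log lines are constructed, not captured.

```python
import re
from collections import Counter
from typing import Optional

# Assumed LAN address of the router running AdGuard Home (placeholder for this example).
ROUTER_IP = "192.168.8.1"

# A deliberately short list of public resolvers that also answer DoH on 443/tcp.
# Any such list is incomplete, which is exactly why IP-based DoH blocking is unreliable.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Fields needed from a netfilter LOG line ("SRC=... DST=... PROTO=... SPT=... DPT=...").
FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:\s+SPT=\d+\s+DPT=(?P<dpt>\d+))?"
)


def classify(line: str) -> Optional[str]:
    """Return what the intercept recipe would do with one forwarded LAN flow, or None if unparsable."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    dst, proto = m["dst"], m["proto"].lower()
    dport = int(m["dpt"]) if m["dpt"] else None
    if dport == 53 and proto in ("udp", "tcp"):
        # The DNAT redirect rewrites every LAN-sourced port-53 flow to the router itself.
        return "ROUTER_DNS" if dst == ROUTER_IP else "REDIRECTED_TO_ROUTER"
    if dport == 853 and proto == "tcp":
        # DoT has a dedicated port, so a REJECT rule on 853/tcp stops it. Whether the client
        # then falls back to plain DNS depends on its opportunistic vs. strict setting.
        return "DOT_REJECTED"
    if dport == 443 and proto == "tcp":
        # DoH rides on ordinary HTTPS; the only firewall-level signal is the destination address.
        return "DOH_SUSPECT" if dst in KNOWN_DOH_RESOLVERS else "HTTPS_OPAQUE"
    return "OTHER"


def summarize(log_text: str) -> Counter:
    """Count verdicts over a block of log lines, skipping lines that do not parse."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            counts[verdict] += 1
    return counts


# Constructed sample: six forwarded flows from three LAN clients (not a real capture).
SAMPLE_LOG = """\
kernel: IN=br-lan OUT=eth0 SRC=192.168.8.23 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53
kernel: IN=br-lan SRC=192.168.8.23 DST=192.168.8.1 LEN=60 PROTO=UDP SPT=51235 DPT=53
kernel: IN=br-lan OUT=eth0 SRC=192.168.8.42 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=44321 DPT=853 SYN
kernel: IN=br-lan OUT=eth0 SRC=192.168.8.42 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=44322 DPT=443 SYN
kernel: IN=br-lan OUT=eth0 SRC=192.168.8.42 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44323 DPT=443 SYN
kernel: IN=br-lan OUT=eth0 SRC=192.168.8.7 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"{classify(line):>22}  {line}")
    print(dict(summarize(SAMPLE_LOG)))
```

The fourth and fifth sample lines are the point of the exercise: both are plain TCP SYNs to port 443 and look identical to the firewall, so the one to 1.1.1.1 is only flagged because that address happens to be on the list. A resolver the list does not know about (here 203.0.113.10) sails through as ordinary HTTPS, which is why the thread concludes that IP-based DoH blocking is a cat-and-mouse game rather than a guarantee.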
Oh agreed, especially when there are things like iCloud Private Relay that people like to enable and then complain that stuff does not work.
DylanE
May 16, 2024, 11:41am
Thank you, @hecatae and @admon for your help!
It indeed looks like, if you block the DoH providers, the devices won't automatically switch to the router's DNS.
It is unfortunate, but also better for security reasons.
Yes, that's why I gave up with doing so as I have family members who enable iCloud Private Relay and I'm tired of the tech queries.
slesar
May 16, 2024, 3:28pm
I used the Tasker app on my Android. When I am at home and the SSID name matches, it automatically turns off the private DNS setting on my phone. The reason is that I made hostnames for local domains, which I need to access LAN devices.
When it does not match any Wi-Fi SSID, it turns on the private DNS setting on my phone.
As I wrote here, it is just not a good idea.
Purely theoretically, you can use this list.
BUT!
I don't think it will block ALL DoH.
Blocking DoH can cause connection issues.
It is reducing security.