Separate subnet for DNS (pros and cons discussion)

maksikos · May 10, 2024, 9:42pm

In general official OpenWRT guide (link) have following recommendations:

Block DoT

uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd="rule"
uci set firewall.dot_fwd.name="Deny-DoT"
uci set firewall.dot_fwd.src="lan"
uci set firewall.dot_fwd.dest="wan"
uci set firewall.dot_fwd.dest_port="853"
uci set firewall.dot_fwd.proto="tcp udp"
uci set firewall.dot_fwd.target="REJECT"
uci commit firewall
service firewall restart

Redirect DNS

# Configure firewall
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.dest_ip="192.168.2.2"
uci commit firewall
service firewall restart
 
# Configure network
uci add_list network.lan.ipaddr="192.168.2.1/24"
uci commit network
service network restart

So the main discussion is:

If created separate subnet for DNS will it increase stability and security?
If DoT blocked on router, can I ensure that all DNS traffic resolved on router and router pass all traffic via Wireguard (to hide DND requests from ISP)
WebRTC under question. Should (and can it?) be blocked on router to prevent IP leak?

Generally I need clients to force use my DNS which will be resolved through VPN to avoid any information leak to ISP.

SpitzAX3000 · May 11, 2024, 2:13am

What about this options? It prevents leaks as per GL developers:

admon · May 11, 2024, 7:38am

I think many people get confused between VPN using a client app on the PC and using VPN by router.

For example, WebRTC: Your PC can’t leak data by its real IP because it does not know about it. From the view of the PC, nothing changed while using the router as VPN - but there is no way to produce a leak. Leaking could be possible using a VPN app, but not by routing everything using a router.

I don’t see any reason why creating an additional subnet for DNS should be 1. a necessary and 2. a good thing. The manual you found isn’t for GL devices and does not make sense in any way. Just ignore it.

Blocking DoT does not make any sense either. Yes, it might leak your used DNS server - but it won’t leak your location. And there are plenty of ways to make DNS requests to the internet without using DoT. (By using DoH for example, which you simply can’t block)

maksikos · May 11, 2024, 7:53am

Is there any way to install DPI on router to block it too?

admon · May 11, 2024, 8:02am

No. It’s not powerful enough, nor does OpenWrt provide this feature out of the box.
There are solutions like Installing Netify on OpenWrt but for me this does not sound like a real way of getting a “real” firewall.

maksikos · May 11, 2024, 12:08pm

Ok, but what if I will use BanIP or something similar to block access to DOH servers?

Like this or this lists?

Will this help me?

admon · May 11, 2024, 12:12pm

It might help against the big ones, but tbh, banning DoH isn’t something you should do.

maksikos · May 11, 2024, 12:56pm

I mean I want to run Adguard FAMILY DOH on router and force all devices to resolve domains via router (not by themselves)

admon · May 11, 2024, 12:59pm

You can try to ban as much as possible - but as I said before, devices can freely decide if they will use your router as a DNS resolver or if they don’t.

Just enable DNS rewriting (“Override DNS Settings for All Clients”), which will take care of most things - and ignore all others since it’s lost time.

maksikos · May 11, 2024, 1:00pm

As I tested, only if request is unencrypted.

What I want to block every DNS (not only DOH) except Adguard family.

Will this work? Or I can have troubles?

admon · May 11, 2024, 1:01pm

As written above, you simply can’t.

Since DoH will use HTTPs you can’t block it.
You can try to block as much as possible but there is always a way around it. As soon as an device uses DoH it will be able to get around your AdGuard DNS.

maksikos · May 11, 2024, 6:39pm

But if it will be banned by BanIP? It will fall back to my DNS? Am I right?

admon · May 11, 2024, 6:41pm

Mostly it will just fail and the device will not have internet.

And there are way more servers than BanIP could ban. It‘s such a cat and mouse game.

maksikos · May 11, 2024, 6:50pm

Thank you for constructive feedback. So the best way just enable “override dns”? In this case will DNS pass through my VPN on router?

SpitzAX3000 · May 11, 2024, 7:01pm

I don’t think so as this is a new feature in firmware version 4.6.x. But someone might test it and confirm.

admon · May 11, 2024, 7:02pm

Plain DNS will be rewritten by the router, DoH and DoT will just flow through your VPN, if you use global routing.

maholio · May 17, 2024, 5:43pm

Purely theoretical you can use this or this list

BUT!

I don’t think it will block ALL DOH.
Blocking DOH can cause connection issues.
It is reducing security.