iptables to catch hardcoded DNS with client identification

#1

pi-hole is set up on 192.168.1.103 with the router on 192.168.1.1. DHCP on the pi-hole is enabled, and the router simply acts as a DHCP forwarder so I am able to see individual devices with IP addresses and host names as they make requests.

My phone and Chromecast appear to be using Google’s 8.8.x.x hard-coded DNS, so I made the following iptables rules in my DD-WRT router settings, under Firewall.

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING ! -s 192.168.1.103 -p udp --dport 53 -j DNAT --to 192.168.1.103:53
iptables -t nat -I PREROUTING ! -s 192.168.1.103 -p tcp --dport 53 -j DNAT --to 192.168.1.103:53

The rule appears to work correctly, as I see the following command in pi-hole (web interface / tcpdump), but my computer still believes it was answered via 8.8.8.8.

$ dig @8.8.8.8 google.com
<<>> DiG 9.10.6 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44465
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. XX A
;; ANSWER SECTION:
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: XXX XXX XX XX:XX:XXX XXX XXX
;; MSG SIZE rcvd: 135

Expected Behaviour:

Requests originating from all devices should continue to be visible as earlier on the admin interface, with IPs and host names unchanged.

Actual Behaviour:

Requests originating from my phone and Chromecast (both with hardcoded DNS) now appear to originate from the router. Removing the MASQUERADE line from iptables fixes it, but that will throw other problems citing “reply from unexpected source.”

$ dig @8.8.8.8 google.com
;; reply from unexpected source: 192.168.1.103#53, expected 8.8.8.8#53
<<>> DiG 9.10.6 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44465
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. XX A
;; ANSWER SECTION:
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
google.com. 160 XX A XX.XXX.XXX.XXX
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: XXX XXX XX XX:XX:XXX XXX XXX
;; MSG SIZE rcvd: 135

So, my question boils down to asking if it is possible to use iptables (or other DD-WRT features) to catch port 53 requests and have them appear to be originating from the correct device, rather than the router. Thank you.

Debug Token:

7zdoa88co1

0 Likes
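The two behaviours reported above (client identity lost with the blanket MASQUERADE, "reply from unexpected source" without it) come from the same mechanism: the Pi-hole sits on the same subnet as the clients, so when the router DNATs a query to 192.168.1.103 without also rewriting the source, the Pi-hole answers the client directly and the reply never passes back through the router's conntrack, which is the only place the original destination 8.8.8.8 could be restored. Rewriting the source (MASQUERADE) forces the reply back through the router, at the price of every redirected query arriving at the Pi-hole from the router's address. The script below is an added example, not code from the thread or from the Pi-hole project. It prints (or, with the `apply` argument, executes) the original broad rule set next to a version whose MASQUERADE is scoped to only the redirected port-53 flows, and it includes a small log check that measures how much of a Pi-hole query log is attributed to the router. Assumed, not from the thread: the DD-WRT LAN bridge name `br0`, the function names, and the constructed dnsmasq-style log lines.

```shell
#!/bin/sh
# Added example (not from the thread): DNS redirect rules for a DD-WRT style
# router, with the MASQUERADE narrowed to the redirected DNS flows only.
# Addresses follow the thread: Pi-hole 192.168.1.103, router 192.168.1.1.
# Run with "apply" to execute the scoped rules; otherwise they are printed.

PIHOLE="${PIHOLE:-192.168.1.103}"
ROUTER="${ROUTER:-192.168.1.1}"
LAN_IF="${LAN_IF:-br0}"        # assumption: DD-WRT's LAN bridge interface
IPT="${IPT:-iptables}"

# Thread's original approach: a blanket MASQUERADE in POSTROUTING.
# Every packet leaving the router, including redirected DNS queries,
# gets the router's address as source, so the Pi-hole log attributes
# all redirected queries to 192.168.1.1.
rules_broad_masquerade() {
    echo "$IPT -t nat -A POSTROUTING -j MASQUERADE"
    echo "$IPT -t nat -I PREROUTING ! -s $PIHOLE -p udp --dport 53 -j DNAT --to-destination $PIHOLE:53"
    echo "$IPT -t nat -I PREROUTING ! -s $PIHOLE -p tcp --dport 53 -j DNAT --to-destination $PIHOLE:53"
}

# Scoped variant: DNAT only LAN-side traffic, and MASQUERADE only what has
# been redirected to the Pi-hole on port 53. Other LAN traffic keeps its real
# source. Queries sent directly to the Pi-hole never cross the router, so they
# are still logged per client; only the hard-coded 8.8.8.8 style queries show
# up as the router, which is unavoidable while the Pi-hole shares the clients'
# subnet (the reply must come back through the router's conntrack entry).
rules_scoped_masquerade() {
    echo "$IPT -t nat -I PREROUTING -i $LAN_IF ! -s $PIHOLE -p udp --dport 53 -j DNAT --to-destination $PIHOLE:53"
    echo "$IPT -t nat -I PREROUTING -i $LAN_IF ! -s $PIHOLE -p tcp --dport 53 -j DNAT --to-destination $PIHOLE:53"
    echo "$IPT -t nat -A POSTROUTING -o $LAN_IF -d $PIHOLE -p udp --dport 53 -j MASQUERADE"
    echo "$IPT -t nat -A POSTROUTING -o $LAN_IF -d $PIHOLE -p tcp --dport 53 -j MASQUERADE"
}

apply_rules() {
    rules_scoped_masquerade | sh -e
}

# Check for the symptom from the thread: reads Pi-hole's dnsmasq-style log
# on stdin and prints the percentage of queries attributed to the router.
# A large share means NAT is hiding the real clients.
router_query_share() {
    awk -v r="$ROUTER" '
        /query\[/ { total++; if ($NF == r) hidden++ }
        END { printf "%d\n", (total ? 100 * hidden / total : 0) }'
}

# Constructed sample log lines in pihole.log (dnsmasq) format; not real data.
SAMPLE_LOG='Mar  1 10:00:01 dnsmasq[812]: query[A] google.com from 192.168.1.1
Mar  1 10:00:02 dnsmasq[812]: query[A] example.com from 192.168.1.50
Mar  1 10:00:03 dnsmasq[812]: query[AAAA] google.com from 192.168.1.1
Mar  1 10:00:04 dnsmasq[812]: query[A] cdn.example.net from 192.168.1.1'

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    echo "# scoped rules:"
    rules_scoped_masquerade
    echo "# router-attributed share of sample log: $(printf '%s\n' "$SAMPLE_LOG" | router_query_share)%"
fi
```

To keep per-client attribution for the hard-coded queries as well, the reply path has to traverse the router without source rewriting, which means placing the Pi-hole on a different subnet or VLAN from the clients so that its replies are routed back through the router's NAT table rather than delivered directly on the LAN. On a single flat subnet the scoped rules are the practical compromise: the Pi-hole still filters the redirected traffic, and the log check above tells you how many entries are being collapsed onto the router's address.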

#2

This is not a Pi-hole feature, so you may get more feedback on a forum dedicated to iptables and network routing.

0 Likes

closed #3

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

0 Likes