@rohan-molloy
Last active June 18, 2017 18:09
Forcing all vpn clients to use a particular dns

Hijacking dns traffic with iptables nat

We put this on the VPN server (which functions much like a home router, doing NAT and DNS resolving):

  # Redirect any DNS query arriving from VPN clients on tun0 (UDP and TCP port 53)
  # to our resolver, unless it is already addressed to that resolver.
  iptables -t nat -A PREROUTING -i tun0 -p udp -m udp --dport 53 ! -d 10.53.1.53 -j DNAT --to-destination 10.53.1.53
  iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 53 ! -d 10.53.1.53 -j DNAT --to-destination 10.53.1.53

So for DNS connections entering via tun0 (the internal side) that are headed for an external destination, we redirect them to our DNS server (10.53.1.53), although we could pick an external server if we wanted to.

Don't forget the `! -d 10.53.1.53` part; it's important, because without it you end up in a loop.

The server it's NATing to has an adblock DNSBL, so it's easy to check whether it's working:

  dig +short @8.8.8.8 ad.doubleclick.net
  0.0.0.0

It's quite handy for devices like Chromecasts, phones, etc. that can be quite stubborn when it comes to using anything other than the Google recursive DNS servers (8.8.8.8, 8.8.4.4).
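The same rules, packaged as a small script (an added example, not part of the original gist): the interface and resolver are parameters, the install is idempotent (`iptables -C` is checked before `-A`, so re-running does not stack duplicate rules), there is a matching remove, and the `dig` check above is wrapped as a function that returns success only when the blocked name comes back as 0.0.0.0. `TUN_IF`, `RESOLVER` and the function names are assumptions of this example; the default values are the gist's own.

```shell
#!/bin/sh
# Added example script; names below are this example's own, not from the gist.
TUN_IF="${TUN_IF:-tun0}"            # VPN-side interface that client traffic arrives on
RESOLVER="${RESOLVER:-10.53.1.53}"  # resolver every client DNS query is forced to

# Print the rule specification (everything after -A/-C/-D) for one protocol.
# The "! -d $RESOLVER" exclusion keeps queries already aimed at the resolver
# from matching, which the gist notes would otherwise loop.
dns_redirect_spec() {
    proto="$1"
    printf '%s' "PREROUTING -i $TUN_IF -p $proto -m $proto --dport 53 ! -d $RESOLVER -j DNAT --to-destination $RESOLVER"
}

# Idempotent install: -C tests whether the rule exists before -A appends it,
# so running the script twice leaves exactly one copy of each rule.
install_dns_redirect() {
    for proto in udp tcp; do
        if ! iptables -t nat -C $(dns_redirect_spec "$proto") 2>/dev/null; then
            iptables -t nat -A $(dns_redirect_spec "$proto")
        fi
    done
}

# Remove every copy of the rule (loops in case duplicates were added by hand).
remove_dns_redirect() {
    for proto in udp tcp; do
        while iptables -t nat -C $(dns_redirect_spec "$proto") 2>/dev/null; do
            iptables -t nat -D $(dns_redirect_spec "$proto")
        done
    done
}

# Verification, run from a VPN client: ask an external resolver directly.
# If the redirect is in place the answer actually comes from our blocklist-backed
# resolver, so the gist's test name resolves to 0.0.0.0 and this returns 0.
check_dns_redirect() {
    name="${1:-ad.doubleclick.net}"
    answer="$(dig +short @8.8.8.8 "$name" | head -n 1)"
    [ "$answer" = "0.0.0.0" ]
}

case "${1:-}" in
    install) install_dns_redirect ;;
    remove)  remove_dns_redirect ;;
    check)   check_dns_redirect "$2" ;;
esac
```

Run it as `TUN_IF=tun0 RESOLVER=10.53.1.53 ./dns-redirect.sh install` on the VPN server and `./dns-redirect.sh check` from a client. The rules only catch plain DNS on port 53 arriving on the VPN interface: DNS over TLS (TCP 853) and DNS over HTTPS (TCP 443) are not redirected, so a client that uses those still talks to its configured resolver, and the `check` function will not notice it.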
