Iptables rules with 'redir' on the openwrt
dgp970 opened this issue · 4 comments
For naive:
"listen": "redir://0.0.0.0:1080"
For iptables:
iptables -t nat -A PREROUTING -p udp -j REDIRECT --to-ports 1080
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1080
With the above configuration, there is a DNS leak.
Seeking help with configuring the correct rules, thank you.
What do you mean DNS leak?
What is the expected? The actual?
There is DNS resolution for both the ISP and the server, and while accessing a website, the ISP's DNS resolution is used first.
How to correctly configure iptables rules to enable DNS resolution through the server?
After enabling https-dns-proxy, while maintaining the above configuration, you can access google.com normally, but accessing youtube is extremely slow.
[INFO:redirect_resolver.cc] Malformed DNS query from 192.168.1.138:54798
[INFO:redirect_resolver.cc] OnRecv: ignoring error ERR_INVALID_ARGUMENT
[INFO:redirect_resolver.cc] OnRecv: ignoring error ERR_MSG_TOO_BIG
I recommend not using the fakeip resolver at all as it pollutes DNS cache all around.
You can redirect tcp port 53 to port 1080 and use this as a proxied remote DNS server and cache it for latency performance. This way you resolve host names remotely and save RTT.
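A rule set along the lines of that suggestion, as an added example that is not from the issue or the naiveproxy project. It assumes OpenWrt's br-lan bridge, the redir listener on port 1080, the placeholder server address 203.0.113.10, and that the router's resolver reaches its upstream over TCP so the port 53 rules have something to catch; UDP is deliberately not redirected.

```shell
#!/bin/sh
# Added example (not from the issue or naiveproxy): nat rules that send LAN TCP
# traffic, including plain-text DNS over TCP, into naive's redir listener.
IPT="${IPT:-iptables}"              # set IPT=echo to print the rules instead of applying them
REDIR_PORT="${REDIR_PORT:-1080}"
LAN_IF="${LAN_IF:-br-lan}"          # assumption: OpenWrt default LAN bridge
PROXY_SERVER="${PROXY_SERVER:-203.0.113.10}"  # placeholder, replace with the real server
CHAIN=NAIVE_REDIR

# Destinations that must never be redirected: loopback, private, link-local,
# multicast and reserved ranges. Redirecting these would loop LAN and router
# services (dnsmasq, LuCI) through the proxy.
bypass_nets() {
  printf '%s\n' 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
                169.254.0.0/16 224.0.0.0/4 240.0.0.0/4
}

apply_rules() {
  "$IPT" -t nat -N "$CHAIN" 2>/dev/null || true
  "$IPT" -t nat -F "$CHAIN"
  # Never redirect traffic to the proxy server itself (defensive against loops)
  "$IPT" -t nat -A "$CHAIN" -d "$PROXY_SERVER" -j RETURN
  for net in $(bypass_nets); do
    "$IPT" -t nat -A "$CHAIN" -d "$net" -j RETURN
  done
  # TCP DNS goes through the tunnel to a remote resolver; listed first so its
  # packet counters show whether DNS is actually being caught
  "$IPT" -t nat -A "$CHAIN" -p tcp --dport 53 -j REDIRECT --to-ports "$REDIR_PORT"
  # Everything else over TCP
  "$IPT" -t nat -A "$CHAIN" -p tcp -j REDIRECT --to-ports "$REDIR_PORT"
  # LAN clients: TCP only. No UDP rule, so UDP DNS is not handed to the
  # listener's built-in resolver.
  "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -j "$CHAIN"
  # The router's own resolver (dnsmasq) sends upstream queries via OUTPUT,
  # not PREROUTING, so hook TCP 53 there as well
  "$IPT" -t nat -A OUTPUT -p tcp --dport 53 -j "$CHAIN"
}

remove_rules() {
  "$IPT" -t nat -D PREROUTING -i "$LAN_IF" -p tcp -j "$CHAIN" 2>/dev/null || true
  "$IPT" -t nat -D OUTPUT -p tcp --dport 53 -j "$CHAIN" 2>/dev/null || true
  "$IPT" -t nat -F "$CHAIN" 2>/dev/null || true
  "$IPT" -t nat -X "$CHAIN" 2>/dev/null || true
}

case "${1:-}" in
  apply)  apply_rules ;;
  remove) remove_rules ;;
esac
```

Run `IPT=echo sh naive-redir.sh apply` first to review the exact rules before applying them as root with `sh naive-redir.sh apply`; check `iptables -t nat -L NAIVE_REDIR -v` afterwards to see whether the port 53 rule is counting packets.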