diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index acdcfa7..f08ad22 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -209,6 +209,58 @@
 -j DSCP --set-dscp-class cs1 \
 -m comment --comment "Bulk HTTPS downloads (>50MB)"
+ ##############################################################################
+ # DNS INTERCEPTION - Force all DNS through AdGuard Home
+ ##############################################################################
+
+ # Redirect standard DNS queries (port 53) to AdGuard
+ # Skip packets from the router itself to prevent loops
+ iptables -t nat -A PREROUTING -i lan -p udp --dport 53 ! -s 192.168.0.1 \
+ -j DNAT --to-destination 192.168.0.1:53 \
+ -m comment --comment "Redirect UDP DNS to AdGuard"
+ iptables -t nat -A PREROUTING -i lan -p tcp --dport 53 ! -s 192.168.0.1 \
+ -j DNAT --to-destination 192.168.0.1:53 \
+ -m comment --comment "Redirect TCP DNS to AdGuard"
+
+ # Block any DNS queries that try to bypass AdGuard
+ iptables -A FORWARD -i lan -p udp --dport 53 ! -d 192.168.0.1 \
+ -j REJECT --reject-with icmp-port-unreachable \
+ -m comment --comment "Block external UDP DNS"
+ iptables -A FORWARD -i lan -p tcp --dport 53 ! -d 192.168.0.1 \
+ -j REJECT --reject-with tcp-reset \
+ -m comment --comment "Block external TCP DNS"
+
+ # Block DNS over TLS (DoT) on port 853
+ iptables -A FORWARD -i lan -p tcp --dport 853 \
+ -j REJECT --reject-with tcp-reset \
+ -m comment --comment "Block DNS over TLS"
+
+ # Block DNS over QUIC (DoQ) on UDP port 853
+ iptables -A FORWARD -i lan -p udp --dport 853 \
+ -j REJECT --reject-with icmp-port-unreachable \
+ -m comment --comment "Block DNS over QUIC"
+
+ # Block known DNS over HTTPS (DoH) providers
+ # Google DNS
+ iptables -A FORWARD -i lan -d 8.8.8.8 -p tcp --dport 443 -j REJECT \
+ -m comment --comment "Block Google DoH"
+ iptables -A FORWARD -i lan -d 8.8.4.4 -p tcp --dport 443 -j REJECT \
+ -m comment --comment "Block Google DoH"
+ # Cloudflare DNS
+ iptables -A FORWARD -i lan -d 1.1.1.1 -p tcp --dport 443 -j REJECT \
+ -m comment --comment "Block Cloudflare DoH"
+ iptables -A FORWARD -i lan -d 1.0.0.1 -p tcp --dport 443 -j REJECT \
+ -m comment --comment "Block Cloudflare DoH"
+ # Quad9 DNS
+ iptables -A FORWARD -i lan -d 9.9.9.9 -p tcp --dport 443 -j REJECT \
+ -m comment --comment "Block Quad9 DoH"
+ iptables -A FORWARD -i lan -d 149.112.112.112 -p tcp --dport 443 -j REJECT \
+ -m comment --comment "Block Quad9 DoH"
+
+ # Optional: Log DNS bypass attempts for monitoring
+ # iptables -A FORWARD -i lan -p udp --dport 53 -j LOG --log-prefix "DNS-BYPASS: " --log-level warning
+ # iptables -A FORWARD -i lan -p tcp --dport 853 -j LOG --log-prefix "DoT-ATTEMPT: " --log-level warning
+
 '';
 # Clean up QoS rules when firewall stops
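Review bot: The commented-out LOG rules at the end of the hunk would never fire if uncommented where they are, because they come after the REJECT rules for the same traffic and REJECT is terminating; a log line for the udp/53 bypass belongs directly before its REJECT, e.g. `iptables -A FORWARD -i lan -p udp --dport 53 ! -d 192.168.0.1 -j LOG --log-prefix "DNS-BYPASS: " --log-level warning`, and likewise the tcp/853 line before the DoT REJECT. Every rule here is IPv4-only (iptables with v4 literals), so if the lan carries IPv6, port 53/853 and DoH traffic over v6 is neither redirected nor blocked; whether v6 is enabled is not visible from this hunk. The six DoH rules are hard-coded per address and will drift as providers add ranges; generating them from a single Nix list (e.g. with lib.concatMapStringsSep) would keep the addresses in one place. The enclosing shell string starts before this hunk.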
@@ -218,6 +270,10 @@
 # Clear mangle table rules
 iptables -t mangle -F FORWARD 2>/dev/null || true
+
+ # Clear NAT rules for DNS interception
+ iptables -t nat -D PREROUTING -i lan -p udp --dport 53 ! -s 192.168.0.1 -j DNAT --to-destination 192.168.0.1:53 2>/dev/null || true
+ iptables -t nat -D PREROUTING -i lan -p tcp --dport 53 ! -s 192.168.0.1 -j DNAT --to-destination 192.168.0.1:53 2>/dev/null || true
 '';
 };
 useNetworkd = true;
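Review bot: The two `-D` lines will not match the rules added on start, because `iptables -D` with a rule specification needs the full rule including its match modules, and the start-side rules carry `-m comment --comment "Redirect UDP DNS to AdGuard"` / `"Redirect TCP DNS to AdGuard"`; the `2>/dev/null || true` then hides the "Bad rule" error, the DNAT rules survive the stop, and every restart appends a duplicate pair. Append the same comment match to each delete, e.g. `iptables -t nat -D PREROUTING -i lan -p udp --dport 53 ! -s 192.168.0.1 -j DNAT --to-destination 192.168.0.1:53 -m comment --comment "Redirect UDP DNS to AdGuard" 2>/dev/null || true`. The FORWARD REJECT rules from the same change (port 53/853 and the DoH addresses) have no delete here at all, so unless the stop script flushes FORWARD somewhere not visible they accumulate the same way; putting them in a dedicated chain jumped to from FORWARD, then flushing and deleting that chain on stop the way the mangle rules are flushed above, would keep the cleanup to a few fixed lines. The enclosing shell string (the stop hook) starts before this hunk.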