Attempt to block/redirect DNS queries to adguard.

hosts/router/default.nix

@@ -209,6 +209,58 @@
           -j DSCP --set-dscp-class cs1 \
           -m comment --comment "Bulk HTTPS downloads (>50MB)"
 
+        ##############################################################################
+        # DNS INTERCEPTION - Force all DNS through AdGuard Home
+        ##############################################################################
+        
+        # Redirect standard DNS queries (port 53) to AdGuard
+        # Skip packets from the router itself to prevent loops
+        iptables -t nat -A PREROUTING -i lan -p udp --dport 53 ! -s 192.168.0.1 \
+          -j DNAT --to-destination 192.168.0.1:53 \
+          -m comment --comment "Redirect UDP DNS to AdGuard"
+        iptables -t nat -A PREROUTING -i lan -p tcp --dport 53 ! -s 192.168.0.1 \
+          -j DNAT --to-destination 192.168.0.1:53 \
+          -m comment --comment "Redirect TCP DNS to AdGuard"
+        
+        # Block any DNS queries that try to bypass AdGuard
+        iptables -A FORWARD -i lan -p udp --dport 53 ! -d 192.168.0.1 \
+          -j REJECT --reject-with icmp-port-unreachable \
+          -m comment --comment "Block external UDP DNS"
+        iptables -A FORWARD -i lan -p tcp --dport 53 ! -d 192.168.0.1 \
+          -j REJECT --reject-with tcp-reset \
+          -m comment --comment "Block external TCP DNS"
+        
+        # Block DNS over TLS (DoT) on port 853
+        iptables -A FORWARD -i lan -p tcp --dport 853 \
+          -j REJECT --reject-with tcp-reset \
+          -m comment --comment "Block DNS over TLS"
+        
+        # Block DNS over QUIC (DoQ) on UDP port 853
+        iptables -A FORWARD -i lan -p udp --dport 853 \
+          -j REJECT --reject-with icmp-port-unreachable \
+          -m comment --comment "Block DNS over QUIC"
+        
+        # Block known DNS over HTTPS (DoH) providers
+        # Google DNS
+        iptables -A FORWARD -i lan -d 8.8.8.8 -p tcp --dport 443 -j REJECT \
+          -m comment --comment "Block Google DoH"
+        iptables -A FORWARD -i lan -d 8.8.4.4 -p tcp --dport 443 -j REJECT \
+          -m comment --comment "Block Google DoH"
+        # Cloudflare DNS
+        iptables -A FORWARD -i lan -d 1.1.1.1 -p tcp --dport 443 -j REJECT \
+          -m comment --comment "Block Cloudflare DoH"
+        iptables -A FORWARD -i lan -d 1.0.0.1 -p tcp --dport 443 -j REJECT \
+          -m comment --comment "Block Cloudflare DoH"
+        # Quad9 DNS
+        iptables -A FORWARD -i lan -d 9.9.9.9 -p tcp --dport 443 -j REJECT \
+          -m comment --comment "Block Quad9 DoH"
+        iptables -A FORWARD -i lan -d 149.112.112.112 -p tcp --dport 443 -j REJECT \
+          -m comment --comment "Block Quad9 DoH"
+        
+        # Optional: Log DNS bypass attempts for monitoring
+        # iptables -A FORWARD -i lan -p udp --dport 53 -j LOG --log-prefix "DNS-BYPASS: " --log-level warning
+        # iptables -A FORWARD -i lan -p tcp --dport 853 -j LOG --log-prefix "DoT-ATTEMPT: " --log-level warning
+
       '';
 
       # Clean up QoS rules when firewall stops
@@ -218,6 +270,10 @@
 
         # Clear mangle table rules
         iptables -t mangle -F FORWARD 2>/dev/null || true
+        
+        # Clear NAT rules for DNS interception
+        iptables -t nat -D PREROUTING -i lan -p udp --dport 53 ! -s 192.168.0.1 -j DNAT --to-destination 192.168.0.1:53 2>/dev/null || true
+        iptables -t nat -D PREROUTING -i lan -p tcp --dport 53 ! -s 192.168.0.1 -j DNAT --to-destination 192.168.0.1:53 2>/dev/null || true
       '';
     };
     useNetworkd = true;