DNS Configuration
Some applications or programs do not follow the system's DNS settings: for example, they may have a specific DNS server address hardcoded into the program and bypass the system's name resolution flow entirely. In this case, DNS hijacking (transparently redirecting their DNS queries to the resolver you want them to use) can be used to solve this kind of problem.
Please note that this method only applies to UDP-based DNS resolution; some TCP-based resolution and DNS-over-HTTPS (DoH) can never be hijacked this way because of their security protections.
Using iptables to redirect all DNS queries to 8.8.8.8:

```sh
# Rewrite the destination of every UDP/53 query entering this host (PREROUTING
# only sees forwarded traffic, i.e. queries from clients behind this box)
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 8.8.8.8:53
# Source-NAT the rewritten queries as they leave on the upstream interface
# (eth3 here; replace with your own outgoing interface)
iptables -t nat -A POSTROUTING -p udp -d 8.8.8.8 --dport 53 -o eth3 -j MASQUERADE
```

For example, we can redirect only Cloudflare DNS queries to 8.8.8.8:

```sh
# Only queries addressed to 1.1.1.1 or 1.0.0.1 are rewritten; all others pass untouched
iptables -t nat -A PREROUTING -p udp -d 1.1.1.1,1.0.0.1 --dport 53 -j DNAT --to 8.8.8.8:53
iptables -t nat -A POSTROUTING -p udp -d 8.8.8.8 --dport 53 -o eth3 -j MASQUERADE
```

Since the above two systems do not have iproute2 support, DNS hijacking is relatively complicated on them. On macOS, Packet Filter (pf) could be used as an alternative, but I have not tested it yet.
Therefore, it is recommended to use mitm-based or customized proxy servers to implement DNS hijacking on the proxy server side.
The V2Ray project can easily be adopted for this purpose; see this discussion: v2fly/v2ray-core#2441
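The iptables rule sets above, generalized into a small shell helper as an added example (not code from the original page or project): it takes the upstream resolver, the outgoing interface and any number of resolver addresses to intercept, guards every rule with `iptables -C` so re-running it does not duplicate rules, and adds the OUTPUT-chain rule that queries generated on the host itself need, since PREROUTING only sees forwarded traffic. The values 8.8.8.8 and eth3 are taken from the page; the function name is an assumption of this example.

```sh
#!/bin/sh
# Added example, not from the original page. Emits idempotent iptables commands
# that redirect UDP/53 queries to one upstream resolver (assumed: 8.8.8.8 via eth3).

# dns_redirect_rules TARGET WAN_IF [RESOLVER...]
# Prints the iptables commands to stdout. With no RESOLVER arguments every
# UDP/53 query is redirected (first snippet on the page); with arguments only
# queries addressed to those resolvers are redirected (second snippet).
dns_redirect_rules() {
    target=$1
    wan_if=$2
    shift 2
    if [ $# -eq 0 ]; then
        set -- ""   # single empty entry: match any destination address
    fi
    for r in "$@"; do
        dst=""
        [ -n "$r" ] && dst="-d $r "
        rule="-p udp ${dst}--dport 53 -j DNAT --to-destination ${target}:53"
        # Forwarded traffic (clients behind this box) is rewritten in PREROUTING
        printf 'iptables -t nat -C PREROUTING %s || iptables -t nat -A PREROUTING %s\n' \
            "$rule" "$rule"
        # Locally generated packets never traverse PREROUTING; rewrite them in OUTPUT
        printf 'iptables -t nat -C OUTPUT %s || iptables -t nat -A OUTPUT %s\n' \
            "$rule" "$rule"
    done
    # One MASQUERADE rule covers every redirected query leaving on the WAN interface
    post="-p udp -d $target --dport 53 -o $wan_if -j MASQUERADE"
    printf 'iptables -t nat -C POSTROUTING %s || iptables -t nat -A POSTROUTING %s\n' \
        "$post" "$post"
}

# Example invocation (prints the commands; pipe to "sh" as root to apply them)
dns_redirect_rules 8.8.8.8 eth3 1.1.1.1 1.0.0.1
```

Review the printed commands before applying them, and remember that the `-C` guard only prevents duplicates; it does not remove rules added under a different interface or target.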