IPFW Is DNS hijacking possible on FreeBSD + IPFW?

[Dux0voY]

Hi All!

I need to redirect all dns queries to local dns server (unbound) on router with FreeBSD 11 amd + ipfw nat.

re0 - intranet [192.168.0.1]
alias on re0 for unbound [10.0.0.1]
re1 - internet [a.b.c.d]

I try in various ways:

${FW} fwd 10.0.0.1,53 all from 192.168.0.0/24 to not 10.0.0.1 53 via re0

In that case if client sends query to 8.8.8.8 for example, forwarding rules works and unbound processed queries (incoming from client ip), but because client waits reply from 8.8.8.8, but receive from 10.0.0.1 it is not works.

Trying with nat:

${FW} nat 1 config log if ${extIF} unreg_only reset same_ports 

${FW} nat 2 config log if ${intIF} unreg_only reset same_ports \
        redirect_port   tcp     10.0.0.1:53 53 \
        redirect_port   udp     10.0.0.1:53 53

# For redirect dns queries to external dns servers
${FW} add nat 2 log all from any to not 10.0.0.1 53 via ${intIF}
${FW} add nat 2 log all from 10.0.0.1 53 to any via ${intIF}

# LAN to Internet NAT
${FW} add nat 1 ip from any to me in via ${extIF}
${FW} add nat 1 ip from table\(1\) to any out via ${extIF}

In that case rule "from any to not 10.0.0.1 53" works but unbound not receipt request because NAT redirect not working. Because dst-ip not 192.168.0.1, but 8.8.8.8 and redirect not activates.

Please tell me how can I do that? As I understand I need change dst-ip for packets with that conditions: "from any to not 10.0.0.1 53 via ${intIF}" and after that will receive it and reply, and after that change dst-ip back.

It looks like I need reversed NAT

 

[Jeckt]

This is almost exactly the same problem I've been trying to solve when I had time, but still haven't gotten the pieces working. In my case however it's complicated by bridging which is part of why I give up after a little while. You're correct that you don't want forwarding. The IPFW man page states the "reverse" keyword "Reverse the way libalias handles aliasing" but I haven't found an example on how it works. I might have time to give it a shot again this weekend and see if I can figure it out.

Also I don't think this rule does what you intend:

${FW} add nat 2 log all from any to not 10.0.0.1 53 via ${intIF}

This redirects all traffic (tcp/udp, all addresses and ports) not going to 10.0.0.1 53 into the nat instance, not just DNS related traffic.

-- Update --

Due to my situation using a network bridge, I couldn't translate in coming and outgoing on the same bridge interface. Because I only have one device trying to circumvent my configuration (Roku) and because it's only going to two DNS servers, my solution was to set unbound to listen to all interfaces, then I aliased 8.8.8.8 to the loop-back. It's a pretty sloppy solution, but vacuums up stray queries well enough.