iptables / DNS redirection

jpgview

New Member
Credits
0
my Raspbian (raspberry pi) has the primary IP address 192.168.2.57, dnsmasq is running and listening on port 53. dnsmasq forwards dns requests to unbound, running on 127.10.10.2 port 5552. When I nslookup a domain, dnsmasq either replies with the configured reply (usually 0.0.0.0, dnsmasq is used for adblocking) or, if nothing is configured for the domain, forwards the query to unbound. Unbound than resolves the domain name and sends the reply to dnsmasq, which sends the result to the client that initiated the lookup.

This works perfectly. the result is of course the client using DNS server 192.168.2.57 is actually getting filtered results.

I now need to a device configured with unfiltered DNS.

This is what I want to try
- I added a secondary IP address on the raspberry pi, I already achieved this, using the command sudo ip -4 addr add 192.168.2.47/27 dev eth0 (I know it will not survive a reboot)
- I changed the DNS assignment for the specific device to 192.168.2.47, everything still works, because dnsmasq is configured to listen on interface eth0
- I now want to use iptables to redirect all incoming requests on 192.168.2.47, port 53 (the secondary IP address) directly to 127.10.10.2, port 5552, thus bypassing dnsmasq and the filtering. Of course, as far as the client is concerned, the reply should appear to come from 192.168.2.47.

To achieve this, I've tried the following:
sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.2.47 --dport 53 -j DNAT --to-destination 127.10.10.2:5552
sudo iptables -t nat -A PREROUTING -p udp -d 192.168.2.47 --dport 53 -j DNAT --to-destination 127.10.10.2:5552
sudo iptables -t nat -A POSTROUTING -p tcp -d 127.10.10.2 --dport 53 -j SNAT --to-source 192.168.2.47
sudo iptables -t nat -A POSTROUTING -p udp -d 127.10.10.2 --dport 53 -j SNAT --to-source 192.168.2.47

but since the the nslookup request simply times out, this is obviously not correct.

any suggestions?
 


jpgview

New Member
Credits
0
found a solution (pihole + unbound)
primary IP address = DNS adblocker (pihole)
secondary IP address = unfiltered DNS (unbound)
read here...
 


Members online


Latest posts

Top