IPFW Is DNS hijacking possible on FreeBSD + IPFW?


New Member

Messages: 1

Hi All!

I need to redirect all DNS queries to a local DNS server (unbound) on a router with FreeBSD 11 amd + ipfw nat.

re0 - intranet []
alias on re0 for unbound []
re1 - internet [a.b.c.d]
I tried in various ways:
${FW} fwd,53 all from to not 53 via re0
In that case, if a client sends a query to for example, the forwarding rule works and unbound processes the queries (incoming from the client IP), but because the client waits for a reply from, but receives it from it does not work.

Trying with nat:
${FW} nat 1 config log if ${extIF} unreg_only reset same_ports 

${FW} nat 2 config log if ${intIF} unreg_only reset same_ports \
        redirect_port   tcp 53 \
        redirect_port   udp 53

# For redirect dns queries to external dns servers
${FW} add nat 2 log all from any to not 53 via ${intIF}
${FW} add nat 2 log all from 53 to any via ${intIF}

# LAN to Internet NAT
${FW} add nat 1 ip from any to me in via ${extIF}
${FW} add nat 1 ip from table\(1\) to any out via ${extIF}
In that case the rule "from any to not 53" works, but unbound does not receive the request because the NAT redirect is not working. Because dst-ip is not, but and the redirect does not activate.

Please tell me how I can do that. As I understand it, I need to change dst-ip for packets matching these conditions: "from any to not 53 via ${intIF}", and after that will receive it and reply, and after that change dst-ip back.

It looks like I need reversed NAT :)



Reaction score: 17
Messages: 71

This is almost exactly the same problem I've been trying to solve when I had time, but still haven't gotten the pieces working. In my case however it's complicated by bridging which is part of why I give up after a little while. You're correct that you don't want forwarding. The IPFW man page states the "reverse" keyword "Reverse the way libalias handles aliasing" but I haven't found an example on how it works. I might have time to give it a shot again this weekend and see if I can figure it out.

Also I don't think this rule does what you intend:

${FW} add nat 2 log all from any to not 53 via ${intIF}
This redirects all traffic (tcp/udp, all addresses and ports) not going to 53 into the nat instance, not just DNS related traffic.

-- Update --

Due to my situation using a network bridge, I couldn't translate incoming and outgoing on the same bridge interface. Because I only have one device trying to circumvent my configuration (Roku) and because it's only going to two DNS servers, my solution was to set unbound to listen to all interfaces, then I aliased to the loop-back. It's a pretty sloppy solution, but vacuums up stray queries well enough.
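A small model of the reply mismatch described in this thread, added here as an illustration and not code from either poster: with plain forwarding the answer leaves from the local resolver's address and the client discards it, while a stateful destination rewrite puts the originally queried server back as the reply's source. All addresses are constructed (documentation ranges), and the classes model packet headers only, not ipfw or libalias.

```python
from dataclasses import dataclass, replace

RESOLVER = "192.0.2.1"       # constructed: address the local unbound listens on
CLIENT = "192.0.2.10"        # constructed: LAN client
EXTERNAL = "198.51.100.53"   # constructed: DNS server the client insists on using

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int  # DNS transaction ID

def resolver_reply(query, bound_addr=RESOLVER):
    # The resolver answers from the address it is bound to.
    return Packet(bound_addr, 53, query.src, query.sport, query.txid)

def client_accepts(query, reply):
    # A stub resolver only accepts an answer from the server it asked.
    return ((reply.src, reply.sport, reply.dst, reply.dport, reply.txid)
            == (query.dst, query.dport, query.src, query.sport, query.txid))

class DnsRedirect:
    """Stateful destination rewrite: remembers the server each client asked."""
    def __init__(self, resolver=RESOLVER):
        self.resolver = resolver
        self.state = {}  # (client addr, client port) -> original server

    def inbound(self, pkt):
        if pkt.dport != 53 or pkt.dst == self.resolver:
            return pkt  # only port-53 traffic to other servers is touched
        self.state[(pkt.src, pkt.sport)] = pkt.dst
        return replace(pkt, dst=self.resolver)

    def outbound(self, pkt):
        # Only replies from port 53 with a recorded flow get their source restored.
        original = self.state.pop((pkt.dst, pkt.dport), None) if pkt.sport == 53 else None
        return replace(pkt, src=original) if original else pkt

def forward_only(query):
    # Packet handed to the resolver unmodified; the reply keeps the resolver's address.
    return client_accepts(query, resolver_reply(query))

def redirect_with_state(query, nat):
    reply = nat.outbound(resolver_reply(nat.inbound(query)))
    return client_accepts(query, reply)

if __name__ == "__main__":
    q = Packet(CLIENT, 40000, EXTERNAL, 53, 0x1A2B)
    print("forward only accepted:", forward_only(q))
    print("stateful redirect accepted:", redirect_with_state(q, DnsRedirect()))
```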