seud0nym / tch-gui-unhide

Modify Telstra-branded Technicolor devices to access hidden features
GNU General Public License v3.0

Hijack dns #195

Closed hcr2020 closed 1 month ago

hcr2020 commented 3 months ago

Hello, I have a DGA4130 modem that has iptables-mod-tproxy and kmod-ipt-tproxy in the opkg repository. I want to not use tproxy-go as it is heavy on RAM (777m VSZ). Could you help me with how to change /etc/init.d/tproxy to achieve that? Thank you in advance.

seud0nym commented 3 months ago

Run these commands via SSH (e.g. PuTTY):

uci set tproxy.config.enabled='0'
uci commit tproxy
/etc/init.d/tproxy stop
/etc/init.d/tproxy disable

hcr2020 commented 2 months ago

Hi, thanks for the quick response. I know how to disable tproxy, but my question is whether it is possible to do the same as tproxy-go with iptables-mod-tproxy, i.e. listening on port 8053 and filtering based on an ipset?

seud0nym commented 2 months ago

Ah, sorry, I misunderstood.

No, it is not possible. iptables-mod-tproxy, along with kmod-ipt-tproxy, is the underlying glue that allows tproxy-go to actually work.

Tproxy has to have a destination listener to do the proxying of the connection. Those mod packages allow the packets to be rerouted from their original destination to the listener, and the listener has to do the actual proxying to connect to the alternate destination and send the response back. In this case the listener is tproxy-go, so it doesn't work without it.

Also, you have to be careful to distinguish between virtual memory (VSZ) and real resident (RSS) memory. It doesn't take up anywhere near that amount of real memory. This is from my test DJA0230:

root@DJA0230:~# grep '^Vm\(Size\|RSS\)' /proc/$(pgrep tproxy)/status
VmSize:   669352 kB
VmRSS:      3008 kB
root@DJA0230:~#

So, less than 3MB of resident memory.
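
The VSZ/RSS distinction above is worth checking for every process on a memory-constrained router, not just tproxy. The following is an added example, not code from tch-gui-unhide or from anyone in this thread: a POSIX shell snippet (busybox awk and sort are enough) that parses the VmSize and VmRSS fields of /proc/<pid>/status and lists processes by resident memory. The function names `vm_fields` and `mem_report` and the embedded sample status text are my own constructions; the sample just mirrors the DJA0230 numbers quoted above.

```sh
#!/bin/sh
# Added example: separate virtual size (VmSize/VSZ) from resident memory (VmRSS/RSS)
# using only /proc and busybox tools, as found on these Technicolor devices.

# vm_fields: read one /proc/<pid>/status on stdin, print "VmSize VmRSS" in kB.
# Kernel threads have no Vm* lines, so a missing value prints as 0.
vm_fields() {
    awk '/^VmSize:/ { vsz = $2 } /^VmRSS:/ { rss = $2 } END { print vsz + 0, rss + 0 }'
}

# mem_report: one line per user-space process, sorted by resident memory (largest first).
# Columns: PID, name, VmSize kB, VmRSS kB. Processes that exit mid-scan are skipped.
mem_report() {
    for status in /proc/[0-9]*/status; do
        pid=${status#/proc/}; pid=${pid%/status}
        [ -r "$status" ] || continue
        name=$(awk '/^Name:/ { print $2; exit }' "$status" 2>/dev/null) || continue
        set -- $(vm_fields < "$status" 2>/dev/null)
        [ "${2:-0}" -gt 0 ] || continue      # skip kernel threads (no RSS)
        printf '%6s %-16s %10s %10s\n' "$pid" "$name" "$1" "$2"
    done | sort -k4 -n -r
}

# Constructed sample (my own text) mirroring the DJA0230 figures quoted in the thread.
SAMPLE_STATUS='Name:   tproxy
VmSize:   669352 kB
VmRSS:      3008 kB'

printf '%s\n' "$SAMPLE_STATUS" | vm_fields      # prints: 669352 3008
mem_report | head -n 10                          # top 10 by real (resident) memory
```

On the router, `mem_report | head` is the number to watch when deciding whether a daemon is actually too heavy; the VmSize column is mostly reserved address space and is what `ps` reports as VSZ.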

hcr2020 commented 2 months ago

I understand. Are there any alternatives like tinyproxy or squid proxy? Also, is it possible to implement/add a core dump server, as I have my router crashing every day and I disabled every modification? Is there any possible way to watch and record the reason for the crash? I suspected tproxy but it is not the reason. I added an rsyslog server on my PC and logread doesn't send logs before the crash happens.

seud0nym commented 2 months ago

I think you can configure squid proxy as a tproxy end point, but I have never done it.

You can use:

./reboot-on-coredump -off

That will prevent it from rebooting.

In any event, there will be a core dump file in /root. The name of the file will tell you which executable core dumped.

hcr2020 commented 2 months ago

Thanks. But after executing it, it says "Already disabled!!", as I have already installed Ansuel's GUI. But a crash is the reason for the warmboot, and there is no file in the /root directory.

seud0nym commented 2 months ago

I am not sure what the Ansuel GUI does, or if it somehow breaks core dump handling.

You can have a look at what the following command shows:

root@CobraXh:~# uci show system | grep 'kernel\|coredump'
system.@coredump[0]=coredump
system.@coredump[0].reboot='1'
system.@coredump[0].reboot_exceptions='dnsmasq' 'dig' 'dpiclass' 'iperf' 'iperf3' 'rsync' 'wireguard-go' 'wg-go' 'tproxy-go'
system.@coredump[0].action='compress'
system.@coredump[0].path='/root'
system.@kernel_crash[0]=kernel_crash
system.@kernel_crash[0].action='compress'
system.@kernel_crash[0].path='/root'
root@CobraXh:~#

Your exceptions may be different.

hcr2020 commented 2 months ago

Here is my config

root@modemtim:~# uci show system | grep 'kernel\|coredump'
system.@coredump[0]=coredump
system.@coredump[0].path='/root'
system.@coredump[0].url='https://internal-core.tgwfd.org:5443/'
system.@coredump[0].action='ignore'
system.@coredump[0].reboot='0'

So I want to enable exception for everything, what can I do?

seud0nym commented 2 months ago

Hmm. I don't really know, but I suspect the action='ignore' isn't helping you. I would personally also get rid of the url (because I would guess you are maybe uploading your core dumps to that server?? again, I don't know).

So, something like this:

uci set system.@coredump[0].action='compress'
uci set system.@coredump[0].url=''
uci commit system
/etc/init.d/system reload

I don't really know if the reload is necessary.

hcr2020 commented 2 months ago

Thanks for helping. I had a WiFi problem related to an attack on my AP. It was the cause of my modem and my wireless driver crashing. I have seen dmesg errors that no Google search finds. I have a question related to hijack DNS: how is it possible to whitelist a DNS server, for example AdGuard public DNS? If I add it in firewall.dns_xcptn it will not resolve, saying it accepts only numbers. So I need to nslookup the AdGuard DNS and add it manually to this file. Is it possible to add an intermediate file where I write the whitelisted DNS server and it resolves it and writes it into firewall.dns_xcptn? I have another question: does unlocking the DJA0231 unlock the maximum speed of 6mb download / 1mb upload on SIM (for example another internet provider)? Thank you very much.

seud0nym commented 2 months ago

Whitelisting is only for local devices to allow them to bypass the hijacking. If you want to use AdGuard DNS, then set it as the upstream provider in whatever DNS server you are using (e.g. your DGA4130).

The speed restrictions on SIMs are for included Telstra SIMs only. I have an aldiMobile SIM in mine, and it is not speed limited.

hcr2020 commented 2 months ago

Thank you for the quick response and clarification concerning the DJA0231.

I have 2 networks: lan (192.168.1.0) and guest (192.168.168.0). For the hijack whitelisting, it didn't work. This is /etc/firewall.ipset.dns_xcptn:

add dns_xcptn 192.168.1.1
add dns_xcptn 192.168.168.126
add dns_xcptn 4459ef.dns.nextdns.io
add dns_xcptn 192.168.168.76/32
add dns_xcptn 192.168.168.77

but after firewall restart:

root@modemtim:~# ipset list -s dns_xcptn
Name: dns_xcptn
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8284
References: 6
Members:
192.168.168.77
192.168.168.76

and DNS over TLS/HTTPS doesn't work, no DNS resolving.

I think it is because this applies to one network at a time in the firewall configuration:

config rule 'dot_fwd_xcptn'
    option name 'Allow-DoT'
    option src 'lan'
    option dest 'wan'
    option dest_port '853'

When I tried to duplicate the rules:

config rule 'dot_fwd_xcptn'
    option name 'Allow-DoT-guest'
    option src 'guest'
    option dest 'wan'
    option dest_port '853'
    option proto 'tcp udp'
    option target 'ACCEPT'
    option family 'ipv4'
    option ipset 'dns_xcptn src'

config rule 'dot_fwd_xcptn'
    option name 'Allow-DoT-lan'
    option src 'lan'
    option dest 'wan'
    option dest_port '853'
    option proto 'tcp udp'
    option target 'ACCEPT'
    option family 'ipv4'
    option ipset 'dns_xcptn src'

when I changed them like this, only the latter works. Is it possible to correct the rule for the guest network ?

seud0nym commented 2 months ago

I guess you manually added these?

add dns_xcptn 4459ef.dns.nextdns.io

add dns_xcptn 192.168.168.76/32

They got removed because they don't conform to the type of the ipset:

Type: hash:ip

Only single IPv4 addresses can be added to the ipset.

dns over tls/https doesn't work, no dns resolving

Well, this is what hijacking is supposed to do. It prevents both DoT and DoH to stop anyone bypassing the hijack.

when I changed them like this, only the latter works.

That is because the real name of the rule is dot_fwd_xcptn in both cases, so only the last one is applied. The name option is really a description more than a name. Your rule name for your first one would have to be something like dot_fwd_xcptn_guest.

Also, the src and dest options refer to firewall zones, not network interfaces. You can see the zone names and their associated interfaces in the Firewall Zones tab.

For the DJA0231, there are 2 guest zones: 1 for each of the Guest networks, because there is a separate network for the 2.4GHz and 5GHz SSIDs. So to apply the hijacking to guest, you would need 2 rules (e.g. dot_fwd_xcptn_guest and dot_fwd_xcptn_guest_5ghz) and have the correct zone listed in src for each.
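
Both failure modes in this exchange (ipset members that a hash:ip set silently drops, and two UCI sections sharing the real section name so only the last one survives) can be caught before restarting the firewall. Below is an added example, not code from tch-gui-unhide or from anyone in the thread: two POSIX shell functions built on awk (busybox-compatible) that lint /etc/firewall.ipset.dns_xcptn and /etc/config/firewall for exactly these problems. The function names `bad_ipset_entries` and `duplicate_sections` and the two embedded sample inputs are my own constructions; the samples reproduce what was posted above. The ipset is meant for local client addresses that may bypass the hijack, so an upstream resolver's hostname does not belong in it even once resolved to an address.

```sh
#!/bin/sh
# Added example: lint the two inputs that caused trouble in this thread before
# running /etc/init.d/firewall restart. Each function reads a file argument or,
# with no argument, stdin.

# bad_ipset_entries: print members of "add <set> <member>" lines that are not a
# single dotted-quad IPv4 address. A hash:ip (family inet) set accepts nothing
# else, so hostnames and CIDR prefixes are dropped on load without any error.
bad_ipset_entries() {
    awk '
        $1 == "add" && NF >= 3 {
            n = split($3, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok) print $3
        }
    ' "$@"
}

# duplicate_sections: print UCI section names used more than once. UCI keys a
# section by the name in "config <type> '<name>'", not by "option name", so a
# second section with the same name replaces the first one.
duplicate_sections() {
    awk '
        $1 == "config" && NF >= 3 {
            name = $3
            gsub(/^["'\'']|["'\'']$/, "", name)   # strip surrounding quotes
            seen[name]++
        }
        END { for (n in seen) if (seen[n] > 1) print n }
    ' "$@" | sort
}

# Constructed samples (my own text) reproducing the thread's two mistakes.
SAMPLE_IPSET='add dns_xcptn 192.168.1.1
add dns_xcptn 192.168.168.126
add dns_xcptn 4459ef.dns.nextdns.io
add dns_xcptn 192.168.168.76/32
add dns_xcptn 192.168.168.77'

SAMPLE_FIREWALL="config rule 'dot_fwd_xcptn'
    option name 'Allow-DoT-guest'
    option src 'guest'
    option dest 'wan'
    option dest_port '853'

config rule 'dot_fwd_xcptn'
    option name 'Allow-DoT-lan'
    option src 'lan'
    option dest 'wan'
    option dest_port '853'"

printf '%s\n' "$SAMPLE_IPSET" | bad_ipset_entries      # 4459ef.dns.nextdns.io and 192.168.168.76/32
printf '%s\n' "$SAMPLE_FIREWALL" | duplicate_sections   # dot_fwd_xcptn

# Real use on the device:
#   bad_ipset_entries /etc/firewall.ipset.dns_xcptn
#   duplicate_sections /etc/config/firewall
```

Renaming the guest section to something like `dot_fwd_xcptn_guest` (and, on a DJA0231, adding a third section for the 5GHz guest zone) makes `duplicate_sections` go quiet; the ipset lint will still flag the hostname and the /32 entry until they are removed.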

hcr2020 commented 2 months ago

Thank you very much. Yes, I added them manually. I will try and report back.

hcr2020 commented 2 months ago

Working like a charm. :100:

stale[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.