seud0nym / tch-gui-unhide

Modify Telstra-branded Technicolor devices to access hidden features
GNU General Public License v3.0

AGH setup doesn't enable DNS hijacking as stated in installer + ipv6 DNS hijacking does not work. #207

Open browntownington opened 1 month ago

browntownington commented 1 month ago

Hi again

Not sure if this issue has been flagged previously. Couldn't find anything on a quick search.

I'm using a -d install so I can keep DHCP on the modem in order to maintain the guest network. Leaving dnsmasq as default.

For the CobraXh devices, I noticed I had to enable DNS hijacking manually after install.

However, when IPv4 DNS hijacking is enabled, it sets the DNS for the local network devices for the IPv4 DHCP pool.

But when setting DNS hijacking for IPv6, it does not update in the local devices' DHCP pool. Workaround is to custom set it to ::1.

Took me a while to figure this out, but now guest wifi works with AGH. And both IPv4 and IPv6 traffic on any network ends up at AGH :)

seud0nym commented 1 month ago

I have updated the README so that it now shows that DNS hijacking is optional. Thanks for letting me know.

> But when setting DNS hijacking for IPv6, it does not update in the local devices' DHCP pool. Workaround is to custom set it to ::1.

Can you post a screen shot showing where you entered this? Thanks.

browntownington commented 1 month ago

Sure, follow steps 3-6 below, but I'll do one better since I appreciate all your efforts for this community ;) For anyone wishing to get AGH working on multiple LAN/wifi networks (e.g. guest or other) for IPv4 and/or IPv6, the instructions are as follows:

  1. assuming you have two or more LAN and/or wifi networks as a prerequisite
  2. run agh-setup with '-d' to keep DHCP on the router but dnsmasq moved to AGH.
  3. DNS hijacking will fail, so select the DNS card and then select DNS hijacking [screenshot]
  4. enable IPv4 if you're using it. enable IPv6 if you're using it BUT where it says DNS Server Address enter '::1', this is the localhost address for IPv6 [screenshot]
  5. now go back and select the 'local network' card, note you will have the LAN interface selected.
  6. per the screenshot, now IPv4 and IPv6 DNS should be hard set since DNS hijacking was enabled (and the IPv6 address was previously entered.) [screenshot]
  7. to get an additional LAN/wifi network working (e.g. guest) select the secondary network [screenshot]
  8. (if using IPv6) you will need to get the IPv6 mac address of the router. To do this go to the setup guide (http://x.x.x.x:8008/#guide) and copy the address that is associated with %eth or %br-Guest but be sure to omit the interface references from the mac address. [screenshot] Then go back to where you were in 'local network' under the secondary network.
  9. for IPv4 select the local host address for IPv4 if not selected already. For IPv6 enter the IPv6 mac address you just copied in step 8 as a custom IPv6 DNS server [screenshot]
  10. Done.. now profit :)

seud0nym commented 1 month ago

Are you sure you are actually using IPv6? According to your screenshots in steps 6, 8, and 9, you only have link local addresses (i.e. starting with fe80). You don't have a WAN IPv6 address or a prefix so that you can delegate WAN IPv6 addresses to your LAN clients.

> 3. DNS hijacking will fail,

What do you mean it will fail? What error does it give you?

It will not set up DNS Hijacking unless you specify the -j option. As I said, I changed this a while ago and forgot to update the instructions, but I have fixed it now.

> 4. enable ipv6 if you're using it BUT where it says DNS Server Address enter '::1', this is the localhost address for ipv6

This will not work at all. This is the DNS IP address that will be sent out to LAN clients, and it is in fact telling them to use their own IPv6 loopback address (::1) for DNS resolution, as it clearly shows in your screenshot in step 6.

::1 is the equivalent of 127.0.0.1 in IPv4 and is not accessible outside of the host itself. I will add some validation so that it will fail unless you enter a valid, accessible address.

The default when you leave it empty should be the IPv6 address of the router, but your router doesn't have an IPv6 address.

What tests did you run that led you to believe it wasn't working?

> 8. (if using ipv6) you will need to get your ipv6 mac address of the router.

You would get the IPv6 address of the router from the Local Network screen, where it says CobraXh IPv6 Address. It doesn't show link local addresses, because they only have very specialised uses (and this isn't one of them).

EDIT: I have had a look at the code around IPv6 in DNS Hijacking, and it does look like it might not be set correctly in some circumstances. I will review the code further and do some testing. It is a pain to setup an environment for testing this :-(

seud0nym commented 1 month ago

I have fixed some issues with the hijack-dns script and the DNS Hijacking tab, mainly so that you can't enable IPv6 DNS hijacking if there is no IPv6 LAN address assigned to the device.

I have also fixed a bug in the Local Network screen that allowed you to change the IPv6 DNS servers, even if IPv6 DNS hijacking was enabled, which you should not be able to do in that case.

If you want to try the changes yourself, you can update to the latest testing version of tch-gui-unhide with this command:

```
./tch-gui-unhide -u && ./tch-gui-unhide -y
```

You can update the hijack-dns script with:

```
./hijack-dns -U
```

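
The two checks the maintainer describes above (refusing ::1 or a link-local address as the DNS server handed to LAN clients, and defaulting to the router's own global IPv6 LAN address, or refusing to enable IPv6 DNS hijacking when there is none) can be sketched as a shell snippet. This is an added example, not code from tch-gui-unhide or the hijack-dns script: the function names are hypothetical, the `ip -6 addr` output is constructed using documentation/ULA prefixes, and, following the maintainer's statement that link-local addresses are not usable here, fe80::/10 and zone-suffixed addresses are rejected alongside loopback.

```shell
#!/bin/sh
# Added example (not part of tch-gui-unhide or hijack-dns): validate the DNS
# server address advertised to LAN clients, and pick a default from the
# router's LAN interface when the operator leaves the field empty.

# Constructed sample of `ip -6 addr show dev br-lan` output. The 2001:db8::/32
# and fd00::/8 prefixes are documentation/ULA examples, not real assignments.
SAMPLE_WITH_GLOBAL='3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever
    inet6 2001:db8:abcd:1::1/64 scope global dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fd12:3456:789a::1/64 scope global
       valid_lft forever preferred_lft forever'

# Same interface with only a link-local address (the situation in the thread).
SAMPLE_LINK_LOCAL_ONLY='3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever'

# Return 0 if LAN clients could actually reach $1 as a DNS server, 1 otherwise.
# A loopback or unspecified address means "the client itself"; a link-local
# address or one carrying a zone index (fe80::1%br-lan) is not a usable value
# for the DNS option handed out to clients (hypothetical check, see lead-in).
dns_addr_reachable_by_clients() {
  addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case "$addr" in
    ""|"::"|"::1"|"0.0.0.0"|127.*) return 1 ;;   # loopback / unspecified
    *%*)                           return 1 ;;   # zone index cannot be advertised
    fe[89ab][0-9a-f]:*)            return 1 ;;   # fe80::/10 link-local
    *)                             return 0 ;;   # anything else is at least routable
  esac
}

# Print the first global-scope IPv6 address (prefix length stripped) found in
# `ip -6 addr`-style output on stdin; exit 1 if the interface has none.
first_global_ipv6() {
  awk '$1 == "inet6" && $3 == "scope" && $4 == "global" {
         sub(/\/.*/, "", $2); print $2; found = 1; exit
       }
       END { exit !found }'
}

# Decide what to advertise as the IPv6 DNS server.
#   $1    = operator-entered address ("" means "use the default")
#   stdin = `ip -6 addr` output for the LAN interface
# Prints the chosen address and returns 0, or returns 1 when IPv6 DNS
# hijacking should not be enabled at all.
choose_ipv6_dns() {
  if [ -n "$1" ]; then
    dns_addr_reachable_by_clients "$1" || return 1
    printf '%s\n' "$1"
    return 0
  fi
  first_global_ipv6
}

# Demonstration on the constructed samples.
printf 'default with a global LAN address: %s\n' \
  "$(printf '%s\n' "$SAMPLE_WITH_GLOBAL" | choose_ipv6_dns '')"
if ! printf '%s\n' "$SAMPLE_LINK_LOCAL_ONLY" | choose_ipv6_dns '' >/dev/null; then
  echo 'link-local only: refuse to enable IPv6 DNS hijacking'
fi
if ! dns_addr_reachable_by_clients '::1'; then
  echo '::1 rejected: clients would query their own loopback'
fi
```

On a real device the stdin for `choose_ipv6_dns` would come from `ip -6 addr show dev br-lan` (or the equivalent uci/ubus lookup), and the same reachability check applies to the IPv4 field, where 127.0.0.1 fails for the same reason ::1 does.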
browntownington commented 1 month ago

Apologies for the delayed response! I appreciated the comprehensive feedback on this topic!

I had reset and rebuilt these units previously many times testing different configurations, and as you pointed out, the last configurations were not working as I thought.

It's awesome you've made some adjustments in the scripts etc. I'll test these out, and look into what's going on with my ipv6 addresses. Then provide some feedback.

browntownington commented 1 month ago

```
root@CobraXh-18D3E4:~# ./hijack-dns -U
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 29292  100 29292    0     0   238k      0 --:--:-- --:--:-- --:--:--  240k
[hijack-dns] Successfully downloaded hijack-dns.
[hijack-dns] ERROR! https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/build/lua/additional/common/firewall/usr/sbin/doh-ipsets-maintain was not found???
[hijack-dns] ERROR! https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/build/lua/additional/common/firewall/usr/sbin/ipsets-restore was not found???
[hijack-dns] ERROR! https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/build/lua/additional/common/firewall/usr/sbin/tproxy-firewall was not found???
[hijack-dns] ERROR! https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/build/lua/additional/common/firewall/usr/sbin/tproxy-go was not found???
[hijack-dns] ERROR! https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/build/lua/additional/common/firewall/etc/init.d/tproxy was not found???
[hijack-dns] ERROR! https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/build/lua/additional/common/firewall/etc/hotplug.d/iface/60-add-IPv6-DNS-intercept-exceptions was not found???
```

Is this expected behavior from running the hijack-dns script?

seud0nym commented 1 month ago

No, definitely not.

I will have a look.

seud0nym commented 1 month ago

If you aren't actually using the hijack-dns script, and you are just using the GUI, you can ignore those errors. It has downloaded the script correctly, but not the dependencies, because the download paths are incorrect. But with tch-gui-unhide installed, the files are there anyway, so the errors don't matter.

You don't need the hijack-dns script. It isn't used by the GUI. It exists because that was the original way to apply DNS hijacking until I added it to the GUI.

stale[bot] commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.