5

I have an Ubuntu server running OpenVPN, and iptables is used to push all incoming traffic through the VPN server. The iptables config is very basic, and is generated with the following series of commands:

sudo iptables --flush
sudo iptables --table nat --flush
sudo iptables --delete-chain
sudo iptables --table nat --delete-chain
sudo iptables --table nat --append POSTROUTING --out-interface tun0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT

I have been trying to rewrite traffic to force the use of a specific DNS server by adding the following two lines:

sudo iptables --table nat --append PREROUTING -i eth0 -p tcp --sport 53 -j DNAT --to-destination 146.148.119.121:53
sudo iptables --table nat --append PREROUTING -i eth0 -p udp --sport 53 -j DNAT --to-destination 146.148.119.121:53

but it's not working as I had hoped (the outputs of nslookup www.netflix.com and nslookup www.netflix.com 8.8.8.8 differ).

Any advice for how to achieve this?

Johan

2 Answers

5

Not --sport 53; use --dport 53.

Ipor Sircer
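The corrected rules from this answer, written up as an added example (not code from the question or the answerer): one rule spec shared by check/append, applied only when absent, plus a listing to verify the counters. It assumes eth0 and 146.148.119.121 as given in the question.

```shell
#!/bin/sh
# Added example, not from the question or the answers: apply the corrected
# DNS-redirect rules idempotently and show how to verify them.
# Assumptions: eth0 is the interface the clients' traffic arrives on and
# 146.148.119.121 is the resolver to force (both values are from the question).
LAN_IF="${LAN_IF:-eth0}"
DNS_SERVER="${DNS_SERVER:-146.148.119.121}"

# One nat/PREROUTING rule spec, without table and chain, so the same text
# works for --check (-C), --append (-A) and --delete (-D).
# Client queries travel *to* port 53, so the match is --dport 53. The
# original --sport 53 matched only packets *from* port 53, i.e. replies,
# which is why the DNAT never hit a query.
dns_dnat_spec() {
    proto="$1"
    printf '%s\n' "-i $LAN_IF -p $proto --dport 53 -j DNAT --to-destination $DNS_SERVER:53"
}

# Append the rule only when an identical one is absent (iptables -C exits 0
# if the rule exists), so re-running the script does not stack duplicates.
ensure_dns_dnat() {
    proto="$1"
    if iptables -t nat -C PREROUTING $(dns_dnat_spec "$proto") 2>/dev/null; then
        echo "nat PREROUTING DNAT for $proto already present"
    else
        iptables -t nat -A PREROUTING $(dns_dnat_spec "$proto")
    fi
}

# List the nat rules as iptables sees them; both DNAT lines should appear
# and their packet counters should rise after a client runs a lookup.
show_dns_rules() {
    iptables -t nat -v -n -L PREROUTING | grep 'dpt:53'
}

# Only touch the firewall when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    ensure_dns_dnat tcp
    ensure_dns_dnat udp
    show_dns_rules
fi
```

Run it as `sh redirect-dns.sh apply` on the VPN server; the resolver's replies come back through tun0, where conntrack reverses both the MASQUERADE and the DNAT, so the existing POSTROUTING rule needs no change. Only plain port-53 DNS is caught this way; clients using DNS over TLS (853) or DNS over HTTPS are not affected by these rules.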
1

Are they both saying they are authoritative responses?

Netflix would be using load balancing, so you would be directed to whatever server is closest and not busy. But firewall rules have nothing to do with what DNS service is used, only in blocking or allowing ports for them to talk with.

Your DNS service used for looking up names is in the /etc/resolv.conf file. No matter what network you ask for an address on, it will hop around the internet to get to that host to look up the name. The file is updated when you use dhcpc: the DNS server is sent along with your IP number and gateway address. You will need to edit the scripts to stop it from using the one sent to you. If you know the one you want to use, put it in the file and turn off the write bit so it can't be changed, if you can't find the script updating it. System logs might show you what script is failing in writing to the file then. Don't forget to flush the tables to clear any old addresses.

I always just run my own named services to make talking to my machines easier. My dhcpd gives them an IP, my DNS server, and the gateway box.

grochmal
Robert
  • *No matter what network you ask for an address on, it will hop around the internet* - That is not completely accurate. A SOCKS proxy can be used to direct DNS queries. And one more thing: `nslookup www.netflix.com 8.8.8.8` selects the DNS server explicitly, without looking inside `resolv.conf`. Yet, it is a pretty decent first post nevertheless. – grochmal Sep 24 '16 at 21:33