In a world where DNS privacy and security are critical, network administrators often need to ensure that all DNS traffic flows through a trusted resolver. If your Debian box is acting as a router or firewall, you may want to prevent users from bypassing your DNS settings by enforcing a local DNS server (dnsmasq) and blocking encrypted DNS (DoT).

In this guide, we’ll use NFTables to:
✅ Hijack all DNS traffic (port 53) on the forwarded chain and redirect it to a local instance of dnsmasq.
✅ Block DNS over TLS (DoT) traffic (port 853) to prevent users from circumventing local resolution.
✅ Ensure persistence by creating a custom systemd service that enables these rules at startup.

Step 1: Install and Configure DNSMASQ

Since we’ll be forcing all DNS traffic through a local resolver, install dnsmasq on your Debian box:

sudo apt update && sudo apt install -y dnsmasq

Once installed, edit the configuration file to ensure that it listens on the correct interface (e.g., eth0 or br0):

sudo nano /etc/dnsmasq.conf

Modify or add the following lines:

# Listen only on the LAN interface
interface=eth0  

# Ensure it only binds to specified interfaces
bind-interfaces  

# Upstream resolvers (replace with your preferred ones)
server=9.9.9.9
server=149.112.112.112

# Do not read /etc/resolv.conf
no-resolv

Save and restart dnsmasq:

sudo systemctl restart dnsmasq
sudo systemctl enable dnsmasq

Step 2: Create NFTables Rules to Hijack DNS and Block DoT

Now, let’s redirect all forwarded DNS queries (port 53) to our local dnsmasq instance and block DNS over TLS (DoT) traffic.

Create an NFTables ruleset file:

sudo nano /etc/nftables.dnshijack.nft

Add the following content:

table inet dnshijack {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Redirect all DNS traffic to local dnsmasq (UDP and TCP 53)
        meta l4proto udp ip dport 53 redirect to :53
        meta l4proto tcp ip dport 53 redirect to :53

        # Block DNS over TLS (DoT) on port 853
        meta l4proto tcp ip dport 853 drop
        meta l4proto udp ip dport 853 drop
    }
}

Step 3: Create a systemd Service for NFTables Rules

To ensure the rules persist after reboots, create a custom systemd service that loads the NFTables rules at startup.

sudo nano /etc/systemd/system/nftables-dnshijack.service

Add the following content:

[Unit]
Description=NFTables DNS Hijacking Rules
After=network.target
Wants=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.dnshijack.nft
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Save the file, then reload systemd and enable the service:

sudo systemctl daemon-reload
sudo systemctl enable nftables-dnshijack
sudo systemctl start nftables-dnshijack

Step 4: Verify the Setup

To confirm that the NFTables rules are active, run:

sudo nft list table inet dnshijack

You should see the rules redirecting DNS and blocking DoT.

To test that DNS hijacking is working, run the following command from a client machine:

nslookup google.com 8.8.8.8

Even though 8.8.8.8 (Google DNS) was specified, the request should still resolve using your local dnsmasq server.

To check that DoT is blocked, use:

telnet 1.1.1.1 853

The connection should fail, confirming that DNS over TLS is blocked.

Final Thoughts

With these NFTables rules and a systemd service, your Debian box now:

✅ Forces all clients to use your local DNS resolver (dnsmasq)
✅ Prevents users from bypassing the local resolver
✅ Blocks encrypted DNS over TLS (DoT)

This setup is simple, lightweight, and effective for enforcing network-wide DNS security. 🚀

Let me know if you have any questions! 🛠️

Securing DNS with NFTables | Hijacking Unauthorized DNS and Blocking DoT on Debian ✅🛠️