modified: dnss.sh

modified:   install.sh

dnss.sh

@@ -4,10 +4,6 @@ sudo cp ../dnss/dnss.socket ../dnss/dnss.service /etc/systemd/system/
 sudo systemctl daemon-reload
 sudo systemctl restart dnss.service
 sudo systemctl restart dnss.socket
-sudo iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
-sudo iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:53
-sudo iptables -t nat -I OUTPUT -p udp --dport 5353 -j DNAT --to 127.0.0.1:53
-sudo iptables -t nat -I OUTPUT -p tcp --dport 5353 -j DNAT --to 127.0.0.1:53
 if [ -f /etc/pdnsd.conf ]
 then
 echo "hit enter to continue"

install.sh

@@ -9,3 +9,18 @@ sudo debconf-set-selections < ../debconf.conf
 ../dnscrypt-proxy.sh
 ../squid.sh
 ../spoof-dpi.sh
+## Rules to force local DNS traffic to DNSMasq
+sudo iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
+sudo iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:53
+sudo iptables -t nat -I OUTPUT -p udp --dport 5353 -j DNAT --to 127.0.0.1:53
+sudo iptables -t nat -I OUTPUT -p tcp --dport 5353 -j DNAT --to 127.0.0.1:53
+## Rules to force network DNS traffic to DNSMasq
+sudo iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to 127.0.0.1:53
+sudo iptables -t nat -I PREROUTING -p tcp --dport 53 -j DNAT --to 127.0.0.1:53
+sudo iptables -t nat -I PREROUTING -p udp --dport 5353 -j DNAT --to 127.0.0.1:53
+sudo iptables -t nat -I PREROUTING -p tcp --dport 5353 -j DNAT --to 127.0.0.1:53
+## TTL Modification Hack
+#iptables -t mangle -I POSTROUTING 1 -j TTL --ttl-set 66
+## Countermeasure for TCP Reset Attacks
+sudo iptables -I INPUT -p tcp --tcp-flags RST RST -j DROP
+sudo iptables -t mangle -I PREROUTING -p tcp --tcp-flags RST RST -j DROP