First, hijack DNS resolution for machines on the LAN:
# Intercept DNS traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.family="any"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
service firewall restart
Force the domain demo.com to resolve to the IP 192.168.1.100:
/demo.com/#
/demo.com/192.168.3.100
The first line prevents resolution to an IPv6 address.
Block the domain demo.com and all of its subdomains, so that no IP can be resolved for them:
/demo.com/#
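To confirm from a LAN client that the redirect and the forced resolution are both in effect, send the query to a resolver outside the LAN and check that the router's answer comes back instead. This is an added example, not part of the original note; the resolver 8.8.8.8 and the function names are assumptions, and the expected address is the one in the entry above.

```python
import ipaddress
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query with recursion desired (qtype 1 = A, 28 = AAAA)."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Offset just past a name that may end in a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        if n == 0:             # root label terminates the name
            return off + 1
        off += 1 + n

def parse_addresses(msg):
    """A/AAAA addresses from the answer section, as strings."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if (rtype, rdlen) in ((1, 4), (28, 16)):
            out.append(str(ipaddress.ip_address(rdata)))
    return out

def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to server:53 and return the addresses in the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_addresses(s.recv(4096))

def override_in_effect(a_answers, aaaa_answers, expected):
    """Override address present for A, and no IPv6 address other than the null '::'."""
    return expected in a_answers and all(x == "::" for x in aaaa_answers)

if __name__ == "__main__":
    # Assumptions: 8.8.8.8 stands for any resolver outside the LAN; address from the entry above.
    a, aaaa = query("8.8.8.8", "demo.com", 1), query("8.8.8.8", "demo.com", 28)
    print(a, aaaa, "OK" if override_in_effect(a, aaaa, "192.168.3.100") else "NOT intercepted")
```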
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns