Different DNS for different IP ranges

newvisions
DD-WRT Novice


Joined: 22 Jan 2018
Posts: 17

PostPosted: Thu Feb 01, 2018 10:06    Post subject: Different DNS for different IP ranges
Hi, a question for the experts here!

I have two "networks" on my router, one is an open connection to the internet through a wired and wireless connection.
The other is a VPN that uses a virtual wireless connection and they have policy-based routing with 192.168.2.80/29
So everything connected to that wireless SSID gets those IPs and goes through the VPN.
Everything ok and all working.

But, everything is using the DNS of the Setup-Basic Setup-Network Address Server Settings (DHCP)-Static DNS 1, 2 and 3

And I want to all the 192.168.2.80/29 range (the ones in VPN) use two other different DNS servers to prevent DNS Leak and all that stuff.

So, the question is how to set up some "rule" for all those clients connected to the VPN (or ath1.1 or br1 or tun1 or 192.168.2.80/29) to bypass the general DNS servers and use two other different DNS servers???

Thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Feb 01, 2018 12:48    Post subject:
A quick and dirty method:
If you have a recent version you just enable "Forced DNS Redirection" on the virtual interface; after that a box opens where you can fill in the DNS server.

Otherwise you can use DNSMasq options like:
Code:
interface=ath1.1
dhcp-option=ath1.1,3,192.168.2.1
dhcp-option=ath1.1,6,8.8.8.8
dhcp-range=ath1.1,192.168.2.80,192.168.2.87,255.255.255.0,1440m

In this case do not use the GUI.

Mind you there are bugs in DDWRT where sometimes the ISP DNS servers can be used. So check for DNS leaks.
You can use "Query DNS in Strict order" from the Services tab or use the "no-resolv" directive in DNSMasq Options.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
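An added example (not egc's code and not part of DD-WRT) that audits a dnsmasq options fragment like the one above: for each `interface=` it reports which resolver DHCP option 6 hands out, and it checks for the `no-resolv` guard the post mentions. The config fragment is constructed here; the VPN interface name and the 8.8.8.8 / OpenDNS addresses are the values from the post, reused only as sample data.

```shell
#!/bin/sh
# Constructed dnsmasq options fragment in the style of the post above (not a real router's config).
sample_dnsmasq_conf() {
cat <<'EOF'
interface=br0
interface=ath1.1
dhcp-range=ath1.1,192.168.2.80,192.168.2.87,255.255.255.0,1440m
dhcp-option=ath1.1,3,192.168.2.1
dhcp-option=ath1.1,6,8.8.8.8
server=208.67.222.222
EOF
}

# dhcp_dns_for IFACE  (config on stdin): prints the resolver handed out by DHCP option 6
# for that interface tag, or nothing when clients will fall back to the router itself.
dhcp_dns_for() {
  awk -F, -v want="$1" '$1 == ("dhcp-option=" want) && $2 == "6" { print $3 }'
}

# audit_dnsmasq VPN_IFACE  (config on stdin): reports the resolver each interface's
# clients will get and returns 1 if VPN_IFACE hands out none or no-resolv is absent.
audit_dnsmasq() {
  vpn="$1"; conf=$(cat); rc=0
  for ifc in $(printf '%s\n' "$conf" | awk -F= '$1 == "interface" { print $2 }'); do
    dns=$(printf '%s\n' "$conf" | dhcp_dns_for "$ifc")
    if [ -n "$dns" ]; then
      echo "$ifc: DHCP option 6 = $dns (clients query it directly)"
    else
      echo "$ifc: no option 6, clients query the router's dnsmasq"
      if [ "$ifc" = "$vpn" ]; then rc=1; fi
    fi
  done
  # Without no-resolv dnsmasq also forwards to whatever /etc/resolv.conf lists (normally the ISP)
  if ! printf '%s\n' "$conf" | grep -qx 'no-resolv'; then
    echo "warning: no-resolv not set, ISP resolvers remain in dnsmasq's upstream list"
    rc=1
  fi
  return $rc
}

# On a router you would feed the real options instead of the sample, e.g. from nvram:
#   nvram get dnsmasq_options | audit_dnsmasq ath1.1
sample_dnsmasq_conf | audit_dnsmasq ath1.1 || echo "audit found problems"
```

Only the VPN interface is required to have its own option 6; the non-VPN bridge may keep using the router's dnsmasq, which is what the original poster wants. The sample deliberately lacks `no-resolv`, so the audit fails on it.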
newvisions
DD-WRT Novice


Joined: 22 Jan 2018
Posts: 17

PostPosted: Thu Feb 01, 2018 13:59    Post subject:
Thank you guys!
I agree with you, eibgrad, that if I want a system fully protected against DNS leaks it is much more complex. Right now I feel ok with using the DNS provided by the VPN (NordVPN) so I put the DNS server in "Forced DNS Redirection" of br1 and it's working ok I guess.
Clients connected to the non-VPN SSID are using OpenDNS, and clients connected to the VPN SSID are accessing with the VPN of course and using the VPN-provided DNS.
As tested in ipleak.net and dnsleaktest.com my VPN IP is the same as the DNS IP so I believe it's working ok.
Thanks!
rebeto13
DD-WRT Novice


Joined: 10 Sep 2019
Posts: 15

PostPosted: Tue Sep 10, 2019 15:44    Post subject: Different DNS per IP Range / DNS Leaks
eibgrad wrote:
TIP: If you really want to know if you have a DNS leak, go to a shell (telnet/ssh) on the router and issue the following command.

Code:
watch -n 5 "cat /proc/net/ip_conntrack | grep ' dport=53 '"


What this does is monitor connection tracking for DNS queries (dport=53). It updates itself every 5 secs (which you can change, the default is 2 secs).

Take special note of the first src and first dst fields. The src field tells you which device has made the request. The dst field tells you (indirectly) which network interface is being used for that connection (if you check ifconfig, you'll find that IP bound to some network interface, in our case, usually vlan2 for the WAN, and tun1 for the VPN).

The second half of any connection tracking record is what the system expects to be returned on the reply packet, so you can usually ignore it, including the second instance of the src and dst fields.

That is the *only* reliable means to determine where your DNS queries are being routed.


Hi @eibgrad... been reading lots of your posts and getting informed and (sort of versed in DDWRT)... so thanks for that... I have a question for you... You see I do not use PBR because it causes some issues with some connections so I use iptables. Specifically I use these commands on startup:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br0 -s 192.168.8.130/26 -j MARK --set-mark 1
iptables -t nat -I PREROUTING -s 192.168.8.130/26 -p udp --dport 53 -j DNAT --to WANDNS
iptables -t nat -I PREROUTING -s 192.168.8.130/26 -p tcp --dport 53 -j DNAT --to WANDNS

Basically what I do is I have the DNS servers in the setup page as the VPN DNS servers, and I assign static IPs (outside the DHCP range) for the devices I want to route through the VPN. All else are assigned the DHCP range (which is what you see in the scripts). All these alongside the startup script work as expected.

So I ran your command to check for DNS leaks.
I get these results:

udp 17 40 src=100.64.16.11 dst: VPN-DNS

That address is for the router but it's nowhere in my private IP range. I know it's the router because when I input it in a browser it takes me to the router homepage. My question is where is this address coming from??? Is it right? Is it a sign that something's wrong???

Thanks!
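An added example, not eibgrad's or rebeto13's code, that turns the conntrack check quoted above into a repeatable leak test. It reads `/proc/net/ip_conntrack`-style lines, keeps only port-53 flows, takes the first `src=`/`dst=` pair (the original direction), and flags any client in the VPN address range whose query went to anything but the VPN resolver. The conntrack lines are constructed, the VPN resolver 10.8.0.1 and the client range 192.168.2.80/29 are assumptions taken from this thread's setup, and `ip_in_cidr` generalises the /29 check to any prefix length so the same test works for other ranges.

```shell
#!/bin/sh
# Constructed /proc/net/ip_conntrack lines (not captured from a real router): two VPN-range
# clients resolving at the VPN resolver, one non-VPN client at the WAN resolver, one VPN-range
# client leaking to the WAN resolver, and one non-DNS (NTP) flow that must be ignored.
sample_conntrack() {
cat <<'EOF'
udp      17 28 src=192.168.2.82 dst=10.8.0.1 sport=51234 dport=53 packets=1 bytes=60 src=10.8.0.1 dst=10.8.0.6 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=2
udp      17 29 src=192.168.2.10 dst=208.67.222.222 sport=40001 dport=53 packets=1 bytes=60 src=208.67.222.222 dst=203.0.113.7 sport=53 dport=40001 packets=1 bytes=120 mark=0 use=2
udp      17 30 src=192.168.2.83 dst=208.67.222.222 sport=40002 dport=53 packets=1 bytes=60 src=208.67.222.222 dst=203.0.113.7 sport=53 dport=40002 packets=1 bytes=120 mark=0 use=2
tcp      6 117 TIME_WAIT src=192.168.2.85 dst=10.8.0.1 sport=44321 dport=53 packets=6 bytes=400 src=10.8.0.1 dst=10.8.0.6 sport=53 dport=44321 packets=5 bytes=380 [ASSURED] mark=0 use=2
udp      17 15 src=192.168.2.84 dst=192.168.2.1 sport=40003 dport=123 packets=1 bytes=76 src=192.168.2.1 dst=192.168.2.84 sport=123 dport=40003 packets=1 bytes=76 mark=0 use=2
EOF
}

# ip_in_cidr ADDR CIDR: succeeds when ADDR lies inside CIDR (e.g. 192.168.2.83 192.168.2.80/29).
# Pure awk so it runs on a router with only busybox; generalises the thread's /29 to any prefix.
ip_in_cidr() {
  awk -v ip="$1" -v cidr="$2" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN {
      split(cidr, c, "/"); host = 2 ^ (32 - c[2])
      if (int(toint(ip) / host) == int(toint(c[1]) / host)) exit 0; else exit 1
    }'
}

# dns_leak_report VPN_CIDR VPN_DNS  (conntrack lines on stdin)
# Keeps only port-53 flows, reads the first src=/dst= pair (the original direction; the
# reply half is ignored, as the quoted tip explains), and flags any VPN-range client whose
# query went anywhere but VPN_DNS. Returns 1 if at least one leak was seen.
dns_leak_report() {
  cidr="$1"; vpndns="$2"; leaks=0
  while read -r line; do
    case "$line" in *" dport=53 "*) ;; *) continue ;; esac
    set -- $(printf '%s\n' "$line" | awk '{
      for (i = 1; i <= NF; i++) {
        if (s == "" && $i ~ /^src=/) s = substr($i, 5)
        if (d == "" && $i ~ /^dst=/) d = substr($i, 5)
      }
      print s, d }')
    src="$1"; dst="$2"
    if ip_in_cidr "$src" "$cidr"; then
      if [ "$dst" = "$vpndns" ]; then
        echo "OK   $src -> $dst (VPN client, VPN resolver)"
      else
        echo "LEAK $src -> $dst (VPN client, resolver outside the tunnel)"
        leaks=$((leaks + 1))
      fi
    else
      echo "OK   $src -> $dst (non-VPN client)"
    fi
  done
  [ "$leaks" -eq 0 ]
}

# Live use on the router would be:  dns_leak_report 192.168.2.80/29 10.8.0.1 < /proc/net/ip_conntrack
sample_conntrack | dns_leak_report 192.168.2.80/29 10.8.0.1 || echo "leak(s) found"
```

Comparing `dst` to the VPN resolver is a simplification of eibgrad's advice to map `dst` back to an interface with `ifconfig`; it is enough when the VPN clients are supposed to use exactly one resolver, and it catches the case egc warns about, where the ISP's servers get used despite the GUI setting. A query from the router's own address (as in rebeto13's output) shows up as a non-VPN client here because the router forwards on behalf of whoever asked it, so such lines still need the `ifconfig` cross-check.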
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Tue Sep 10, 2019 16:15    Post subject:
Public IP of your WAN?
See Status/WAN

rebeto13
DD-WRT Novice


Joined: 10 Sep 2019
Posts: 15

PostPosted: Tue Sep 10, 2019 17:22    Post subject:
egc wrote:
Public IP of your WAN?
See Status/WAN


Sorry I didn't clarify this. It isn't the public IP, neither of the VPN nor of the WAN.
Nor the private IP of the modem.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14208
Location: Texas, USA

PostPosted: Tue Sep 10, 2019 17:29    Post subject:
There's always that thing of how to lock down your browser to prevent WebRTC leaks, too. Google it. I locked down Edge, FF, Safari, Opera, and Chrome as an added measure.

@eibgrad, I will have to look at FreshTomato and more recent Advanced Tomato commits to see if anything has been done, my FT router is mostly out-of-the-box configured, I hadn't done too many custom configs to it, but I am also running a more recent build than the last public beta http://anon.groov.pl/index.php?version=2019.3.203+K26+USB