[Phonism]

Hi guys,

I'm still running my trusty WRT600N and E3000 with build 15747, and it's working great.

Now I wonder if there's a way to configure the router to set one DNS address to a IP, and another DNS to a second IP (fex my wife's computer gets DNS from the ISP and the PS3 gets DNS from another service)?

I know I can just let the router have DNS from the ISP and just set up the DNS manually for each device I want differently, but wondered if this could be done in the router.

Thank you for any input

[crashfly]

Yes it is possible. You need to check the documentation for DNSmasq. You can set different DNS servers for specific addresses as well as for the computers that get DNS. I am not sure if the internal dnsmasq will support it though. You *might* have to use the optware version.

[Phonism]

Thanks, crashfly, I'll take a closer look at DNSmasq . Let's hope I can figure it out

[chjohans]

You can also do the same by running a second instance of dnsmasq and adding some iptables rules to redirect DNS traffic from certain ip addresses to the dnsmasq instance. En examlpe:

Add the following to your "Startup" script:
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054

This starts an dnsmasq instance on port 1054 using the OpenDNS DNS server (208.67.222.222)

Add the following to your "Firewall" script:
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054

This intercepts traffic from the ip address 192.168.1.100 to whatever DNS server (port 53) end redirects that traffic to port 1054 on your router, which will use OpenDNS.

Add as many lines to your "Firewall" script as necessary, two lines for each ip address (for tcp and udp). Or you can combine addresses by specifying a network/mask. Of course you can change the OpenDNS ip address to whatever DNS server you want to use.

I'm using this to *force* my kids to go through OpenDNS which in turn will deny access to certain sites not suitable for their age group. This way, even if they manually change their DNS server, the iptables rule will make sure they are redirected to the OpenDNS server. In my case the whole subnet is redirected to OpenDNS, so even if they change their ip address it won't make any difference.

Of course this is combined with guidance on how to use the Internet and what to avoid and why. But since they're only 9 and 11 we feel it's good to have this layer of "technological protection" as well. This technique, in combination with a well configured OpenDNS account, mak4es a pretty good "family filter".

But whatever your purpose is, enforcing a spesific DNS server this way works pretty good.

Edit: Optware not needed

[Phonism]

Wow, thanks chjohans! This is exactly what I was looking for. But I don't know what I do wrong, cause I'm not getting it to work properly.

I have put this in the startup script (without the sleep command, I would get No Internet available):

[Phonism]

I couldn't rest, and kept trying but never got internet to work on the machine I had set to use a different DNS, so I ended up resetting the router and upgraded to 16785, cause I was worried that some other setting was conflicting with the new scripts.

Guess what, now it works!

Thank you so much, chjohans - you deserve a beer!

PS! Out of curiosity, would it be possible to add a 3rd DNS to the startup script, but use different ports?

[chjohans]

I'm glad to be able to help. And yes, you could start more dnsmasq servers each running on their own port and using their own DNS server, no problem at all.

Can't remember exactly which builds of dd-wrt had this problem but the dnsmasq process used to "die" randomly. I made a small script that I ran every 5 minutes by cron, the script checks and restarts dnsmasq if necessary.

This is the script I'm using (check_dns.sh):
#!/bin/sh
if [ -z $(ps|grep dnsmasq|grep 208.67.222.222) ]
then
logger $('date') "dnsmasq for OpenDNS NOT running, restarting..."
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054
fi

Here is my cron entry to run the script:
*/5 * * * * root /jffs/bin/check_dns.sh

I'm now running kong build 20575 on all my E4200 routers and so far that build has been a winner.

[gps_dave]

This looks like what I want to do but can it be done using mac addresses?
I'm trying to setup my Roku (Like Apple TV) to use a different DNS server than whats configured in the main setup page. Since I can't assign a static IP to the Roku, can I have the DNSmasq catch the requests from a mac address and use an alternative DNS.

This is a recommendation from Unblock-Us to have the Roku use an American DNS to bypass the Canadian restrictions by using the following DNS:

Primary DNS 208.122.23.22
Secondary DNS 208.122.23.23
Additional DNS (if available) 184.106.242.193

http://support.unblock-us.com/customer/portal/articles/323038

I would just change my main setup page DNS settings to the ones above but since I also run a web/mail server on this access point, I can't use another DNS other then the one setup for my connection to my ISP.

Thanks,
Dave.

[crashfly]

@gps_dave - It would be best if you put your roku on a static IP from router, and then use the firewall commands above to route the DNS from that specific IP address to the "alternate" DNS server.

[themastertruth]