Posted: Sat Feb 16, 2013 16:13 Post subject: Use specific DNS for different IPs
Hi guys,
I'm still running my trusty WRT600N and E3000 with build 15747, and it's working great.
Now I wonder if there's a way to configure the router to set one DNS address to an IP, and another DNS to a second IP (e.g. my wife's computer gets DNS from the ISP and the PS3 gets DNS from another service)?
I know I can just let the router have DNS from the ISP and just set up the DNS manually for each device I want differently, but wondered if this could be done in the router.
Thank you for any input _________________
Asus RT-AC66U DD-WRT v24-sp2 giga - build 25015 [Main]
Linksys E3000 DD-WRT v24-sp2 mega - build 15962 [Backup]
Linksys WRT600N v1.1 DD-WRT v24-sp2 (08/12/10) mega - build 14929 [Retired]
Linksys WRT54GS v4 DD-WRT v24-sp2 mini - build 15747 [Retired]
E3000 Info | WRT600N Info | Know-it-all thread
Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Sat Feb 16, 2013 20:39 Post subject:
Yes it is possible. You need to check the documentation for DNSmasq. You can set different DNS servers for specific addresses as well as for the computers that get DNS. I am not sure if the internal dnsmasq will support it though. You *might* have to use the optware version. _________________ E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
Thanks, crashfly, I'll take a closer look at DNSmasq. Let's hope I can figure it out
You can also do the same by running a second instance of dnsmasq and adding some iptables rules to redirect DNS traffic from certain IP addresses to that dnsmasq instance. An example:
Add the following to your "Startup" script:
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054
This starts a dnsmasq instance on port 1054 using the OpenDNS DNS server (208.67.222.222).
Add the following to your "Firewall" script:
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
This intercepts traffic from the IP address 192.168.1.100 to whatever DNS server (port 53) and redirects that traffic to port 1054 on your router, which will use OpenDNS.
Add as many lines to your "Firewall" script as necessary, two lines for each IP address (for tcp and udp). Or you can combine addresses by specifying a network/mask. Of course you can change the OpenDNS IP address to whatever DNS server you want to use.
I'm using this to *force* my kids to go through OpenDNS, which in turn will deny access to certain sites not suitable for their age group. This way, even if they manually change their DNS server, the iptables rule will make sure they are redirected to the OpenDNS server. In my case the whole subnet is redirected to OpenDNS, so even if they change their IP address it won't make any difference.
Of course this is combined with guidance on how to use the Internet and what to avoid and why. But since they're only 9 and 11 we feel it's good to have this layer of "technological protection" as well. This technique, in combination with a well configured OpenDNS account, makes a pretty good "family filter".
But whatever your purpose is, enforcing a specific DNS server this way works pretty well.
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.101 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.101 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
I can ping my ISP's gateway, but I can't ping any other web address, so it looks like I'm almost there, but no cigar.
The idea about using OpenDNS to keep the young ones off certain sites is great, I'm definitely using that when this is working. My 7 and 2 year old are learning fast.
Any input is deeply appreciated _________________
I couldn't rest, and kept trying but never got internet to work on the machine I had set to use a different DNS, so I ended up resetting the router and upgrading to 16785, because I was worried that some other setting was conflicting with the new scripts.
Guess what, now it works!
Thank you so much, chjohans - you deserve a beer!
PS! Out of curiosity, would it be possible to add a 3rd DNS to the startup script, but use different ports? _________________
I'm glad to be able to help. And yes, you could start more dnsmasq servers each running on their own port and using their own DNS server, no problem at all.
Can't remember exactly which builds of dd-wrt had this problem but the dnsmasq process used to "die" randomly. I made a small script that I ran every 5 minutes by cron, the script checks and restarts dnsmasq if necessary.
This is the script I'm using (check_dns.sh):
#!/bin/sh
# Restart the second (OpenDNS) dnsmasq instance if it is no longer in the process list.
# The command substitution is quoted so the test sees one string, not one word per
# field of the ps line. The grep processes themselves do not match, since neither
# of them contains both "dnsmasq" and the OpenDNS address.
if [ -z "$(ps | grep dnsmasq | grep 208.67.222.222)" ]
then
    logger "$(date) dnsmasq for OpenDNS NOT running, restarting..."
    dnsmasq -S 208.67.222.222 -R -i br0 -p 1054
fi
Here is my cron entry to run the script:
*/5 * * * * root /jffs/bin/check_dns.sh
I'm now running kong build 20575 on all my E4200 routers and so far that build has been a winner.
This looks like what I want to do but can it be done using mac addresses?
I'm trying to set up my Roku (like Apple TV) to use a different DNS server than what's configured in the main setup page. Since I can't assign a static IP to the Roku, can I have DNSmasq catch the requests from a MAC address and use an alternative DNS?
This is a recommendation from Unblock-Us to have the Roku use an American DNS to bypass the Canadian restrictions by using the following DNS:
Primary DNS 208.122.23.22
Secondary DNS 208.122.23.23
Additional DNS (if available) 184.106.242.193
I would just change my main setup page DNS settings to the ones above, but since I also run a web/mail server on this access point, I can't use another DNS other than the one set up for my connection to my ISP.
Posted: Fri Feb 22, 2013 22:07 Post subject:
@gps_dave - It would be best if you put your roku on a static IP from router, and then use the firewall commands above to route the DNS from that specific IP address to the "alternate" DNS server.
Edit: Optware not needed
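As an added example (not code from this thread), a POSIX sh helper for the "Firewall" script that generates the DNAT lines from chjohans' post for a whole list of sources, and also covers gps_dave's question by accepting MAC addresses through the iptables mac match. The LAN interface, the port 1054 and the router IP are the values from the thread; that the build ships the mac match module is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: prints the iptables commands that send
# DNS (port 53) from each listed source to the second dnsmasq instance.
# Sources may be an IPv4 address, a CIDR block, or a MAC address. MAC matching
# assumes the build includes the iptables "mac" match and works only on the
# LAN side (PREROUTING on br0), where the client's source MAC is still visible.
LAN_IF=br0
DNS_PORT=1054                      # port of the second dnsmasq instance

# Print the rules for one source. $1 = source, $2 = router LAN IP.
dns_rules_for() {
    src=$1; lan_ip=$2
    case "$src" in
        *:*:*:*:*:*)  match="-m mac --mac-source $src" ;;   # MAC address
        */*|*.*)      match="-s $src" ;;                    # IPv4 or CIDR
        *)            echo "bad source: $src" >&2; return 1 ;;
    esac
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -p $proto -i $LAN_IF $match --dport 53 -j DNAT --to $lan_ip:$DNS_PORT"
    done
    # Port-53 DNAT does not catch DNS over TLS (port 853). Rejecting it makes a
    # client fall back to plain DNS, which is then redirected. DNS over HTTPS on
    # port 443 cannot be separated from normal web traffic this way.
    echo "iptables -I FORWARD -p tcp -i $LAN_IF $match --dport 853 -j REJECT"
}

# Print the rules for every source in $1 (whitespace separated); $2 = router LAN IP.
dns_rules() {
    for s in $1; do dns_rules_for "$s" "$2" || return 1; done
}

# On the router: dns_rules "192.168.1.100 192.168.1.101" "$(nvram get lan_ipaddr)" | sh
```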
This thread looks dead, but I was wondering if anyone could help me with this.
I am doing something similar by directing my kids' traffic to OpenDNS while allowing other devices to use the router's default DNS servers. I was wondering if for the "new dnsmasq instance" on port 1054 you could add address redirects, such as adding this to the startup script:
dnsmasq -A /google.com/216.239.32.20
The end goal is to force google to use a non-SSL connection so access restrictions will be able to filter the traffic. This is mainly to prevent images in Google search.