Use specific DNS for different IPs

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Phonism
DD-WRT User


Joined: 27 Sep 2008
Posts: 449
Location: Norway

PostPosted: Sat Feb 16, 2013 16:13    Post subject: Use specific DNS for different IPs
Hi guys,

I'm still running my trusty WRT600N and E3000 with build 15747, and it's working great.

Now I wonder if there's a way to configure the router to set one DNS address for an IP, and another DNS for a second IP (e.g. my wife's computer gets DNS from the ISP and the PS3 gets DNS from another service)?

I know I can just let the router have DNS from the ISP and just set up the DNS manually for each device I want differently, but wondered if this could be done in the router.

Thank you for any input :)

_________________

Asus RT-AC66U DD-WRT v24-sp2 giga - build 25015 [Main]
Linksys E3000 DD-WRT v24-sp2 mega - build 15962 [Backup]
Linksys WRT600N v1.1 DD-WRT v24-sp2 (08/12/10) mega - build 14929 [Retired]
Linksys WRT54GS v4 DD-WRT v24-sp2 mini - build 15747 [Retired]
E3000 Info | WRT600N Info | Know-it-all thread
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sat Feb 16, 2013 20:39    Post subject:
Yes it is possible. You need to check the documentation for DNSmasq. You can set different DNS servers for specific addresses as well as for the computers that get DNS. I am not sure if the internal dnsmasq will support it though. You *might* have to use the optware version.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
Phonism
DD-WRT User


Joined: 27 Sep 2008
Posts: 449
Location: Norway

PostPosted: Sat Feb 16, 2013 21:25    Post subject:
Thanks, crashfly, I'll take a closer look at DNSmasq. Let's hope I can figure it out ;)
chjohans
DD-WRT User


Joined: 27 Mar 2008
Posts: 196

PostPosted: Sun Feb 17, 2013 1:57    Post subject:
You can also do the same by running a second instance of dnsmasq and adding some iptables rules to redirect DNS traffic from certain IP addresses to that dnsmasq instance. An example:

Add the following to your "Startup" script:
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054

This starts a dnsmasq instance on port 1054 using the OpenDNS DNS server (208.67.222.222).

Add the following to your "Firewall" script:
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054

This intercepts traffic from the IP address 192.168.1.100 to whatever DNS server (port 53) and redirects that traffic to port 1054 on your router, which will use OpenDNS.

Add as many lines to your "Firewall" script as necessary, two lines for each IP address (one for tcp and one for udp). Or you can combine addresses by specifying a network/mask. Of course you can change the OpenDNS IP address to whatever DNS server you want to use.

I'm using this to *force* my kids to go through OpenDNS, which in turn will deny access to certain sites not suitable for their age group. This way, even if they manually change their DNS server, the iptables rule will make sure they are redirected to the OpenDNS server. In my case the whole subnet is redirected to OpenDNS, so even if they change their IP address it won't make any difference.

Of course this is combined with guidance on how to use the Internet and what to avoid and why. But since they're only 9 and 11 we feel it's good to have this layer of "technological protection" as well. This technique, in combination with a well configured OpenDNS account, makes a pretty good "family filter".

But whatever your purpose is, enforcing a specific DNS server this way works pretty well.

Edit: Optware not needed :)
Phonism
DD-WRT User


Joined: 27 Sep 2008
Posts: 449
Location: Norway

PostPosted: Sun Feb 17, 2013 11:17    Post subject:
Wow, thanks chjohans! This is exactly what I was looking for. But I don't know what I'm doing wrong, cause I'm not getting it to work properly.

I have put this in the startup script (without the sleep command I would get "No Internet available"):
Code:
sleep 10
dnsmasq -S 208.122.23.22 -R -i br0 -p 1054


and for the firewall script I used:

Code:
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.101 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.101 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054


I can ping my ISP's gateway, but I can't ping any other web address, so it looks like I'm almost there, but no cigar.

The idea of using OpenDNS to keep the young ones off certain sites is great, I'm definitely using that when this is working. My 7- and 2-year-olds are learning fast.

Any input is deeply appreciated :)

Phonism
DD-WRT User


Joined: 27 Sep 2008
Posts: 449
Location: Norway

PostPosted: Sun Feb 17, 2013 18:51    Post subject:
I couldn't rest, and kept trying, but never got internet to work on the machine I had set to use a different DNS, so I ended up resetting the router and upgrading to 16785, cause I was worried that some other setting was conflicting with the new scripts.

Guess what, now it works!

Thank you so much, chjohans - you deserve a beer! :D

PS! Out of curiosity, would it be possible to add a 3rd DNS to the startup script, but use different ports?

chjohans
DD-WRT User


Joined: 27 Mar 2008
Posts: 196

PostPosted: Tue Feb 19, 2013 22:19    Post subject:
I'm glad to be able to help. And yes, you could start more dnsmasq servers each running on their own port and using their own DNS server, no problem at all.

Can't remember exactly which builds of dd-wrt had this problem, but the dnsmasq process used to "die" randomly. I made a small script that I ran every 5 minutes by cron; the script checks and restarts dnsmasq if necessary.

This is the script I'm using (check_dns.sh):
#!/bin/sh
# Restart the OpenDNS dnsmasq instance if it is no longer running.
# The [d]nsmasq pattern keeps the grep process itself from matching,
# and the command substitution is quoted so a multi-word ps line
# does not break the test.
if [ -z "$(ps | grep '[d]nsmasq' | grep 208.67.222.222)" ]
then
    logger "$(date) dnsmasq for OpenDNS NOT running, restarting..."
    dnsmasq -S 208.67.222.222 -R -i br0 -p 1054
fi

Here is my cron entry to run the script:
*/5 * * * * root /jffs/bin/check_dns.sh

I'm now running kong build 20575 on all my E4200 routers and so far that build has been a winner.
gps_dave
DD-WRT Novice


Joined: 05 Nov 2009
Posts: 11

PostPosted: Fri Feb 22, 2013 3:28    Post subject:
This looks like what I want to do, but can it be done using MAC addresses?
I'm trying to set up my Roku (like Apple TV) to use a different DNS server than what's configured in the main setup page. Since I can't assign a static IP to the Roku, can I have DNSmasq catch the requests from a MAC address and use an alternative DNS?

This is a recommendation from Unblock-Us to have the Roku use an American DNS to bypass the Canadian restrictions by using the following DNS:

Primary DNS 208.122.23.22
Secondary DNS 208.122.23.23
Additional DNS (if available) 184.106.242.193

http://support.unblock-us.com/customer/portal/articles/323038

I would just change my main setup page DNS settings to the ones above, but since I also run a web/mail server on this access point, I can't use any DNS other than the one set up for my connection to my ISP.

Thanks,
Dave.
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Fri Feb 22, 2013 22:07    Post subject:
@gps_dave - It would be best if you put your Roku on a static IP from the router, and then use the firewall commands above to route the DNS from that specific IP address to the "alternate" DNS server.
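The setup chjohans describes (one extra dnsmasq instance per policy, each on its own port, plus the PREROUTING DNAT rules), the multi-port variant Phonism asked about, and the MAC-address case gps_dave raised, pulled together in one script. This is an added example, not code from the thread or from DD-WRT; LAN_IP, the client addresses, the MAC and the second upstream resolver are constructed values, and the `-m mac --mac-source` match is assumed to be available in the firmware's iptables.

```shell
#!/bin/sh
# Added example: per-client DNS policy for a DD-WRT router. Commands are only
# printed unless APPLY=1 is set, so the generated rules can be reviewed first.
# Constructed values: LAN_IP, client addresses, MAC, second upstream resolver.

LAN_IF=br0
LAN_IP=${LAN_IP:-192.168.1.1}   # on DD-WRT use: LAN_IP=$(nvram get lan_ipaddr)
APPLY=${APPLY:-0}

run() {                         # print the command; execute it too when APPLY=1
    echo "$*"
    [ "$APPLY" = 1 ] && "$@"
    return 0
}

# One extra dnsmasq instance: listen on port $2 of the LAN bridge, forward to
# upstream $1 only; -R ignores /etc/resolv.conf so it cannot fall back to the
# ISP resolvers the main instance uses.
start_resolver() {
    run dnsmasq -S "$1" -R -i "$LAN_IF" -p "$2"
}

# Redirect port-53 TCP and UDP from one client to a local instance.
# $1 = client selector: an IP, a network/mask, or a MAC address; $2 = port.
redirect_client() {
    case "$1" in
        *:*) match="-m mac --mac-source $1" ;;  # MAC form, no static lease needed
        *)   match="-s $1" ;;                   # IP or network/mask form
    esac
    for proto in tcp udp; do
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" $match \
            --dport 53 -j DNAT --to "$LAN_IP:$2"
    done
}

rule_count() {                  # rule lines a selector produces (dry-run check)
    redirect_client "$1" "$2" | wc -l | tr -d ' '
}

# Startup-script part: two policies on two ports.
start_resolver 208.67.222.222 1054     # OpenDNS, as in the thread
start_resolver 208.122.23.22  1055     # the Unblock-Us resolver quoted above

# Firewall-script part. PREROUTING takes the first matching rule, so list the
# specific clients before any whole-subnet rule.
redirect_client 192.168.1.100      1054   # the kids' PC by IP
redirect_client 00:11:22:33:44:55  1055   # a DHCP device by MAC (constructed)
redirect_client 192.168.1.0/24     1054   # everyone else on the LAN
```

Only traffic sent to port 53 is caught by these rules; a client that resolves over another port or over DNS-over-HTTPS (port 443) is outside their reach. On the router, `iptables -t nat -L PREROUTING -v` shows the packet counters per rule, which is the quickest way to confirm a client is actually being redirected.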
themastertruth
DD-WRT Novice


Joined: 07 Jul 2014
Posts: 4

PostPosted: Mon Jul 07, 2014 0:29    Post subject:
chjohans wrote:
You can also do the same by running a second instance of dnsmasq and adding some iptables rules to redirect DNS traffic from certain IP addresses to that dnsmasq instance. An example:

Add the following to your "Startup" script:
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054

This starts a dnsmasq instance on port 1054 using the OpenDNS DNS server (208.67.222.222).

Add the following to your "Firewall" script:
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054

This intercepts traffic from the IP address 192.168.1.100 to whatever DNS server (port 53) and redirects that traffic to port 1054 on your router, which will use OpenDNS.

Add as many lines to your "Firewall" script as necessary, two lines for each IP address (one for tcp and one for udp). Or you can combine addresses by specifying a network/mask. Of course you can change the OpenDNS IP address to whatever DNS server you want to use.

I'm using this to *force* my kids to go through OpenDNS, which in turn will deny access to certain sites not suitable for their age group. This way, even if they manually change their DNS server, the iptables rule will make sure they are redirected to the OpenDNS server. In my case the whole subnet is redirected to OpenDNS, so even if they change their IP address it won't make any difference.

Of course this is combined with guidance on how to use the Internet and what to avoid and why. But since they're only 9 and 11 we feel it's good to have this layer of "technological protection" as well. This technique, in combination with a well configured OpenDNS account, makes a pretty good "family filter".

But whatever your purpose is, enforcing a specific DNS server this way works pretty well.

Edit: Optware not needed :)


This thread looks dead, but I was wondering if anyone could help me with this.

I am doing something similar, directing my kids' traffic to OpenDNS while allowing other devices to use the router's default DNS servers. I was wondering if for the "new dnsmasq instance" on port 1054 you could add address redirects, such as adding this to the startup script:

dnsmasq -S 208.67.222.222 -R -i br0 -p 1054 --address=/google.com/216.239.32.20

The end goal is to force Google to use a non-SSL connection so the access restrictions will be able to filter the traffic. This is mainly to prevent images in Google search.
All times are GMT