Force OpenDNS exclusively; disallow any other DNS

DD-WRT Forum Forum Index -> General Questions
BlueToast
DD-WRT Novice


Joined: 01 Jun 2010
Posts: 9
Location: Missouri, US

PostPosted: Tue Jul 23, 2013 2:08    Post subject: Force OpenDNS exclusively; disallow any other DNS
Greetings,

I am trying to follow along http://www.dd-wrt.com/phpBB2/viewtopic.php?t=58746&highlight=iptable+dns, but since the OP here throws in the wrench of OpenDNS *and* own DNS server, it makes it hard to follow along just to accomplish a simple task.

I want to make it so only OpenDNS 208.67.222.123 and 208.67.220.123 DNS servers can be used; attempting to use anything else via manual configuration on the client to something such as 8.8.8.8 or 8.8.4.4 or any other should result without success.

Under Administration --> Commands --> Firewall I had
Quote:
iptables -I INPUT -i br0 -s 192.168.2.0/24 -p tcp --dport 53 -j DROP
iptables -I INPUT -i br0 -s 192.168.2.0/24 -p udp --dport 53 -j DROP
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to 208.67.220.123
But I removed it for now because I have no idea what I'm doing and I don't want to apply those without confidence.

Under Services --> Services --> DNSMasq --> Additional DNSMasq Options I had
Quote:
dhcp-option=6,208.67.222.123,208.67.220.123
strict-order
But removed it for the same reason.

Under Services --> Services --> DNSMasq --> DNSMasq = Enable
Under Services --> Services --> DNSMasq --> Local DNS = Disable
Under Services --> Services --> DNSMasq --> No DNS Rebind = Enable

Under Setup --> Basic Setup --> WAN Setup --> Connection Type = Static IP
Under Setup --> Basic Setup --> WAN Setup --> WAN IP Address = 192.168.100.2
Under Setup --> Basic Setup --> WAN Setup --> Subnet Mask = 255.255.255.0
Under Setup --> Basic Setup --> WAN Setup --> Gateway = 192.168.100.1
Under Setup --> Basic Setup --> WAN Setup --> Static DNS 1 = 208.67.222.123
Under Setup --> Basic Setup --> WAN Setup --> Static DNS 2 = 208.67.220.123
Under Setup --> Basic Setup --> WAN Setup --> Static DNS 3 = 0.0.0.0
Under Setup --> Basic Setup --> WAN Setup --> STP = Disable

Under Setup --> Basic Setup --> Network Setup --> Local IP Address = 192.168.2.1
Under Setup --> Basic Setup --> Network Setup --> Subnet Mask = 255.255.255.0
Under Setup --> Basic Setup --> Network Setup --> Gateway = 192.168.2.1
Under Setup --> Basic Setup --> Network Setup --> Local DNS = 192.168.2.1

Under Setup --> Basic Setup --> Network Setup --> DHCP Type = DHCP Server
Under Setup --> Basic Setup --> Network Setup --> DHCP Server = Enable
Under Setup --> Basic Setup --> Network Setup --> Start IP Address = 192.168.2.100
Under Setup --> Basic Setup --> Network Setup --> Maximum DHCP Users = 50
Under Setup --> Basic Setup --> Network Setup --> Client Lease Time = 7200 minutes
Under Setup --> Basic Setup --> Network Setup --> WINS = 0.0.0.0
Under Setup --> Basic Setup --> Network Setup --> Use DNSMasq for DHCP = True
Under Setup --> Basic Setup --> Network Setup --> Use DNSMasq for DNS = True
Under Setup --> Basic Setup --> Network Setup --> DHCP-Authoritative = True

Router Model: Netgear WNDR3700 v2
Firmware: DD-WRT v24-sp2 (06/14/11) std
CPU Model: Atheros AR7161 rev 2 (0xaa)

I would be very very happy if someone could help me with achieving my desire. :)

EDIT: Ok, I'm throwing a wrench in here too. I followed this guide at http://www.howtogeek.com/51477/how-to-remove-advertisements-with-pixelserv-on-dd-wrt/ to remove advertisements via pixelserv. For this to work, the DNS server clients use would be my router's IP address 192.168.2.1. So what do I need to do to have the router retrieve its DNS queries from 208.67.222.123 and 208.67.220.123, force clients to be unable to use any other DNS, and use pixelserv-based adblocking at the same time?

EDIT2: So right now for Additional DNSMasq Options I have the following:

Quote:
address=/reddit.com/192.168.2.254
address=/digg.com/192.168.2.254
conf-file=/jffs/dns/dnsmasq.adblock.conf
addn-hosts=/jffs/dns/dlhosts
conf-file=/jffs/dns/personal-ads-list.conf


Based on the original thread I was reading, I will try this:

Quote:
address=/reddit.com/192.168.2.254
address=/digg.com/192.168.2.254
conf-file=/jffs/dns/dnsmasq.adblock.conf
addn-hosts=/jffs/dns/dlhosts
conf-file=/jffs/dns/personal-ads-list.conf
dhcp-option=6,192.168.2.1
strict-order


And this for Administration --> Commands --> Firewall:

Quote:
/usr/sbin/iptables -I INPUT -i br0 -s 192.168.2.0/24 -p tcp --dport 53 -j DROP
/usr/sbin/iptables -I INPUT -i br0 -s 192.168.2.0/24 -p udp --dport 53 -j DROP
/usr/sbin/iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
/usr/sbin/iptables -t nat -I PREROUTING 1 -d 192.168.2.1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:81


(The last line appeared in the Commands for Firewall via automation due to the adblocking pixelserv, so I put my stuff before it to keep the 'prerouting' statements together)

EDIT3: That didn't work (couldn't browse the internet), so I modified it to be this:

Quote:
/usr/sbin/iptables -I INPUT -i br0 -s 192.168.2.0/24 -p tcp --dport 53 -j DROP
/usr/sbin/iptables -I INPUT -i br0 -s 192.168.2.0/24 -p udp --dport 53 -j DROP
/usr/sbin/iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to 192.168.2.1
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to 192.168.2.1
/usr/sbin/iptables -t nat -I PREROUTING 1 -d 192.168.2.1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:81


Still didn't work, so I just set it back to:

Quote:
/usr/sbin/iptables -t nat -I PREROUTING 1 -d 192.168.2.1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:81


Help please. :(
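An added example (not from the thread, and not DD-WRT's own code) that puts the OP's pieces together in one firewall script: it prints the rules for review instead of applying them blindly, and includes a check to run after a reboot to confirm they are in place. It assumes the OP's values (LAN bridge br0, subnet 192.168.2.0/24, router LAN IP 192.168.2.1) and leaves the pixelserv port-80 DNAT untouched. It also explains why the EDIT2/EDIT3 scripts broke browsing: the nat PREROUTING DNAT rewrites every client query to 192.168.2.1:53, and the two INPUT rules then drop exactly those packets, because INPUT is the chain for traffic addressed to the router itself. Anything meant to stop DNS that bypasses the router belongs in FORWARD, which only sees transit traffic.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: build the firewall rules
# that force every LAN client through the router's own dnsmasq, print them for
# review, and verify after a reboot that they are still in place.
# Assumed (the OP's values; adjust to your router):
LAN_IF=${LAN_IF:-br0}
LAN_NET=${LAN_NET:-192.168.2.0/24}
LAN_IP=${LAN_IP:-192.168.2.1}

# Print one rule per line; $1 = LAN interface, $2 = LAN subnet, $3 = router LAN IP
dns_force_rules() {
    lan_if="$1"; lan_net="$2"; lan_ip="$3"
    for proto in udp tcp; do
        # Rewrite the destination of every client DNS query (8.8.8.8 or any other)
        # to the router. nat/PREROUTING runs before the routing decision, so the
        # packet is then delivered to the router's dnsmasq via INPUT, not forwarded.
        echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p $proto --dport 53 -j DNAT --to-destination $lan_ip"
        # Belt and braces in FORWARD (transit traffic only): a query that somehow
        # escaped the DNAT is refused instead of reaching an outside resolver.
        # REJECT rather than DROP so a misconfigured client fails fast instead of
        # hanging on a timeout. Do NOT put this in INPUT: that chain sees the
        # redirected queries to the router itself and would drop them.
        echo "iptables -I FORWARD -i $lan_if -s $lan_net -p $proto --dport 53 -j REJECT"
    done
}

# Read `iptables -t nat -S PREROUTING` output on stdin; succeed only if both the
# udp and tcp DNATs to $1 are present (i.e. the firewall script really ran).
dns_force_verify() {
    lan_ip="$1"; found=0
    while read -r line; do
        case "$line" in
            *"--dport 53"*"-j DNAT --to-destination $lan_ip"*) found=$((found + 1)) ;;
        esac
    done
    [ "$found" -ge 2 ]
}

case "${1:-}" in
    print)  dns_force_rules "$LAN_IF" "$LAN_NET" "$LAN_IP" ;;   # paste the output into Administration -> Commands -> Firewall
    apply)  dns_force_rules "$LAN_IF" "$LAN_NET" "$LAN_IP" | sh ;;
    verify) iptables -t nat -S PREROUTING | dns_force_verify "$LAN_IP" && echo "DNS redirect rules present" ;;
esac
```

Run it as `sh force-dns.sh print` and paste the four lines into the Firewall box (or `apply` to load them immediately); after a reboot, `sh force-dns.sh verify` reads the live nat table and confirms both DNATs survived. The router's own upstream queries to OpenDNS leave via the WAN interface, so neither rule touches them.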
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1546
Location: Zwolle

PostPosted: Tue Jul 23, 2013 13:55    Post subject:
I have solved it this way:

Static DNS 1: 192.168.2.1
Static DNS 2: 127.0.0.2
Static DNS 3: 127.0.0.3

Firewall script:
Code:
# Asiablock Rules
# iptables -I INPUT 2 -i vlan2 -p tcp -j asia
# iptables -I FORWARD 1 -i vlan2 -p tcp --dport 20:1024 -j asia
# Asiablock Rules - END

iptables -I INPUT 2 -i vlan2 -p tcp -j world
iptables -I FORWARD 1 -i vlan2 -p tcp --dport 20:1024 -j world

# iptables -I INPUT 2 -i vlan2 -p tcp -j birma
# iptables -I FORWARD 1 -i vlan2 -p tcp --dport 20:1024 -j birma

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

DNSMasq: Enable
Local DNS: Enable
No DNS Rebind: Enable

DNSMasq config:
Code:
bogus-priv
no-resolv
server=192.168.2.1#40
domain-needed
local=/lan/
expand-hosts
dhcp-option=43,01:04:00:00:00:02
user=root
dhcp-boot=pxelinux.0,dd-wrt,192.168.2.1
addn-hosts=/opt/etc/pixelserv/blacks6
addn-hosts=/opt/etc/pixelserv/blacks

Of course, I have dnscrypt-proxy running on port 40, you may have an OpenDNS IP instead.

_________________
2 times RT-AC56U running 33772 with entware-ng, Yamon 3 (SFE disabled).

Asus RT-N16 running Merlin LTS fork RT-N16_3.0.0.4_374.43_2-25E8j9527.trx with entware-ng.

2 times Asus RT-N16 running dd-wrt.v24-33772_NEWD-2_K3.x_big.bin with entware-ng

E4200 V1 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin (bridged with LAN cable)

BlueToast
DD-WRT Novice


Joined: 01 Jun 2010
Posts: 9
Location: Missouri, US

PostPosted: Tue Jul 30, 2013 1:50    Post subject:
So what exactly would I have to modify in the configs you provided me, and could you explain those items you say I would need to change to fit my scenario and why? (So that I may understand what I and the functions are doing.)
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1546
Location: Zwolle

PostPosted: Wed Jul 31, 2013 10:54    Post subject:
Well, the static DNS are there to inform your connected devices that they have to call the DNS server of the router, otherwise call an invalid DNS server. Then the beginning of the firewall script is specific to OTRW2, the last lines matter for you. For the DNSMasq options see the DNSMasq manual.

wifiphantom
DD-WRT Novice


Joined: 20 Jun 2011
Posts: 25

PostPosted: Tue Aug 06, 2013 9:42    Post subject:
I have found that if you go into Access Restrictions and block DNS, it won't allow anyone to use DNS on the computer except for what the router provides. Be sure to use DNSMasq for DNS under Setup.

I did this in an older version of DD-WRT though.
BlueToast
DD-WRT Novice


Joined: 01 Jun 2010
Posts: 9
Location: Missouri, US

PostPosted: Wed Oct 16, 2013 1:53    Post subject:
Quote:
the last lines matter for you
This?
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


Quote:
I have dnscrypt-proxy running on port 40, you may have an OpenDNS IP instead.
I'm confused, do I just use the following and I'll be okay?
Code:
bogus-priv
no-resolv
server=192.168.2.1#40
domain-needed
local=/lan/
expand-hosts
dhcp-option=43,01:04:00:00:00:02
user=root
dhcp-boot=pxelinux.0,dd-wrt,192.168.2.1
addn-hosts=/opt/etc/pixelserv/blacks6
addn-hosts=/opt/etc/pixelserv/blacks


Or do you mean I should examine each option in your DNSMasq config?
Quote:
For the DNSMasq options see the DNSMasq manual.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1546
Location: Zwolle

PostPosted: Wed Oct 16, 2013 15:05    Post subject:
BlueToast wrote:
Quote:
the last lines matter for you
This?
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

Yes, these lines.
BlueToast wrote:
Quote:
I have dnscrypt-proxy running on port 40, you may have an OpenDNS IP instead.
I'm confused, do I just use the following and I'll be okay?
Code:
bogus-priv
no-resolv
server=192.168.2.1#40
domain-needed
local=/lan/
expand-hosts
dhcp-option=43,01:04:00:00:00:02
user=root
dhcp-boot=pxelinux.0,dd-wrt,192.168.2.1
addn-hosts=/opt/etc/pixelserv/blacks6
addn-hosts=/opt/etc/pixelserv/blacks


Or do you mean I should examine each option in your DNSMasq config?
Quote:
For the DNSMasq options see the DNSMasq manual.

Again, you may use another server than 192.168.2.1#40, namely 208.67.222.222 or 208.67.220.220 or more than one server.

The pixelserv lines are meaningful only if you run pixelserv (part of OTRW2).

dhcp-boot instructs DNSMasq to do TFTP boot, provided there is a TFTP server active at that IP (if it is the router's IP, you have to run the TFTP server on your router).

dhcp-option is there to disable NetBIOS.

local=/thenameofyourlocaldomain/ instructs DNSMasq to use a local domain.

bogus-priv, no-resolv and domain-needed enhance security.

user=root is just in case that DNSMasq refuses to start.


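As an added example (not slobodan's config and not from the thread), here is the same idea adapted to the OP's setup, where there is no dnscrypt-proxy and the router must forward only to OpenDNS: a small script that generates the Additional DNSMasq Options, plus a checker that flags the two ways the "only OpenDNS" goal silently leaks, a server= line pointing somewhere else, or a missing no-resolv (without it dnsmasq also reads the resolver file DD-WRT builds from the WAN settings). The upstream addresses and router IP are the OP's; the pixelserv addn-hosts and conf-file lines from EDIT2 are kept as they are and not regenerated here.

```shell
#!/bin/sh
# Added example, not from the thread: generate the DNSMasq "Additional Options"
# for a router that must resolve only through OpenDNS, and check an existing
# options text for the two common leaks. Values are the OP's (placeholders).

# $1 = router LAN IP handed to clients via DHCP; remaining args = upstream servers
dnsmasq_opts() {
    lan_ip="$1"; shift
    echo "no-resolv"                 # never read the resolver file DD-WRT builds from the WAN settings
    for s in "$@"; do
        echo "server=$s"             # explicit upstreams only (a #port suffix is allowed, as in server=ip#40)
    done
    echo "strict-order"              # query the upstreams in the order listed
    echo "bogus-priv"                # answer reverse lookups for private ranges locally, never upstream
    echo "domain-needed"             # never forward single-label names upstream
    echo "dhcp-option=6,$lan_ip"     # DHCP option 6: clients get the router as their only DNS server
}

# Read dnsmasq options text on stdin; $@ = allowed upstream IPs.
# Returns 0 only if no-resolv is present and every server= line points at an allowed IP.
dnsmasq_opts_check() {
    allow=" $* "; noresolv=0; bad=0
    while read -r line; do
        case "$line" in
            no-resolv) noresolv=1 ;;
            server=*)
                ip=${line#server=}      # e.g. "208.67.222.123#53" or "/lan/192.168.2.1"
                ip=${ip%%#*}            # drop any #port
                ip=${ip##*/}            # drop any /domain/ prefix
                [ -n "$ip" ] || continue   # server=/domain/ with no IP means "never forward"; safe
                case "$allow" in
                    *" $ip "*) ;;
                    *) echo "upstream not allowed: $line" >&2; bad=1 ;;
                esac ;;
        esac
    done
    [ "$noresolv" -eq 1 ] || echo "no-resolv missing: WAN resolvers would also be used" >&2
    [ "$noresolv" -eq 1 ] && [ "$bad" -eq 0 ]
}

case "${1:-}" in
    print) dnsmasq_opts 192.168.2.1 208.67.222.123 208.67.220.123 ;;
    check) shift; dnsmasq_opts_check "$@" ;;   # e.g. sh this.sh check 208.67.222.123 208.67.220.123 < /tmp/dnsmasq.conf
esac
```

`sh this.sh print` gives the lines to paste under Additional DNSMasq Options; `sh this.sh check 208.67.222.123 208.67.220.123 < /tmp/dnsmasq.conf` audits the config DD-WRT actually generated. Run against slobodan's options with an OpenDNS allowlist the checker fails on `server=192.168.2.1#40`, which is exactly the line he says to swap for an OpenDNS address.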
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Thu Oct 17, 2013 10:47    Post subject:
One important piece of info that is seemingly left out here, or I just simply didn't see it, is that it looks like the unit you are setting up to configure in this manner is some kind of repeater or client bridge?
_________________
Wireless N Config | Linking Routers | DD-WRT Wiki | DD-WRT Builds | Peacock - Broadcom FAQ

Having problems with port forwarding? Check out Port Forward Troubleshooting for more info.
All times are GMT