Using OpenDNS or my ISP's DNS servers selectively

DD-WRT Forum Index -> Broadcom SoC based Hardware
chjohans
DD-WRT User


Joined: 27 Mar 2008
Posts: 196

PostPosted: Sat May 03, 2008 17:53    Post subject: Using OpenDNS or my ISP's DNS servers selectively
Right now my DNS setup is set up so all my clients get their DNS server from my router (running dd-wrt v24RC7), which is giving them its own address as the only DNS server. My router is using the default DNS servers it gets from my ISP.

I would like to block access to certain web sites and I've found that OpenDNS does exactly what I want. I've set up an account there and configured everything as I want it. It works fine when I manually set one of my PCs to use their DNS server.

I would like to achieve the following in dd-wrt:

1) Block access to DNS so clients on my network can't set their own DNS servers but are forced to use OpenDNS.
- I found how to intercept and forward DNS queries to the OpenDNS servers in the wiki: http://www.dd-wrt.com/wiki/index.php/OpenDNS#Intercept_DNS_Port

2) I would like dd-wrt to use either my ISP's DNS server or OpenDNS based on which client I am on. I realize that for this to work, if there is a solution to this, I might have to revise the strategy above for intercepting and forwarding DNS queries to OpenDNS.

Does anyone have a clever idea regarding how to do this? I would like it as flexible as possible so it's easy to decide which client PC gets to use which DNS service. And it must be "fuelproof" (no way to get around), or as "fuelproof" as possible. I am currently assigning IPs by DHCP on the dd-wrt but all my IPs are "static" so I know which client has which IP. Please help!
chjohans
DD-WRT User


Joined: 27 Mar 2008
Posts: 196

PostPosted: Tue May 06, 2008 17:05    Post subject:
Please jump in if you know a solution to this. If this is not possible at all then I'll have to use two routers, but I would rather have a setup where selected clients can use a selected set of DNS servers (e.g. OpenDNS "filtered" DNS servers or my ISP's "unfiltered" DNS servers).

Please help if you can :)
Knasher
DD-WRT User


Joined: 07 Nov 2007
Posts: 449

PostPosted: Tue May 06, 2008 17:49    Post subject:
This sounds pretty reasonable. What you need to do is set up a second instance of dnsmasq, with no DHCP server functionality and listening on a different port.

Firstly allow the ISP DNS server to be the main one in the router as you would normally configure it. Then adding
Code:
# second dnsmasq: no resolv.conf (-R), LAN interface only (-i br0), own port (-p), forward to the OpenDNS server given with -S
dnsmasq -S x.x.x.x -R -i br0 -p 1054
should start a DNS server listening on port 1054 and forwarding to x.x.x.x (put in the OpenDNS server here).

Then you just need to change the firewall to
Code:

# selected clients: redirect any port-53 query to the second dnsmasq instance (filtered, OpenDNS)
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054

Code:

# everyone else: redirect to the router's own dnsmasq on port 53 (unfiltered, ISP resolvers)
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


You can add the source switch to either the first block or the second, depending on whichever is easier to enumerate. However, just remember that you need to run the one which doesn't get any source rules last so that it catches anything which isn't caught by an earlier rule. If I were you I would get the MAC addresses of the machines that you want to let through rather than the IP addresses, as MAC addresses are slightly harder to change than IP addresses. Plus you can leave everything on DHCP.

As with regards to how foolproof (and it's foolproof, not fuelproof) this whole thing is, you need to remember that the whole thing is based off DNS. Anyone with a reasonable amount of tech savvy could figure a way past something which depends on DNS. It might be that you'll get away with it but I'd keep an eye on it just in case people figure out what you have done.
chjohans
DD-WRT User


Joined: 27 Mar 2008
Posts: 196

PostPosted: Wed May 07, 2008 2:03    Post subject:
Brilliant! Thanks a million, sweet and simple approach, this is exactly what I was looking for :)

This is what I did:

Added this to Administration -> Commands -> Startup:
Code:

# second dnsmasq instance on port 1054, forwarding to OpenDNS (208.67.222.222), LAN side only
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054


Added this to Administration -> Commands -> Firewall:
Code:

# 192.168.3.150-199 (four CIDR blocks, UDP and TCP): redirect port 53 to the filtered dnsmasq on :1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.3.150/31 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.3.152/29 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.3.160/27 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.3.192/29 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.3.150/31 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.3.152/29 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.3.160/27 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.3.192/29 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054


This makes sure that DNS queries from any client within the ip-range 192.168.3.150-199 will be forwarded to OpenDNS, regardless of which DNS server(s) the client is configured to use.

I have also set up an account with OpenDNS and configured it to filter unwanted categories. I have also set up DDNS on my dd-wrt to update OpenDNS with my public IP address using their "DNS-O-Matic" service. That service updates my DDNS accounts as well. Keeping OpenDNS updated with my public IP at all times is necessary so it can apply my filters when doing DNS queries. This is working great!

All other clients (outside the IP range above) will use the DNS server assigned to dd-wrt by my ISP, or whatever DNS server(s) are configured locally.

Although it would be much more foolproof, I could not use "--mac-source" and filter by MAC address since some of the clients are connected to a switch and dd-wrt would just pick up the MAC address of the switch.

I am well aware of the limitations of this approach. It's not really "secure" but then again I'm not protecting government secrets here. I am just implementing a simple way to block certain categories of websites from minors who should not be able to browse adult sites and other unwanted content, at least not when under my supervision.

And, should they be able to bypass this then I guess they deserve to be able to browse whatever they get access to :)
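The two posts above (Knasher's generic recipe and chjohans's concrete rule set) both hinge on the same two details: the per-source DNAT rules must come before the catch-all, and the CIDR blocks must cover exactly the clients you mean. The script below is an added example, not code from the thread or from DD-WRT; it generates the rules from a list of source CIDRs (printing them rather than applying them, so it can be checked off the router), emits the catch-all last as Knasher describes, and includes a small CIDR-match function that answers, for any client address, which resolver the rule order would send it to. `LAN_IP` stands in for `$(nvram get lan_ipaddr)`, `br0`, port 1054 and the four CIDR blocks are taken from the thread, and the default `192.168.3.1` is an assumed router address.

```shell
#!/bin/sh
# Added example (not from the thread): build the split-DNS DNAT rules and
# check which resolver a given client address would be redirected to.

LAN_IP="${LAN_IP:-192.168.3.1}"   # stands in for $(nvram get lan_ipaddr); assumed value
FILTER_PORT=1054                  # second dnsmasq instance (forwards to OpenDNS)
LAN_IF=br0

# The four blocks chjohans used: 192.168.3.150-199
FILTERED_CLIENTS="192.168.3.150/31 192.168.3.152/29 192.168.3.160/27 192.168.3.192/29"

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# in_cidr IP NET/BITS -> exit status 0 when IP lies inside NET/BITS
in_cidr() {
    _ip=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# filtered_rules PORT CIDR... -> one DNAT rule per CIDR and protocol,
# sending port-53 traffic from those sources to the filtered dnsmasq
filtered_rules() {
    _port=$1; shift
    for _src in "$@"; do
        for _proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -p $_proto -i $LAN_IF -s $_src --dport 53 -j DNAT --to $LAN_IP:$_port"
        done
    done
}

# catchall_rules -> must be appended AFTER filtered_rules so that every other
# client is forced to the router's own dnsmasq (ISP resolvers) on port 53
catchall_rules() {
    for _proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -p $_proto -i $LAN_IF --dport 53 -j DNAT --to $LAN_IP"
    done
}

# which_resolver IP CIDR... -> "filtered" if any CIDR matches (first match wins,
# mirroring iptables rule order), otherwise "unfiltered"
which_resolver() {
    _client=$1; shift
    for _cidr in "$@"; do
        if in_cidr "$_client" "$_cidr"; then
            echo filtered
            return 0
        fi
    done
    echo unfiltered
}

# Print the complete rule set in the order it must be applied.
filtered_rules "$FILTER_PORT" $FILTERED_CLIENTS
catchall_rules
```

On the router the printed lines would be piped to `sh` from the Firewall script; off the router, `which_resolver 192.168.3.149 $FILTERED_CLIENTS` is a quick way to confirm that an address just outside the intended range really falls through to the catch-all. To confirm the second dnsmasq instance is answering, a client with `dig` installed (an assumption, not something the thread mentions) can query it directly with `dig @192.168.3.1 -p 1054 example.com`.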