1 Router, 2 Networks w/ Separate DNS Servers

Manicjonah

Occasional Visitor
Is it possible to configure a home router with two different sets of DNS servers?

I'd like to set up a "kids" network that uses OpenDNS servers and another network that uses generic public DNS servers, but I don't know how to do it.

I have an ASUS RT-AC68U with stock firmware. I'm not opposed to loading DD-WRT on it (though I prefer the look/feel of the stock firmware) but in either case I don't know how to create a second network expressly for the purpose of configuring different DNS servers. My router can be configured to use another WAN but only in "standby" mode. I need two active WAN connections.

I'd prefer not to add another router to the network to accomplish what I want to do and am not really strong in networking so I figured I could learn a little something here. Is it possible to do what I want to do? How?

Thanks,

MJ
 
....You really do *need/want* two separate networks?
IMHO the DNS-feature is hiding behind the parental control settings..at least Merlin FW has it.
 
I'd just use the appropriate DNS for the kids on the router itself and then set static DNS on the adult devices. Or do it the other way around and set static DNS on the kid's devices and use the router's DNS for the adult devices.
 
If you are going to run 2 WAN ports, I would not have one in standby mode. You are paying for 2 ISP connections use them both. Set your router up for load balancing and use both connections you are paying for.

To make using 2 different sets of DNS server work you will need to secure the adult machines so the kids cannot use them.
 
Ahhh..right...OP was referring to two WAN connections, not WLANs :oops:

IMHO using two WANs and separate DNS does not take you anywhere in forcing the kids into a specific gateway.
You must ensure that the kids' clients get the correct gateway IP to separate traffic on the WAN side (and that the client configs stick...kids are getting smarter).

I've been using my AC68U with Dual-WAN load balancing for a while..not a very sophisticated solution...I run this with pfsense now -> http://www.pcengines.ch/apu.htm
 
Thanks everyone for the replies. Ford Prefect, I may look further into pfsense. This is the second time I've come across that name in the last several days.

Anyway, we have some shared devices in the house and I worry that the kids will find the network settings and change the DNS servers themselves. If I can configure the gateway to do all of the heavy lifting that concern is alleviated.

I probably shouldn't have mentioned the two WAN ports. I'm aware that they are active/standby and have no intention of paying for another ISP's service. I don't need two networks per se, but I do need two sets of DNS servers which, without DD-WRT or an Enterprise class router, will require that I run two routers. I had hoped that (like pfsense and Merlin firmware) I might find out that there was a way for me to use the dual WAN connection on my router in Active/Active mode. I thought I might be able to put a switch between the modem and my router and present the same WAN connection to the router twice - which, in my mind, would allow me to configure two different networks and configure two different sets of DNS servers as a result.

I like the look/feel of the Asus firmware, but the folks over at DD-WRT confirmed that I could use dnsmasq to do what I need, so I may be putting DD-WRT back on my router. Unless you guys have any other ideas.

Thanks,

MJ
 
AsusWRT-merlin runs dnsmasq as well.
 
I don’t think DD-WRT or an enterprise router is going to help. You cannot run 2 DHCP servers in the same broadcast domain. You will need to manually manage one set of DNS servers by assigning them yourself.
 
> I don't think DD-WRT or an enterprise router is going to help. You cannot run 2 DHCP servers in the same broadcast domain. You will need to manually manage one set of DNS servers by assigning them yourself.

That may be true, but dnsmasq has many options. For example:
-6 --dhcp-script=<path>
Whenever a new DHCP lease is created, or an old one destroyed, or a TFTP file transfer completes, the executable specified by this option is run. <path> must be an absolute pathname, no PATH search occurs. The arguments to the process are "add", "old" or "del", the MAC address of the host (or DUID for IPv6) , the IP address, and the hostname, if known. "add" means a lease has been created, "del" means it has been destroyed, "old" is a notification of an existing lease when dnsmasq starts or a change to MAC address or hostname of an existing lease (also, lease length or expiry and client-id, if leasefile-ro is set). If the MAC address is from a network type other than ethernet, it will have the network type prepended, eg "06-01:23:45:67:89:ab" for token ring. The process is run as root (assuming that dnsmasq was originally run as root) even if dnsmasq is configured to change UID to an unprivileged user.
(I truncated this section. Please visit the link below for the full manpage/help-file.)

or

-j, --dhcp-userclass=set:<tag>,<user-class>
Map from a user-class string to a tag (with substring matching, like vendor classes). Most DHCP clients provide a "user class" which is configurable. This option maps user classes to tags, so that DHCP options may be selectively delivered to different classes of hosts. It is possible, for instance to use this to set a different printer server for hosts in the class "accounts" than for hosts in the class "engineering".

For more information, check out http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
 
It does not matter about the options, DHCP traffic is non-directed traffic. Options will not help. It is first come first serve with non-directed traffic.

If you are talking about passing info from the client then you are back to it can be spoofed just like a MAC address.
 
> It does not matter about the options, DHCP traffic is non-directed traffic. Options will not help. It is first come first serve with non-directed traffic.
>
> If you are talking about passing info from the client then you are back to it can be spoofed just like a MAC address.

He wants all kids to get DNS-A and everyone else to get DNS-B. The two options I mentioned are capable of achieving that.

Depending on the sophistication level of the kids, there is no way to stop them from doing as they please. Until the above methods prove insufficient, I see no reason to preemptively abandon them.

Hopefully there's a simpler method of achieving his goals though. :)
 
How do you plan to setup to distinguish between DNS-A and DNS-B? By MAC?

I guess it is a way to not have to manually configure the extra set of DNS servers.
 
The way I'd do it is to differentiate by MAC or by VLAN.

Honestly, anything more sophisticated than that is a waste IMHO. If the kids are savvy enough to bypass the DNS settings I am forcing on them, then they are just going to set a static DNS on their machine and be done with it, and I am not going to the level of routing rules and such to attempt DNS redirects for their machines.

Within reason, I look at DNS protection for my kids, which I'll probably start doing soon, as being more about keeping them from stumbling across crap I don't think they are ready for. I don't relish the idea of my kids when they are, say, 14 looking at porn or something, but crap, it'll probably happen whether I want to try to stop them or not. I certainly don't want them when they are, say, 10 years old accidentally stumbling across that kind of stuff. Same thing with file sharing sites, etc. Once they get old enough, mandatory VPN (which I'll explain is for all of our protection, please don't try to bypass) and relying on their discretion and judgement is the best I can hope for.

Until they are adults (i.e. home from college visiting/summers), though, they'll probably have time-based ACLs no matter what (i.e. not letting them have wifi connectivity at 1am). That is somewhat harder to get around.

My parents didn't do any of that and I managed to turn out more or less okay, so I figure only a bit more stringent controls on them and they should be fine too.
 
> Anyway, we have some shared devices in the house and I worry that the kids will find the network settings and change the DNS servers themselves. If I can configure the gateway to do all of the heavy lifting that concern is alleviated.

As said, the parental control feature of the ASUS should do that...IMHO it will block DNS queries to external DNS servers and you can set a kids friendly DNS (like yandex family) for the kids devices.
However, it is based on client MAC...so a shared device will always be treated like it were belonging to a kid.
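The two mechanisms discussed above, tag-based DHCP in dnsmasq (the post quoting --dhcp-script and --dhcp-userclass) and the parental-control idea of blocking or redirecting DNS queries to outside servers, combined in one added example. This is not code from the thread, from ASUS or from Merlin; it is a POSIX shell script written in the style of an AsusWRT-Merlin user script. The MAC addresses and LAN numbering are made up, the OpenDNS FamilyShield addresses are assumed from OpenDNS's published documentation (verify them before use), and the /jffs paths are Merlin's user-script locations as assumed here.

```shell
#!/bin/sh
# Added example, not from the thread: per-client DNS on a dnsmasq router
# (AsusWRT-Merlin style). Kids' devices, identified by MAC, are tagged 'kids',
# receive a filtering resolver via DHCP option 6, and have any port-53 traffic
# they send redirected to that resolver anyway. Everyone else gets the router.
# MACs and LAN addresses are made up; FamilyShield IPs are assumed from OpenDNS docs.

LAN_IF="br0"
ROUTER_IP="192.168.1.1"
FAMILY_DNS1="208.67.222.123"   # OpenDNS FamilyShield (assumed, verify)
FAMILY_DNS2="208.67.220.123"

# One "mac ip" pair per kid device (constructed sample data). Fixed leases keep
# the firewall rules below pointing at the right hosts.
KIDS_HOSTS="
aa:bb:cc:dd:ee:01 192.168.1.150
aa:bb:cc:dd:ee:02 192.168.1.151
"

# Emit dnsmasq directives: tag the listed MACs, give tagged clients option 6 =
# FamilyShield, give untagged clients the router (dnsmasq forwards upstream).
dnsmasq_fragment() {
    printf '%s\n' "$KIDS_HOSTS" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        echo "dhcp-host=$mac,set:kids,$ip"
    done
    echo "dhcp-option=tag:kids,option:dns-server,$FAMILY_DNS1,$FAMILY_DNS2"
    echo "dhcp-option=tag:!kids,option:dns-server,$ROUTER_IP"
}

# Emit (or run) NAT rules that send UDP/TCP 53 from each kid IP to FamilyShield,
# so a manually changed DNS setting on the device is ignored. $1 is the iptables
# command to use; pass "echo" for a dry run.
dns_redirect_rules() {
    ipt="${1:-iptables}"
    printf '%s\n' "$KIDS_HOSTS" | while read -r mac ip; do
        [ -n "$ip" ] || continue
        for proto in udp tcp; do
            "$ipt" -t nat -A PREROUTING -i "$LAN_IF" -s "$ip" -p "$proto" --dport 53 \
                -j DNAT --to-destination "$FAMILY_DNS1:53"
        done
    done
}

case "${1:-}" in
    --apply)
        # Merlin appends /jffs/configs/dnsmasq.conf.add to dnsmasq.conf; the NAT
        # rules belong in /jffs/scripts/firewall-start (paths assumed).
        dnsmasq_fragment >> /jffs/configs/dnsmasq.conf.add
        dns_redirect_rules iptables
        ;;
    *)
        # Dry run: print the dnsmasq fragment and the iptables commands.
        dnsmasq_fragment
        dns_redirect_rules echo
        ;;
esac
```

Run it with no arguments to see the generated dnsmasq lines and iptables commands; run it with --apply on the router to write them. The DNAT rules cover the case the original poster worried about (a kid changing the DNS server on a shared device): plain port-53 traffic from those IPs goes to FamilyShield regardless of what the client asked for. They do not cover a client that changes its MAC or IP, uses DNS over HTTPS or TLS, or tunnels through a VPN; those need separate controls, and a shared device that is tagged by MAC is always treated as a kid's device, exactly as noted above.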
 
> As said, the parental control feature of the ASUS should do that...IMHO it will block DNS queries to external DNS servers and you can set a kids friendly DNS (like yandex family) for the kids devices.
> However, it is based on client MAC...so a shared device will always be treated like it were belonging to a kid.

Ford Prefect - are you referring to the stock Asus firmware? I enabled parental controls last night and found that the only control I had was in setting time limits. What am I missing?

Thanks,

MJ
 
So I went ahead and installed the Merlin firmware on my RT-AC68U. I love it. Thanks for mentioning it. Not only did it solve my DNS issues (I no longer need the VPN client on several devices), it introduces a few features that I like while maintaining the overall look and feel of the stock Asus firmware. I'm happy with the firmware and happy not to have to flash DD-WRT onto the router, though I don't think the process is as involved on the Asus products as it was on my Cisco E3000. Overall I'm very happy and happy to have found Small Net Builder. Thanks everyone.
 
...glad that it worked for you. Merlin has its own sub-forum here, but you probably know that already by now :)
 