Can't use OpenDNS and google forcesafesearch simultaneously

[cubagoodingrobot]

I can't seem to get the two of them to work simultanously. I've gone through the post here:

http://www.snbforums.com/threads/force-google-safesearch.22738/

I created dnsmasq.conf.add and hosts.add files to forcesafesearch as described. On it's own it works fine: when I nslookup google, it points to 216.239.38.120, and the log files show that the .add files are being appended.

When I try to point to OpenDNS, either via the DNSFiltering control or the LAN>DHCP>DNS Server settings, that's when I lose the forcesafesearch. I've tried setting DNSFiltering to OpenDNS Home and leaving DNS Server settings blank, I've also tried leaving DNSFiltering off and setting DNS servers to the OpenDNS server IPs, I've also tried setting DNSFiltering to Router and setting DNS servers to OpenDNS server IPs. In all of these cases, OpenDNS works, but I lose the forcesafesearch, and nslookup shows a long list of google IPs. It looks like the user snevah admin had the same problem in the above thread and solved it by setting the DNS Servers with the OpenDNS IPs, but like I said, that didn't work for me. Anybody have any advice on how to make this work together?

I thought about making it work like this, but since this is all pretty new to me, I'm not sure if it's a legit solution: What if I set the DNSFiltering to Router, leave the DNS Server settings blank, and then in my dnsmasq.conf.add file, could I set it up so that the cname values for google get read first, then any thing that is not google would get sent to the OpenDNS IPs? would that work?

 

[ColinTaylor]

I've also tried setting DNSFiltering to Router and setting DNS servers to OpenDNS server IPs.

You are setting the DNS server values on the WAN page, not the LAN page?

 

[cubagoodingrobot]

No, the LAN>DHCP server page. I didn't see where to put DNS server values on the WAN page.

... just looked into it a little more. Looks like under WAN connection type if I change it to Static IP, then I can input DNS servers. I'm guessing that's how to do it? I'll try that and come back to report if it works.

On a side note, the solution I had mentioned above ended up working. I changed my dnsmasq.conf.add file to this:

strict-order
cname=www.google.com,forcesafesearch.google.com
cname=www.google.it,forcesafesearch.google.com
server=208.67.222.222
server=208.67.222.220

and everything seemed to be working well. But I'm gonna change that back to just the cname values and do as you said.

 

[cubagoodingrobot]

OK, my bad. I figured it out. It's under WAN, and you keep connection type as automatic, and then where it says connect to DNS server automatically, you have to set that to NO, and then input the IP addresses.... so noob.

Anyway, it looks like everything works now... thanks a lot for the clarification Colin

 

[ColinTaylor]

You're welcome. Glad you got it working.

 

[BionicDave]

Thanks for all the helpful posts on the thread!
I was caught by using DNS filtering for OpenDNS Family as well.

Here are the steps that I useds so all hosts in my network:

• Use OpenDNS FamilyShield IP
• Redirect to Google Safe Search VIP
• (Optional) Use DDNS to update dnsomatic in a double NAT environment to use OpenDNS Home

(I used Asuswrt-Merlin 380.61 on a RT-AC66U)

1. Set up the FamilyShield DNS servers
On the Asuswrt-Merlin Web Interface:

WAN->Internet Connection tab,

Connect to DNS Server automatically -> "No"
DNS Server1 ->"208.67.222.123"
DNS Server2 ->"208.67.220.123"​

and click "Apply"
LAN-> DNS Filtering

Enable DNS-based Filtering -> "ON"
Global Filter Mode->"Router"​

and click "Apply"​

2. Set up redirect for google to safesearch

*Note: If you are in the US and use google applications like calendar, this method may BREAK your google apps.​

On the Asuswrt-Merlin Web Interface:

Administration->System

Enable JFFS custom scripts and configs -> "Yes"​

and click "Apply"​

Log into your router via SSH, (go to the root user directory to use as a working directory

cd /tmp/home/root​

Get the up-to-date list of domains google uses

wget -O - http://www.google.com/supported_domains | awk -v vip=`nslookup forcesafesearch.google.com 127.0.0.1 | awk '{print $3}' | tail -1` '{print "address=/www"$0"/"vip}' > dnsmasq.conf.add
​

Some domains google uses have ".co.<country>" or ".com.<country>"
but for some reason google does not include them in their list so we will create those entries and add them

egrep ".co\.|.com" dnsmasq.conf.add | sed -e 's/co\.//' -e 's/com\.//' >> dnsmasq.conf.add​

Now move the completed dnsmasq.conf.add into the /jffs/configs folder

mv dnsmasq.conf.add /jffs/configs/dnsmasq.conf.add​

Restart the DNSMasq service so it reads in the additional hosts.

service restart_dnsmasq​

Test:
www.internetbadguys.com should be blocked by OpenDNS
images.google.com ->Safesearch should be on and you should not be able to turn it off
3. OPTIONAL:
I used the following to set up DDNS updating for dnsomatic.com so I can use OpenDNS Home
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-DDNS#double-nat---external-ip-example

Cheers

 

[spocko]

I had similar problems. Unfortunately I didn't find this thread until I had spent a lot of time tinkering and figuring it out myself. Surprisingly, setting up OpenDNS and dnsmasq is more complicated in Merlin than in Tomato.

The main problem that I encountered is that if you enable DNS filtering in the Parental Controls section, then it seems to prevent dnsmasq from working. I don't know if this is expected or not.

The post above from BionicDave is a good reference, with Step 1 being the critical piece for me. In the parental controls section, you need to either disable DNS filtering, or enable it and set it to Router. Do NOT set it to OpenDNS!

In Lan->DHCP server, I also set DNS Server 1 to the routers IP address. I don't know if this is necessary, but it is mentioned in this wiki page:
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-domains-with-dnsmasq

Here's the wiki page which talks about forcing safesearch:
https://github.com/RMerl/asuswrt-merlin/wiki/Enforce-Safesearch

It would be great if someone would update these wiki pages to describe the interaction between the DNS filtering settings and dnsmasq. I'd volunteer, but I'm new to Merlin and I'm not sure how it's intended to work.

For reference, I'm using Merlin 380.62 on a RT-AC66U.

 

[rmduk]

I've had both DSN Filtering and google safe search working for ages, but after trying some different configurations recently, I can't get this working again. It would be very helpful to understand how enabling DNS filtering on the GUI overrides dnsmasq. The config I did have working was as per Bionic Dave's setup above with DNS Filter set to "Router", and the WAN dns pointing to openDNS, and the LAN DNS blank. My understanding was in this configuration it would force all clients on my network to use OpenDNS, and they could not just bypass this by manually editing thier local DNS configuration. In trying to resolve this, I note that no matter what I set the DNS filtering to, the /etc/resolv.conf file (sym link to /rom/etc/resolv.conf) always points to the local host. However there is a /tmp/resolv.conf that appears to be updated with the router WAN DNS settings pointing to openDNS.

So is anyone able to provide any insight into what is going on here and how DNS Filtering settings in the GUI operate in respect of dnsmasq as they appear to be mutually exclusive.

Im running 380.70 on an RT-AC66U.

 

[dave14305]

I've had both DSN Filtering and google safe search working for ages, but after trying some different configurations recently, I can't get this working again. It would be very helpful to understand how enabling DNS filtering on the GUI overrides dnsmasq. The config I did have working was as per Bionic Dave's setup above with DNS Filter set to "Router", and the WAN dns pointing to openDNS, and the LAN DNS blank. My understanding was in this configuration it would force all clients on my network to use OpenDNS, and they could not just bypass this by manually editing thier local DNS configuration. In trying to resolve this, I note that no matter what I set the DNS filtering to, the /etc/resolv.conf file (sym link to /rom/etc/resolv.conf) always points to the local host. However there is a /tmp/resolv.conf that appears to be updated with the router WAN DNS settings pointing to openDNS.

So is anyone able to provide any insight into what is going on here and how DNS Filtering settings in the GUI operate in respect of dnsmasq as they appear to be mutually exclusive.

Im running 380.70 on an RT-AC66U.

It sounds like it’s setup correctly. How do you know it’s not working? Setup a test from a client to nslookup and post the full results that aren’t what you expect.

This is also a good time to suggest you upgrade to John’s fork for your AC66U. There’s a new release imminent, and even the previous release is much newer than 380.70.