DNS redirect for specific hosts on LAN - RT-AC68U - Asuswrt-Merlin

[AFN]

Hi all,

I recently installed an Asus RTAC68U router which is loaded with the latest version of Merlin (378.51).

I’m kind new to some of this but this is what I want to achieve:

I have a device (static, 192.168.1.100) that I want to redirect DNS for.
Example, the device has fixed DNS addresses of 8.8.8.8 and 8.8.4.4 but I don’t want it to talk to those servers, but rather for example 12.34.56.78 instead. The rest of the network via the RTAC68U is configured to reach 8.8.8.8 and 8.8.4.4 and all other clients besides 192.168.1.100 need the .8.8 and .4.4 as their DNS.

How can I tell the RTAC68U to redirect DNS requests from the single device at 192.168.1.100 to 12.34.56.78? I need to make sure it cannot reach 8.8.8.8 and 8.8.4.4 for DNS, only 12.34.56.78.

I understand I need to make use of DNSmasq. Am I correct? Can anyone suggest how I can get this working?

 

[mstombs]

You can divert normal DNS lookups using iptables rules, see for example

http://www.dd-wrt.com/wiki/index.php/OpenDNS#Intercept_DNS_Port

Tomato has a web gui checkbox to divert all to the router dnsmasq, achieved by a similar iptables rule.

Note this won't work for newer secure lookups (Google chrome?), and likely incompatible with other dns filtering.

 

[Martineau]

Hi all,

I recently installed an Asus RTAC68U router which is loaded with the latest version of Merlin (378.51).

I’m kind new to some of this but this is what I want to achieve:

I have a device (static, 192.168.1.100) that I want to redirect DNS for.
Example, the device has fixed DNS addresses of 8.8.8.8 and 8.8.4.4 but I don’t want it to talk to those servers, but rather for example 12.34.56.78 instead. The rest of the network via the RTAC68U is configured to reach 8.8.8.8 and 8.8.4.4 and all other clients besides 192.168.1.100 need the .8.8 and .4.4 as their DNS.

How can I tell the RTAC68U to redirect DNS requests from the single device at 192.168.1.100 to 12.34.56.78? I need to make sure it cannot reach 8.8.8.8 and 8.8.4.4 for DNS, only 12.34.56.78.

I understand I need to make use of DNSmasq. Am I correct? Can anyone suggest how I can get this working?

You can manually add entries to DNSMasq using a custom /jffs/configs/dnsmasq.conf.add for the MAC of the target device:

dhcp-host=xx:xx:xx:xx:xx:xx,set:mydns
dhcp-option=tag:mydns,option:dns-server,12.34.56.78

or from the Router GUI, look under Parental Controls for the DNS filter option and define your custom DNS there.

 

[AFN]

You can divert normal DNS lookups using iptables rules, see for example

http://www.dd-wrt.com/wiki/index.php/OpenDNS#Intercept_DNS_Port

Tomato has a web gui checkbox to divert all to the router dnsmasq, achieved by a similar iptables rule.

Note this won't work for newer secure lookups (Google chrome?), and likely incompatible with other dns filtering.

Thanks for the replies.

I should have mentioned this will be for Google Chromecast and possibly a Roku 3.

You can manually add entries to DNSMasq using a custom /jffs/configs/dnsmasq.conf.add for the MAC of the target device:

dhcp-host=xx:xx:xx:xx:xx:xx,set:mydns
dhcp-option=tag:mydns,option:dns-server,12.34.56.78

Right so in order to force Google Chromecast/ Roku 3 to use a DNS server of my choice I can ether:

1. Enable JFFS on the ac68u
2. SSH to the router and create dnsmasq.conf.add in the /jffs/configs/ folder
3. Via “vi” add in dhcp-host=<MAC ADDR>,set:mydns and dhcp-option=tag:mydns,option:dns-server,<New DNS ADDR>
4. Save with :wq and reboot router?
5. Restart Google Chromecast/ Roku 3 and test

Does this sound right? My understanding this should append those two lines to dnsmasq.conf. I assume everything will start working fine. Do I need to do anything to get dnsmasq working at all?

Furthermore I assume this will survive reboots and will take effect soon as the router boots?

So the desired effect will be the device specified by <MAC ADDR> will be redirected to <New DNS ADDR> when it requests 8.8.8.8/8.8.4.4. I then should have no need to block 8.8.8.8 / 8.8.4.4 on the router and can continue to have the DNS set for the router itself so other clients can still continue to use google’s DNS via DHCP unaffected.

or from the Router GUI, look under Parental Controls for the DNS filter option and define your custom DNS there.

This would work the same way as above? Any downsides between this and above?

I see i can turn on DNS-based Filtering, set a custom DNS 1, add a client, choose Custom 1 and apply. Looks like that should force my DNS on the device also when it requests 8.8.8.8 / 8.8.4.4. Would I need to block both 8.8.8.8 / 8.8.4.4 to the device in the router firewall? Or would that be it?

 

[ColinTaylor]

If you had searched the forum you would have found that this question (Chromecast/Roku) has been asked and answered many times before. In short, use DNS filter, that's what it was designed for.

 

[martinr]

....... In short, use DNS filter, that's what it was designed for.

I can see one disadvantage, but could there possibly be any security benefit in duplicating the DNS settings by using the DNS filter?

What I mean, by way of illustration, is that in the WAN settings page I have the WAN DNS setting as the address of my Raspberry Pi "ad-blocking" DNS server (192.168.....). So my question is: is there any possible security benefit to also going into the DNS Filtering page and setting the Global Filter Mode to"Router" and then listing each device (except the Pi DNS server) on my home network, selecting "Router" for each in the Filter Mode?

 

[ColinTaylor]

If you set the Global Filter to Router I can't see any point in then setting individual devices to Router also (unless I'm misunderstanding how it works).

 

[martinr]

Yes, Colin, I see, now. So, forget that part then and let me re-phrase it: could there be any possible security benefit in using DNS Filtering to set the Global Filter to Router, which I guess just refers it back to the WAN DNS setting on the WAN Settings page? (There are obvious disdvantages in duplicating settings eg possible unexpected behaviour/conflictions at some later date and hours spent wondering why.)

 

[ColinTaylor]

Well I'm not sure I'd call it a security issue, but by using the DNS Filtering option you are forcing the clients to only use your specified DNS server.

That means it can't be overridden by the client. So kids can't change the DNS setting on their PC to get to naughty sites, or Chromecast boxes can (or cannot) access content from other countries.

If you don't trust the people/devices on your network then this is one way of keeping a tight control of things. That's why it's in the Parental Control section I suppose.

 

[ColinTaylor]

Thinking more about your question... I don't know, but I guess there's some malware/virus stuff out there that hijacks a PCs DNS requests to do bad things. This might be a way of reducing the damage. But in my experience, if you've picked up a virus you've probably got about 20 rather than just 1.

 

[martinr]

Well I'm not sure I'd call it a security issue, but by using the DNS Filtering option you are forcing the clients to only use your specified DNS server.

That means it can't be overridden by the client. So kids can't change the DNS setting ..........

..... .

That was exactly the sort of thing I had in mind but you put it into words so much better than I could have done.

Many thanks

Martin

 

[AFN]

Thanks for the replies. Looks like I can force DNS to my own servers on specific network clients via the DNS filter option in the GUI. Sounds like just the fix for hardcoded DNS in devices.

It’s a tad confusing how the GUI states selecting “No Filtering will disable/bypass the filter…”

Sounds like it won’t observe the client list below but that would not make sense as Colin says.

With this said, I don’t believe I will need to block 8.8.8.8/ 8.8.4.4 TCP/UDP to the device IP on the router firewall. DNS Filter will deal with it and redirect it for me instead.

I will try this out soon.

 

[RMerlin]

It’s a tad confusing how the GUI states selecting “No Filtering will disable/bypass the filter…”

That setting is only valid for individual entries. If you setup a global filter and you want to exclude a specific device from the global filter, then you add the device, and set it to "No Filtering". Sounds fairly straightforward to me - it tells a specific client to bypass the global filter.

 

[AFN]

That setting is only valid for individual entries. If you setup a global filter and you want to exclude a specific device from the global filter, then you add the device, and set it to "No Filtering". Sounds fairly straightforward to me - it tells a specific client to bypass the global filter.

I see. So, If I want all devices to get DNS via DHCP from the router (I have it set manually to 8.8.8.8 / 8.8.4.4) WAN page > “WAN DNS setting”, and I would only want certain devices to have the router force another DNS server as specified on the DNS Filtering page, I would set Global Filter Mode to “Router”.

That way every other device that has not been overridden in the client list (eg Custom 1) on the DNS Filtering page will get DNS via DHCP which is set on the router from WAN page > “WAN DNS setting”.

Is my understanding correct?

 

[martinr]

Correct.

And I just tested it to prove it. My WAN DNS is set to my malicious-domain-blocking DNS server (Raspberry Pi) , my DNS Global Filtering is set Router, and I set Custom 1 on DNS Filtering to 8.8.8.8.
Under normal conditions Facebook is blocked. For this test I listed my iPhone, as the only entry in the clients list on the DNS Filtering page and pointed it to Custom 1 (and hit Apply). I could then get Facebook on that device. Afterwards, I removed the iPhone from the list (cleared the browser cache) and Facebook was blocked again.

 

[ColinTaylor]

That way every other device that has not been overridden in the client list (eg Custom 1) on the DNS Filtering page will get DNS via DHCP which is set on the router from WAN page > “WAN DNS setting”.

That's not 100% true.

If LAN > DHCP Server > DNS Server is left blank then DHCP clients will get the router's IP address as their DNS server (i.e 192.168.1.1), which in turn uses the value set on the WAN page. If that field is not blank then the clients will get that entry as their DNS server.

In the first example clients are able to use the routers DNS server to resolve the names of devices on the LAN. In the second example they are not because the clients have been told to go directly to the external DNS server (similar to DNS Filter although not enforced).

 

[martinr]

That's not 100% true.

If LAN > DHCP Server > DNS Server is left blank then DHCP clients will get the router's IP address as their DNS server (i.e 192.168.1.1), which in turn uses the value set on the WAN page. If that field is not blank then the clients will get that entry as their DNS server.

In the first example clients are able to use the routers DNS server to resolve the names of devices on the LAN. In the second example they are not because the clients have been told to go directly to the external DNS server (similar to DNS Filter although not enforced).

Fascinating, Colin. Such subtleties, I see, could cause a lot of head scratching (and forum posts) if got wrong. So, in your second example - LAN DNS server field NOT blank (and let's say some external address, eg 8.8.8.8) - would clients be unable to communicate with other clients on the same LAN because internal IP addresses can't be resolved or is it just "names" as you wrote eg "Computer 2" ie hostnames? Under which circumstances might someone need/want to put an external DNS Server address in the field LAN > DHCP Server > DNS Server?

 

[ColinTaylor]

In a typical home network - when a client connects to the DHCP server it will also register its name in the router's own DNS server (remember that the router is running dnsmasq which is both a DHCP server and a DNS server). If all the local devices do this then they can talk to each other by referring to their short names, i.e. Freds-PC or Printer3, etc.

Irrespective of whether or not they have registered their names, clients will always be able to communicate with each other by their IP addresses.

So in the second example above. One client could "ping" another by its IP address but not by its name because the DNS server at 8.8.8.8 has no knowledge of the names used on your LAN.

Why use an external DNS server? One use would be as a form of parental control, but as we have seen this relies on the client not overriding the setting on the PC. Another use would be if you were running a separate DNS server on your LAN. "external DNS" doesn't always mean "on the internet" it could just be elsewhere on the LAN. The router's DNS server is pretty basic so some people might want to run something more sophisticated. - But I admit it's pretty unusual in a typical home.

 

[AFN]

That's not 100% true.

If LAN > DHCP Server > DNS Server is left blank then DHCP clients will get the router's IP address as their DNS server (i.e 192.168.1.1), which in turn uses the value set on the WAN page. If that field is not blank then the clients will get that entry as their DNS server.

In the first example clients are able to use the routers DNS server to resolve the names of devices on the LAN. In the second example they are not because the clients have been told to go directly to the external DNS server (similar to DNS Filter although not enforced).

Good information there Colin. Good to know.

Ok - in order to force 1 client to use a certain DNS server (on the internet) regardless of the client’s DNS settings and leave all other devices on the LAN using Google's DNS servers at 8.8.8.8 and 8.8.4.4 we need:



1. Set “WAN” > “WAN DNS Setting” > “DNS Server1” – 8.8.8.8 “DNS Server 2” – 8.8.4.4
Effect: Providing “LAN” > “DHCP Server” > “DNS and WINS Server Setting” > “DNS Server” field is blank, all LAN devices will ask the router for DNS lookup for web addresses and the like, and the router will use Google’s DNS instead of the ISP DNS.

2. Under “LAN” > “DHCP Server” > “DNS and WINS Server Setting” > “DNS Server” – ensure the field is blank so all LAN clients use the defined WAN DNS servers from step 1, in this case 8.8.8.8/8.8.4.4

3. Set “Parental Control” > “DNS Filtering” to “ON”

4. Set Global Filter to “Router” – This will set all LAN devices to use the router’s DNS settings (via DHCP) – as is happening currently as no filters are defined on the “Client List”

5. Define the Custom DNS server one desires in the “Custom (user-defined) DNS 1

6. Add the client(s) to the “Client List” on the same page (DNS Filtering) via Name, MAC address and choose “Custom DNS 1” to force a DNS redirect to a DNS server of choice regardless of client settings.

End result:
All network clients not on the “Parental Control” > “DNS Filtering” > “Client List” will continue to use Google DNS as “Global Filter Mode” is set to “Router” and “WAN” > “WAN DNS Setting” is set to Google’s DNS IP.

Only clients defined on the “Parental Control” > “DNS Filtering” > “Client List” will be forced to the custom DNS server regardless of local client DNS settings.

Do I now have this correct? Will this achieve what I want?



In addition to this, are you saying to set “LAN” > “DHCP Server” > “DNS and WINS Server Setting” > “DNS Server” to the IP of the router E.g. 192.168.1.1 in order for local DNS resolution to work? I.e. as you say, “Freds-PC” etc.

I assume leaving that field blank would have the same effect - e.g use the router (192.168.1.1) for LAN DNS look ups rather than forwarding out to an external (other DNS on LAN or on WAN).
I also assume then it will only use DNS not from the router for local LAN DNS lookups if an IP is defined in the “LAN” > “DHCP Server” > “DNS and WINS Server Setting” > “DNS Server” field. Correct?

Currently I have nothing set for LAN DNS and Google DNS set for WAN. I can still access internal LAN devices by name from the Windows “run” box - \\UpstairsPC1.

 

[ColinTaylor]

Do I now have this correct? Will this achieve what I want?

Yes, you've got it.

In addition to this, are you saying to set “LAN” > “DHCP Server” > “DNS and WINS Server Setting” > “DNS Server” to the IP of the router E.g. 192.168.1.1 in order for local DNS resolution to work? I.e. as you say, “Freds-PC” etc.

I assume leaving that field blank would have the same effect - e.g use the router (192.168.1.1) for LAN DNS look ups rather than forwarding out to an external (other DNS on LAN or on WAN).

Personally I would recommend leaving the LAN DNS server field blank. As you say, leaving it blank has exactly the same effect as putting the router's IP address in there. If you put a hard-coded IP address in there you would have to rememeber to change it if, for some reason, you decide to change to router's IP.

I also assume then it will only use DNS not from the router for local LAN DNS lookups if an IP is defined in the “LAN” > “DHCP Server” > “DNS and WINS Server Setting” > “DNS Server” field. Correct?

Correct.

--------------------

4. Set Global Filter to “Router” – This will set all LAN devices to use the router’s DNS settings (via DHCP) – as is happening currently as no filters are defined on the “Client List”

It's interesting to note the subtle difference between No Filtering and Router. "No Filtering will disable/bypass the filter, and Router will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined)." So with "Router" clients are forced to use the routers DNS settings, with No Filtering it's possible for clients to ignore the settings and specify their own DNS.

I see that RMerlin said to you earlier "That setting is only valid for individual entries". With all due respect, that is incorrect. It can also be applied to the Global Filter Mode.