DNS redirect for specific hosts on LAN - RT-AC68U - Asuswrt-Merlin
- Thread starter AFN
- Start date
mstombs
Very Senior Member
The DNS filter web page is a configuration tool for iptables rules, it does not rely on dhcp serving of dns servers which is easily ignored by clients. On my system N66U with merlin 378.51 the global setting to "router" does not work as described above. The links to the DNSFILTER chain are created, but the chain itself is empty. If I set the global filter to custom 1 and put the router lan ip address in the custom 1 box the DNSFILTER chain is correctly populated:-
relevant source-code seems to be
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c#L5246
so it appears on my system at least the default line is not added when web gui global filter mode set to router.
Code:
admin@RT-N66U:/tmp/home/root# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 59 packets, 3046 bytes)
pkts bytes target prot opt in out source destination
1 57 DNSFILTER udp -- * * 192.168.66.0/24 0.0.0.0/0 udp dpt:53
0 0 DNSFILTER tcp -- * * 192.168.66.0/24 0.0.0.0/0 tcp dpt:53
...
Chain DNSFILTER (2 references)
pkts bytes target prot opt in out source destination
1 57 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.66.1relevant source-code seems to be
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c#L5246
so it appears on my system at least the default line is not added when web gui global filter mode set to router.
Last edited:
Well thats good 
Got to the bottom of this. I will try this early next week.
I'm finding it hard to understand how that works still! haha.
I have two assumptions here:
Assumption 1:
In order to force the router to redirect client DNS settings as per the "Client List" you have to set "Global Filter Mode" to "Router". If not then clients could override all of this then. I don't see why you would need "No Filtering" then?
My assumption here: (assumption 1)
Would it be perhaps if you have clients set to DHCP for DNS, and selecting"No Filtering", the client will receive the override as defined in the "Client List" , however if they choose to enter a DNS server manually then the router would honor the DNS setting from the client. In other words, override global router DNS with the "Client List" settings delivered DHCP but don't enforce. On the other hand I assume that when set to "Router" the router itself just doesn't care what is requested by the client and forces a redirect that can't be bypassed by clients regardless of what DNS settings the client wants , e.g. forced transparent redirection.
Assumption 2:
Select "No Filtering" - The DNS Filter page has no effect at all.
Select "Router" - Router locks everything DNS down from the perspective of network clients - No client DNS settings are considered at all. Anything not listed in the "Client List" will use the router's DNS settings by force - (from WAN or LAN pages) and anything listed in the "Client List" will be an exception and thus be forced to the defined DNS settings from the "Client List". Changing DNS on clients will have no effect - the router will transparently redirect DNS.
Which is correct do you think? Or have a totally confused everything now? I will be able to test this next week. Right now i'm trying to make sense of this in my mind.
Got to the bottom of this. I will try this early next week.I'm finding it hard to understand how that works still! haha.
I have two assumptions here:
Assumption 1:
In order to force the router to redirect client DNS settings as per the "Client List" you have to set "Global Filter Mode" to "Router". If not then clients could override all of this then. I don't see why you would need "No Filtering" then?
My assumption here: (assumption 1)
Would it be perhaps if you have clients set to DHCP for DNS, and selecting"No Filtering", the client will receive the override as defined in the "Client List" , however if they choose to enter a DNS server manually then the router would honor the DNS setting from the client. In other words, override global router DNS with the "Client List" settings delivered DHCP but don't enforce. On the other hand I assume that when set to "Router" the router itself just doesn't care what is requested by the client and forces a redirect that can't be bypassed by clients regardless of what DNS settings the client wants , e.g. forced transparent redirection.
Assumption 2:
Select "No Filtering" - The DNS Filter page has no effect at all.
Select "Router" - Router locks everything DNS down from the perspective of network clients - No client DNS settings are considered at all. Anything not listed in the "Client List" will use the router's DNS settings by force - (from WAN or LAN pages) and anything listed in the "Client List" will be an exception and thus be forced to the defined DNS settings from the "Client List". Changing DNS on clients will have no effect - the router will transparently redirect DNS.
Which is correct do you think? Or have a totally confused everything now? I will be able to test this next week. Right now i'm trying to make sense of this in my mind.
Are you saying there is a bug in the GUI when "Global Filter Mode: Router" is selected?
And thus a workaround is to set "Global Filter Mode" to "Custom 1", and "Custom 1" to the router's IP, thus creating the same effect that selecting "Global Filter Mode: Router" would have if it worked correctly?
Last edited:
mstombs
Very Senior Member
There is a bug in my attempted use at least - it may depend other settings - I have dhcp wan and have blank entries for gateway and dns in lan dhcp - so router is specified to clients. I allow router to use my ISP dns servers but I also add additional servers via dnsmasq extra config. I intend all clients to use the router, but checking using "namebench" made it clear the router divert was not working
I have walked through the source code - my problem may be that the nvram var "dhcp_dns1_x" is blank in my setup
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/services.c#L6849
You don't actually need to enter anything in custom1, it defaults to the router lan address because of the check in above code #L6868
I have walked through the source code - my problem may be that the nvram var "dhcp_dns1_x" is blank in my setup
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/services.c#L6849
You don't actually need to enter anything in custom1, it defaults to the router lan address because of the check in above code #L6868
john9527
Part of the Furniture
I agree that this is a bug.....another workaround is to enter the router address as the DNS server under LAN/DHCP Servers
So it's a bug in the basic firmware independent of model or personalised settings, in which case implement one the 2 suggested workarounds?
john9527
Part of the Furniture
That's my opinion....will let Merlin make the final comment.
Just as an FYI for any users of my 374 based fork who may be reading this thread....the fork does not have this bug.
John, is there a simple test we could do (not looking into code!) if we wanted, by, for example, trying to access a certain resource, with specific settings (temporarily) entered, to see - for interest's sake - whether this bug affects us?
ColinTaylor
Part of the Furniture
Ah, thanks for explaining that. I've recently started using your fork so hadn't realised that this bug existed.
john9527
Part of the Furniture
I *think* you may be able to see it this way....
- Set a Global Filter mode to use one of the services, like OpenDNS home
- Set a specific client to use 'Router' as the filter mode
I think you will see that the client you want to use the Router DNS servers will still be using the OpenDNS server.
You're correct. I forgot the case where one would enable DNSFilter but only wanted some specific clients filtered.
You're right! Your test works in that it does, indeed, point out the bug. (If my iPhone had obtained its DNS info via the router, as Custom filter appeared to indicate), Facebook would have been blocked, but Facebook appeared in my browser proving the custom setting had been ignored and DNS was from OpenDNS.)
Clever!!! Sincere thanks.
Last edited:
Ok, so I finally had to chance to test this out today via my PC.
It is very simple to get working. Here are my findings:
To have 1 or more devices be forced to a DNS server of choice regardless of what DNS settings clients are configured to use:
1. Turn on DNS-Based Filtering
2. Set Global Filter Mode to "No Filtering"
3. Enter any custom servers in the the "Custom DNS" boxes
4. Select the client you want to redirect DNS for in the "Client List" - router will add the MAC address.
5. Select a "filter mode" - example "Custom 1" or "No Filtering"
6. Click Add "+"
7. "Apply"
Result - Devices not on the list continue to operate as per router WAN settings (ie Get DNS from ISP or manually entered), and devices on the list are forced to use the DNS that have been configured on the "DNS Filter" page.
I see no need in this case to set "Global Filter Mode" to anything else but "No Filtering". I can see why you have the choice but to force a handful of devices to use a different DNS server from other devices on the network, this can be left at "No Filtering".
I can also see where the "set to router" bug exists. RMerlin - will you be fixing this bug in your future releases?
It is very simple to get working. Here are my findings:
To have 1 or more devices be forced to a DNS server of choice regardless of what DNS settings clients are configured to use:
1. Turn on DNS-Based Filtering
2. Set Global Filter Mode to "No Filtering"
3. Enter any custom servers in the the "Custom DNS" boxes
4. Select the client you want to redirect DNS for in the "Client List" - router will add the MAC address.
5. Select a "filter mode" - example "Custom 1" or "No Filtering"
6. Click Add "+"
7. "Apply"
Result - Devices not on the list continue to operate as per router WAN settings (ie Get DNS from ISP or manually entered), and devices on the list are forced to use the DNS that have been configured on the "DNS Filter" page.
I see no need in this case to set "Global Filter Mode" to anything else but "No Filtering". I can see why you have the choice but to force a handful of devices to use a different DNS server from other devices on the network, this can be left at "No Filtering".
I can also see where the "set to router" bug exists. RMerlin - will you be fixing this bug in your future releases?
Awesome, thanks RMerlin.
Ok so having all the gear now to test all of this I have run into an issue.
Objective Recap:
Have all LAN clients use Google DNS (handed out via RTAC68U DHCP) besides specific devices forced to another DNS server at the router level – e.g. 123.123.123.123.
I have set DNS Filtering so Global Filter Mode : No Filtering (allowing LAN clients to use WAN DNS) and the device and in this case a Roku3 is in the client list set to Custom 1. The Custom 1 field is set to a certain DNS server – e.g. 123.123.123.123. This should force Roku to use my custom DNS instead of its hardcoded DNS.
When I open Netflix on the Roku 3 when the router is setup to use DNS Filtering, Netflix breaks. It never connects, the internet connection test half works, other times it all fails. Gives me nw-8-17 and nw3-6 codes.
If I turn off DNS Filtering, and set the router (WAN DNS) to the DNS I wish to use (123.123.123.123), then Netflix works fine – this is exactly what DNS Filter should be doing but it appears to have issues.
Having set my WAN DNS to 123.123.123.123 is now ensuring all network devices are using this new DNS. I don’t want this. I want DNS Filter to force 1 device to the 123.123.123.123 DNS server and the rest of my clients to use Google’s DNS.
It appears DNS Filter isn’t working correctly for certain devices. Funny thing is my PC works as expected with DNS Filter and my Samsung TV but not Roku.
---- I have simulated hard coded DNS entries via my PC - Set it to 8.8.8.8 and use DNS Filtering to force it to 123.123.123.123 - and it works.
How can this be fixed? If DNS Filter works for certain devices, why not for every device? The router should just do job and make this transparent to the end device - hence my confusion.
mstombs
Very Senior Member
Note that RMerlin's fix for the default router in in git but is not available in any firmware till the next release unless you compile your own - but shouldn't be an issue here
Can you check what iptables rules are actually implemented - see
DNS redirect for specific hosts on LAN - RT-AC68U - Asuswrt-Merlin
just edited to remove irrelevant reference to my then current WAN IP - lan ip is 192.168.66.1
The PREROUTING rule should capture just the specific lan clients you specify, the second rule apply the divert. The counters help prove the rules work.
Use of non-standard ports or dnscrypt on a client will bypass these rules - but I doubt if Roku do that?
Can you check what iptables rules are actually implemented - see
DNS redirect for specific hosts on LAN - RT-AC68U - Asuswrt-Merlin
just edited to remove irrelevant reference to my then current WAN IP - lan ip is 192.168.66.1
The PREROUTING rule should capture just the specific lan clients you specify, the second rule apply the divert. The counters help prove the rules work.
Use of non-standard ports or dnscrypt on a client will bypass these rules - but I doubt if Roku do that?
Hey mstombs,
Sure thing - here is what iptables show with DNS Filtering enabled and set to redirect DNS for the Roku to 123.123.123.123 *actual IP changed for security reasons
LAN address 10.0.0.0/24
DNS set in WAN - 8.8.8.8 / 8.8.4.4
10.0.0.X - has the correct IP for another computer on the LAN.
Merlin 378.52_2
Router: RT-AC68U
Radios both off.
When I do a Netflix "Check your network" test - It randomly fails the Server1,2,3. Sometimes these work, other times not. Often get the code nw-8-17. This problem only occurs when I am trying to use DNS Filter. The "Internet Connection" check never passes. Half the Netflix show thumbnails never load - just stay grey - a few do load.
If I turn off DNS Filter - All thumbnails load, "Check your network" passes 100%, everything works. Clearly something isn't working correctly with DNS Filter in this case.
Sure thing - here is what iptables show with DNS Filtering enabled and set to redirect DNS for the Roku to 123.123.123.123 *actual IP changed for security reasons
LAN address 10.0.0.0/24
DNS set in WAN - 8.8.8.8 / 8.8.4.4
10.0.0.X - has the correct IP for another computer on the LAN.
Merlin 378.52_2
Router: RT-AC68U
Radios both off.
Code:
admin@RTAC68U:/tmp/home/root# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 143 packets, 10048 bytes)
pkts bytes target prot opt in out source destination
24 3133 VSERVER all -- * * 0.0.0.0/0 <WAN IP>
138 8883 DNSFILTER udp -- * * 10.0.0.0/24 0.0.0.0/0 udp dpt:53
4 240 DNSFILTER tcp -- * * 10.0.0.0/24 0.0.0.0/0 tcp dpt:53
Chain INPUT (policy ACCEPT 51 packets, 4496 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 1587 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 12 packets, 1587 bytes)
pkts bytes target prot opt in out source destination
872 95341 MASQUERADE all -- * eth0 !<WAN IP> 0.0.0.0/0
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xb400
Chain DNSFILTER (2 references)
pkts bytes target prot opt in out source destination
99 6320 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MAC <ROKU MAC> to:123.123.123.123
43 2803 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:10.0.0.1
Chain LOCALSRV (0 references)
pkts bytes target prot opt in out source destination
Chain PCREDIRECT (0 references)
pkts bytes target prot opt in out source destination
Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
24 3133 VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VUPNP (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54019 to:10.0.0.X:54019When I do a Netflix "Check your network" test - It randomly fails the Server1,2,3. Sometimes these work, other times not. Often get the code nw-8-17. This problem only occurs when I am trying to use DNS Filter. The "Internet Connection" check never passes. Half the Netflix show thumbnails never load - just stay grey - a few do load.
If I turn off DNS Filter - All thumbnails load, "Check your network" passes 100%, everything works. Clearly something isn't working correctly with DNS Filter in this case.
Last edited:
mstombs
Very Senior Member
Can't see any specific problem - is 123.123.123.123 an internet service? If local (which I doubt) there could be a loopback problem.
Most internet guides refer to a Roku lan IP address, but MAC address should be better.
I wonder if the dns filter works for anyone? Another place they could be blocked is in the filter FORWARD chain.
Most internet guides refer to a Roku lan IP address, but MAC address should be better.
I wonder if the dns filter works for anyone? Another place they could be blocked is in the filter FORWARD chain.
Last edited:
123.123.123.123 is an example DNS - the actual IP I have hidden. This is what I want the Roku DNS to redirect to.
It half works. You would think from the router's perspective that if it is redirecting any DNS requests from the Roku and changing it to 123.123.123.123 everything would be fine. But it only seems to sort of work.
With DNS Filtering enabled the Netflix app crashes half the time, half loads thumbnails etc. Turn off DNS Filter - everything starts working fine.
If I static route 8.8.8.8 and 8.8.4.4 into a black hole and change the WAN DNS to 123.123.123.123, then everything also works perfectly. Only issue is as I have mentioned is I dont want to have the 123.123.123.123 DNS server for all devices on the LAN, just certain clients.
It half works. You would think from the router's perspective that if it is redirecting any DNS requests from the Roku and changing it to 123.123.123.123 everything would be fine. But it only seems to sort of work.
With DNS Filtering enabled the Netflix app crashes half the time, half loads thumbnails etc. Turn off DNS Filter - everything starts working fine.
If I static route 8.8.8.8 and 8.8.4.4 into a black hole and change the WAN DNS to 123.123.123.123, then everything also works perfectly. Only issue is as I have mentioned is I dont want to have the 123.123.123.123 DNS server for all devices on the LAN, just certain clients.
Last edited:
Similar threads
Similar threads
Similar threads
-
-
-
-
-
-
Suggestion: DNS Director, add optional compatibility with DOT
- Started by Linuxer
- Replies: 2
-
-
-
-
DNS - passing on source IP address to pihole in the cloud
- Started by R3dbvll
- Replies: 7
Latest threads
-
VPN Director - 2 VPN Clients and Killswitch (3004.388.8_2)
- Started by Skillz
- Replies: 1
-
-
XT8 DFS causing game desync?- Started by Senseitional
- Replies: 3
-
vnStat vnStat on Merlin 386.14 missing scrollbar bug- Started by Tarek Yag
- Replies: 0
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!