DNS redirect for specific hosts on LAN - RT-AC68U - Asuswrt-Merlin


Chromecast has dns entries hard coded I believe. The only way you're going to get it to talk to a different dns is by intercepting it with iptables.
 
The DNS filter web page is a configuration tool for iptables rules, it does not rely on dhcp serving of dns servers which is easily ignored by clients. On my system N66U with merlin 378.51 the global setting to "router" does not work as described above. The links to the DNSFILTER chain are created, but the chain itself is empty. If I set the global filter to custom 1 and put the router lan ip address in the custom 1 box the DNSFILTER chain is correctly populated:-

Code:
admin@RT-N66U:/tmp/home/root# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 59 packets, 3046 bytes)
pkts bytes target     prot opt in     out     source               destination
    1    57 DNSFILTER  udp  --  *      *       192.168.66.0/24      0.0.0.0/0           udp dpt:53
    0     0 DNSFILTER  tcp  --  *      *       192.168.66.0/24      0.0.0.0/0           tcp dpt:53

...

Chain DNSFILTER (2 references)
pkts bytes target     prot opt in     out     source               destination
    1    57 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.66.1

relevant source-code seems to be

https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c#L5246

so it appears on my system at least the default line is not added when the web gui global filter mode is set to router.
 
Well that's good :) Got to the bottom of this. I will try this early next week.

It's interesting to note the subtle difference between No Filtering and Router. "No Filtering will disable/bypass the filter, and Router will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined)." So with "Router" clients are forced to use the router's DNS settings, with No Filtering it's possible for clients to ignore the settings and specify their own DNS.

I'm finding it hard to understand how that works still! haha.

I have two assumptions here:

Assumption 1:

In order to force the router to redirect client DNS settings as per the "Client List" you have to set "Global Filter Mode" to "Router". If not, then clients could override all of this. I don't see why you would need "No Filtering" then?


My assumption here: (assumption 1)
Would it be perhaps if you have clients set to DHCP for DNS, and selecting "No Filtering", the client will receive the override as defined in the "Client List", however if they choose to enter a DNS server manually then the router would honor the DNS setting from the client. In other words, override global router DNS with the "Client List" settings delivered via DHCP but don't enforce. On the other hand I assume that when set to "Router" the router itself just doesn't care what is requested by the client and forces a redirect that can't be bypassed by clients regardless of what DNS settings the client wants, e.g. forced transparent redirection.

Assumption 2:
Select "No Filtering" - The DNS Filter page has no effect at all.

Select "Router" - Router locks everything DNS down from the perspective of network clients - No client DNS settings are considered at all. Anything not listed in the "Client List" will use the router's DNS settings by force - (from WAN or LAN pages) and anything listed in the "Client List" will be an exception and thus be forced to the defined DNS settings from the "Client List". Changing DNS on clients will have no effect - the router will transparently redirect DNS.

Which is correct do you think? Or have I totally confused everything now? I will be able to test this next week. Right now I'm trying to make sense of this in my mind.
 
Are you saying there is a bug in the GUI when "Global Filter Mode: Router" is selected?
And thus a workaround is to set "Global Filter Mode" to "Custom 1", and "Custom 1" to the router's IP, thus creating the same effect that selecting "Global Filter Mode: Router" would have if it worked correctly?
 
There is a bug in my attempted use at least - it may depend on other settings - I have dhcp wan and have blank entries for gateway and dns in lan dhcp - so router is specified to clients. I allow router to use my ISP dns servers but I also add additional servers via dnsmasq extra config. I intend all clients to use the router, but checking using "namebench" made it clear the router divert was not working.

I have walked through the source code - my problem may be that the nvram var "dhcp_dns1_x" is blank in my setup

https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/services.c#L6849

You don't actually need to enter anything in custom1, it defaults to the router lan address because of the check in the above code at #L6868
 

I agree that this is a bug.....another workaround is to enter the router address as the DNS server under LAN/DHCP Servers
 

So it's a bug in the basic firmware independent of model or personalised settings, in which case implement one of the 2 suggested workarounds?
 

That's my opinion....will let Merlin make the final comment.

Just as an FYI for any users of my 374 based fork who may be reading this thread....the fork does not have this bug.
 

John, is there a simple test we could do (not looking into code!) if we wanted, by, for example, trying to access a certain resource, with specific settings (temporarily) entered, to see - for interest's sake - whether this bug affects us?
 
Ah, thanks for explaining that. I've recently started using your fork so hadn't realised that this bug existed.
 
I *think* you may be able to see it this way....
- Set a Global Filter mode to use one of the services, like OpenDNS home
- Set a specific client to use 'Router' as the filter mode

I think you will see that the client you want to use the Router DNS servers will still be using the OpenDNS server.
 
I see that RMerlin said to you earlier "That setting is only valid for individual entries". With all due respect, that is incorrect. It can also be applied to the Global Filter Mode.

You're correct. I forgot the case where one would enable DNSFilter but only wanted some specific clients filtered.
 

You're right! Your test works in that it does, indeed, point out the bug. (If my iPhone had obtained its DNS info via the router, as the Custom filter appeared to indicate, Facebook would have been blocked, but Facebook appeared in my browser, proving the custom setting had been ignored and DNS was from OpenDNS.)

Clever!!! Sincere thanks.
 
Ok, so I finally had a chance to test this out today via my PC.

It is very simple to get working. Here are my findings:

To have 1 or more devices be forced to a DNS server of choice regardless of what DNS settings clients are configured to use:
1. Turn on DNS-Based Filtering
2. Set Global Filter Mode to "No Filtering"
3. Enter any custom servers in the "Custom DNS" boxes
4. Select the client you want to redirect DNS for in the "Client List" - router will add the MAC address.
5. Select a "filter mode" - example "Custom 1" or "No Filtering"
6. Click Add "+"
7. "Apply"

Result - Devices not on the list continue to operate as per router WAN settings (ie Get DNS from ISP or manually entered), and devices on the list are forced to use the DNS that have been configured on the "DNS Filter" page.

I see no need in this case to set "Global Filter Mode" to anything else but "No Filtering". I can see why you have the choice but to force a handful of devices to use a different DNS server from other devices on the network, this can be left at "No Filtering".

I can also see where the "set to router" bug exists. RMerlin - will you be fixing this bug in your future releases?
 
Thanks - should be taken care of with this commit.
Awesome, thanks RMerlin.



Ok so having all the gear now to test all of this I have run into an issue.

Objective Recap:
Have all LAN clients use Google DNS (handed out via RTAC68U DHCP) besides specific devices forced to another DNS server at the router level – e.g. 123.123.123.123.

I have set DNS Filtering so Global Filter Mode : No Filtering (allowing LAN clients to use WAN DNS) and the device and in this case a Roku3 is in the client list set to Custom 1. The Custom 1 field is set to a certain DNS server – e.g. 123.123.123.123. This should force Roku to use my custom DNS instead of its hardcoded DNS.

When I open Netflix on the Roku 3 when the router is set up to use DNS Filtering, Netflix breaks. It never connects, the internet connection test half works, other times it all fails. Gives me nw-8-17 and nw3-6 codes.

If I turn off DNS Filtering, and set the router (WAN DNS) to the DNS I wish to use (123.123.123.123), then Netflix works fine – this is exactly what DNS Filter should be doing but it appears to have issues.

Having set my WAN DNS to 123.123.123.123 is now ensuring all network devices are using this new DNS. I don’t want this. I want DNS Filter to force 1 device to the 123.123.123.123 DNS server and the rest of my clients to use Google’s DNS.

It appears DNS Filter isn’t working correctly for certain devices. Funny thing is my PC works as expected with DNS Filter and my Samsung TV but not Roku.
---- I have simulated hard coded DNS entries via my PC - Set it to 8.8.8.8 and use DNS Filtering to force it to 123.123.123.123 - and it works.

How can this be fixed? If DNS Filter works for certain devices, why not for every device? The router should just do its job and make this transparent to the end device - hence my confusion.
 
Note that RMerlin's fix for the default router is in git but is not available in any firmware till the next release unless you compile your own - but shouldn't be an issue here

Can you check what iptables rules are actually implemented - see

DNS redirect for specific hosts on LAN - RT-AC68U - Asuswrt-Merlin

just edited to remove irrelevant reference to my then current WAN IP - lan ip is 192.168.66.1

The PREROUTING rule should capture just the specific lan clients you specify, the second rule applies the divert. The counters help prove the rules work.

Use of non-standard ports or dnscrypt on a client will bypass these rules - but I doubt if Roku do that?
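The two symptoms discussed in this thread both show up in the `iptables -nvL -t nat` listing: the "Global Filter Mode: Router" case where the PREROUTING jumps exist but the DNSFILTER chain is empty, and the per-client DNAT rule whose packet counter proves the divert is being hit. As an added example (not part of this thread and not Asuswrt-Merlin code), the Python below parses a copied listing and reports both. It assumes the listing layout shown in the posts above; the two embedded listings are constructed from those posts, with a placeholder client MAC and WAN address.

```python
"""Check a copied `iptables -nvL -t nat` listing for the DNSFilter rules
discussed in this thread.

Added example, not Asuswrt-Merlin code.  Assumes the listing format shown
in the posts above: PREROUTING jumps to DNSFILTER on dpt:53, DNSFILTER holds
DNAT rules, and per-client rules carry a "MAC xx:xx:xx:xx:xx:xx" match.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the RT-AC68U listing above; the MAC and the
# WAN address are placeholders, not real values.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 143 packets, 10048 bytes)
 pkts bytes target  prot opt in  out  source  destination
   24  3133 VSERVER  all  --  *  *  0.0.0.0/0  203.0.113.10
  138  8883 DNSFILTER  udp  --  *  *  10.0.0.0/24  0.0.0.0/0  udp dpt:53
    4   240 DNSFILTER  tcp  --  *  *  10.0.0.0/24  0.0.0.0/0  tcp dpt:53

Chain DNSFILTER (2 references)
 pkts bytes target  prot opt in  out  source  destination
   99  6320 DNAT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  MAC 00:11:22:33:44:55 to:123.123.123.123
   43  2803 DNAT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  to:10.0.0.1
"""

# Constructed sample of the "Global Filter Mode: Router" symptom reported
# earlier in the thread: the jumps exist but the DNSFILTER chain is empty.
ROUTER_MODE_BUG_LISTING = """\
Chain PREROUTING (policy ACCEPT 59 packets, 3046 bytes)
 pkts bytes target  prot opt in  out  source  destination
    1    57 DNSFILTER  udp  --  *  *  192.168.66.0/24  0.0.0.0/0  udp dpt:53
    0     0 DNSFILTER  tcp  --  *  *  192.168.66.0/24  0.0.0.0/0  tcp dpt:53

Chain DNSFILTER (2 references)
 pkts bytes target  prot opt in  out  source  destination
"""

# pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def parse_nat_listing(text: str) -> Dict[str, List[dict]]:
    """Return {chain_name: [rule, ...]} for every chain in the listing."""
    chains: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Chain "):
            current = stripped.split()[1]
            chains[current] = []
            continue
        if current is None or not stripped or stripped.startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, prot, _opt, _in, _out, src, dst, extra = m.groups()
        mac = re.search(r"\bMAC\s+([0-9A-Fa-f:]{17})\b", extra)
        to = re.search(r"\bto:(\S+)", extra)
        chains[current].append({
            "pkts": int(pkts), "bytes": int(nbytes), "target": target,
            "prot": prot, "src": src, "dst": dst, "extra": extra,
            "mac": mac.group(1).upper() if mac else None,
            "to": to.group(1) if to else None,
        })
    return chains


def check_dnsfilter(chains: Dict[str, List[dict]]) -> dict:
    """Summarise what the DNSFILTER rules will do to port-53 traffic."""
    jumps = [r for r in chains.get("PREROUTING", []) if r["target"] == "DNSFILTER"]
    dnsfilter = chains.get("DNSFILTER")
    result = {
        "jumps_present": bool(jumps),
        "chain_empty": dnsfilter is not None and len(dnsfilter) == 0,
        "default_target": None,   # DNAT with no MAC match: every other client
        "clients": {},            # MAC -> {"to": dns_ip, "pkts": hits so far}
    }
    for rule in dnsfilter or []:
        if rule["target"] != "DNAT":
            continue
        if rule["mac"]:
            result["clients"][rule["mac"]] = {"to": rule["to"], "pkts": rule["pkts"]}
        elif result["default_target"] is None:
            result["default_target"] = rule["to"]
    return result


def client_redirect_seen(chains: Dict[str, List[dict]], mac: str) -> bool:
    """True when the client's own DNAT rule exists and has matched packets."""
    entry = check_dnsfilter(chains)["clients"].get(mac.upper())
    return entry is not None and entry["pkts"] > 0


if __name__ == "__main__":
    for name, listing in (("working", SAMPLE_NAT_LISTING),
                          ("router-mode bug", ROUTER_MODE_BUG_LISTING)):
        print(name, check_dnsfilter(parse_nat_listing(listing)))
```

Paste your own router's listing into `parse_nat_listing` and look at `clients`: a client whose rule is present but whose counter stays at zero is not sending DNS as plain UDP/TCP to port 53, which is exactly the non-standard-port or dnscrypt case noted above, and a `chain_empty` result with jumps present is the Router-mode bug.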
 
Hey mstombs,

Sure thing - here is what iptables show with DNS Filtering enabled and set to redirect DNS for the Roku to 123.123.123.123 *actual IP changed for security reasons
LAN address 10.0.0.0/24
DNS set in WAN - 8.8.8.8 / 8.8.4.4
10.0.0.X - has the correct IP for another computer on the LAN.
Merlin 378.52_2
Router: RT-AC68U
Radios both off.

Code:
admin@RTAC68U:/tmp/home/root# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 143 packets, 10048 bytes)
pkts bytes target  prot opt in  out  source  destination
  24  3133 VSERVER  all  --  *  *  0.0.0.0/0  <WAN IP>
  138  8883 DNSFILTER  udp  --  *  *  10.0.0.0/24  0.0.0.0/0  udp dpt:53
  4  240 DNSFILTER  tcp  --  *  *  10.0.0.0/24  0.0.0.0/0  tcp dpt:53

Chain INPUT (policy ACCEPT 51 packets, 4496 bytes)
pkts bytes target  prot opt in  out  source  destination

Chain OUTPUT (policy ACCEPT 12 packets, 1587 bytes)
pkts bytes target  prot opt in  out  source  destination

Chain POSTROUTING (policy ACCEPT 12 packets, 1587 bytes)
pkts bytes target  prot opt in  out  source  destination
  872 95341 MASQUERADE  all  --  *  eth0  !<WAN IP>  0.0.0.0/0
  0  0 MASQUERADE  all  --  *  *  0.0.0.0/0  0.0.0.0/0  mark match 0xb400

Chain DNSFILTER (2 references)
pkts bytes target  prot opt in  out  source  destination
  99  6320 DNAT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  MAC <ROKU MAC> to:123.123.123.123
  43  2803 DNAT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  to:10.0.0.1

Chain LOCALSRV (0 references)
pkts bytes target  prot opt in  out  source  destination

Chain PCREDIRECT (0 references)
pkts bytes target  prot opt in  out  source  destination

Chain VSERVER (1 references)
pkts bytes target  prot opt in  out  source  destination
  24  3133 VUPNP  all  --  *  *  0.0.0.0/0  0.0.0.0/0

Chain VUPNP (1 references)
pkts bytes target  prot opt in  out  source  destination
  0  0 DNAT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:54019 to:10.0.0.X:54019

When I do a Netflix "Check your network" test - It randomly fails the Server1,2,3. Sometimes these work, other times not. Often get the code nw-8-17. This problem only occurs when I am trying to use DNS Filter. The "Internet Connection" check never passes. Half the Netflix show thumbnails never load - just stay grey - a few do load.

If I turn off DNS Filter - All thumbnails load, "Check your network" passes 100%, everything works. Clearly something isn't working correctly with DNS Filter in this case.
 
Can't see any specific problem - is 123.123.123.123 an internet service? If local (which I doubt) there could be a loopback problem.

Most internet guides refer to a Roku lan IP address, but MAC address should be better.

I wonder if the dns filter works for anyone? Another place they could be blocked is in the filter FORWARD chain.
 
123.123.123.123 is an example DNS - the actual IP I have hidden. This is what I want the Roku DNS to redirect to.

It half works. You would think from the router's perspective that if it is redirecting any DNS requests from the Roku and changing it to 123.123.123.123 everything would be fine. But it only seems to sort of work.

With DNS Filtering enabled the Netflix app crashes half the time, half loads thumbnails etc. Turn off DNS Filter - everything starts working fine.

If I static route 8.8.8.8 and 8.8.4.4 into a black hole and change the WAN DNS to 123.123.123.123, then everything also works perfectly. The only issue, as I have mentioned, is that I don't want to have the 123.123.123.123 DNS server for all devices on the LAN, just certain clients.
 
