DNS redirect for specific hosts on LAN - RT-AC68U - Asuswrt-Merlin

[mstombs]

When you test without DNS Filter do you still have the divert for all DNS lookups to use the router dnsmasq?

I wonder if the Roku likes talking to the local caching DNS forwarder rather than a remote unblockus type server directly?

Do you use any of the TM DPI stuff? I very much doubt the iptables configured kernel netfilter code works only part-time!

 

[AFN]

When you test without DNS Filter do you still have the divert for all DNS lookups to use the router dnsmasq?

I disable DNS Filtering entirely via the GUI and LAN DNS is set to 10.0.0.1 thus ensuring all LAN clients query dnsmasq for a DNS server from the ac68u (I assume my understanding is correct here).
All clients hence get 10.0.0.1 as DNS via DHCP (also from the ac68u), which is the router and its built in dnsmasq service.

I wonder if the Roku likes talking to the local caching DNS forwarder rather than a remote unblockus type server directly?

I am using an unblockus type service, correct. I dont want everything being forward to the unblockus type service, just the Rocku for security purposes as you could imagine.

Do you use any of the TM DPI stuff? I very much doubt the iptables configured kernel netfilter code works only part-time!

No TM DPI stuff enabled. Never switched it on from the start so I can say that's not running for sure.

Interesting - I just found out: I have a new Samsung 4k TV - HU8500 (2014) series, and DNS Filter also breaks Netflix on this - All connection tests fail, doesn't even want to login to Netflix. As I can actually change DNS manually on this TV via its menu, then it works fine. Enforce it via DNS Filter - no go.

An older Samsung Smart TV (2012 model) has no issues with DNS Filter and actually works first time with the Netflix app.

Very frustrating!

 

[RMerlin]

It's possible that Netflix might be starting to take steps against users using such workarounds. They did mention their intention on clamping down on region-bypass methods. As someone mentioned, maybe they run their own internal recursive resolver rather than rely on an external nameserver. Since your router would be forcing all those recursive queries through that specified nameserver, it could break name lookups then.

 

[AFN]

It's possible that Netflix might be starting to take steps against users using such workarounds. They did mention their intention on clamping down on region-bypass methods. As someone mentioned, maybe they run their own internal recursive resolver rather than rely on an external nameserver. Since your router would be forcing all those recursive queries through that specified nameserver, it could break name lookups then.

But if so, then wouldn't forcing the Netflix client to the unlockus service have the same effect?

For instance routing the hardcoded Google DNS to a black hole will force the Netflix client (ie the Roku) to fall back to the router's DNS vis DHCP - which has the unlockus DNS service set on the router (WAN). The router then forwards any DNS queries to the unlockus service - this does work as I have tired it.

Ive also been able to do this on other Netflix devices via DNS Filter. Just these two - Roku and a newer Samsung Smart TV won't play ball.

 

[RMerlin]

But if so, then wouldn't forcing the Netflix client to the unlockus service have the same effect?

Maybe not all DNS queries are resolved recursively?

This is all pure theory, as I just can't see why newer Netflix-capable devices would specifically have issues with DNSFilter.

 

[mstombs]

http://digiex.net/guides-reviews/gu...unotelly-use-your-own-dns-server-instead.html ?

 

[AFN]

hmmm.

Well i'm not sure where this leaves me. Surely there must be a way to force 1 or 2 clients to use unblock us DNS and the rest to use Google DNS from the router.

I do have another rtn66u that isnt being used. Would this be of any use? i.e put the Roku behind that, set it up to block 8.8.8.8 and 8.8.4.4 via static routes and have it connect via its WAN port to the main router (AC68U)? Have the secondary router serve Unblock US DNS. That way anything not connected to it would get the normal network DNS.

Thinking through that ^, It will work but Roku will be on a different subnet - i.e YouTube's Play on TV feature wont work now as I believe thats multicast dependent and multicast packets wont traverse subnets by default.


Hmm i'm running out of ideas on how to solve this.

 

[gabell]

Hi AFN

Came across the post by chance after experiencing the exact same problems.
Some great advice from all concerned....many thanks.

Just wondering if you managed to get a fix for the Roku problem.

I have just set my rt-ac86 up as per the advice, albeit remotely, so I can test till I get home tonight.

One thought I had, and please feel free to shoot me down in flames, was to turn the DNS filtering setting on their head, i.e. set the WAN DNS to the unblock service e.g 123.123.123.123, set DHCP DNS to blank or 192.168.1.1 , set DNS Filtering global setting to "NO FILTERING", which effectively sets all devices to use 123.123.123.123, but then create a custom 8.8.8.8 and assign those networked devices that must use google's DNS.
I realise, that you may only want one device looking at 123.123.123.123 and would therefore need to have every other device listed in the client list for filtering.

Just wondering if this would then fix the Roku issue.

Regards.....

 

[RMerlin]

One thought I had, and please feel free to shoot me down in flames, was to turn the DNS filtering setting on their head, i.e. set the WAN DNS to the unblock service e.g 123.123.123.123, set DHCP DNS to blank or 192.168.1.1 , set DNS Filtering global setting to "NO FILTERING", which effectively sets all devices to use 123.123.123.123, but then create a custom 8.8.8.8 and assign those networked devices that must use google's DNS.

This has the disadvantage that all your LAN clients will be unable to resolve other internal client names, which is a limitation of DNSFilter's implementation.

 

[AFN]

Hi AFN

Came across the post by chance after experiencing the exact same problems.
Some great advice from all concerned....many thanks.

Just wondering if you managed to get a fix for the Roku problem.

I have just set my rt-ac86 up as per the advice, albeit remotely, so I can test till I get home tonight.

One thought I had, and please feel free to shoot me down in flames, was to turn the DNS filtering setting on their head, i.e. set the WAN DNS to the unblock service e.g 123.123.123.123, set DHCP DNS to blank or 192.168.1.1 , set DNS Filtering global setting to "NO FILTERING", which effectively sets all devices to use 123.123.123.123, but then create a custom 8.8.8.8 and assign those networked devices that must use google's DNS.
I realise, that you may only want one device looking at 123.123.123.123 and would therefore need to have every other device listed in the client list for filtering.

Just wondering if this would then fix the Roku issue.

Regards.....

Hey gabell,

Yes, you will be pleased to know there is working fix for this issue.

There are two working solutions:
1. Create a dnsmasq.conf.add file to have the router give the Roku a custom DNS server
2. Use another router (i.e RTN66U/AC68U) and use your LAN as a "WAN".

While DNS Filter feature appeared to be what I was after, it half works for the Roku. I am not sure why. You would think the router would mask and change the DNS so the Roku wouldn't know but it just wont work correctly for it. Works fine for my PC however. It also breaks one of my new TVs. Its rather strange.

Option 1 is the easiest if you don't have another router on hand and goes like this:

Step 1:
1. Ensure you have the MAC address of the Roku - If you don't, disconnect the router from the internet, connect the Roku and get to the network menu where it shows the MAC or just grab it from the router under DHCP Leases table (quicker).
Ensure you do not have a static DHCP entry defined for it on the router via its admin webpage.

2. Once you have the Roku MAC, log into the router:
Administration > System
- Enable JFFS partition
- Format JFFS partition at next boot
- Enable JFFS custom scripts and configs
- Enable SSH
- Reboot Router

3. SSH to the router and login

4. cd /jffs/configs/

5. vi dnsmasq.conf.add

6.Type/copy:
dhcp-host=set:ROKU1 (can be anything really),00:00:00:00:00:00 (Roku MAC),192.168.1.11 (Fixed IP you want to assign to the Roku - choose a free address in your subnet)
dhcp-option=tag:ROKU1 (same as above),option:dns-server,123.123.123.123 (IP of your unblock service)

- Will look something like this:
dhcp-host=set:ROKU1,00:00:00:00:00:00,192.168.1.11
dhcp-option=tag:ROKU1,option:dns-server,123.123.123.123

7. Press ESC on your keyboard

8: type :wq
9. type cd
10. type chmod a+rx /jffs/configs/dnsmasq.conf.add

11. Check file has saved with: cat /jffs/configs/dnsmasq.conf.add
- You should see the contents of the file displayed.

12. Type nvram commit

13. Type service restart_dnsmasq
- Router should return "Done."

14. Close your SSH session

15. On the router's GUI:
Firewall > Network Services Filter
Enable Network Services Filter
Filter table type - "BlackList"
Rest of the options as default (all on)

Source IP of your Roku from your dnsmasq.conf.add file eg 192.168.1.11
Leave both port range fields blank
Destination IP 8.8.*.*
Protocol needs to be set to TCP ALL
Do the same again but select UDP as the protocol.
You should have two entries for your Roku's IP.
Save.

16. Reboot the router

17. Connect the Roku to the network and it will now use your desired DNS IP - check your Roku network page.

Problem solved.

Martineau did mention this code at the start of the thread but I figured it would be the same as the DNS filter - not so.

Remember not to give the Roku a reserved DHCP entry on the GUI (LAN>DHCP Server) - It will add its own tags that will prevent the custom DNS being sent to the Roku. This is why you need to have dnsmasq.conf.add.

You can also use a second router - set its WAN DNS servers to the unblock service, setup the firewall as above and connect the Roku to this. Make sure the second router's IP is in a different subnet ie 192.168.2.1.
Connect your main router to the second routers' WAN port. Connect a PC to see if you can browse the web. If so you are all good. Connect the Roku and anything else you want to connect to the unblock service to this router.

If you want YouTube to play videos from your phone iPad etc., it will not find the Roku automatically as it is on a different network (aka subnet). You will have to pair your devices from the YouTube pair option.

With the dnsmasq.conf.add and Merlin's work, you can simply add in the code above (step 6) and setup the firewall and it will work.

 

[gabell]

Awesome....thanks.

 

[maverickjesus]

Registered just to confirm that the method AFN describes a few posts up was the only solution that works for me on the latest Netflix app on Android & PS4, which has had me stumped for a while.

Made a few minor modifications:

• Used the network blacklist to sinkhole ALL traffic to the 8.8.*.* IP range, as I use the Global DNS Filter to force all clients to use a DNSCrypt proxy anyway. Always a risk that a new client will break with this if it pulls Netflix style DNS shenanigans, but nothing on my network has so far.
• Defined multiple dhcp-host/dhcp-option pairs, one for each client (PS4, 2x Chromecasts and an Android TV box), each one pointing to the nearest TVUnblock server. You can do this in one go as described, but you don't need to reboot the router - just reconnect each client to refresh the DHCP lease.

Shame you can't do this via the GUI, but its really not that hard to get setup.

 

[greg50]

Maybe not all DNS queries are resolved recursively?

This is all pure theory, as I just can't see why newer Netflix-capable devices would specifically have issues with DNSFilter.

I have exactly the same issue @RMerlin . I was using the DNS Filtering feature on my AC66U with a smart dns service (Global filter mode - no filtering, and the smart dns was set to custom 1, and the device was added and set to custom 1). BBC, and other apps worked fine on my Xbox One, but Netflix was broken. The only fix was to turn off the DNS filtering feature for that device (set to no filtering), and since you can set the DNS manually on the Xbox One, I entered the smart dns address there, and now it works flawlessly. To be honest, I don't really get what's the difference (since in both cases, all the DNS requests are supposed to go to that server), but the only way to make it work was this (and Netflix is available in my country). The error code was always NW-2-5. One more thing that I tried was to turn off the "redirecting" at the DNS provider, restart everything, etc... but it was the same.

Do you have any idea what's the difference, or any way to test this? Do you think a fix for this is possible?

 

[itlnstln]

I have exactly the same issue @RMerlin . I was using the DNS Filtering feature on my AC66U with a smart dns service (Global filter mode - no filtering, and the smart dns was set to custom 1, and the device was added and set to custom 1). BBC, and other apps worked fine on my Xbox One, but Netflix was broken. The only fix was to turn off the DNS filtering feature for that device (set to no filtering), and since you can set the DNS manually on the Xbox One, I entered the smart dns address there, and now it works flawlessly. To be honest, I don't really get what's the difference (since in both cases, all the DNS requests are supposed to go to that server), but the only way to make it work was this (and Netflix is available in my country). The error code was always NW-2-5. One more thing that I tried was to turn off the "redirecting" at the DNS provider, restart everything, etc... but it was the same.

Do you have any idea what's the difference, or any way to test this? Do you think a fix for this is possible?

Here's a fix in a post from the Unblock-Us forums that I would like to try, but I don't know how to translate this Cisco script into something Merlin's firmware can use. The goal of this is to intercept traffic to 8.8.*.*, redirect it to the DNS of your choice, and intercept the response and mask it as 8.8.*.* to fool the device(s) into thinking they successfully connected to 8.8.*.*. In my specific case, I would like this to work for all traffic going through the router, not just one device. If someone could help me with this, I would greatly appreciate it.

From: https://support.unblock-us.com/cust...m-with-netflix-update-3-7-2-android-?b_id=530

Hi All
I have found a solution to this problem.
Netflix on my chromecast in Australia stopped working after the latest update 19084 when casting from Netflix android app 3.7.1 while it would work normally on my laptop and android.
At this point I had unblock-us dns configured on the android device and laptop (issued by the router).

The solution involves fooling the chromecast and android app into thinking they are talking to google DNS while they are actually communicating with unblock-us DNS
Latest chromecast firmware and Netflix app are required for this. (19084 and 3.7.2 respectively)
The way to do this on a cisco router is by using the following configuration

------------------------------------------------------
interface Vlan1 (or any other LAN interface)
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip policy route-map google_dns-redirect

ip access-list extended google_dns
permit udp 192.168.15.0 0.0.0.255 host 8.8.8.8

route-map google_dns-redirect permit 10
match ip address google_dns
set ip next-hop 111.118.175.56

ip nat outside source static 111.118.175.56 8.8.8.8
-------------------------------------------------------

With this config, the router redirects any traffic destined for 8.8.8.8 to instead go to 111.118.175.56 (while the Chromecast thinks it is still going to 8.8.8.8)
It is important that the return traffic to CC does not appear to be coming from Unblock-us so the router needs to be setup to change any traffic coming from 111.118.175.56 to 8.8.8.8 using a static NAT statement.
As you can see, this method is different to the popular method of blackholing traffic to 8.8.8.8 causing the CC to fail over to whatever DNS is configured on the router (unblock-us DNS)
This fix should also be fairly easily to setup on a firewall using a GUI. Not sure if DD-WRT, Open-WRT or Tomato are capable of this as they are firewall features.
Also note that this fix will only work if the Netflix on the Android is latest 3.7.2 as the old version (3.7.1) without hardcoded DNS gives away its location while casting to the lastest chromecast 19084
Hope this helps

 

[primitivo]

I have exactly the same issue @RMerlin . I was using the DNS Filtering feature on my AC66U with a smart dns service (Global filter mode - no filtering, and the smart dns was set to custom 1, and the device was added and set to custom 1). BBC, and other apps worked fine on my Xbox One, but Netflix was broken. The only fix was to turn off the DNS filtering feature for that device (set to no filtering), and since you can set the DNS manually on the Xbox One, I entered the smart dns address there, and now it works flawlessly. To be honest, I don't really get what's the difference (since in both cases, all the DNS requests are supposed to go to that server), but the only way to make it work was this (and Netflix is available in my country). The error code was always NW-2-5. One more thing that I tried was to turn off the "redirecting" at the DNS provider, restart everything, etc... but it was the same.

Do you have any idea what's the difference, or any way to test this? Do you think a fix for this is possible?

I have exactly the same issue with NW-2-5 error on Netflix despite setting DNS filtering the same way as you. Custom 1 Smart DNS to Nvidia Shield and Global setting: no filtering. I have also added static routes as per Smart DNS websites recommendations LAN/Route , I have also followed the recommendation of blacklisting Google DNS: Firewall / Network Services Filter. Unfortunately this didn't help.

I am about to try @AFN recommendation for dnsmasq setting and or putting Smart DNS directly into Nvidia Shield settings.

It's a pity DNS filtering doesn't work properly and DNS is is not forced to the device.

 

[darkfinger]

Just a quick note that it appears that the blacklist wont accept entries like 8.8.*.* so I had to add 8.8.8.8 and 8.8.4.4 discretely. Perhaps another annotation would work instead of the wildcards?

Anyway, very useful. Many thanks!

Hey gabell,

Yes, you will be pleased to know there is working fix for this issue.

There are two working solutions:
1. Create a dnsmasq.conf.add file to have the router give the Roku a custom DNS server
2. Use another router (i.e RTN66U/AC68U) and use your LAN as a "WAN".

While DNS Filter feature appeared to be what I was after, it half works for the Roku. I am not sure why. You would think the router would mask and change the DNS so the Roku wouldn't know but it just wont work correctly for it. Works fine for my PC however. It also breaks one of my new TVs. Its rather strange.

Option 1 is the easiest if you don't have another router on hand and goes like this:

Step 1:
1. Ensure you have the MAC address of the Roku - If you don't, disconnect the router from the internet, connect the Roku and get to the network menu where it shows the MAC or just grab it from the router under DHCP Leases table (quicker).
Ensure you do not have a static DHCP entry defined for it on the router via its admin webpage.

2. Once you have the Roku MAC, log into the router:
Administration > System
- Enable JFFS partition
- Format JFFS partition at next boot
- Enable JFFS custom scripts and configs
- Enable SSH
- Reboot Router

3. SSH to the router and login

4. cd /jffs/configs/

5. vi dnsmasq.conf.add

6.Type/copy:
dhcp-host=set:ROKU1 (can be anything really),00:00:00:00:00:00 (Roku MAC),192.168.1.11 (Fixed IP you want to assign to the Roku - choose a free address in your subnet)
dhcp-option=tag:ROKU1 (same as above),option:dns-server,123.123.123.123 (IP of your unblock service)

- Will look something like this:
dhcp-host=set:ROKU1,00:00:00:00:00:00,192.168.1.11
dhcp-option=tag:ROKU1,option:dns-server,123.123.123.123

7. Press ESC on your keyboard

8: type :wq
9. type cd
10. type chmod a+rx /jffs/configs/dnsmasq.conf.add

11. Check file has saved with: cat /jffs/configs/dnsmasq.conf.add
- You should see the contents of the file displayed.

12. Type nvram commit

13. Type service restart_dnsmasq
- Router should return "Done."

14. Close your SSH session

15. On the router's GUI:
Firewall > Network Services Filter
Enable Network Services Filter
Filter table type - "BlackList"
Rest of the options as default (all on)

Source IP of your Roku from your dnsmasq.conf.add file eg 192.168.1.11
Leave both port range fields blank
Destination IP 8.8.*.*
Protocol needs to be set to TCP ALL
Do the same again but select UDP as the protocol.
You should have two entries for your Roku's IP.
Save.

16. Reboot the router

17. Connect the Roku to the network and it will now use your desired DNS IP - check your Roku network page.

Problem solved.

Martineau did mention this code at the start of the thread but I figured it would be the same as the DNS filter - not so.

Remember not to give the Roku a reserved DHCP entry on the GUI (LAN>DHCP Server) - It will add its own tags that will prevent the custom DNS being sent to the Roku. This is why you need to have dnsmasq.conf.add.

You can also use a second router - set its WAN DNS servers to the unblock service, setup the firewall as above and connect the Roku to this. Make sure the second router's IP is in a different subnet ie 192.168.2.1.
Connect your main router to the second routers' WAN port. Connect a PC to see if you can browse the web. If so you are all good. Connect the Roku and anything else you want to connect to the unblock service to this router.

If you want YouTube to play videos from your phone iPad etc., it will not find the Roku automatically as it is on a different network (aka subnet). You will have to pair your devices from the YouTube pair option.

With the dnsmasq.conf.add and Merlin's work, you can simply add in the code above (step 6) and setup the firewall and it will work.

 

[vw-kombi]

Sorry to bring forward such an old thread. I am new to asus merlin and have followed these instructions in this post to get my roku's working. I have been reading other threads for other merlin enhancements where I came across someone who updating the firewall with dns re-route commands for ad-blocking I think. does the same work on merlin for smart dns reroutes ?

I used the below FW rules on DD-WRT when it was my internet router and it was the only setup needed to be done for the 6 roku's to work and reroute to my smart dns provider - which is used to watch UK TV shows. Does the same work on merlin, i.e could I just add the below to the firewall script (straight copy from the old dd-wrt), and remove the dnsmask.add stuff ? I think the 8.8.x.x stuff is only for netflix as it is hardcoded in there but I never needed to block that on dd-wrt either :

iptables -t nat -I PREROUTING -p udp -s 192.168.1.24 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.24 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p udp -s 192.168.1.25 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.25 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p udp -s 192.168.1.26 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.26 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p udp -s 192.168.1.27 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.27 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p udp -s 192.168.1.28 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.28 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p udp -s 192.168.1.29 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.29 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p udp -s 192.168.1.30 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.30 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p udp -s 192.168.1.31 --dport 53 -j DNAT --to 108.61.169.104
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.31 --dport 53 -j DNAT --to 108.61.169.104

 

[ColinTaylor]

@vw-kombi Just use DNSFilter, it will generate those rules for you.

Set Global Filter Mode to No Filtering and then set Custom DNS 1 = 108.61.169.104

Finally select each Roku device in the Client List, specify Custom DNS 1 for it and click Add.

Apply the changes and you're done.

 

[vw-kombi]

@ColinTaylor - Thanks for the reply, I was unsure of this as there are a few posts in this thread (just a few posts up), where some say that did not work.... or maybe it did not work with netflix, (possibly as that needed the google dns block). But as I don't use netflix, I can just do this then as you suggest? However - I have hunted around the interface. I must be stupid as I cant find Global Filter anywhere......

editing - I see - I did not have AiProtection turned on.......

Final edit - all perfect. Reversed all i did from the detailed steps in this forum, then just did this very easy step instead. Checked the roku's - all good.

downside - nothing on the jffs/configs/ now - so I better get cracking on some more cool stuff.....

Oh Dear - I thought it was working but cant play any videos with this method. I will go back to the old method as described in this post, as I know that was working. Just buying a new usb3 drive first and they will re-setup.

 

[Jaska]

Hello everyone, first post, first problem with Merlin (or Asus)

Device is RT-AC66U_B1, Merlin 384.10_2

Situation is that I want to assign certain LAN devices (children) to use OpenDNS servers, and rest to use ISP DNS servers.

What I've read from this thread and others correct way to accomplish this is as follows:

- WAN, set DNS to "Auto acquire" or set manually to ISP servers (tested both ways)
- LAN->DHCP, DNS servers set to blank
- LAN->DNSFilter, set DNS-based Filtering "ON"
- set "Global Filter Mode" to "Router"
- add desired device to list and "Filter Mode" to OpenDNS

Tried with my own phone for couple of hours (Galaxy S7), and seems that if "Filter Mode" is anything but "No fltering" or "Router" internet is cut out alltogether from it, and error displayed by phone is "DNS_probe_finished_no_internet".

I can't figure out what's the problem, so any help would be greatly appreciated.

And since I also have few custom rules in OpenDNS Dashboard, I also have DDNS set to update if and when my ip changes. This shoudn't be a problem? And as said, same thing with all the other servers in the filter mode list.