Help with DNS Filtering

[algae737]

I've tried to setup for MAC Address specific DNS Filtering (with 43_2 firmware), but after rebooting both the ASUS RT-AT68U router and the Roku, it still doesn't appear to be working..."working" being defined as redirecting the Roku via Unblock-US to avoid MLB.TV blackouts.

I have Enable DNS-based Filtering enabled, Global Filter Mode set to Custom 1, and Custom 1 set to 208.122.23.23, and two Roku MAC Addresses set to Custom 1.

What have I missed?

Thanks in advance.

 

[Alfsu]

More info needed

DNS filtering alone won't get traffic routed to your VPN connection.

More information about your setup is needed:

Do you have your VPN client connection running? if so, are your devices accessing MLB.TV?
Are you trying to now use a split tunnel (selective routing)?

Assuming you followed this thread to set up your selective routing for your VPN; what your script looks like?

 

[algae737]

No vpn involved. I've successfully ssh'd into the router and used dnsmasq previously...but, it seems to have not survived my firmware upgrade. I noticed the new feature included in the new firmware (BTW, thanks Merlin)...so, I figured I'd go that route this time instead. I'm sure I'm missing something tough.

Do I need to turn Parental Control "ON"?

Thanks,

Algae

 

[ColinTaylor]

Well, I've just tried it with my PC and it seems to work as expected.

Parental Control is not on.

Enable DNS-based Filtering is On.

I set Global Filter Mode to No Filtering (because I only want to effect 1 device).

I then selected my client PC from the drop down list, chose OpenDNS Home and hit + (to add).

Then hit Apply and it all worked.

 

[algae737]

Thanks Colin - I went back over my settings and found that I had the Global Filter Mode set to "Custom 1" which contains the redirect. Although I don't know why that would have prevented it from working, it certainly wasn't my intent. Anyway, after setting Global to "No Filtering", all's well. Good stuff. Thanks again to you and Merlin.

 

[yoggit]

I'll try this...

I've got a roku that I'm trying to set up also with a DNS service and having absolutely no luck with getting DNS Filtering to work.

I add the custom DNS, added the roku host (which has a static DHCP address) with custom 1 as the filter, and it simply just doesn't work! I have tcpdump running on the router and see DNS queries from the roku hitting my router's IP and Google (8.8.8.8), which I presume is hard coded into the roku, because I don't have it configured anywhere!

I'm on version 374.40. Tonight I'll upgrade to the latest.. 374.43 as per ColinTaylor, and try again.

Doing my head in!!

Well, I've just tried it with my PC and it seems to work as expected.

Parental Control is not on.

Enable DNS-based Filtering is On.

I set Global Filter Mode to No Filtering (because I only want to effect 1 device).

I then selected my client PC from the drop down list, chose OpenDNS Home and hit + (to add).

Then hit Apply and it all worked.

Fingers crossed.

 

[yoggit]

DNS Filter Failing

I thought this would be simple, but it's proving to be a real pain. I cannot for the life of me have my roku use the getflix DNS while everything else on my LAN uses the router...

192.168.1.7 is my Roku. It has a manually assigned address from the DHCP server page.

I then followed ColinTaylor's advice above (which I'm 100% sure I'd already tried), but I cannot get my roku to use a custom DNS!

Under Parental Controls - DNS Filtering:-
Enabled = On
Global Filtering = No Filtering
Custom DNS1 = 54.252.183.4

I then select my roku client, set filter mode to custom1, hit '+' and apply.

After this point, I did a factory reset on the roku, but then as you can see, when I attach the roku to my wifi network it uses the router for DNS, and funnily enough also talks to Google DNS on 8.8.8.8 even though I don't have that configured anywhere!

Here's a tcpdump from the router:-

tcpdump -ni any -c20 host 192.168.1.7 and port 53

21:37:31.443339 IP 192.168.1.7.59854 > 192.168.1.1.53: 61245+ A? api.roku.com. (30)
21:37:31.444741 IP 192.168.1.7.59854 > 192.168.1.1.53: 61245+ A? api.roku.com. (30)
21:37:31.444092 IP 192.168.1.7.42918 > 192.168.1.1.53: 56819+ A? www.google.com. (32)
21:37:31.444092 IP 192.168.1.7.42918 > 192.168.1.1.53: 56819+ A? www.google.com. (32)
21:37:31.444119 IP 192.168.1.7.57234 > 8.8.8.8.53: Flags , seq 2419035526, win 5840, options [mss 1460,sackOK,TS val 4294955533 ecr 0,nop,wscale 4], length 0
21:37:31.444119 IP 192.168.1.7.57234 > 8.8.8.8.53: Flags , seq 2419035526, win 5840, options [mss 1460,sackOK,TS val 4294955533 ecr 0,nop,wscale 4], length 0
21:37:31.458563 IP 192.168.1.1.53 > 192.168.1.7.59854: 61245* 1/0/0 A 192.184.84.41 (46)

Oh, and version is as per ColinTaylor 374.43.

Any ideas? Do I need to use iptables to NAT the DNS from the roku? That seems like a massive pain given that the feature is right there...

Maybe I change the global DHCP server setting so everyone on the LAN uses the custom DNS setting?

Far out???!!!


Cheers,
Jon

 

[ColinTaylor]

What do you see if you issue the following iptables command?

# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 663 packets, 28916 bytes)
 pkts bytes target     prot opt in     out     source               destination
  505 19633 VSERVER    all  --  *      *       0.0.0.0/0            82.2.173.29
[B]   24  1416 DNSFILTER  udp  --  *      *       192.168.1.0/24       0.0.0.0/0           udp dpt:53
    0     0 DNSFILTER  tcp  --  *      *       192.168.1.0/24       0.0.0.0/0           tcp dpt:53[/B]

Chain POSTROUTING (policy ACCEPT 27 packets, 3266 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   232 MASQUERADE  all  --  *      eth0   !82.2.173.29          0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xd001

Chain OUTPUT (policy ACCEPT 27 packets, 3266 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
[B]    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 94:DE:80:C5:79:52 to:208.67.222.222[/B]

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  505 19633 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Here you can see (scroll window right) my device with MAC address 94: DE:80:C5:79:52 being directed to 208.67.222.222 (OpenDNS)

 

[yoggit]

Not NATing?

Hi again,

Thanks for your help ColinTaylor

Yep, my iptables are the same as yours...

I mistakenly thought that dns filtering would be done via DHCP... wouldn't that make sense?? Anyway...

So I finally got Netflix to show up on the roku, but when I try to open it I'm told there are network problems, and when running the included tests it would fail to some netflix servers.

I figured I'd see if Getflix are having issues... so I find this page:- https://www.getflix.com.au/support which says roku accesses some public DNS servers and I'll need to block them, which I did.

Still netflix tests fail...

I then thought I'd globally change the DNS server in the DHCP options, and tada - Netflix now works!

So, given that Getflix DNS works fine when I set it as my DNS server for the whole of my LAN, I still believe that the custom DNS filter isn't behaving.

Cheers,
yoggit

 

[ColinTaylor]

I figured I'd see if Getflix are having issues... so I find this page:- https://www.getflix.com.au/support which says roku accesses some public DNS servers and I'll need to block them, which I did.

How did you block these DNS servers?

 

[yoggit]

I added static routes to 192.168.1.1 to block those routes. Seems to have done the job.

I've finally solved my problem. dnsmasq to the rescue!

I did this:-

admin@RT-AC66U:/jffs/configs# vi dnsmasq.conf.add

server=/netflix.com/54.252.183.4
server=/nflximg.com/54.252.183.4
server=/nflximg.net/54.252.183.4
server=/roku.com/54.252.183.4

Then rebooted and no more netflix problems!

Thanks for your help ColinTaylor.

-yoggit

 

[ColinTaylor]

I added static routes to 192.168.1.1 to block those routes. Seems to have done the job.

I don't know what you mean by this.

I've finally solved my problem. dnsmasq to the rescue!

Interesting, but if the iptables entries are working correctly then the Roku will be bypassing the routers DNS server completely so those settings should have no effect. There must be something other than just DNS involved!

But, if it works.... that would be good enough for me

 

[peraburek]

sorry for raising old topic, is there option to do DNS Filtering based on IP range ?

for example - filter 192.168.1.0/25 (subnet mask: 255.255.255.128) so I could get everything in DHCP Pool DNS filtered, and IPs outside of the DHCP Pool independent from DNS Filter