per-client dns filtering + dnsmasq for local domains

vesper8

New Around Here
Hi all,

I just recently discovered OpenDNS and I am really enjoying using it to filter out certain websites from certain clients.

I'm using the latest 376.48 beta2 btw.

I love how I can set it so it only applies OpenDNS filtering to certain clients.

I was also previously using dnsmasq to resolve all domains that end in ".dev.local" to a local machine web server.

I had this working by simply adding this line to /jffs/configs/dnsmasq.conf.add:
address=/.dev.local/192.168.0.199

And this was working great.

I noticed ever since I started using DNS Filtering that my dnsmasq rule no longer works and I can't reach my local domain from clients that are filtered under the Parental Control > DNS Filtering.

I would really like to figure out a way to use both. I tried adding this additional line to my /jffs/configs/dnsmasq.conf.add: local=/dev.local/

But I later figured out that dnsmasq is ignored entirely when using DNS Filtering.

I read somewhere that losing dnsmasq functionality is a price to pay for using DNS Filtering.

I realize that the way to proceed is to NOT use DNS Filtering and instead use dnsmasq to do DNS Filtering by having it query the OpenDNS nameservers

I found a few explanations as to how to do that.. but none of them explained how to do BOTH OpenDNS filtering (via dnsmasq) as well as local dns resolution for a specified domain (.dev.local) in my case.

Also, would it even be possible to do both those things as well as not apply dns filtering to certain clients (based on their mac addresses) ?

I know this is getting complicated... but if someone could help put me in the right direction.. this is really what I need to accomplish:

1) apply opendns filtering on certain clients only
2) all clients should be able to access local websites that end in .dev.local

Is it possible?

Many thanks!
 
If it were possible, I would have already done so in the DNSFilter design. It's just not possible to do both at the same time.
 
It is possible with DNSthingy on other platforms such as OpenWRT, pfSense, ipfire, etc.

I am in the middle of modifying Merlin's firmware to have DNSthingy included but there are still some issues.
 
It is possible with DNSthingy on other platforms such as OpenWRT, pfSense, ipfire, etc.

DNSFilter's advantage over most known solutions is that it prevents your users from manually specifying a different DNS server on their clients to work around it. Iptables will force their DNS traffic to go through a specified DNS server.

The only way around this limitation would be to modify dnsmasq to have it handle local queries, and then route all unresolvable entries to an appropriate DNS server based on the requester's MAC, and have iptables force filtered clients to go through the router's dnsmasq.
 
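One way to get both behaviours without modifying dnsmasq, as an added example that is not code from this thread or from the firmware: a second, filtering dnsmasq instance on an alternate port, with only the chosen clients DNAT'd into it. The LAN IP, bridge name, port 5353, the file paths, the MAC addresses and the OpenDNS FamilyShield resolvers are assumptions; it generalizes the single address= line above to a per-client setup.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: run a second,
# filtering dnsmasq on an alternate port and DNAT only the chosen clients into
# it. Both instances carry the address= override, so every client resolves
# *.dev.local locally while only the listed MACs are forwarded to OpenDNS.
# Assumed values: LAN IP 192.168.0.1, bridge br0, web server 192.168.0.199,
# OpenDNS FamilyShield resolvers 208.67.222.123 and 208.67.220.123.
ROUTER_IP=${ROUTER_IP:-192.168.0.1}
LAN_IF=${LAN_IF:-br0}
FILTER_PORT=${FILTER_PORT:-5353}
LOCAL_DOMAIN=${LOCAL_DOMAIN:-dev.local}
LOCAL_WEB=${LOCAL_WEB:-192.168.0.199}
FILTER_DNS="208.67.222.123 208.67.220.123"
# Constructed MAC addresses of the clients that should be filtered.
FILTERED_MACS="AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:02"

# Line for the main dnsmasq (port 53), i.e. /jffs/configs/dnsmasq.conf.add:
# only the local override; its upstream stays whatever the firmware set.
main_conf() {
    printf 'address=/.%s/%s\n' "$LOCAL_DOMAIN" "$LOCAL_WEB"
}

# Config for the filtering instance (assumed path /jffs/configs/dnsmasq-filter.conf):
# same local override, no resolv.conf, upstream limited to the filtering resolvers.
filter_conf() {
    printf 'port=%s\nlisten-address=%s\nbind-interfaces\nno-resolv\n' \
        "$FILTER_PORT" "$ROUTER_IP"
    printf 'pid-file=/var/run/dnsmasq-filter.pid\n'   # keep clear of the main pid file
    printf 'address=/.%s/%s\n' "$LOCAL_DOMAIN" "$LOCAL_WEB"
    for dns in $FILTER_DNS; do printf 'server=%s\n' "$dns"; done
}

# NAT rules, printed rather than applied, for /jffs/scripts/nat-start: redirect
# port 53 UDP and TCP from the listed MACs to the filtering instance, so those
# clients cannot escape by configuring another resolver. Unlisted clients are
# untouched and keep using the main dnsmasq handed out by DHCP.
filter_rules() {
    for mac in $FILTERED_MACS; do
        for proto in udp tcp; do
            printf 'iptables -t nat -A PREROUTING -i %s -m mac --mac-source %s -p %s --dport 53 -j DNAT --to-destination %s:%s\n' \
                "$LAN_IF" "$mac" "$proto" "$ROUTER_IP" "$FILTER_PORT"
        done
    done
}

# Start the second instance with: dnsmasq --conf-file=/jffs/configs/dnsmasq-filter.conf
main_conf
filter_conf
filter_rules
```

The MAC match only catches plain port-53 traffic, so a client that switches to DNS over HTTPS or changes its MAC address steps around it, which is the same limit the DNSFilter design has.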
@vesper8 I'm the founder of DNSthingy and I'd be happy to give you an additional free trial time... just direct-message me here or on Twitter at @DRtheNerd (follow me and I'll follow back) and I can give you links to firmware you can apply to various devices to try it out.

What you're looking for is our feature called Rainbow lists. A rainbow list is where you specify DNS servers to use for specific domains. Typical use is just as you described: you want all Internet TLDs to go to someone like OpenDNS, but yourcompany.local should be referred to your internal Active Directory. This solves that scenario, but there are a lot of other creative applications that people have found as well.
 
Combining lists

I should have clarified, DNSthingy supports rainbow lists as described, but also blacklists (to disallow) and whitelists (an exclusive "block all, allow some" approach).

Furthermore, you can apply different profiles to different devices. That way the boss can have unrestricted access while others can have restrictions applied.

To achieve this, DNSmasq is no longer bound to port 53, but our own resolver takes care of DNS resolutions, forwarding & caching, and it does so in a deterministic fashion to honour your per-device preferences.
 
Thanks for the helpful replies all.

I ended up solving my problem by installing Acrylic DNS Proxy on the few machines that require access to the local web server. This wouldn't work if I was managing a big network but this is for my home network so it's fine. Acrylic allowed me to set a sort of wildcard for any requests ending in ".local" to point to my local web server.

If there's some kind of tutorial that explains how to set up dnsmasq to work the way RMerlin described it then I'd be happy to try that. And maybe sometime in the future RMerlin will come up with a way to add this side-by-side the DNS Filtering. In my case it's not a requirement that "users be unable to bypass the router's DNS". This may sound silly but I use OpenDNS to filter my own self from going on timesink websites such as facebook and others. I guess my brain knows better than to "bypass" measures that I myself put in place lol.. weird but it works for me ;)
 
Change of MAC and DNSFilter

I am looking for some clarification. My basic story is that I have some very smart teenage sons that know how to change their MAC address. If I go to DNSFilter and enable it, set it to OpenDNS Home, then specify their MAC addresses below and say OpenDNS Home, that will block them. (I do understand that).

If however they change their MAC address, does it take the default from above and still force them to go through OpenDNS?

FYI they are Wired and I am wireless... does this make a difference?

Thanks in advance
Corey
 
Sounds like you will want to enable the Global Filter Mode to OpenDNS and then specify your MAC to use No Filtering. Wired vs. Wireless should make no difference.

 
The best chance you have to control smart/determined users from doing things on your network you want to prevent is to take away administrative privileges on their machines. This makes it much harder for a user with non-administrative privileges to change IPs and MAC addresses. As long as users can change their MAC address, neither whitelists nor blacklists will be effective.

Another approach is to double NAT another router behind your primary router strictly for your sons use. Set the rules on this router to apply to all users at all times. Then changing IPs or MAC addresses won't change privileges. Other users would still connect to the primary router.

You will need to put both routers in secure locations where someone can't plug an Ethernet cable into the primary router or perform a factory reset on either router. If necessary you can epoxy the reset button on the second router and also glue the WAN cable in place on the second router to increase security.
 
Sounds like you will want to enable the Global Filter Mode to OpenDNS and then specify your MAC to use No Filtering. Wired vs. Wireless should make no difference.

So you are saying it can be done with this router. Is the upper part the Global Filter? (Above the 3 Custom DNS addresses) Please see attached image.
 
Attachment: asus_merlin.png
I agree with Zirescu. Enable OpenDNS at your desired level applying to all devices and just exclude specific devices.
 