Questions about the new DNS filtering in 3.0.0.4_374.39_0

[cdysthe]

Hi,

I have used OpenDNS for years and have a "Household" account with them which allows detailed filter rules and administration as long as I keep the IP updated with OpenDNS. Currently i have OpenDNS set as DNS in the WAN DNS settings making all clients use OpenDNS instead of DHCP based through my ISP. My OpenDNS account and dyndns (through Namecheap) are updated using DNS-O-Matic set in the WAN DDNS settings. It all works great. On this background I have a few questions about the new Parental Control DNS filtering options in 3.0.0.4_374.39_0:

- If I now want to use OpenDNS filtering in Parental Control in the latest firmware do i set DNS to automatic in the WAN DNS settings ?

- If i use the new DNS filtering in Parental Control will i be using the rules in my OpenDNS account like I am now with my current setup (as long as my dynamic IP is updated)?

- If I enable OpenDNS and set the Global Filter Mode to OpenDNS do I still have to add clients below, or is that only if I want filtering for some client and not for others? Likewise if I do want OpenDNS set on a client base do I keep Global Filter Mode set at "No Filtering"?

- What are the benefits of using the DNS settings in Parental Control over simply pointing to a DNS service in the manual WAN DNS settings except for being able to set it on a client basis?

Finally, thank you Merlin for yet a great firmware update!

 

[RMerlin]

- If I now want to use OpenDNS filtering in Parental Control in the latest firmware do i set DNS to automatic in the WAN DNS settings ?

Yes.

- If i use the new DNS filtering in Parental Control will i be using the rules in my OpenDNS account like I am now with my current setup (as long as my dynamic IP is updated)?

In theory it should, tho I haven't tested it.

- If I enable OpenDNS and set the Global Filter Mode to OpenDNS do I still have to add clients below, or is that only if I want filtering for some client and not for others? Likewise if I do want OpenDNS set on a client base do I keep Global Filter Mode set at "No Filtering"?

Take the Global setting as a default, if you prefer. Clients entered below will be exceptions to that default value.

If you only need to filter out 2-3 specific devices, then I recommend leaving the Global list to "None", and specifically configuring those clients below.

- What are the benefits of using the DNS settings in Parental Control over simply pointing to a DNS service in the manual WAN DNS settings except for being able to set it on a client basis?

Clients could override your WAN DNS simply by manually entering different nameservers on their computers. That won't work with DNSFilter since it essentially redirects DNS queries to the intended target.

 

[tigreseis]

Confused about DNS Filter

I (like the original poster) already use Opendns. I understand your comments about removing the Wan DNS opendns servers since the parental DNS filter is on. However, when I turned the filtering on and selected Opendns, it never asks for a log in or anything of the sort.

So, how is this helping me? I have my account setup to custom filter various categories, but if there is no log in it really doesn't access that. So, how is it filtering?

Tomato has something similar, but when you activate it, it requires a log in to access your Opendns account. You also don't have to use the dynamic ip updater.

 

[RMerlin]

I (like the original poster) already use Opendns. I understand your comments about removing the Wan DNS opendns servers since the parental DNS filter is on. However, when I turned the filtering on and selected Opendns, it never asks for a log in or anything of the sort.

So, how is this helping me? I have my account setup to custom filter various categories, but if there is no log in it really doesn't access that. So, how is it filtering?

Tomato has something similar, but when you activate it, it requires a log in to access your Opendns account. You also don't have to use the dynamic ip updater.

The OpenDNS account must be configured through the DDNS page, using the DNS-o-Matic service (which belongs to OpenDNS).

 

[DreXon]

Thanks for the features

Just "upgraded" my router to asuswrt-merlin. I have a block of static IPs that the default firmware would not support. This forced me to use another router for some time a Linksys RV042. That worked ok, but the performance was not on par with what the RTN66U provided. Given I play FPS on XBOX I couldn't take it anymore, so thank you very much for giving me an option that will allow the great hardware that Asus built to actually meet my needs.

Now I too am working with OpenDNS, have been for a long time. I want to be able to use this new feature globally with some exceptions. I work from my home and while I do not want my children in forums, I need to be able to consult forums daily. It seems to support this configuration, but it is not working. My computer with the exception is still getting OpenDNS denied pages.

One comment to the others using OpenDNS. The login is only necessary to map your IP address to your account. If your IP Address is consistent, which often it is, and in the case of static IP Addresses it always is, then it will sync up and use your configured settings. I can verify that mine has attached to my account.

 

[DreXon]

One More Question

Is there anyway to view the DNSFilter configuration from the ssh cmd line?

 

[Builder71]

Is there anyway to view the DNSFilter configuration from the ssh cmd line?

Here.

 

[DreXon]

Progress

I just found that I can assign the "exception" workstation to another filter mode and that works, it just seems to not work when assigned to None.

 

[Builder71]

I just found that I can assign the "exception" workstation to another filter mode and that works, it just seems to not work when assigned to None.

If I'm correct, "none" means what you configured on the WAN page.
(Client on DHCP.)
Or DNS configured directly on the clients NIC.

 

[DreXon]

If I'm correct, "none" means what you configured on the WAN page.
(Client on DHCP.)
Or DNS configured directly on the clients NIC.

I have it configured on my NIC but it is being redirected by the DNSFilter to the OpenDNS servers, or which ever other I choose, None doesn't seem to undo this.

 

[RMerlin]

I have it configured on my NIC but it is being redirected by the DNSFilter to the OpenDNS servers, or which ever other I choose, None doesn't seem to undo this.

Upgrade to 374.40 Beta 1. There were many bugfixes related to DNSFilter in it (which was in its first release in 374.39).

 

[DreXon]

Upgrade to 374.40 Beta 1. There were many bugfixes related to DNSFilter in it (which was in its first release in 374.39).

Is it otherwise stable?

 

[L&LD]

Except for the RT-AC68U, the 374.40 Beta 1 version is the recommend version right now.

 

[DreXon]

Thank You

That totally resolved my issue.

I don't think I can express exactly how happy I am that this feature was in here. I switched to Merlin firmware to make it possible to support multiple static IP addresses on the WAN for web servers on the inside.

Previously I had been using a hacky solution to force OpenDNS, blocking port 53 at the firewall and only allowing the Asus to do DNS resolution. This however makes that soo much easier and more effective, as well as allowing those exceptions that exist to continue to function. Xbox Live runs into issues with some of the blocks in OpenDNS, and isn't very clear about what it can't connect to it just says your offline. With this solution I can put it on an exception list easily, as well as my work computer.

Thank you

 

[sammyano]

The OpenDNS account must be configured through the DDNS page, using the DNS-o-Matic service (which belongs to OpenDNS).

RMelrin - Are you saying that if 'OpenDNS' is not selected via the DDNS settings page, selecting it as my DNS Filter will then not work as intended, that is using OpenDNS for my global DNS Filter, please advise as am a little bit confused.

Currently - I use asus.com as my DDNS and then in WAN > DNS Servers set use automatic to 'No' and specified OpenDNS IP addresses and for DNS Filter selected OpenDNS Family which the account I have within their portal.

PS - Before I selected the OpenDNS / entered its IP addresses in the DNS Filter page, I lookup my DNS Filter and noticed that it was using google's IP addresses, even though I manually specified OPenDNS IP within the WAN > DNS Servers

thanks

 

[RMerlin]

RMelrin - Are you saying that if 'OpenDNS' is not selected via the DDNS settings page, selecting it as my DNS Filter will then not work as intended, that is using OpenDNS for my global DNS Filter, please advise as am a little bit confused.

Currently - I use asus.com as my DDNS and then in WAN > DNS Servers set use automatic to 'No' and specified OpenDNS IP addresses and for DNS Filter selected OpenDNS Family which the account I within their portal.

PS - Before I selected the OpenDNS / entered its IP addresses in the DNS Filter page, I lookup my DNS Filter and noticed that it was using google's IP addresses, even though I manually specified OPenDNS IP within the WAN > DNS Servers

thanks

OpenDNS offers two types of services:

- Open, anonymous usage. In this mode, anyone can use their servers, however you won't be able to customize how the service works

- Through a registered account. In this mode, you can also login to their website to customize various settings, such as whether you want invalid hostnames be redirected to an error page rather than return an NXDOMAIN error (domain not found)

For registered accounts to work, OpenDNS needs to know your current IP. This is what the DDNS service will do. That's how the OpenDNS server will know it's you, and will use your customized settings.

Both modes will work perfectly well with DNSFilter.

 

[sammyano]

Thanks, but I use asus.com as my DDNS and not OpenDNS, though I do login into my account from home to check that it has my current Internet IP - Do I need to change DDNS for this to work or leave it as I specified in my previous comment?

 

[RMerlin]

Thanks, but I use asus.com as my DDNS and not OpenDNS, though I do login into my account from home to check that it has my current Internet IP - Do I need to change DDNS for this to work or leave it as I specified in my previous comment?

You will have to install some computer-based DDNS updater for OpenDNS then, unless you have a static IP that won't change, and you can manually enter it on the OpenDNS portal.

 

[sammyano]

You will have to install some computer-based DDNS updater for OpenDNS then, unless you have a static IP that won't change, and you can manually enter it on the OpenDNS portal.

Thanks I due have Opendns updater on my PC

 

[RMerlin]

Thanks I due have Opendns updater on my PC

Then you're all set. That client will take care of keeping OpenDNS updated with your IP, so when DNS queries come from that IP, it will know which account to associate them with.