Set DNSFilter to a schedule?

[JohnD5000]

Is there a way to set the DNSFilter based on a schedule for a specific device?

For example, for a device with MAC address 01:02:03:04:05:06

between 8:00AM and 8:00pm, DNSFilter = "No Filtering"
between 8:01pm and 7:59am, DNSFilter = "OpenDNS Home"


Thank you

 

[eibgrad]

AFAIK, No. The router was never designed to provide for the arbitrary changing of DNS servers. The only time you see this type of behavior is in response to higher level changes, such as the starting and stopping of the VPN clients, which themselves might change how DNS is handled for certain clients.

What you could do is create your own DNS filter(s) using scripting rather than relying on the GUI. It just requires creating firewall rules that include the netfilter time module to control when those rules are in effect. In theory, that's something that could some day be added by the developers to the existing GUI, but as of the moment, I'm unaware of any such capability.

For example, if we assume the default DNS server(s) are accessed between 8:00 AM and 8:00 PM, you could create a nat-start script like the following to change it to OpenDNS between the hours of 8:00 PM and 8:00 AM.

iptables -t nat -I PREROUTING -i br0 -p udp -m mac --mac-source 01:02:03:04:05:06 --dport 53 -m time --timestart 20:00 --timestop 00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -p udp -m mac --mac-source 01:02:03:04:05:06 --dport 53 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -p tcp -m mac --mac-source 01:02:03:04:05:06 --dport 53 -m time --timestart 20:00 --timestop 00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -p tcp -m mac --mac-source 01:02:03:04:05:06 --dport 53 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz -j DNAT --to 208.67.222.222

Note, when you cross the midnight boundary on a rule that uses the time module, you have to split it into two rules which straddle the midnight hour. Also, if it applies to everyday, I believe you could eliminate the --weekdays options, but I left it in the rule so it was clear you could configure it for specific days.

Realize that like all DNS filters, this bypasses DNSMasq, so the client will lose access to local name resolution, local caching, ad-blocking, and any other features offered by DNSMasq.

 

[eibgrad]

P.S. I originally said firewall-start script, but these changes require a nat-start script.

 

[Zastoff]

I change one of the custom fields under dnsfilter with cron-jobs, It changes from nextdns(custom setup) to cleanbrowsing-family on my kids school laptops..
It works but can maybe be done better..
Here is a post i did on how to set it up:

Block access to TikTok in the morning and evening

Hi all, I have AC68U with Merlin and I can install AddOns if any can do that. I want to disable access to TikTok and YouTube at specific hours in the morning and evening, but permit access to other websites in the same time. From Parental Controls -> Time Scheduling is not possible. Do you know...

www.snbforums.com

 

[JohnD5000]

Thanks for the responses. I think I've got it set up.

 

[eibgrad]

I change one of the custom fields under dnsfilter with cron-jobs, It changes from nextdns(custom setup) to cleanbrowsing-family on my kids school laptops..
It works but can maybe be done better..
Here is a post i did on how to set it up:

Block access to TikTok in the morning and evening

Hi all, I have AC68U with Merlin and I can install AddOns if any can do that. I want to disable access to TikTok and YouTube at specific hours in the morning and evening, but permit access to other websites in the same time. From Parental Controls -> Time Scheduling is not possible. Do you know...

www.snbforums.com

Seems to me there's a minor flaw in this approach. What if the router is rebooted? Won't the current DNS filter simply be whatever is the default, at least until the cronjob is triggered again for the relevant time period?

You may think a reboot is unlikely, but these little devils will often experiment by intentionally rebooting the router to see if it makes a difference. Or maybe you have the router configured to reboot on a schedule or in response to a failed WAN.

That's always the problem w/ these types of changes based on the scheduler. You're trying to cover a given time period, NOT just trip an event and have it be over. So you have to account for the possibility of a reboot and make sure to set the rules correctly for the current time.

Or maybe my concerns have been addressed and I just missed it.

 

[Zastoff]

Seems to me there's a minor flaw in this approach. What if the router is rebooted? Won't the current DNS filter simply be whatever is the default, at least until the cronjob is triggered again for the relevant time period?

You may think a reboot is unlikely, but these little devils will often experiment by intentionally rebooting the router to see if it makes a difference.

That's always the problem w/ these types of changes based on the scheduler. You're trying to cover a given time period, NOT just trip an event and have it be over. So you have to account for the possibility of a reboot and make sure to set the rules correctly for the current time.

Or maybe my concerns have been addressed and I just missed it.

I have used this for some time on my 87u and on my current ax88u and i had no issues with this so far, Sure i guess you can get it wrong if a reboot happens at the precise time the cron should have changed the custom 3 under dns-filter.. I guess i avoid rebooting during those times
A reboot will not reset custom 3 value, The last executed cron job will be the default value in custom 3 until the next cron job is executed and at reboot the crons are read from services-start

 

[eibgrad]

I have used this for some time on my 87u and on my current ax88u and i had no issues with this so far, Sure i guess you can get it wrong if a reboot happens at the precise time the cron should have changed the custom 3 under dns-filter.. I guess i avoid rebooting during those times

It doesn't require any precision. Any time the router is rebooted, regardless of any scheduled changes you may have instituted, it returns to its defaults until such time as the relevant cronjob is triggered again. Also, as I said, clever kids learn that rebooting a router will sometimes get around restrictions parents have imposed. If they don't learn it themselves, they learn it from their classmates.

Anyway, it's just something to take into consideration. Things may not always go as planned.

 

[Zastoff]

It doesn't require any precision. Any time the router is rebooted, regardless of any scheduled changes you may have instituted, it returns to its defaults until such time as the relevant cronjob is triggered again. Also, as I said, clever kids learn that rebooting a router will sometimes get around restrictions parents have imposed. If they don't learn it themselves, they learn it from their classmates.

Anyway, it's just something to take into consideration. Things may not always go as planned.

Edited my replay:

A reboot will not reset custom 3 value, The last executed cron job will be the default value in custom 3 until the next cron job is executed and at reboot the crons are read from services-start

 

[eibgrad]

A reboot will not reset custom 3 value, The last executed cron job will be the default value in custom 3 until the next cron job is executed and at reboot the crons are read from services-start

Well this is what I was saying. Am I missing something where this possibility is covered.

 

[Zastoff]

Well this is what I was saying. Am I missing something where this possibility is covered.

You mean the kids will learn the time it changes the value? and reboot at the precise time ?
In my case the kids are to tired in the morning to go up and reboot the router to skip the blocking during the day and if they do the reboot in the evening it would mean things is still blocked for them..
If they should succeed i will use the script Guiderails instead on all their devices

 

[dave14305]

Well this is what I was saying. Am I missing something where this possibility is covered.

He’s committing the current DNS IP in nvram and restarting the firewall for it to take effect. Should be fine after a reboot.

 

[eibgrad]

He’s committing the current DNS IP in nvram and restarting the firewall for it to take effect. Should be fine after a reboot.

Yes, I realize that now. In effect, the triggered change becomes the new default on a reboot. I just wanted to make sure a reboot had been considered. It wasn't obvious to me (until now) this was the case.

 

[Yota]

Why use DNS and IP addresses to filter traffic? Most devices these days can easily set up encrypted DNS.
I think we can using entware to install squid to check SNI for TLS.

 

[eibgrad]

You mean the kids will learn the time it changes the value? and reboot at the precise time ?

Well at least in theory, it's still possible to manipulate the router to avoid a cronjob. That's always an issue w/ *any* kind of scheduled job. That's why, for example, Microsoft's scheduler offers the option to trigger "missed" events (most likely due to a reboot or being offline for some reason). But I consider that far far less of a concern here. Even I don't consider most kids that clever.

 

[eibgrad]

Why use DNS and IP addresses to filter traffic? Most devices these days can easily set up encrypted DNS.
I think we can using entware to install squid to check SNI for TLS.

The goal here is to change the DNS provider at different times of the day. Encryption (having it or the lack of it) is NOT the issue.

 

[Yota]

The goal here is to change the DNS provider at different times of the day. Encryption (having it or the lack of it) is NOT the issue.

I don't understand what is the reason for this, but I mean DNS based filtering is outdated and many modern devices can bypass them. If just to block ads, it will not have any good effect, especially now that most websites put ads and content on the same domain.

 

[eibgrad]

I don't understand what is the reason for this, but I mean DNS based filtering is outdated and many modern devices can bypass them. If just to block ads, it will not have any good effect, especially now that most websites put ads and content on the same domain.

Those may be valid points. But *why* the OP has chosen to do this is an entirely different subject. And maybe worthy of discussion if the OP feels compelled to address it. All @Zastoff and I were attempting to address is the immediate problem.

 

[Zastoff]

I don't understand what is the reason for this, but I mean DNS based filtering is outdated and many modern devices can bypass them. If just to block ads, it will not have any good effect, especially now that most websites put ads and content on the same domain.

In my case i use this on my kids school devices and the devices is set to use NextDNS (a custom config) during the day when they have school and homework and it use a bypass blocklist that blocks most vpn`s and encrypted dns bypass options, They have not been able yet to bypass this .
And then it changes in the evenings to free time internet on those devices..still some parental control with cleanbrowsing-family.
And i use Anonymized DNSCrypt for most devices on my home network with diversion and Skynet and have no issues with ads., Only some devices are used via dns-filter.

 

[JohnD5000]

Those may be valid points. But *why* the OP has chosen to do this is an entirely different subject. And maybe worthy of discussion if the OP feels compelled to address it. All @Zastoff and I were attempting to address is the immediate problem.

My reason for doing this is that I want to keep my son off Youtube, Netflix, etc after hours (10 pm school days 11 pm weekends).

I set up OpenDNS Home to block those. Daytime, it will run through CleanBrowsing_Family, which should allow those. Nighttime, it will run through OpenDNS which should block those.

Then I assign the DNS to my son's devices.