Set specific DNS servers for specific clients?

sharkus

Occasional Visitor
Hello all,
I'm currently running merlin 384.10 on an Asus RT-AC88U.

I'm unsure if the following is possible, but thought I'd ask.

Can things be configured in the router so that specific devices get automatically provided with specific DNS entries? For example, the default DNS for the router would be 1.2.3.4 and 4.3.2.1 and the majority of my devices connected via DHCP would simply use those.
However, I may have a few devices, for example an iPad and AppleTV that I'd like to automatically have different DNS entries, for example 9.8.7.6 and 6.7.8.9

Is that possible, and if it is, would I have to disable NAT acceleration / CTF?

Why do I want to do this?
I have FTTH access from Bell, specifically a 1500 / 1000 plan (Yes I know I'll not get the full 1500 on any single device that I have) and thus have the "lovely" HomeHub 3000 device. I have bypassed this by putting the GPON into a TP-Link media converter, then using my Asus to initiate the PPPoE connection.

This does work, but the download speed isn't as good as it could be, between 640 - 750 down. If I go back to just using the HomeHub 3000 then I do see better results, around 850 - 930.

I thought I'd try passthrough, whereby HomeHub 3000 has the GPON back in it, but the ASUS initiates the PPPoE connection. This did result in download speeds the same as just using the HomeHub 3000, with the advantage of the control the ASUS running merlin provides.

Everything seemed great until I tried using my AppleTV, and a couple of iPhone and iPad devices. Sometimes they'd work, other times they were unable to access certain things. For example, Netflix and the Movie app on the Apple TV would not function, but Youtube was ok. Certain sites on the iPhone and iPad could not be accessed (fabric / crashlytics for downloads of development apps - somewhat needed for my job)

I did change DNS settings on one of the devices and got it to work (trying to remember if it was switching to cloudflare dns entries, or the bell specific ones, or the other way round). If I made the change on the router to use the DNS entries that worked on the clients, then it caused slower downloads on devices that had been ok, specifically my iMac.

Now I am not 100% certain the issues I saw were DNS related, but I'd like to try and rule that out by being able to supply specific DNS entries from the router (ASUS in this case) to the devices.

Why not just edit the DNS on the devices? Ok, I could do that on my AppleTV, but the other iOS devices are work devices, and well, I'm lazy and don't want to switch DNS from Auto to manual and then enter the info, then remember to switch it back to Auto when I'm in the office. If I forget that bit then others might not think where to go to switch it from manual to auto.
 
Have a look on the LAN page, on the DNSFilter tab. Enable DNS Filter (Yes), set Global mode to Router and on the WAN page set the DNS Servers 1.2.3.4 and 4.3.2.1 as you suggested, and then on the DNS Filter page you list those clients that want to use specific, different DNS servers, and specify them.

You can specify up to 3 custom DNS servers and then in the Filter Mode box for each client you select which one you want for that client (designated by MAC address).

Will that do what you’re looking for? I think it’s exactly what you want.
 
Thank you, it does sound as though that's exactly what I want. I'll give it a shot and will report back.
 
Excellent. Thanks. Yes, please do let us know how you get on. The added bonus of using DNS Filter (even if you don’t list clients at the bottom) is that, regardless of DNS settings on your individual devices, DNS Filter intercepts the DNS requests and forces them to use those settings you have specified on the router, thereby giving you, for example, more control on sites your children’s devices can connect to. (Some special devices, e.g. Roku, have, I believe, the DNS hard coded into the hardware, and so cannot be controlled in the same way.)
 
I tried the instructions above and things worked but, only for a while then stopped. If I use iptables set to run at nat-start the routing of dns works, why would dnsfilter fail after a while of running? Doesn't dnsfilter use iptables rules itself? Strange... I am running this new alpha on my AX88U and the devices I need to choose certain dns servers for are running through an OVPN client with dns set to disabled.

Example: Entire OVPN client 1 dns routed through router's dns, except for 2 devices they need 1.1.1.1

Live and Learn Edit: I had my router IP in the list of devices in my VPN client settings shown like this: 192.168.xxx.1/32 through WAN. Don't use the /32 notation, and the above instructions work great.
 
I've yet to have time to give it a full attention look, so only a brief one, but I wanted to ask a further question or so.

Under WAN -> Internet Connection -> WAN DNS Setting, is it ok that I've got it set to "Connect to DNS Server automatically"?

I'm using DHCP, so under LAN -> DHCP Server -> DNS and WINS Server Setting, should I leave "DNS Server 1" and "DNS Server 2" empty, so it'll pick up the DNS from the "Connect to DNS Server automatically"? I'd also presume that would be the source of the values for the "Router" option in DNSFilter, is that correct?

One final question. As stated, I gave it a very quick try last night on my iMac. I configured DNSFilter's "Global Filter Mode" to "Router", then I set "Custom (user-defined) DNS 1" to "1.1.1.1" and "Custom (user-defined) DNS 2" to "1.0.0.1", then selected my iMac's ethernet connection from the "Client MAC address" list, set one entry to "Custom 1" and added another for "Custom 2". I applied the settings, rebooted the router, rebooted the iMac for good measure.

When I went into System Preferences -> Network -> Ethernet, I could see the DNS entry listed as "10.0.0.1" which is my router's IP address, I went into advanced settings, saw the same thing. Is this what should be happening, or should it explicitly display "1.1.1.1, 1.0.0.1"? Unsure if this is a mac specific thing, I didn't have a windows machine to check at the time, or whether it's just a router thing, or something I've not configured correctly. Is there some other way to find the actual DNS settings being used by the iMac, possibly via command line?
 
Your clients only receive the router's IP as the DNS server. Behind the scenes, DNSFilter intercepts any DNS requests from your clients and re-routes them to the destination specified in DNSFilter -- globally your router's dnsmasq, which will forward to your ISP DNS servers, or 1.1.1.1 for your iMac. You should delete the second entry you created for the same PC. There is no redundancy available when using DNSFilter (except router mode uses WAN DNS 1 and WAN DNS 2).
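What the reply above describes (and what the earlier DNSFilter instructions configure through the GUI) is a DNAT of port 53 keyed on the client's source MAC, with a catch-all that sends everyone else to the router's own dnsmasq. The script below writes that out nat-start style so the mechanism is visible. It is an added example, not Asuswrt-Merlin's DNSFilter code or anything posted in the thread; the bridge name br0, the router address 10.0.0.1 and the two MAC addresses are assumptions, and it is meant to be run only with the GUI DNSFilter switched off, since otherwise the two rule sets compete.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin's own DNSFilter implementation: the
# per-client DNS interception the thread describes, written as a nat-start
# style script so the mechanism (DNAT of port 53 keyed on source MAC) is visible.
# Assumptions not taken from the thread: LAN bridge br0, router LAN address
# 10.0.0.1, and the two MAC addresses below, which are made up.
# Run only with the GUI DNSFilter disabled; otherwise two chains will compete.

LAN_IF="br0"
ROUTER_IP="10.0.0.1"        # 'Router' mode target: the router's own dnsmasq
CHAIN="DNSFILTER_EXAMPLE"   # private chain so the rules can be flushed as a unit

# Client table, one "MAC DNS_SERVER" pair per line (hypothetical MACs).
CLIENTS="
aa:bb:cc:dd:ee:01 1.1.1.1
aa:bb:cc:dd:ee:02 9.8.7.6
"

# Emit the iptables commands, one per line, instead of running them, so they
# can be reviewed (or asserted on) before anything touches the router.
dnsfilter_rules() {
    echo "iptables -t nat -N $CHAIN 2>/dev/null"   # create if missing
    echo "iptables -t nat -F $CHAIN"               # start from an empty chain
    # Per-client rules first: rewrite the destination of UDP and TCP port 53
    # for that source MAC, whatever resolver the client thinks it is using.
    echo "$CLIENTS" | while read -r mac dns; do
        [ -z "$mac" ] && continue
        for proto in udp tcp; do
            echo "iptables -t nat -A $CHAIN -m mac --mac-source $mac -p $proto --dport 53 -j DNAT --to-destination $dns"
        done
    done
    # Catch-all last: every other LAN client is forced to the router's dnsmasq
    # (the thread's 'Router' global mode), which forwards to the WAN DNS servers.
    for proto in udp tcp; do
        echo "iptables -t nat -A $CHAIN -p $proto --dport 53 -j DNAT --to-destination $ROUTER_IP"
    done
    # Hook the chain into PREROUTING for LAN traffic only, at position 1 so it
    # runs before any existing DNAT rule; the -D first makes reruns idempotent.
    echo "iptables -t nat -D PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null"
    echo "iptables -t nat -I PREROUTING 1 -i $LAN_IF -j $CHAIN"
}

# Apply: run each emitted command (needs root and iptables, i.e. the router).
dnsfilter_apply() {
    dnsfilter_rules | while read -r cmd; do
        eval "$cmd" || echo "failed: $cmd" >&2
    done
}

case "${1:-}" in
    apply) dnsfilter_apply ;;
    *)     dnsfilter_rules ;;   # dry run: print the rules only
esac
```

Without arguments the script prints the rules it would install; `sh dnsfilter-example.sh apply` installs them. Two things the rules make explicit: only plain port-53 DNS is caught, so a client that uses DNS over HTTPS (TCP 443) or DNS over TLS (TCP 853) bypasses the redirect entirely; and the client itself sees no change (macOS `scutil --dns` still lists 10.0.0.1, exactly as reported above), so the way to confirm the redirect from a client is to ask a resolver you did not configure for its identity, e.g. `dig CH TXT id.server @8.8.8.8`: 1.1.1.1 answers `id.server` in the CHAOS class with a location code, so a Cloudflare location in the reply means the query was rewritten.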
 
Thanks for the explanation, very much appreciated. I'll make sure I only add one entry for each of the clients.
 
On the LAN page, DHCP Server tab, all the DNS and WINS section is normally left at its default settings: you don’t touch it. On the WAN page, WAN DNS settings, Connect to DNS Server automatically - set it to NO, unless you want to connect to your ISP’s DNS server. Then, assuming you don’t want to use your ISP’s DNS, enter the 2 servers you want to normally use (for all those clients that are being DNS Filtered to router global mode). In my case I have 1.1.1.1 and 1.0.0.1.
 
Thanks again.
 
DNSFilter does indeed seem to assist with the issue I was seeing, as I've had a chance to run a few tests (ASUS initiating PPPoE connection through HomeHub 3000). With DNSFilter disabled, my appleTV refused to load Netflix or the Movie app. Speedtest app showed a download speed of zero. This is the exact behaviour I'd previously seen. I enabled DNSFilter, set the default to router, and added 1.1.1.1 as custom entry 1, then set that for my AppleTV. Hard rebooted it, it's now happy :) Netflix, Movies, and Speedtest show good connectivity.

The real test will be when I work from home and then I can see how the iPad and iPhone that had issues respond to things. I'm hoping that the "fix" for the AppleTV works for them too.

Quite why there is this issue with passthrough I don't know. I'd take a guess iOS / tvOS just cannot handle something, DNS resolution perhaps? or maybe it's something to do with SSL / TLS not matching up? If I have time I might have a look in the console log of one of the devices to see if there is anything meaningful in there.

Finally, thanks to everyone for the responses, very much appreciated.
 
Another update. I had a chance to work from home and setup the iOS devices I had in DNSFilter and all seemed ok, until this morning. The iPad was exhibiting the original issue of being unable to connect to various websites. After resetting network settings on the device, powering it off, and powering it back on, it seemed ok again.

Perhaps it's not DNS resolution that is the underlying issue here, but I'm unsure what the problem is. As mentioned, it must have something to do with the passthrough setup I have, which is a little unusual I know, most are either only using HH3K, or bypassing it completely, which is what I had previously done.

any ideas?
 
Following up on my last post. It does appear DNS resolution was not the root cause of the issue. So what was it? It appears it was actually down to the MTU setting. When I had bypassed the HH3K I had set my ASUS to an MTU of 1500. A quick thread on DSLreports suggested that I try adjusting the MTU to 1492, as it was believed that was the max that can be used with passthrough. After the change, no more issues!
 
Did you manually change the MTU to 1500 (changing 2 things at the same time - fatal!) or did the MTU get changed automatically as a result of your bypassing the HH3K?
 
When I was bypassing the HH3K completely I had manually set the MTU in the ASUS to 1500. When I went to passthrough, I simply didn't think to change the MTU. It's only when someone else suggested it might be an MTU issue, and passthrough may be capped at 1492, that I then manually changed the MTU on the ASUS to 1492, and that seemed to clear things up.
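The 1492 figure follows from PPPoE's 8 bytes of header on a 1500-byte Ethernet frame, and a path can be measured rather than guessed. The script below is an added example, not from the thread: it binary-searches the largest don't-fragment ping that gets through and reports it as an MTU. It assumes iputils ping on Linux (`-M do`) or the macOS ping (`-D`) for the don't-fragment flag, and the probe target is whatever host you pass on the command line.

```shell
#!/bin/sh
# Added example, not from the thread: measure the largest packet that passes
# a path without fragmentation, rather than guessing the MTU. PPPoE adds an
# 8-byte header, so a 1500-byte Ethernet link carries a 1492-byte PPPoE MTU,
# and an ICMP echo of payload size N occupies N + 28 bytes (20 IP + 8 ICMP).
# Assumed: iputils ping on Linux (-M do) or the BSD ping on macOS (-D) for the
# don't-fragment flag, and a probe target of your choosing.

# PPPoE MTU for a given Ethernet MTU (8 bytes of PPPoE/PPP header overhead).
pppoe_mtu() {
    echo $(( $1 - 8 ))
}

# ICMP echo payload that produces an IP packet of exactly the given size.
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Send one don't-fragment ping of the given payload size; success means the
# packet fitted the whole path without fragmentation.
ping_df() {
    size="$1"; host="$2"
    case "$(uname -s)" in
        Darwin) ping -D -s "$size" -c 1 -W 1000 "$host" >/dev/null 2>&1 ;;
        *)      ping -M do -s "$size" -c 1 -W 1 "$host" >/dev/null 2>&1 ;;
    esac
}

# Binary search the largest payload that passes between 1000 and 1500 bytes
# of IP packet, then report it as an MTU (payload plus the 28 header bytes).
probe_mtu() {
    host="$1"; best=0
    lo=$(icmp_payload_for_mtu 1000)
    hi=$(icmp_payload_for_mtu 1500)
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping_df "$mid" "$host"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( best + 28 ))
}

if [ $# -ge 1 ]; then
    echo "path MTU towards $1: $(probe_mtu "$1")"
fi
```

`sh probe-mtu.sh 1.1.1.1` run from a LAN client reports the path MTU as the client sees it; with the router still set to 1500 on a PPPoE passthrough link, a don't-fragment ping of payload 1472 fails while 1464 passes, which is exactly the 1492 the thread landed on. Pick a target that answers ICMP echo, or every probe fails and the script reports 28.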
 
In such situations, I always kick myself for not making notes of the changes I made, especially if I made 2 or more at the same time. When I finally sort things out, it’s because I forgot I changed some setting that had unintended consequences. I spend a lot more time troubleshooting my self-inflicted cock-ups than I would have done documenting the changes I made.
 
Your clients only receive the router's IP as the DNS server. Behind the scenes, DNSFilter intercepts any DNS requests from your clients and re-routes them to the destination specified in DNSFilter -- globally your router's dnsmasq, which will forward to your ISP DNS servers, or 1.1.1.1 for your iMac. You should delete the second entry you created for the same PC. There is no redundancy available when using DNSFilter (except router mode uses WAN DNS 1 and WAN DNS 2).

Just curious. Does this mean that now local name resolution won't work for those clients (since they're now presumably bypassing the router's DNS server)?
 
In the first case DNSFilter was forcing clients to use the router's DNS server, so local name resolution would still work. In the second case the iMac was being forced to go to 1.1.1.1 so local name resolution wouldn't work.
 
That's what I thought. One way to maintain local name resolution would be to create a second instance of DNSMasq, with its own public DNS server(s), and reference the primary DNSMasq instance for local name resolution. Clearly overkill for most people, but at least something to consider for the hardcore user.
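One way to build the setup the last reply sketches, as an added example that is not part of the thread or of Asuswrt-Merlin: a second dnsmasq instance on port 5353 that forwards the local domain (and its reverse zone) to the primary dnsmasq and everything else to 1.1.1.1, plus the rules that steer one client to it. The LAN bridge br0, router address 10.0.0.1 on 10.0.0.0/24, local domain lan, port 5353, the config path /jffs/dnsmasq-split.conf and the client MAC are all assumptions. Because DNSFilter's GUI accepts only an IP address, the client is steered with a DNAT to ip:port from a script instead of a GUI entry.

```shell
#!/bin/sh
# Added example, not part of the thread or of Asuswrt-Merlin: a second dnsmasq
# instance that sends everything to a public resolver except the local domain,
# which it forwards to the router's primary dnsmasq so local names still resolve.
# Assumed, not from the thread: LAN bridge br0, router 10.0.0.1 on 10.0.0.0/24,
# local domain "lan", second instance on port 5353, config path below, and a
# made-up client MAC. The DNAT target is ip:port, which the DNSFilter GUI
# cannot express, so this replaces that client's GUI entry.

ROUTER_IP="10.0.0.1"
LAN_IF="br0"
LOCAL_DOMAIN="lan"
REVERSE_ZONE="0.0.10.in-addr.arpa"   # reverse zone for 10.0.0.0/24
SPLIT_PORT="5353"
CONF="/jffs/dnsmasq-split.conf"
CLIENT_MAC="aa:bb:cc:dd:ee:01"       # hypothetical client that wants 1.1.1.1
PUBLIC_DNS="1.1.1.1"

# Configuration for the second instance, emitted to stdout.
split_dnsmasq_conf() {
    cat <<EOF
# second dnsmasq instance: public upstream, local names via the primary
port=$SPLIT_PORT
listen-address=$ROUTER_IP
listen-address=127.0.0.1
bind-interfaces
no-resolv
no-hosts
pid-file=/var/run/dnsmasq-split.pid
# local forward and reverse zones go to the primary dnsmasq on port 53
server=/$LOCAL_DOMAIN/$ROUTER_IP
server=/$REVERSE_ZONE/$ROUTER_IP
# dnsmasq's empty-domain form: single-label (unqualified) names go there too
server=//$ROUTER_IP
# everything else goes to the public resolver
server=$PUBLIC_DNS
EOF
}

# Steering and firewall rules for the chosen client, emitted one per line:
# accept the new port from the LAN, and rewrite that client's port-53 traffic
# to the second instance.
split_dns_rules() {
    for proto in udp tcp; do
        echo "iptables -I INPUT -i $LAN_IF -p $proto --dport $SPLIT_PORT -j ACCEPT"
        echo "iptables -t nat -I PREROUTING -i $LAN_IF -m mac --mac-source $CLIENT_MAC -p $proto --dport 53 -j DNAT --to-destination $ROUTER_IP:$SPLIT_PORT"
    done
}

# Install on the router (root): write the config, start the instance, apply rules.
split_dns_install() {
    split_dnsmasq_conf > "$CONF"
    dnsmasq --conf-file="$CONF" || return 1
    split_dns_rules | while read -r cmd; do
        eval "$cmd" || echo "failed: $cmd" >&2
    done
}

if [ "${1:-}" = install ]; then
    split_dns_install
else
    split_dnsmasq_conf      # dry run: show the config that would be written
fi
```

Run with `install` on the router; without arguments it only prints the config. The `server=//` line matters in practice: a client asking for a bare hostname sends a single-label query, which would otherwise go to 1.1.1.1 and fail, so it is sent to the primary as well. The trade-off is the one the reply names: a second resolver process to keep alive alongside the primary, worthwhile only for the handful of clients that need a different upstream and still need local names.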
 
