Adding Unblock-Us DNS using DNSMasq

Ok so I need a smarter person to chime in here. Clearly mlb.tv and mlb.mlb.com are not sufficient as dnsmasq.conf.add entries. How do I go about determining what domain the Roku MLB TV app is connecting to? Is there a network/traffic snooping tool I can use to see domains that are being streamed somehow?
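
One way to answer the question above with dnsmasq itself, as an added example that is not part of the original thread: add dnsmasq's `log-queries` option to dnsmasq.conf.add, use the app for a minute, then summarise what that device looked up. The syslog path, client IPs and sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the domains one LAN client looked up, from dnsmasq's query log.
# Assumes "log-queries" is set in /jffs/configs/dnsmasq.conf.add and that dnsmasq
# logs to /tmp/syslog.log (assumption: adjust to where your syslog lives).

# domains_for_client CLIENT_IP [LOGFILE]
# Prints "count domain" per queried name, most frequent first.
domains_for_client() {
    client="$1"
    log="${2:-/tmp/syslog.log}"
    awk -v ip="$client" '
        # dnsmasq query lines end in: query[TYPE] NAME from CLIENT_IP
        {
            for (i = 1; i <= NF - 3; i++)
                if ($i ~ /^query\[/ && $(i + 2) == "from" && $(i + 3) == ip)
                    seen[tolower($(i + 1))]++
        }
        END { for (d in seen) print seen[d], d }
    ' "$log" | sort -k1,1nr -k2,2
}

# Constructed sample log (not captured from a real device).
sample_log() {
    cat <<'EOF'
Jun  6 10:27:01 dnsmasq[412]: query[A] mlb.tv from 192.168.1.50
Jun  6 10:27:01 dnsmasq[412]: forwarded mlb.tv to 192.0.2.53
Jun  6 10:27:02 dnsmasq[412]: query[A] cdn.example.net from 192.168.1.50
Jun  6 10:27:02 dnsmasq[412]: query[AAAA] cdn.example.net from 192.168.1.50
Jun  6 10:27:03 dnsmasq[412]: query[A] netflix.com from 192.168.1.77
Jun  6 10:27:04 dnsmasq[412]: reply mlb.tv is 203.0.113.10
EOF
}

# Demo on the constructed log: which names did 192.168.1.50 ask for?
tmp="${TMPDIR:-/tmp}/dnsmasq-sample.$$"
sample_log > "$tmp"
domains_for_client 192.168.1.50 "$tmp"
rm -f "$tmp"
```

Each name that shows up is a candidate for its own `server=/domain/ip` line. `log-queries` records every client's lookups, so remove it again once the list is complete.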
 
Good news for those who were using Pandora via Tunlr before. There is a free alternative created by Alexander Bykov.

1) Enable JFFS,
2) Create /jffs/configs/dnsmasq.conf.add with the following content:
Code:
### Portaller support
server=/pandora.com/107.170.15.247
server=/spotify.com/107.170.15.247
3) Restart dnsmasq:
Code:
service restart_dnsmasq

Here is the history of the service (in Russian) and here is how to make your own Tunlr-like service on a VPS (in English).
 
Hi guys

Just jumping on to the back of this thread....

I want to set up my RT-AC68U so I can use my Chromecast with it via Unlocator (similar to Unblockus, which doesn't work where I am).

Looking on the Unlocator website they give instructions for adding settings for DD-WRT routers here;
https://support.unlocator.com/custo...7-how-to-setup-dd-wrt-to-work-with-chromecast

I have Merlin's firmware running on mine, so presumably I have to create a script file to add the DNSMasq info? Is that correct? And will that script still work or will it need more included?

iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 185.37.37.37
iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination 185.37.37.185

Don't really know what I'm doing at all but with some help I might get there! Presumably this will direct any traffic going to Google DNS to Unlocator instead? I would rather stick with Merlin's firmware than go down the DD-WRT route if I can avoid it.

Does anyone have a kind of template script I can use and try to modify for DNS redirection with DNSMasq?

Thanks! :confused:
 
Try just using DNSFilter to force your Chromecast (through its MAC address) to the two DNS servers you listed. Will be far simpler than messing with scripts and iptables IMHO.
 
Ah, ok. I hadn't seen that before.

So I set one of the Unlocator addresses as custom 1 and then I can add the MAC address for any devices I want going through Unlocator's DNS? Might try my Sonos as well if that works!
 
Hi again Merlin

Unfortunately that does not work - when I log in to Unlocator to update my IP address I get a message saying that the UAE is known for hijacking DNS and to use the advanced method. They only give instructions for adding it to DDWRT routers;

Add the following commands to the IP firewall:

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 185.37.37.37:54
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 185.37.37.185:54

or use this command instead to force Google DNS to go to our servers. This is not to prevent DNS hijacking by your ISP but to send Google DNS traffic to us.

iptables -t nat -I PREROUTING --destination 8.8.8.8 -j DNAT --to 185.37.37.37
iptables -t nat -I PREROUTING --destination 8.8.4.4 -j DNAT --to 185.37.37.185

Don’t forget to restart the router afterwards.

I'm not sure where to start with putting together a script. Is there a template I can use to modify?

Thanks :(
 
Hi again Merlin

Unfortunately that does not work - when I log in to Unlocator to update my IP address I get a message saying that the UAE is known for hijacking DNS and to use the advanced method. They only give instructions for adding it to DDWRT routers;



I'm not sure where to start with putting together a script. Is there a template I can use to modify?

Thanks :(

If your ISP is fudging with DNS queries, then you might have a hard time working around it indeed.

That "185.37.37.37:54" syntax looks wrong to me tho if their intention is to specify port 54.

You can customize iptables through a nat-start script. See the wiki for description.
 
Ooh! I think it's actually working. A couple of reboots of the router and my laptop and I'm getting iPlayer. Not sure how long before the local ISP block these (they've blocked all the others) but hopefully I'll get some use for a while!

Cool feature, especially for most people who aren't in the UAE!
 
Ooh! I think it's actually working. A couple of reboots of the router and my laptop and I'm getting iPlayer. Not sure how long before the local ISP block these (they've blocked all the others) but hopefully I'll get some use for a while!

Cool feature, especially for most people who aren't in the UAE!

Did you do it via DNSFilter, or via a user script?
 
Seems right to me except I don't understand why you have
server=/unblock-us/208.122.23.23
Not needed as far as I know. I use "unblock-us" as well but for netflix and amazon. All I have for those is

server=/netflix.com/208.122.23.22
server=/netflix.com/208.122.23.23
server=/netflix.net/208.122.23.22
server=/netflix.net/208.122.23.23
server=/amazon.com/208.122.23.22
server=/amazon.com/208.122.23.23

unblock-us is included so that when you go to the website and check if the service is configured correctly it will show that it is. They do a lookup on the unblock-us to get this info. I guess they give out a different ip or have a txt record associated with it, I'm not sure.
 
My 2c. Chromecast uses wifi so add it to a guest network which routes port 53 lookups through Unblock-us. Saves having to specify individual websites and better for your own privacy. Something like this

dnsmasq.conf.add
Code:
interface=wl0.1
dhcp-range=wl0.1,192.168.2.1,192.168.2.254,255.255.255.0,12h
dhcp-option=wl0.1,3,192.168.2.1

wan-start
Code:
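#!/bin/sh
# Give the guest interface its own subnet.
ifconfig wl0.1 192.168.2.1 netmask 255.255.255.0

# Take guest IPv4 and ARP frames off the bridge so they are routed instead.
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# Allow guest traffic to the router and through it.
iptables -I INPUT -i wl0.1 -j ACCEPT
iptables -I FORWARD -i wl0.1 -j ACCEPT

# Redirect all guest DNS (TCP and UDP port 53) to the Unblock-Us servers.
# The first matching DNAT rule wins, so as written only the first server is ever used.
unblockus="111.118.175.56 118.127.33.48"
for dns in $unblockus
do
    iptables -t nat -A PREROUTING -i wl0.1 -p tcp --dport 53 -j DNAT --to $dns
    iptables -t nat -A PREROUTING -i wl0.1 -p udp --dport 53 -j DNAT --to $dns
done

# might need this too?
iptables -I FORWARD -i wl0.1 -d 8.8.8.8 -j DROP
iptables -I FORWARD -i wl0.1 -d 8.8.4.4 -j DROP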
 
Just thought I'd sign up and post this here to save somebody else a bit of hassle..

I was adding stuff to the /jffs/configs/dnsmasq.conf.add - but it wasn't updating the /etc/dnsmasq.conf file.. This was on Merlin 378.53

Anyway, if you see this in /tmp/syslog.log:
Jun 6 10:26:59 custom config: Found /jffs/configs/dnsmasq.conf.add, but custom configs are disabled!

You will need to change the nvram setting.

prompt# nvram set jffs2_scripts=1

----
At this point you can restart dnsmasq, and it should work

prompt# service restart_dnsmasq
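
A check for the failure described in the post above, as an added example that is not part of the original thread: it compares each directive in dnsmasq.conf.add against the live /etc/dnsmasq.conf and, if any are missing, looks for the quoted syslog message. The function name, exit codes and demo files are this example's own assumptions.

```shell
#!/bin/sh
# Added example: confirm that /jffs/configs/dnsmasq.conf.add reached the live config.
# Paths and the syslog message are those quoted in the post above.

# check_dnsmasq_add [ADD_FILE] [LIVE_CONF] [SYSLOG]
#   0 = every directive is live      1 = some directives are missing
#   2 = missing, and syslog reports that custom configs are disabled
#   3 = ADD_FILE or LIVE_CONF unreadable
check_dnsmasq_add() {
    add="${1:-/jffs/configs/dnsmasq.conf.add}"
    conf="${2:-/etc/dnsmasq.conf}"
    log="${3:-/tmp/syslog.log}"
    [ -r "$add" ] && [ -r "$conf" ] || { echo "cannot read $add or $conf" >&2; return 3; }
    missing=0
    # Compare directive by directive, skipping blank lines and comments.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! grep -qxF -e "$line" "$conf"; then
            echo "not live: $line"
            missing=1
        fi
    done < "$add"
    [ "$missing" -eq 0 ] && return 0
    # Only blame the setting when something is actually missing:
    # an old syslog line can outlive the fix.
    if grep -q 'custom configs are disabled' "$log" 2>/dev/null; then
        echo "syslog: custom configs are disabled (check jffs2_scripts)" >&2
        return 2
    fi
    return 1
}

# Constructed demo: an add file whose entries never reached the live config.
demo() {
    d="${TMPDIR:-/tmp}/dnsmasq-check.$$"
    mkdir -p "$d"
    printf '### Portaller support\nserver=/pandora.com/107.170.15.247\n' > "$d/add"
    printf 'no-resolv\n' > "$d/conf"
    echo 'Jun 6 10:26:59 custom config: Found /jffs/configs/dnsmasq.conf.add, but custom configs are disabled!' > "$d/log"
    check_dnsmasq_add "$d/add" "$d/conf" "$d/log"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "exit code $?"
```

On the router, run `check_dnsmasq_add` with no arguments after `service restart_dnsmasq`; an exact-line comparison also catches entries that were saved with stray whitespace or Windows line endings.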
 
