Custom DNS filter with multiple IPs


Morris

Senior Member
What is the syntax to enter multiple IPs for a custom DNS filter? The documentation does not mention this important information.

Thank you,

Morris
 

dave14305

Part of the Furniture
Not possible. iptables only supports one redirect target per rule (or something like that).
 

Morris

Senior Member
Thank you Dave,

The drop-down filters seem to support backup IPs. Possibly I'm asking for an enhancement. I could be wrong about the dropdown's redundant IP, and in that case an enhancement for this would be good as well.

Morris
 

dave14305

Part of the Furniture
Thank you Dave,

The drop-down filters seem to support backup IPs. Possibly I'm asking for an enhancement. I could be wrong about the dropdown's redundant IP, and in that case an enhancement for this would be good as well.

Morris
Which dropdowns? My custom fields in DNSFilter are without dropdowns.
 

Morris

Senior Member
The "Global Filter Mode" as well as the "Filter Mode" for individual hosts.
 

eibgrad

Very Senior Member
You can create multiple DNS filters for a given client based on its MAC address using multiple entries. However, it will NOT work as expected, because all the DNS filter does is create a redirect rule w/ iptables, which intercepts any DNS requests to port 53 and changes the destination IP to the requested DNS server. If that fails, the client loses DNS! It's NOT like DNSMasq, where if a given DNS server is unavailable, it will try another DNS server. That's why DNS filters are NOT a panacea. It assumes the DNS server will always be available and working. There is no backup!
 
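The no-fallback behaviour described in the post above is why a second custom IP cannot simply be listed: a DNAT rule has exactly one --to-destination. What can be done is to move the fallback into a script. The following is an added example (my code, not from the thread and not part of Asuswrt-Merlin): a small watchdog that probes a preference-ordered list of resolvers and repoints the DNSFILTER rule for a client range at the first one that still answers. The client range, the resolver list, the state-file path and the use of busybox `nslookup`, `timeout` and `logger` are my assumptions.

```shell
#!/bin/sh
# dnsfilter-failover.sh: added example, not from the thread or from Asuswrt-Merlin.
# The DNSFilter DNAT rule has exactly one target and nothing retries on failure,
# so this script probes a preference-ordered list of resolvers and (re)points
# the rule for a client range at the first one that still answers.
# Assumptions (mine, not the thread's): the DNSFILTER chain in the nat table
# exists (the firmware creates it), `nslookup`, `timeout` and `logger` are
# available, and the client range and resolver list below suit your LAN.

CLIENT_RANGE="192.168.1.224-192.168.1.238"      # constructed: guest DHCP pool
CANDIDATES="9.9.9.9 149.112.112.112 1.1.1.1"    # constructed: resolvers, best first
PROBE_NAME="example.com"                        # name every candidate must resolve
STATE_FILE="/tmp/dnsfilter_failover.target"     # remembers the installed target

# Succeed if resolver $1 answers a query for PROBE_NAME within 3 seconds.
dns_alive() {
    timeout 3 nslookup "$PROBE_NAME" "$1" >/dev/null 2>&1
}

# Print the first live candidate; fail (and print nothing) if none answers.
choose_target() {
    for ip in $CANDIDATES; do
        if dns_alive "$ip"; then
            echo "$ip"
            return 0
        fi
    done
    return 1
}

# Match/target part of the rule for resolver $1, shared by -C, -I and -D so
# the check, insert and delete always refer to the same rule text.
rule_args() {
    echo "-m iprange --src-range $CLIENT_RANGE -j DNAT --to-destination $1"
}

# Remove the previously installed rule (if it still exists) and insert one for $1.
install_target() {
    old=$(cat "$STATE_FILE" 2>/dev/null)
    [ -n "$old" ] && iptables -t nat -D DNSFILTER $(rule_args "$old") 2>/dev/null
    iptables -t nat -C DNSFILTER $(rule_args "$1") 2>/dev/null ||
        iptables -t nat -I DNSFILTER $(rule_args "$1") || return 1
    echo "$1" > "$STATE_FILE"
}

main() {
    target=$(choose_target) || {
        logger -t dnsfilter-failover "no candidate resolver answers; leaving rule alone"
        return 1
    }
    current=$(cat "$STATE_FILE" 2>/dev/null)
    # Reinstall when the preferred target changed, or when a firewall restart
    # rebuilt the DNSFILTER chain and silently dropped our rule.
    if [ "$target" != "$current" ] ||
       ! iptables -t nat -C DNSFILTER $(rule_args "$target") 2>/dev/null; then
        install_target "$target" && logger -t dnsfilter-failover "guest DNS now $target"
    fi
}

# Only act when invoked as `dnsfilter-failover.sh run`; sourcing the file just
# defines the functions, which is handy for testing the selection logic without iptables.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it as /jffs/scripts/dnsfilter-failover.sh, make it executable and schedule it, for example every five minutes with `cru a dnsfilter-failover "*/5 * * * * /jffs/scripts/dnsfilter-failover.sh run"`. Two caveats: only plain port-53 traffic reaches the DNSFILTER chain, so a client that speaks DNS over HTTPS or TLS bypasses both the filter and this failover; and the probe only shows that a resolver answers, it does not authenticate the answer, so keep the candidate list to resolvers you chose deliberately.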

dave14305

Part of the Furniture
Hmm. I see distinct services listed with variations for different filtering levels (e.g. OpenDNS Home vs Family, Cleanbrowsing Family vs Adult vs Security). No allusion to the backup IPs.
 

Morris

Senior Member
You can create multiple DNS filters for a given client based on its MAC address using multiple entries. However, it will NOT work as expected, because all the DNS filter does is create a redirect rule w/ iptables, which intercepts any DNS requests to port 53 and changes the destination IP to the requested DNS server. If that fails, the client loses DNS! It's NOT like DNSMasq, where if a given DNS server is unavailable, it will try another DNS server. That's why DNS filters are NOT a panacea. It assumes the DNS server will always be available and working. There is no backup!

Thank you for explaining how this works. This explains the behavior I experienced during yesterday's Internet routing issues. I've reconfigured around what went wrong yesterday and will review further knowing this. OpenDNS appeared to survive the routing problems, yet I don't know why, or if I'm still vulnerable. That depends on what each IP actually is. I suspect global load balancers, yet who knows. I can try asking someone I know at Cisco.
 

Morris

Senior Member
Hmm. I see distinct services listed with variations for different filtering levels (e.g. OpenDNS Home vs Family, Cleanbrowsing Family vs Adult vs Security). No allusion to the backup IPs.

You are correct, Dave. The rest is an assumption. It would take some serious coding to do what I'm suggesting.
 

chongnt

Senior Member
This got me thinking. Say all my devices have manually assigned IPs, using the router's Global filter mode. Now I set the LAN DHCP IP pool from 192.168.1.225 to 192.168.1.238 for my guests. Is there any way I can predefine 192.168.1.224/28 to Custom DNS 1? As of now it seems I can only add it once the router has learned their MAC address?
 

ColinTaylor

Part of the Furniture
This got me thinking. Say all my devices have manually assigned IPs, using the router's Global filter mode. Now I set the LAN DHCP IP pool from 192.168.1.225 to 192.168.1.238 for my guests. Is there any way I can predefine 192.168.1.224/28 to Custom DNS 1? As of now it seems I can only add it once the router has learned their MAC address?
As you say, clients are specified by their MAC addresses rather than IP. So to do what you want you'd have to write a nat-start script.
Code:
#!/bin/sh

# Send DNS lookups (port 53) from the guest range to one resolver; -I puts it ahead of the GUI's per-MAC rules
iptables -t nat -I DNSFILTER -s 192.168.1.224/28 -j DNAT --to-destination 8.8.8.8
Obviously change 8.8.8.8 to be whatever DNS server you want. This rule will take priority over any clients that may be specified in the GUI.
 

ColinTaylor

Part of the Furniture
Now I set LAN DHCP ip pool from 192.168.1.225 to 192.168.1.238 for my guest. Is there anyway I can predefine 192.168.1.224/28 to Custom DNS 1?
Just to add... 192.168.1.224/28 would be 192.168.1.224 to 192.168.1.239 inclusive as it's an IP range not a network (where .224 is the network and .239 is the broadcast).
 

chongnt

Senior Member
As you say, clients are specified by their MAC addresses rather than IP. So to do what you want you'd have to write a nat-start script.
Code:
#!/bin/sh

# Send DNS lookups (port 53) from the guest range to one resolver; -I puts it ahead of the GUI's per-MAC rules
iptables -t nat -I DNSFILTER -s 192.168.1.224/28 -j DNAT --to-destination 8.8.8.8
Obviously change 8.8.8.8 to be whatever DNS server you want. This rule will take priority over any clients that may be specified in the GUI.
Thanks @ColinTaylor, it works very well. I substituted 8.8.8.8 with $(nvram get dnsfilter_custom1).
 

chongnt

Senior Member
Just to add... 192.168.1.224/28 would be 192.168.1.224 to 192.168.1.239 inclusive as it's an IP range not a network (where .224 is the network and .239 is the broadcast).
Dumb question: in this case, can I assign the first and last IP in the DHCP pool?
 

ColinTaylor

Part of the Furniture
Code:
iptables -t nat -I DNSFILTER -m iprange --src-range 192.168.1.224-238 -j DNAT --to $(nvram get dnsfilter_custom1)
Typo. ;)

Should be:
Code:
iptables -t nat -I DNSFILTER -m iprange --src-range 192.168.1.224-192.168.1.238 -j DNAT --to $(nvram get dnsfilter_custom1)
Or whatever IP range he desires.
 

chongnt

Senior Member
Typo. ;)

Should be:
Code:
iptables -t nat -I DNSFILTER -m iprange --src-range 192.168.1.224-192.168.1.238 -j DNAT --to $(nvram get dnsfilter_custom1)
Or whatever IP range he desires.
Great. In this case I can make use of nvram get dhcp_start and nvram get dhcp_end in the source range. Then I don't need to manually edit this in nat-start next time I change the DHCP pool?
 
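The last two points, that a /28 spans sixteen addresses while the pool holds fourteen, and the idea of reading dhcp_start and dhcp_end from nvram, in one added example (my code, not from the thread or from Asuswrt-Merlin). It builds the iprange rule from the nvram keys the thread already uses, validates the values before they reach iptables, and includes a CIDR helper that prints the network and broadcast of a prefix. The NV_<key> override used for testing, the validation helpers and the `run` argument are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin.
# Builds the DNSFilter rule for the DHCP pool from nvram (dhcp_start, dhcp_end,
# dnsfilter_custom1, the keys used in the thread) instead of hard-coding the
# range, validates what nvram returns before handing it to iptables, and keeps
# a small CIDR helper that shows why 192.168.1.224/28 spans .224-.239 while
# the pool is .225-.238.
# Assumption (mine): NV_<key> environment variables override `nvram get <key>`
# so the logic can be exercised on a machine without nvram or iptables.

# Dotted quad -> 32-bit integer (192.168.1.224 -> 3232236000).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# Accept only four dot-separated decimal octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print "first last" for a CIDR prefix: the network and broadcast addresses,
# which is why a /28 covers 16 addresses even if the DHCP pool uses only 14.
cidr_range() {
    addr=${1%/*}; bits=${1#*/}
    size=$(( 1 << (32 - bits) ))
    first=$(( $(ip2int "$addr") / size * size ))
    echo "$(int2ip "$first") $(int2ip "$(( first + size - 1 ))")"
}

# nvram lookup with a test override: NV_dhcp_start=... beats `nvram get dhcp_start`.
nv() {
    eval "override=\${NV_$1:-}"
    if [ -n "$override" ]; then echo "$override"; else nvram get "$1"; fi
}

# Print the chain plus match/target part of the rule, or fail loudly on bad input.
# Validation matters: the string is word-split straight into the iptables
# command line, so an unexpected nvram value must abort rather than become an argument.
build_rule() {
    start=$(nv dhcp_start); end=$(nv dhcp_end); dns=$(nv dnsfilter_custom1)
    for v in "$start" "$end" "$dns"; do
        is_ipv4 "$v" || { echo "build_rule: not an IPv4 address: '$v'" >&2; return 1; }
    done
    [ "$(ip2int "$start")" -le "$(ip2int "$end")" ] ||
        { echo "build_rule: dhcp_start $start is after dhcp_end $end" >&2; return 1; }
    echo "DNSFILTER -m iprange --src-range $start-$end -j DNAT --to-destination $dns"
}

# Insert the rule once (the -C check keeps repeated runs from stacking copies).
if [ "${1:-}" = "run" ]; then
    args=$(build_rule) || exit 1
    iptables -t nat -C $args 2>/dev/null || iptables -t nat -I $args
fi
```

Keep it as its own file, for example /jffs/scripts/dnsfilter-pool.sh, and have nat-start call it with `run`; because the values come from nvram at run time, changing the DHCP pool in the GUI is enough and the script does not need editing. `cidr_range 192.168.1.224/28` prints `192.168.1.224 192.168.1.239`, which is the point made above: the prefix includes the .224 network and .239 broadcast addresses that the .225-.238 pool never hands out.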
