Menu
What's new
By:
Filters Better Search

Custom DNS filter with multiple IP's

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

M

Morris

Very Senior Member
What is the syntax to enter multiple IP's for a custom DNS filter? The documentation dose not mention this important information

Thank you,

Morris
 
Not possible. iptables only supports one redirect target per rule (or something like that),
 
Thank you Dave,

The drop down filters seem to support the backup IP's. Possibly I'm asking for an enhancement. I'm could wrong about the dropdown's redundant IP and in that case an enhancement for this would be good as well.

Morris
 
Morris said:
Thank you Dave,

The drop down filters seem to support the backup IP's. Possibly I'm asking for an enhancement. I'm could wrong about the dropdown's redundant IP and in that case an enhancement for this would be good as well.

Morris
Click to expand...
Which dropdowns? My custom fields in DNSFilter are without dropdowns.
 
The "Global Filter Mode" as well as the "Filter Mode" for individual hosts.
 
You can create multiple DNS filters for a given client based on its MAC address using multiple entries. However, it will NOT work as expected, because all the DNS filter does is create a redirect rule w/ iptables, which intercepts any DNS requests to port 53 and changes the destination IP to the requested DNS server. If that fails, the client loses DNS! It's NOT like DNSMasq, where if a given DNS server is unavailable, it will try another DNS server. That's why DNS filters are NOT a panacea. It assumes the DNS server will always be available and working. There is no backup!
 
Hmm. I see distinct services listed with variations for different filtering levels (e.g. OpenDNS Home vs Family, Cleanbrowsing Family vs Adult vs Security). No allusion to the backup IPs.
 
eibgrad said:
You can create multiple DNS filters for a given client based on its MAC address using multiple entries. However, it will NOT work as expected, because all the DNS filter does is create a redirect rule w/ iptables, which intercepts any DNS requests to port 53 and changes the destination IP to the requested DNS server. If that fails, the client loses DNS! It's NOT like DNSMasq, where if a given DNS server is unavailable, it will try another DNS server. That's why DNS filters are NOT a panacea. It assumes the DNS server will always be available and working. There is no backup!
Click to expand...

Thank you for explaining how this works. This explains the behavior I experienced during yesterday's Internet Routing Issues. I've reconfigured around what went wrong yesterday and will review further knowing this. Open DNS appeared to survive the routing problems yet I don't know why and if I'm still venerable. That depends on what each IP actually is. I suspect global load balancers yet who knows. I can try asking someone I know at Cisco.
 
dave14305 said:
Hmm. I see distinct services listed with variations for different filtering levels (e.g. OpenDNS Home vs Family, Cleanbrowsing Family vs Adult vs Security). No allusion to the backup IPs.
Click to expand...

You are correct Dave. The rest is an assumption. It would take some serious coding to do what I'm suggesting
 
This got me thinking. Say all my devices has manually assigned IP using Global filter mode router. Now I set LAN DHCP ip pool from 192.168.1.225 to 192.168.1.238 for my guest. Is there anyway I can predefine 192.168.1.224/28 to Custom DNS 1? As of now it seems I can only add it once the router learned their MAC address?
 
chongnt said:
This got me thinking. Say all my devices has manually assigned IP using Global filter mode router. Now I set LAN DHCP ip pool from 192.168.1.225 to 192.168.1.238 for my guest. Is there anyway I can predefine 192.168.1.224/28 to Custom DNS 1? As of now it seems I can only add it once the router learned their MAC address?
Click to expand...
As you say, clients are specified by their MAC addresses rather than IP. So to do what you want you'd have to write a nat-start script.
Code: 
#!/bin/sh

iptables -t nat -I DNSFILTER -s 192.168.1.224/28 -j DNAT --to-destination 8.8.8.8
Obviously change 8.8.8.8 to be whatever DNS server you want. This rule will take priority over any clients that may be specified in the GUI.
 
chongnt said:
Now I set LAN DHCP ip pool from 192.168.1.225 to 192.168.1.238 for my guest. Is there anyway I can predefine 192.168.1.224/28 to Custom DNS 1?
Click to expand...
Just to add... 192.168.1.224/28 would be 192.168.1.224 to 192.168.1.239 inclusive as it's an IP range not a network (where .224 is the network and .239 is the broadcast).
 
ColinTaylor said:
As you say, clients are specified by their MAC addresses rather than IP. So to do what you want you'd have to write a nat-start script.
Code: 
#!/bin/sh

iptables -t nat -I DNSFILTER -s 192.168.1.224/28 -j DNAT --to-destination 8.8.8.8
Obviously change 8.8.8.8 to be whatever DNS server you want. This rule will take priority over any clients that may be specified in the GUI.
Click to expand...
Thanks @ColinTaylor , it works very well. I substitute 8.8.8.8 with $(nvram get dnsfilter_custom1).
 
ColinTaylor said:
Just to add... 192.168.1.224/28 would be 192.168.1.224 to 192.168.1.239 inclusive as it's an IP range not a network (where .224 is the network and .239 is the broadcast).
Click to expand...
Dumb question, in this case can I assign the first and last ip in the dhcp pool?
 
eibgrad said:
Code: 
iptables -t nat -I DNSFILTER -m iprange --src-range 192.168.1.224-238 -j DNAT --to $(nvram get dnsfilter_custom1)
Click to expand...
Typo. ;)

Should be:
Code: 
iptables -t nat -I DNSFILTER -m iprange --src-range 192.168.1.224-192.168.1.238 -j DNAT --to $(nvram get dnsfilter_custom1)
Or whatever IP range he desires.
 
ColinTaylor said:
Typo. ;)

Should be:
Code: 
iptables -t nat -I DNSFILTER -m iprange --src-range 192.168.1.224-192.168.1.238 -j DNAT --to $(nvram get dnsfilter_custom1)
Or whatever IP range he desires.
Click to expand...
Great. In this case I can make use of nvram get dhcp_start and nvram get dhcp_end in the source range. Then I don’t need to manually edit this in nat-start next time I change the dhcp pool?
 
You must log in or register to reply here.

Similar threads

url004
NXDOMAIN on server but the router can resolve queries
Replies
1
Views
153
url004
url004
Maverickcdn
hostapd custom config
Replies
4
Views
237
Maverickcdn
Maverickcdn
R
Wireless MAC (Band filter filtering out Guest network)
Replies
2
Views
95
recharging
R
icanfly
custom domains report NXDOMAIN for IPv6 DNS and fail to resolve in Alpine OS
Replies
2
Views
505
sfx2000
sfx2000
C
Need help with GT-AXE11000 and DNS Director
Replies
0
Views
125
corruptus
C
Similar threads
Thread starter Title Forum Replies Date
icanfly custom domains report NXDOMAIN for IPv6 DNS and fail to resolve in Alpine OS Asuswrt-Merlin 2
P Custom DNS for Guest Network Possible? Asuswrt-Merlin 15
Gary_Dexter Custom WAN DNS not working Asuswrt-Merlin 35
R Problem with my New ASUS RT-88U PRO Merlin and NordVPN pre-configured/custom configuration and DNS settings . Asuswrt-Merlin 36
Z ASUS RT-86U Merlin and NordVPN pre-configured/custom configuration and DNS settings ? Asuswrt-Merlin 53
P dnsmasq custom domain doesn't work on windows 10 Asuswrt-Merlin 1
Maverickcdn hostapd custom config Asuswrt-Merlin 4
L Custom DDNS vs Drop Down List for Same Provider Asuswrt-Merlin 3
K Lower refresh rate for custom DDNS update on failure, do avoid update loop Asuswrt-Merlin 0
J Solved OpenVPN clients can't resolve custom domains defined in dnsmasq config Asuswrt-Merlin 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 754 (members: 30, guests: 724)
Top