DNS Director :: Add more custom options

AndreiGuru (Occasional Visitor)

Hi,

I've been using the firmware for a while, and love it. I use a remote pihole for DNS filtering, and need to add more custom DNS servers (as I match LAN clients, to PiHole Client Groups).

How can I add more custom ipv4/ipv6 DNS servers for DNS Director?

Thanks!
 
Why would your LAN need to use more than three different DNS servers (beside those already offered)?

This would increase NVRAM usage with no real useful benefit.
 
On the left side LAN tab you will find a top tab DHCP server. For hosts that need a unique DHCP server, you can assign it to the host via DHCP.
 
Why would your LAN need to use more than three different DNS servers (beside those already offered)?

This would increase NVRAM usage with no real useful benefit.
Because I have 3 kids and we all use a different vlan IP for custom groups/identifying who's doing what. If you ever had to share DoT/DoH+LAN across 20+ devices you would understand :)
So, it's possible, but how?
 
Because I have 3 kids and we all use a different vlan IP for custom groups/identifying who's doing what. If you ever had to share DoT/DoH+LAN across 20+ devices you would understand :)
So, it's possible, but how?

Assign static IPs by MAC address. You are making it way too complicated.
 
Because I have 3 kids and we all use a different vlan IP for custom groups/identifying who's doing what. If you ever had to share DoT/DoH+LAN across 20+ devices you would understand :)
You don't need more than one custom DNS for that. Use the same Custom DNS for every device.
 
Assign static IPs by MAC address. You are making it way too complicated.
Nothing to do with it… already setting devices to remote DNS by MAC.
You don't need more than one custom DNS for that. Use the same Custom DNS for every device.
Honestly, that’s just a personal opinion. Adding 1-2 more custom dns entries wouldn’t make or break anything in reality, with resources considered. I simply have the need to use more custom dns because that’s how I choose to group devices. The router (ac5300) can handle it just fine
 
What’s your desired number? How many different DNS servers are used on your network?

You’re probably better off making your own iptables rules based on the existing DNSFILTER chains.
 
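The reply above points at rolling your own iptables rules next to the firmware's DNSFILTER chains. As an added example (my own illustration, not code from this thread or from Asuswrt-Merlin), here is a nat-start style script that steers any number of LAN clients, by MAC, to the DNS server of their group, and refuses DoT from those clients so they cannot sidestep it. The hook path /jffs/scripts/nat-start, the chain names DNSGROUPS and DNSGROUPS_DOT, the claim that DNS Director's rules sit in a nat-table chain called DNSFILTER reached from PREROUTING, and the MAC/IP mapping are all assumptions; the mapping is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from this thread or from Asuswrt-Merlin.
# Per-client DNS steering with iptables, the "roll your own DNSFILTER" route,
# for more groups than the DNS Director GUI offers.
# Assumptions (not verified against a specific firmware build):
#  - the firmware runs /jffs/scripts/nat-start after rebuilding the nat table;
#  - DNS Director's own rules live in the nat-table chain DNSFILTER, reached
#    from PREROUTING for udp/tcp dport 53. Our chain is inserted ahead of that
#    jump, so listed clients are matched here first and never reach DNSFILTER.
# Set IPT=echo to dry-run: the commands are printed instead of applied.
IPT="${IPT:-iptables}"
CHAIN="DNSGROUPS"

# Constructed sample mapping, "<client MAC> <DNS server it must use>".
# Each DNS address is a dummy IP on the remote Pi-hole, i.e. one client group,
# reachable through the router's VPN tunnel.
CLIENT_MAP='aa:bb:cc:00:00:01 10.255.255.11
aa:bb:cc:00:00:02 10.255.255.11
aa:bb:cc:00:00:03 10.255.255.12'

# valid_mac <mac>: accept only aa:bb:cc:dd:ee:ff, so a malformed mapping line
# can never become a malformed (or unintended) rule.
valid_mac() {
  h='[0-9a-fA-F][0-9a-fA-F]'
  case "$1" in
    $h:$h:$h:$h:$h:$h) return 0 ;;
    *) return 1 ;;
  esac
}

# client_rules <mac> <dns-ip>: print iptables arguments for one client, one
# rule per line: DNAT for udp and tcp 53, plus a REJECT of DoT (tcp 853), so
# the device cannot bypass its group with a DNS-over-TLS setting of its own.
client_rules() {
  mac=$1; dns=$2
  valid_mac "$mac" || { echo "client_rules: bad MAC '$mac'" >&2; return 1; }
  for proto in udp tcp; do
    echo "-t nat -A $CHAIN -p $proto --dport 53 -m mac --mac-source $mac -j DNAT --to-destination $dns"
  done
  echo "-t filter -A ${CHAIN}_DOT -p tcp --dport 853 -m mac --mac-source $mac -j REJECT"
}

# all_rules: the complete rule set, chain creation and hooks included.
all_rules() {
  echo "-t nat -N $CHAIN"
  echo "-t filter -N ${CHAIN}_DOT"
  echo "-t nat -I PREROUTING -p udp --dport 53 -j $CHAIN"
  echo "-t nat -I PREROUTING -p tcp --dport 53 -j $CHAIN"
  echo "-t filter -I FORWARD -j ${CHAIN}_DOT"
  echo "$CLIENT_MAP" | while read -r mac dns; do
    [ -n "$mac" ] && client_rules "$mac" "$dns"
  done
}

# apply_rules: remove anything left from a previous run first, so nat-start
# can fire repeatedly without stacking duplicate jumps, then apply every line.
apply_rules() {
  $IPT -t nat -D PREROUTING -p udp --dport 53 -j "$CHAIN" 2>/dev/null
  $IPT -t nat -D PREROUTING -p tcp --dport 53 -j "$CHAIN" 2>/dev/null
  $IPT -t filter -D FORWARD -j "${CHAIN}_DOT" 2>/dev/null
  $IPT -t nat -F "$CHAIN" 2>/dev/null; $IPT -t nat -X "$CHAIN" 2>/dev/null
  $IPT -t filter -F "${CHAIN}_DOT" 2>/dev/null; $IPT -t filter -X "${CHAIN}_DOT" 2>/dev/null
  all_rules | while read -r line; do
    # $line is our own space-separated argument list; word splitting is intended.
    $IPT $line
  done
}

# Only apply when run as the nat-start hook; sourcing just defines the functions.
if [ "${0##*/}" = "nat-start" ]; then
  apply_rules
fi
```

Run it once with IPT=echo to review the exact rules before letting the hook apply them. Matching on MAC rather than IP means a client keeps its group even if its DHCP lease changes, but a client that spoofs its MAC escapes the mapping, which is also true of DNS Director itself. IPv6 is not covered here; the poster's dummy IPv6 addresses over the VPN would need the equivalent ip6tables rules.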
Here's a bit of insight into what my network architecture looks like. Mind you, it's way more extensive than the avg bear, but covers:
- sharing a single external PiHole (1 ipv4, 1 ipv6, multiple ssl vhosts) for DoT/DoH/VPN+DNS Director across ~20 devices, with 5 client groups
- using client groups in PiHole (which works based on the source IP of the request - hence ssl hostname/dns proxying using local "client ips", so it works regardless of request origin WAN/(V)LAN) to apply different DNS blocklists
- being able to identify which devices look what up exactly, regardless of origin (external DoT/DoH, "internal" DNS over VPN with a spoofed source so they don't all show up as the router assigned VPN IP - this last part is why I need to add a couple more custom DNS entries, otherwise they show up as originating from AsusWRT VPN IP).
network diag - Network diagram example (1).png

* pihole network interfaces also have dummy IPv6 routed over the VPN, not just 10.255.255.0/24 IPv4's

In short, I can easily just automate the iptables rules on the router to do what DNS Director does, and some, but would rather just do it in the gui. Quite frankly, in the amount of time it took to go back and forth on this thread and make a minimalistic lucidapp, I would have coded something that works across my whole infra. Idk why personal views even matter instead of sharing a simple "add_to_nvram()"

This setup is more than a suitable alternative to most parental control apps, as it lets me use "Private DNS" across all my android devices (easy to identify who's doing what when they're not on WLAN), and also carry over the same rules/origin matching LAN traffic. Origins are grouped into their own PiHole Client Groups, and all is well.
 
Very nice setup but also very complicated. You obviously know way more than the average user (and likely more than most on this forum).

I find the views and input helpful on this forum as I am not an expert and like to keep things simple.

I have kids too but prefer to trust them rather than control (too much). I have never found a way to have any control when the kids are using the mobile/cellular network on their phones. Are you saying you can?
 
Very nice setup but also very complicated. You obviously know way more than the average user (and likely more than most on this forum).
Thanks! It's a bit complex but gets the job done :)
I find the views and input helpful on this forum as I am not an expert and like to keep things simple.

I have kids too but prefer to trust them rather than control (too much). I have never found a way to have any control when the kids are using the mobile/cellular network on their phones. Are you saying you can?
Yes, but it works easiest with Android devices using Private DNS (iOS doesn't have native support :(). Private DNS is basically DoT. I have a VPS in a local DC that's ~5ms away; that VPS runs PiHole with DoT exposed through an Nginx proxy. Nginx has 1 IPv4, 1 IPv6, and listens for connections on port 853 using a multi-domain SSL that covers kid1-ph.xyz.com, kid2-ph.xyz.com, etc-ph.xyz.com. Each hostname, e.g. 'kid2-ph.xyz.com', is associated with a dummy IPv4/6 on the pihole interface, and the requests are proxied to pihole using the dummy IPv4/6 as the source. This way pihole always thinks it got a connection for "kid1" from "ip1", and you can set "ip1" to be part of a client group. It sounds way more complicated typing this out - you basically just take in requests from multiple sources, spoof the origins to local IPs on PiHole, then that local IP is associated with a client group. I can write up a howto at some point.

That's the external aspect. Internally, I have a VPN connection on the router to the VPS with the dummy IPs routed over it (no internet over VPN, just DNS). Then I set all the related kiddo devices (kid1 phone, tablet, TV, etc.) to use the same internal dummy IP for DNS (this is the local client DNS grouping aspect).
 
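The external DoT path described in the post above can be expressed as a single nginx stream block. The following is an added example, my own illustration and not the poster's configuration: nginx terminates TLS on port 853, reads the server name the phone was given as its Private DNS hostname, and connects to Pi-hole from a local address chosen per name, which is the address Pi-hole then uses as the client-group key. The hostnames kid1-ph.xyz.com and kid2-ph.xyz.com come from the post; the dummy addresses 10.255.255.11 and 10.255.255.12, the certificate paths and Pi-hole listening on 127.0.0.1:53 are assumptions.

```nginx
# Added example, not the poster's actual configuration.
# nginx "stream" front end: terminate DoT on TCP 853, read the TLS server
# name the phone was given as its Private DNS hostname, and hand the plain
# DNS query to Pi-hole with a per-name local source address. Pi-hole keys
# its client groups on that source address.
# Assumed/invented: the dummy addresses 10.255.255.11 and .12 (configured on
# the Pi-hole host's interface, with Pi-hole set to listen on all interfaces),
# the certificate paths, and Pi-hole listening on 127.0.0.1:53.
stream {
    # Server name -> source address Pi-hole will see (its client-group key).
    map $ssl_server_name $dns_src {
        kid1-ph.xyz.com   10.255.255.11;
        kid2-ph.xyz.com   10.255.255.12;
        default           127.0.0.1;
    }
    # Server name -> backend. Unknown or absent names go to a closed port, so
    # the listener is not an open DoT resolver for whoever scans port 853.
    map $ssl_server_name $dns_upstream {
        kid1-ph.xyz.com   127.0.0.1:53;
        kid2-ph.xyz.com   127.0.0.1:53;
        default           127.0.0.1:1;
    }

    server {
        listen 853 ssl;
        listen [::]:853 ssl;

        # One SAN certificate covering every *-ph.xyz.com name.
        ssl_certificate     /etc/letsencrypt/live/xyz.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        proxy_bind    $dns_src;        # local address used for the backend connect
        proxy_pass    $dns_upstream;
        proxy_timeout 10s;
    }
}
```

Nothing is spoofed on the wire here: proxy_bind only selects which of the host's own addresses the backend connection originates from, so the dummy addresses must exist on the Pi-hole host and Pi-hole must accept queries arriving on them (the "permit all origins" / listen-on-all-interfaces setting). Mapping unknown server names to a closed port matters because a DoT listener reachable from the whole internet is otherwise an open resolver for anyone who finds it.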
Install AdGuard Home on your ASUS Router or on a Raspberry Pi.

You can do custom DNS per client, including DOH, DOT and other protocols
 
Why would your LAN need to use more than three different DNS servers (beside those already offered)?

This would increase NVRAM usage with no real useful benefit.

This is such a FALSE statement based on a personal misconception which I have to get back to since people might actually believe you. You cannot honestly say that NVRAM would increase at any rate that would matter by simply adding 1-2 more custom DNS options. You're literally talking bytes of "storage" here, not even 1KB.

I appreciate what you do with this firmware, but honestly, this was just a flaky opinionated response vs simply sharing a couple lines for the "preferred way" to add another custom DNS so I don't have to reverse-engineer your firmware/the bloatware addons that can be installed.
 
Attachment: Screenshot 2023-01-10 at 6.28.47 PM.png
Install AdGuard Home on your ASUS Router or on a Raspberry Pi.
You're a bit behind on what's going on here. FWIW, I already did that, and moved from a local Pi to a remote VPS with a PiHole instead. AdGuard on your router and Pis don't have enough resources for large ad lists.

You can do custom DNS per client, including DOH, DOT and other protocols

I already support DoH/DoT/custom DNS client groups, and this has nothing to do with the issue at hand, which is just being able to add 1-2 more "Custom DNS" options. Simple as that. All the big leg work which most people will never go to the extent of has already been done. I've been running this setup for years, it filters/groups local/remote devices great, I'm just tired of having certain LAN devices grouped wrong and didn't want to manage more crap on my router vs simply adding a UI option.
 
You're a bit behind on what's going on here. FWIW, I already did that, and moved from a local Pi to a remote VPS with a PiHole instead. AdGuard on your router and Pis don't have enough resources for large ad lists.

I already support DoH/DoT/custom DNS client groups, and this has nothing to do with the issue at hand, which is just being able to add 1-2 more "Custom DNS" options. Simple as that. All the big leg work which most people will never go to the extent of has already been done. I've been running this setup for years, it filters/groups local/remote devices great, I'm just tired of having certain LAN devices grouped wrong and didn't want to manage more crap on my router vs simply adding a UI option.

There are plenty of resources on both - you don't need blocklists with millions upon millions of blocks - it's not needed.

I run it on a router with 512 RAM and it works perfectly fine.

Sounds like you need a different router/setup - things aren't going to change just because you demand/"need" them.
 
There are plenty of resources on both - you don't need blocklists with millions upon millions of blocks - it's not needed.
That's a personal opinion. My blocklist consists of 11.1 million garbage domains and the VPS does way more than my router/a pihole for $3/mo

I run it on a router with 512 RAM and it works perfectly fine.
Sure, if you have ~100k blocked domains

Sounds like you need a different router/setup - things aren't going to change just because you demand/"need" them.
No, it doesn't. I don't need to change my router, or setup, just to get ~4 iptables rules added in. I just felt like asking the community for the "preferred way" to get a new custom DNS server in the list, I can get it done just fine without the "preferred way".

Most of the info I received in reply to my question is just based on personal opinions on why I should change my setup, to fit someone else's view, instead of simply addressing the question at hand "How to add another Custom DNS in the list". It's fine if you don't understand my setup, I've already been where you're at and upgraded :)
 
You're literally talking bytes of "storage" here, not even 1KB.
Yes, and every byte of storage DOES matter in this case. An RT-AC68U running with basic configuration typically has less than 2 KB of NVRAM space left, and users are frequently running out of NVRAM space already.

Adding a fourth custom server would add:

Code:
dnsfilter_custom4=8.8.8.8
dnsfilter_custom64=

That's 50 bytes for something that maybe 3 persons in the entire userbase could use. Make that 100 bytes for the two settings you wanted added. That's significant in a scenario where we are talking about routers actively running out of nvram space already. 100 bytes would be enough for these users running out of NVRAM to add an extra 2-3 DHCP static leases, for example.

This is not worth it.
 
Thanks! It's a bit complex but gets the job done :)

Yes, but it works easiest with Android devices using Private DNS (iOS doesn't have native support :(). Private DNS is basically DoT. I have a VPS in a local DC that's ~5ms away; that VPS runs PiHole with DoT exposed through an Nginx proxy. Nginx has 1 IPv4, 1 IPv6, and listens for connections on port 853 using a multi-domain SSL that covers kid1-ph.xyz.com, kid2-ph.xyz.com, etc-ph.xyz.com. Each hostname, e.g. 'kid2-ph.xyz.com', is associated with a dummy IPv4/6 on the pihole interface, and the requests are proxied to pihole using the dummy IPv4/6 as the source. This way pihole always thinks it got a connection for "kid1" from "ip1", and you can set "ip1" to be part of a client group. It sounds way more complicated typing this out - you basically just take in requests from multiple sources, spoof the origins to local IPs on PiHole, then that local IP is associated with a client group. I can write up a howto at some point.

That's the external aspect. Internally, I have a VPN connection on the router to the VPS with the dummy IPs routed over it (no internet over VPN, just DNS). Then I set all the related kiddo devices (kid1 phone, tablet, TV, etc.) to use the same internal dummy IP for DNS (this is the local client DNS grouping aspect).
BTW, here’s a handy tool to create your own DoH/DoT DNS profiles for Apple devices:

 
