
DNS Filter GUI Issue


paul0363

Occasional Visitor
I have an RT-AX88U set up using DNS filter in order to set the correct Cleanbrowsing DNS profile to specific clients. However, when I add more than 12 clients to the list any client after the 12th gets re-added to the list on a reboot (causing it to be in the list multiple times). I've tried re-adding clients several times after removing the extraneous entries but the issue persists. Has anyone else experienced this as I'm currently truncating the list to twelve clients to stop this behaviour? I'm running Merlin 386.3 firmware but the issue also existed in the previous release.
 
Maybe your nvram is corrupt or maxed out due to other settings?
 
Good shout. I'll do a full factory reset when the family are away later in the week and see if that cures things (should have done that before posting here - doh!)
 
Inspect the contents of the nvram variables with this SSH command before and after a reboot and again before and after adding a 13th entry followed by a reboot.
Code:
nvram show 2>/dev/null | grep dnsfilter_rulelist
 
You might be going over the maximum limit allowed by that nvram parameter. This is unfortunately a low-level limitation from Broadcom which I cannot override.
 
Each entry is maybe 23 characters, and the HNDs have 255*6=1530, which I was estimating at up to 66 entries.

On a reboot, could the old Norton conversion in format.c be re-writing it, since it happens after a reboot? Or maybe it’s just a display problem in the UI. Need to see his nvram content.
 
Why not try a different approach. Instead of enumerating each and every source IP, create a range of IPs defined by a single network using CIDR notation. For example, 192.168.1.128-191 could be represented as 192.168.1.128/26, giving you 64 hosts. If you specify that network in the DNS filter, and assign your CleanBrowsing clients within that range as static IPs, you only need the one rule.

You could create different ranges of course (e.g., 192.168.1.100-119), but it would likely result in more than one network. But it's still likely to require far less rules than handling each static IP individually. Just make sure to keep the DNS filter range outside the DHCP range.

 
OP said he will try a factory reset. Maybe start with that to eliminate any other underlying issues. If problem still persist, then maybe it is something that needs a closer look such that @dave14305 has pointed out.
 
Not a bad idea. Does the DNS filter on Asuswrt-Merlin support CIDR notation from the GUI? Nope, it only supports client MAC address filtering.
 
Yeah, particularly if you're desperate for a solution. All you have to do is create a couple rules like the following.

Code:
# Redirect all DNS (UDP and TCP port 53) from the 192.168.1.128/26 range to CleanBrowsing
iptables -t nat -I PREROUTING -p udp --dport 53 -s 192.168.1.128/26 -j DNAT --to 185.228.168.168
iptables -t nat -I PREROUTING -p tcp --dport 53 -s 192.168.1.128/26 -j DNAT --to 185.228.168.168

... where 185.228.168.168 is the known IP for CleanBrowsing.
 
Have now factory reset the router and re-setup from scratch and the issue persists.
Also double checked the amount of clients I can specify before the issue arises and it's 14 (not 12 as I said before).

NVRAM detail as follows:

Code:
Before reboot:

paul0363@Merlin:/tmp/home/root# nvram show 2>/dev/null | grep dnsfilter_rulelist
dnsfilter_rulelist=<>30:59:B7:50:3A:1D>9<>E4:8B:7F:DD:B9:FE>9<>98:90:96:CD:63:39>10<>D0:4D:2C:C8:9A:0A>1<>C8:3A:6B:A3:A0:DC>1<>70:54:B4:67:D4:2B>1<>CC:6E:A4:5D:F0:E2>1<>FC:F1:52:3C:B6:69>1<>C8:08:E9:C4:1E:F7>1<>A4:77:33:CA:90:02>1<>44:09:B8:98:A0:E7>1<>6C:02:E0:3F:44:A7>9<>
dnsfilter_rulelist1=E8:B2:FE:F9:2A:5A>0E8:B2:FE:F9:2A:5A>0<>E8:B2:FE:C9:49:26>0<>E8:B2:FE:F9:1F:C2>0
dnsfilter_rulelist2=
dnsfilter_rulelist3=
dnsfilter_rulelist4=
dnsfilter_rulelist5=


After reboot:

paul0363@Merlin:/tmp/home/root# nvram show 2>/dev/null | grep dnsfilter_rulelist
dnsfilter_rulelist=<>30:59:B7:50:3A:1D>9<>E4:8B:7F:DD:B9:FE>9<>98:90:96:CD:63:39>10<>D0:4D:2C:C8:9A:0A>1<>C8:3A:6B:A3:A0:DC>1<>70:54:B4:67:D4:2B>1<>CC:6E:A4:5D:F0:E2>1<>FC:F1:52:3C:B6:69>1<>C8:08:E9:C4:1E:F7>1<>A4:77:33:CA:90:02>1<>44:09:B8:98:A0:E7>1<>6C:02:E0:3F:44:A7>9<>E8:B2:FE:F9:2A:5A>0E8:B2:FE:F9:2A:5A<>E8:B2:FE:C9:49:26>0<>E8:B2:FE:F9:1F:C2>0
dnsfilter_rulelist1=E8:B2:FE:F9:2A:5A>0E8:B2:FE:F9:2A:5A>0<>E8:B2:FE:C9:49:26>0<>E8:B2:FE:F9:1F:C2>0
dnsfilter_rulelist2=
dnsfilter_rulelist3=
dnsfilter_rulelist4=
dnsfilter_rulelist5=
 
Curious, very curious.
 
Interesting that dnsfilter_rulelist bloats from 255 chars to 333 chars after a reboot. And a couple < signs get lost.

EDIT: dnsfilter_rulelist1 is actually malformed before the reboot (missing <> after the >0).
 
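As an added example (not code from the firmware or from anyone in this thread), the following Python parses the two `nvram show` dumps posted above, rejoins the split variables, and flags the malformed entry and the duplicated MACs that the GUI shows as re-added clients. It assumes the entry format `<name>MAC>mode` and that the HND split storage is rejoined by plain concatenation of `dnsfilter_rulelist`, `dnsfilter_rulelist1`, ... `dnsfilter_rulelist5`; the 255-character chunk length is read off the dump, not taken from the firmware source.

```python
"""Parse and sanity-check Asuswrt-Merlin's dnsfilter_rulelist nvram value.

Added example for this thread; it is not code from the firmware or from any
poster. Assumptions: each entry is '<name>MAC>mode', and the HND split storage
(dnsfilter_rulelist, dnsfilter_rulelist1..5) is rejoined by plain concatenation.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$", re.IGNORECASE)
SPLIT_CHUNK = 255   # first-chunk length seen in the dumps (assumed to be the fixed cut point)
SPLIT_COUNT = 5     # dnsfilter_rulelist1 .. dnsfilter_rulelist5 exist on HND models

# Input taken from the two dumps posted in the thread (shell prompt removed).
BEFORE_REBOOT = """\
dnsfilter_rulelist=<>30:59:B7:50:3A:1D>9<>E4:8B:7F:DD:B9:FE>9<>98:90:96:CD:63:39>10<>D0:4D:2C:C8:9A:0A>1<>C8:3A:6B:A3:A0:DC>1<>70:54:B4:67:D4:2B>1<>CC:6E:A4:5D:F0:E2>1<>FC:F1:52:3C:B6:69>1<>C8:08:E9:C4:1E:F7>1<>A4:77:33:CA:90:02>1<>44:09:B8:98:A0:E7>1<>6C:02:E0:3F:44:A7>9<>
dnsfilter_rulelist1=E8:B2:FE:F9:2A:5A>0E8:B2:FE:F9:2A:5A>0<>E8:B2:FE:C9:49:26>0<>E8:B2:FE:F9:1F:C2>0
dnsfilter_rulelist2=
dnsfilter_rulelist3=
dnsfilter_rulelist4=
dnsfilter_rulelist5=
"""
AFTER_REBOOT = """\
dnsfilter_rulelist=<>30:59:B7:50:3A:1D>9<>E4:8B:7F:DD:B9:FE>9<>98:90:96:CD:63:39>10<>D0:4D:2C:C8:9A:0A>1<>C8:3A:6B:A3:A0:DC>1<>70:54:B4:67:D4:2B>1<>CC:6E:A4:5D:F0:E2>1<>FC:F1:52:3C:B6:69>1<>C8:08:E9:C4:1E:F7>1<>A4:77:33:CA:90:02>1<>44:09:B8:98:A0:E7>1<>6C:02:E0:3F:44:A7>9<>E8:B2:FE:F9:2A:5A>0E8:B2:FE:F9:2A:5A<>E8:B2:FE:C9:49:26>0<>E8:B2:FE:F9:1F:C2>0
dnsfilter_rulelist1=E8:B2:FE:F9:2A:5A>0E8:B2:FE:F9:2A:5A>0<>E8:B2:FE:C9:49:26>0<>E8:B2:FE:F9:1F:C2>0
dnsfilter_rulelist2=
dnsfilter_rulelist3=
dnsfilter_rulelist4=
dnsfilter_rulelist5=
"""


class Rule(NamedTuple):
    name: str
    mac: str
    mode: str
    raw: str                 # entry text after its leading '<'
    problem: Optional[str]   # None when the entry is well-formed


def parse_nvram_show(text: str) -> Dict[str, str]:
    """Turn 'name=value' lines (as printed by `nvram show`) into a dict."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            out[name.strip()] = value
    return out


def join_split_var(nv: Dict[str, str], base: str = "dnsfilter_rulelist") -> str:
    """Rejoin base, base1 .. baseN in order (plain concatenation, assumed)."""
    names = [base] + [f"{base}{i}" for i in range(1, SPLIT_COUNT + 1)]
    return "".join(nv.get(n, "") for n in names)


def parse_rulelist(value: str) -> List[Rule]:
    """Split '<name>MAC>mode<name>MAC>mode...' into Rules, flagging anything that does not fit."""
    rules: List[Rule] = []
    for raw in value.split("<")[1:]:        # token 0 is the empty text before the first '<'
        fields = raw.split(">")
        problem = None
        if len(fields) != 3:
            problem = f"expected name>MAC>mode, got {len(fields)} fields"
        elif not MAC_RE.match(fields[1]):
            problem = f"bad MAC {fields[1]!r}"
        elif not fields[2].isdigit():
            problem = f"bad mode {fields[2]!r}"
        name, mac, mode = (fields + ["", "", ""])[:3]
        rules.append(Rule(name, mac.upper(), mode, raw, problem))
    return rules


def duplicate_macs(rules: List[Rule]) -> List[str]:
    """MACs that occur more than once among well-formed entries (the 're-added' clients)."""
    counts = Counter(r.mac for r in rules if r.problem is None)
    return sorted(mac for mac, n in counts.items() if n > 1)


def check(nv: Dict[str, str]) -> dict:
    """Summarise one dump: first-chunk length, spill into split variables, malformed and duplicated entries."""
    first = nv.get("dnsfilter_rulelist", "")
    rules = parse_rulelist(join_split_var(nv))
    return {
        "first_chunk_len": len(first),
        "spilled": len(first) >= SPLIT_CHUNK,
        "entries": len(rules),
        "malformed": [r.raw for r in rules if r.problem],
        "duplicates": duplicate_macs(rules),
    }


if __name__ == "__main__":
    for label, dump in (("before reboot", BEFORE_REBOOT), ("after reboot", AFTER_REBOOT)):
        print(label, check(parse_nvram_show(dump)))
```

Under the plain-concatenation assumption the first chunk is exactly 255 characters and ends in a bare `<>`, so the 13th entry straddles the cut and `dnsfilter_rulelist1` begins mid-entry. After the reboot the same tail has been appended to the first variable as well, so the joined value contains it twice: the check reports one more malformed token and a MAC that now occurs twice among well-formed entries, which is the duplicate row the GUI displays.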
Why not use CleanBrowsing for the entire network? Or assign the clients a manual IP address with a specific DNS resolver?
 
On a reboot, could the old Norton conversion in format.c be re-writing it, since it happens after a reboot?
Time I ditched that code anyway. If anyone by now still has their router configured to run Norton, then they must not have used their router for the past 18-24 months.

At a quick glance, it looks like his two dnsfilter variables were merged together in the first one. Unless he runs any script that manipulates DNSFilter, it seems like the parsed nvram is written back as a non-HND model instead of an HND model. Ain't from the format.c migration code, it correctly does nvram splitting:

Code:
#ifdef HND_ROUTER
                nvram_split_set("dnsfilter_rulelist", newstr, 255 * 6 + 1, 5);
#else
                nvram_set("dnsfilter_rulelist", newstr);
#endif
 
Manual assignment is just a suggestion; a global CleanBrowsing filter makes more sense because it will force hard-coded devices.
I actually have a workaround in place, but it involves leaving the global filter as unfiltered.

I have three CleanBrowsing profiles that I need to apply to various devices (one for the adults and one each for kids who are at different ages). These aren't the standard free profiles but custom ones that are set up on a paid plan (each profile is associated with a different DNS IP). I also have to have three cable STBs use the ISP default DNS or they don't get firmware updates. Initially I had the global filter set to "router" to force any unknown device to use one of the CleanBrowsing profiles (as it's the default DNS) in order to cover kids' friends when they visit etc., and the three STBs forced to the cable co's DNS. The solution now has been to remove these three from the DNS filter (as they were taking me over the count that's causing the issue), set their DNS by assigning a fixed IP (on the DHCP page), and set the global filter to "no filtering". While not ideal, it works, but it doesn't stop new devices from using their own DNS.
 
There must be a bug in the conversion code that causes the nvram content to get corrupted. In any case the issue is gone after I remove that obsolete code block.
 
