DNS filter

damasko

Occasional Visitor
hello, I didn't find the info on whether DNS filter overrides the other DNS settings:
- DNS A set in DHCP LAN
- DNS B obtained automatically on WAN

e.g. if I set a specific MAC with DNS filter as "no filtering", will the clients avoid using the DNS set in DHCP LAN?

I tried having DNS C in the filter setting, both as global filter and also bound to the MAC address, but the client always uses the WAN DNS (fyi: when DHCP DNS is empty).

how can I have different settings for each client?
 
As it explains on the DNSFilter page, "No Filtering" will disable/bypass the filter. In other words the clients DNS behaviour is the same as if DNSFilter was turned off.
 
If you want to filter DNS on a per client basis, then of course you have to enable the feature, but specify No Filtering at the global level. Just define your individual DNS filters in the list based on their MAC addresses.

You could also specify a filter at the global level if you wanted to change the network default. Any filters defined in the list, however, take precedence over the global filter.
 
I don't understand what the difference is between "no filtering" and "router".

I tried setting "no filtering" as the global policy and using the custom DNS for a single MAC address, but such a client still passes through the WAN automatic DNS. FYI the LAN DHCP DNS setting is empty
 
I'm not sure how it can be explained any more clearly.
"No Filtering" will disable/bypass the filter, and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined).
In other words, "Router" forces clients to use the router's DHCP->DNS server whether they want to or not. With "No Filtering" clients may choose to ignore the DHCP->DNS server.
 
thank you Colin, now I see a difference.

btw, I cannot make DNS filter work. I tried both the global rule and the MAC rule too, but it seems the client is passing through the same DNS (DHCP) as without any filter at all. Am I missing something? Am I checking in a wrong way?
 
Some client devices or web browsers are using techniques (DNS over HTTPS) that can bypass DNSFilter. What clients are you trying to filter?

Other than that you'll have to provide screen shots of the WAN, LAN-DHCP and DNSFilter settings for us to be able to understand what's happening.
 
as client I am using Win10 and Firefox with default settings, no DoH.
router settings below:

(three screenshots of the router settings attached: Immagine 2021-04-18 100814.jpg, 101037.jpg, 101848.jpg)


how should I properly check which DNS is being used?
checking http://www.whatsmydnsserver.com/ I see the NextDNS addresses (provided by DHCP LAN)
 
With these settings in the screenshots, all DNS would be sent to Cloudflare 1.1.1.2. If NextDNS is being shown, it must be over another transport like DoH or DoT (probably DoH from Firefox). Double check Firefox by entering about:networking#dns in the address bar and making sure there’s no TRR (DoH) active.

Also, there’s no need for the rule in client list since it’s the same as the Global mode.
 
yes, it's always false.

what could be the reason why I get two DNS shown (one of which is still NextDNS by DHCP) while I set the DNSFilter to Cloudflare?

does "Anexia 178.225.153.47" mean Cloudflare?
 
does "Anexia 178.225.153.47" mean Cloudflare?
I have seen servernames like Anexia, Estnoc and Zepto in NextDNS, so that's my guess.
 
it makes sense, I also set the NextDNS backup IP.

in the end, maybe I found a bug in Merlin DNSFilter, it doesn't work.
Firmware Version:386.01_2-gnuton1
dsl-ac68u
You should upgrade to the latest gnuton version 386.02_1-gnuton1 which has the dnsfilter fixes from Merlin’s upstream code.
  • rc: fix pointer corruption in filter_setting()
  • rc: rewritten dnsfilter server table management
 
just upgraded but unfortunately nothing changed, DNSFilter still doesn't seem to be working

any suggestion?
Check if the firewall rules exist:
Code:
iptables -t nat -S | grep DNSFILTER
cat /tmp/nat_rules
in the second output, be sure to hide your WAN IP before posting the results.
 
ASUSWRT-Merlin DSL-AC68U 386.02_1-gnuton1 Sat Apr 17 05:33:53 UTC 2021
admin@DSL-AC68U-93C0:/tmp/home/root# iptables -t nat -S | grep DNSFILTER
-N DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source DC:41:A9:35:xx:xx -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j DNAT --to-destination 1.1.1.2


admin@DSL-AC68U-93C0:/tmp/home/root# cat /tmp/nat_rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
:PUPNP - [0:0]
:VUPNP - [0:0]
:DNSFILTER - [0:0]
:PCREDIRECT - [0:0]
-A PREROUTING -d 100.105.xxx.xxx -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source DC:41:A9:35:xx:xx -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j DNAT --to-destination 1.1.1.2
-A VSERVER -j VUPNP
-A POSTROUTING -o vlan3880 -j PUPNP
-A POSTROUTING -o vlan3880 ! -s 100.105.202.154 -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT
 
Is there any Guest network involved? If so, are the guest network clients in the 192.168.1.* range? Everything looks correct so far.
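To show why the posted rules look correct, here is a small added example (not code from the thread or from the firmware) that parses `iptables -t nat -S` output like the one above and resolves which DNS server a given client MAC is redirected to. It models netfilter's first-match semantics in the DNSFILTER chain, which is what makes a per-client rule override the global catch-all, and it uses a constructed copy of the posted rules with the masked MAC.

```python
import re

# Constructed sample modelled on the `iptables -t nat -S | grep DNSFILTER` output posted
# in the thread (MAC octets masked as in the post).
SAMPLE_RULES = """\
-N DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source DC:41:A9:35:xx:xx -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j DNAT --to-destination 1.1.1.2
"""

HOOK_RULE = re.compile(r"^-A PREROUTING -s \S+ -p (udp|tcp) -m \1 --dport 53 -j DNSFILTER$")
MAC_RULE = re.compile(r"^-A DNSFILTER -m mac --mac-source (\S+) -j DNAT --to-destination (\S+)$")
ANY_RULE = re.compile(r"^-A DNSFILTER -j DNAT --to-destination (\S+)$")


def parse_dnsfilter(rules_text):
    """Return (set of hooked protocols, ordered DNSFILTER rules as (mac_or_None, target))."""
    hooks, chain = set(), []
    for line in rules_text.splitlines():
        line = line.strip()
        m = HOOK_RULE.match(line)
        if m:
            hooks.add(m.group(1))
            continue
        m = MAC_RULE.match(line)
        if m:
            chain.append((m.group(1).upper(), m.group(2)))
            continue
        m = ANY_RULE.match(line)
        if m:
            chain.append((None, m.group(1)))
    return hooks, chain


def effective_dns(rules_text, client_mac):
    """Resolver a client's plain port-53 queries are redirected to, or None if unfiltered.

    Walks the DNSFILTER chain in order like netfilter does: the first matching rule wins,
    so a per-client MAC rule listed before the catch-all overrides the global target,
    while a catch-all listed first would shadow every MAC rule after it. Only UDP/TCP 53
    is hooked, so DoH/DoT on 443/853 are never touched by these rules.
    """
    hooks, chain = parse_dnsfilter(rules_text)
    if hooks != {"udp", "tcp"}:
        return None  # filter chain not attached to both DNS transports
    for mac, target in chain:
        if mac is None or mac == client_mac.upper():
            return target
    return None
```

Run it against your own `iptables -t nat -S` output to confirm a client lands on the resolver you expect; a client that still shows NextDNS despite a 9.9.9.9 or 1.1.1.2 result here is resolving over a transport the port-53 rules do not cover.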
 