DNS filter


damasko

Occasional Visitor
Hello, I couldn't find any information on whether DNS Filter overrides the other DNS settings:
- DNS A set in DHCP LAN
- DNS B obtained automatically on WAN

E.g. if I set a specific MAC in DNS Filter as "No Filtering", will the clients avoid using the DNS set in DHCP LAN?

I tried having DNS C in the filter setting, both as the global filter and also bound to the MAC address, but the client always uses the WAN DNS (FYI: when the DHCP DNS is empty).

How can I have a different setting for each client?
 

ColinTaylor

Part of the Furniture
As the DNSFilter page explains, "No Filtering" will disable/bypass the filter. In other words the clients' DNS behaviour is the same as if DNSFilter was turned off.
 

eibgrad

Very Senior Member
If you want to filter DNS on a per client basis, then of course you have to enable the feature, but specify No Filtering at the global level. Just define your individual DNS filters in the list based on their MAC addresses.

You could also specify a filter at the global level if you wanted to change the network default. Any filters defined in the list, however, take precedence over the global filter.
 

damasko

Occasional Visitor
I don't understand what the difference is between "No Filtering" and "Router".

I tried setting "No Filtering" as the global policy and using the custom DNS for a single MAC address, but that client still goes through the automatic WAN DNS. FYI, the LAN DHCP DNS setting is empty.
 

ColinTaylor

Part of the Furniture
I'm not sure how it can be explained any more clearly.
"No Filtering" will disable/bypass the filter, and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined).
In other words, "Router" forces clients to use the router's DHCP->DNS server whether they want to or not. With "No Filtering" clients may choose to ignore the DHCP->DNS server.
 

damasko

Occasional Visitor
Thank you Colin, now I see a difference.

BTW, I cannot make DNS Filter work. I tried both the global rule and the MAC one, but it seems the client goes through the same DNS (DHCP) as without any filter at all. Am I missing something? Am I checking in the wrong way?
 

ColinTaylor

Part of the Furniture
Some client devices or web browsers are using techniques (DNS over HTTPS) that can bypass DNSFilter. What clients are you trying to filter?

Other than that you'll have to provide screenshots of the WAN, LAN-DHCP and DNSFilter settings for us to be able to understand what's happening.
 

damasko

Occasional Visitor
As the client I am using Win10 and Firefox with default settings, no DoH.
Router settings below:

[Three screenshots of the router settings attached, dated 2021-04-18]

How should I properly check which DNS is actually being used?
Checking http://www.whatsmydnsserver.com/ I see the NextDNS addresses (the ones provided by DHCP LAN).
 

dave14305

Part of the Furniture
With these settings in the screenshots, all DNS would be sent to Cloudflare 1.1.1.2. If NextDNS is being shown, it must be over another transport like DoH or DoT (probably DoH from Firefox). Double check Firefox by entering about:networking#dns in the address bar and making sure there’s no TRR (DoH) active.

Also, there's no need for the rule in the client list since it's the same as the Global mode.
 

damasko

Occasional Visitor
Yes, it's always false.

What could be the reason why I get two DNS servers shown (one of which is still NextDNS from DHCP) while I set the DNSFilter to Cloudflare?

Does "Anexia 178.225.153.47" mean Cloudflare?
 

dave14305

Part of the Furniture
damasko said:
It makes sense, I also set the NextDNS backup IP.

In the end, maybe I found a bug in Merlin's DNSFilter, it doesn't work.
Firmware Version: 386.01_2-gnuton1
DSL-AC68U

You should upgrade to the latest gnuton version 386.02_1-gnuton1, which has the dnsfilter fixes from Merlin's upstream code:
  • rc: fix pointer corruption in filter_setting()
  • rc: rewritten dnsfilter server table management
 

dave14305

Part of the Furniture
damasko said:
Just upgraded but unfortunately nothing changed, DNSFilter still seems not to be working.

Any suggestion?

Check if the firewall rules exist:
Code:
iptables -t nat -S | grep DNSFILTER
cat /tmp/nat_rules
In the second output, be sure to hide your WAN IP before posting the results.
 

damasko

Occasional Visitor
Code:
ASUSWRT-Merlin DSL-AC68U 386.02_1-gnuton1 Sat Apr 17 05:33:53 UTC 2021
[email protected]:/tmp/home/root# iptables -t nat -S | grep DNSFILTER
-N DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source DC:41:A9:35:xx:xx -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j DNAT --to-destination 1.1.1.2


[email protected]:/tmp/home/root# cat /tmp/nat_rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
:PUPNP - [0:0]
:VUPNP - [0:0]
:DNSFILTER - [0:0]
:PCREDIRECT - [0:0]
-A PREROUTING -d 100.105.xxx.xxx -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source DC:41:A9:35:xx:xx -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j DNAT --to-destination 1.1.1.2
-A VSERVER -j VUPNP
-A POSTROUTING -o vlan3880 -j PUPNP
-A POSTROUTING -o vlan3880 ! -s 100.105.202.154 -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT
 
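An added example, not posted by anyone in this thread and not part of the Asuswrt-Merlin or gnuton firmware: a small POSIX shell script that reads the `iptables -t nat -S | grep DNSFILTER` output dave14305 asked for and reports, for a given client MAC, where that client's port-53 traffic is redirected. It walks the DNSFILTER chain the way netfilter does (first `--mac-source` match wins, otherwise the catch-all DNAT; a `RETURN` target or no match at all means the client's own choice of resolver is left alone) and also confirms that PREROUTING hooks both UDP and TCP port 53 into the chain. The rule text embedded below is constructed, modelled on the dump above with a made-up client MAC; on the router you would pass the live command output instead.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): evaluate an
# Asuswrt-Merlin style DNSFILTER nat chain, as dumped by
# `iptables -t nat -S | grep DNSFILTER`, for one client MAC.
# Only plain port-53 DNS ever enters this chain; DoH/DoT traffic does not.

# Constructed sample modelled on the dump posted above (the MAC is made up).
SAMPLE_RULES='-N DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source DC:41:A9:35:11:22 -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j DNAT --to-destination 1.1.1.2'

# dnsfilter_hooked RULES PROTO
# Succeeds if PREROUTING sends PROTO traffic to port 53 into DNSFILTER.
# Both udp and tcp must be hooked, or TCP-fallback queries slip past the filter.
dnsfilter_hooked() {
    printf '%s\n' "$1" | grep -q -e "^-A PREROUTING .*-p $2 .*--dport 53 -j DNSFILTER"
}

# dnsfilter_target RULES MAC
# Prints the resolver IP that MAC's port-53 traffic is DNATed to, or
# "unfiltered" if the chain leaves the client's own resolver choice alone.
# Netfilter walks a chain top to bottom and the first matching terminating
# target wins, so a per-client (-m mac) rule beats the catch-all below it.
dnsfilter_target() {
    mac_upper=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v mac="$mac_upper" '
        $1 == "-A" && $2 == "DNSFILTER" {
            target = ""; dst = ""
            for (i = 3; i <= NF; i++) {
                # MAC match for some other client: this rule does not apply
                if ($i == "--mac-source" && toupper($(i + 1)) != mac) next
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            if (target == "DNAT" && dst != "") { print dst; found = 1; exit }
            if (target == "RETURN") { print "unfiltered"; found = 1; exit }
        }
        END { if (!found) print "unfiltered" }'
}

# dnsfilter_report RULES MAC
# One-line summary combining both checks. On the router itself:
#   dnsfilter_report "$(iptables -t nat -S | grep DNSFILTER)" dc:41:a9:35:11:22
dnsfilter_report() {
    if dnsfilter_hooked "$1" udp && dnsfilter_hooked "$1" tcp; then
        hook="udp+tcp/53 hooked"
    else
        hook="WARNING: PREROUTING hook missing"
    fi
    printf '%s -> %s (%s)\n' "$2" "$(dnsfilter_target "$1" "$2")" "$hook"
}

dnsfilter_report "$SAMPLE_RULES" dc:41:a9:35:11:22   # hits the per-client rule
dnsfilter_report "$SAMPLE_RULES" 00:11:22:33:44:55   # falls through to the global rule
```

If this reports the expected resolver for a client but a leak test on that client still shows a different server, the query is not arriving as plain port-53 DNS from the matched source (the DoH and guest-network points raised in this thread are exactly the cases the chain cannot see), so the next thing to check is the client's transport and source address rather than the DNSFilter configuration.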

dave14305

Part of the Furniture
Is there any Guest network involved? If so, are the guest network clients in the 192.168.1.* range? Everything looks correct so far.
 
