DNS Filtering problem


robbo56

Occasional Visitor
I need some guidance please on correctly setting up the following scenario:

I want all clients on my LAN to use OpenDNS by default, with the exception of a couple of specified clients using DNSFilter on MAC address. I have set Custom DNS 1, 2 and 3 to 8.8.8.8, and set DNS Server 1 under DHCP Server to 208.67.222.222 and DNS Server 2 to 208.67.220.220. Enable DNS filtering is ON and Global Filter Mode is Router.

Problem is that the clients I want to bypass Open VPN do not. What should I set for Advertise router's IP in addition to user-specified DNS? There is also some option under WAN for DNS which I currently have set to No. I used to have this working! So I think I set something incorrectly.
 

eibgrad

Very Senior Member
If you're asking for clients bound to the OpenVPN client using Routing Policy to bypass the VPN solely for the purposes of name resolution, that's not possible, at least as currently configured. ALL the traffic from a given source IP bound to the VPN is routed over the tunnel, DNS or otherwise.

That said, if you want those particular clients to use a specific DNS server (e.g., Cloudflare, 1.1.1.1), you can create a DNS filter for that purpose for those clients. However, that DNS server for those clients will still be routed over the VPN *unless* you add a Routing Policy rule to bind that destination IP (1.1.1.1) to the WAN. Or else create a static route binding that IP to the WAN, which can be done w/ a remote directive in the custom config field of the OpenVPN client.

Code:
route 1.1.1.1 255.255.255.255 net_gateway

Note, you'll probably have to use the NON strict version of Routing Policy for this to work. Normally the strict version strips out all routes to the WAN.
 

ColinTaylor

Part of the Furniture
I think you made a typo in your post. You said "Problem is that the clients I want to bypass Open VPN do not". I believe you meant to say OpenDNS. I don't think your question has anything to do with VPNs or does it?
 

robbo56

Occasional Visitor
I think I should be putting OpenDNS Primary and Secondary in the WAN settings, leave the DNS fields under DHCP blank, and just set the filter rules for clients that should bypass OpenDNS by using Custom 1 (Google 8.8.8.8). Is this correct? I do not host a DNS server on my LAN.
 

ColinTaylor

Part of the Furniture
I think I should be putting OpenDNS Primary and Secondary in the WAN settings, leave the DNS fields under DHCP blank, and just set the filter rules for clients that should bypass OpenDNS by using Custom 1 (Google 8.8.8.8). Is this correct? I do not host a DNS server on my LAN.
Yes, that is correct.

You also have a choice for "Global Filter Mode". The normal behaviour is with that set to No Filtering. But clients can choose to ignore the router's DNS settings. If you want to try and force clients to use the router's DNS (and therefore also OpenDNS) you can set the option to "Router".
 
Last edited:

robbo56

Occasional Visitor
The router's DNS setting being the WAN fields, as opposed to the DHCP DNS? I assume that by specifying WAN DNS, all clients, whether statically or dynamically allocated, will effectively use the WAN field unless DNS filtering is applied.
 

ColinTaylor

Part of the Furniture
The router's DNS setting being the WAN fields, as opposed to the DHCP DNS? I assume that by specifying WAN DNS, all clients, whether statically or dynamically allocated, will effectively use the WAN field unless DNS filtering is applied.
No, that's not how it works. It is preferable for clients to use the router as their DNS server (via the LAN settings) because a) it is faster and caches frequent queries, and b) you retain the ability to resolve local client names. Any non-local or non-cached DNS requests sent to the router are still forwarded on to the DNS servers specified in the WAN settings.
 

robbo56

Occasional Visitor
I have attached some screenshots. I would appreciate it if you could tell me whether I have this correct, many thanks. Also, when I add a device to the filter table it does not seem to kick in. Do I need to reboot the client or the router before it will take effect?
Attachments: DNS Filter.JPG, DHCP_01.JPG, WAN_NEW.JPG
 

ColinTaylor

Part of the Furniture
No. Leave LAN - DHCP Server, DNS Server 1 & 2 blank. The clients will then be told to use the router as their DNS server (regardless of the setting of Advertise router's IP...).

Clients need to refresh their DNS settings for it to take effect. The easiest way to do that is to reboot the client, or disconnect/reconnect its network interface.
 
Last edited:
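One way to confirm that a filter entry has actually taken effect is to look at what reaches the router's own resolver. With Global Filter Mode set to Router, every ordinary client's queries are redirected to the router's dnsmasq, and with query logging enabled (the dnsmasq `log-queries` option) its log records which client asked and which upstream the query was forwarded to. A client that has been given a Custom entry such as 8.8.8.8 is redirected straight to that server and should therefore stop appearing in the router's log once it has refreshed its DNS settings. The following Python is an added example, not code from the thread or the firmware: it parses constructed dnsmasq-style log lines (the client IPs, names and the `router dnsmasq[1234]:` prefix are made up) and flags bypass clients that are still resolving via the router, plus any forwards to a server that is not one of the configured WAN DNS servers.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq output with log-queries enabled; not from the thread.
# 192.168.1.77 is meant to be a bypass client and should not be here at all;
# the forward to 8.8.8.8 shows the router itself still using Google upstream.
SAMPLE_LOG = """\
Jan 10 12:00:01 router dnsmasq[1234]: query[A] example.com from 192.168.1.50
Jan 10 12:00:01 router dnsmasq[1234]: forwarded example.com to 208.67.222.222
Jan 10 12:00:02 router dnsmasq[1234]: query[A] example.org from 192.168.1.77
Jan 10 12:00:02 router dnsmasq[1234]: forwarded example.org to 208.67.222.222
Jan 10 12:00:03 router dnsmasq[1234]: query[AAAA] nas.lan from 192.168.1.50
Jan 10 12:00:03 router dnsmasq[1234]: config nas.lan is 192.168.1.20
Jan 10 12:00:04 router dnsmasq[1234]: query[A] example.com from 192.168.1.60
Jan 10 12:00:04 router dnsmasq[1234]: cached example.com is 93.184.216.34
Jan 10 12:00:05 router dnsmasq[1234]: query[A] example.net from 192.168.1.90
Jan 10 12:00:05 router dnsmasq[1234]: forwarded example.net to 8.8.8.8
"""

# "query[TYPE] name from client" and the matching "forwarded/cached/config name to|is X"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (forwarded|cached|config) (\S+) (?:to|is) (\S+)$")


def observed_resolution(log_text):
    """Map client IP -> set of where its queries were answered from:
    an upstream IP, 'cache' or 'local'. An answer line is attributed to
    the most recent still-pending query for the same name."""
    pending = defaultdict(list)   # name -> stack of client IPs awaiting an answer
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pending[m.group(1)].append(m.group(2))
            continue
        m = ANSWER_RE.search(line)
        if m and pending[m.group(2)]:
            client = pending[m.group(2)].pop()
            kind, dest = m.group(1), m.group(3)
            seen[client].add(dest if kind == "forwarded"
                             else "cache" if kind == "cached" else "local")
    return dict(seen)


def policy_violations(seen, router_upstreams, bypass_clients):
    """router_upstreams: set of WAN DNS server IPs the router should forward to.
    bypass_clients: set of client IPs that DNSFilter sends directly to their own
    server; if they show up in the router's log, the filter has not taken effect
    for them yet (the client still needs to refresh its DNS settings)."""
    allowed = set(router_upstreams) | {"cache", "local"}
    problems = []
    for client, dests in sorted(seen.items()):
        if client in bypass_clients:
            problems.append(f"{client}: still resolving via the router, filter not applied")
            continue
        bad = sorted(d for d in dests if d not in allowed)
        if bad:
            problems.append(f"{client}: forwarded to unexpected upstream(s) {bad}")
    return problems


if __name__ == "__main__":
    seen = observed_resolution(SAMPLE_LOG)
    for p in policy_violations(seen, {"208.67.222.222", "208.67.220.220"}, {"192.168.1.77"}):
        print(p)
```

Run against the real log after the client has reconnected; the bypass client's line should disappear, and any remaining forward to a server outside the WAN DNS list points at the WAN settings rather than the filter table.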

robbo56

Occasional Visitor
So I am wanting to go one step further now and use Pi-hole to implement ad filtering. I understand how to do this globally, but is there a way to still have ALL clients directed to Pi-hole for the junk filtering but still allow the selected clients to use 8.8.8.8 as WAN DNS, as opposed to other clients being directed to OpenDNS?

By the way, I appreciate how much knowledge is available on these forums and people's willingness to help out.
 

shabbs

Senior Member
So I am wanting to go one step further now and use Pi-hole to implement ad filtering. I understand how to do this globally, but is there a way to still have ALL clients directed to Pi-hole for the junk filtering but still allow the selected clients to use 8.8.8.8 as WAN DNS, as opposed to other clients being directed to OpenDNS?

By the way, I appreciate how much knowledge is available on these forums and people's willingness to help out.
For that config, I think you'd need to use the "Custom" DNSFilter setting. The "Custom" entry would be the IP of your Pi-hole. You can then have OpenDNS as your upstream provider on the Pi-hole.

For clients that you want to bypass the DNSFilter, you'd add them to the Client List and specify "No Filtering". They'd then default to the Router DNS entry. Your WAN DNS would then need to be 8.8.8.8 if you want the bypassing clients to use it.

Also make sure to include your Pi-hole in the "no filtering" list or else it will try to filter itself endlessly.

I have two Pi-holes on my system but use the Router's LAN DHCP handout to give their DNS Entries out. My DNSFilter mode is set to "Router" and I have OpenDNS as my upstream. My Router's WAN DNS is set to Quad9 DNS.

EDIT: Some good info here: https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245

It's generally recommended to NOT Pi-hole your WAN. The WAN DNS entries should be outside your local network.
 
Last edited:
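The thread has now covered three layouts: the original post (OpenDNS in the DHCP fields, 8.8.8.8 in WAN, global mode Router), ColinTaylor's correction (OpenDNS in WAN, DHCP DNS fields blank, bypass clients on Custom 1), and shabbs's Pi-hole layout (global mode Custom pointing at the Pi-hole, bypass clients and the Pi-hole itself on No Filtering, 8.8.8.8 in WAN). As an added example, not code from the thread or from the router firmware, the Python below models the rules the replies describe (blank DHCP DNS means clients are told to use the router; the router forwards to the WAN servers; DNSFilter redirects a client's DNS to the server chosen for it; No Filtering leaves the client's own setting alone) and evaluates each layout for an ordinary client, a bypass client and the Pi-hole. The router IP, Pi-hole IP and MAC addresses are constructed; the mode names are the ones used in the thread.

```python
from dataclasses import dataclass, field, replace

ROUTER_IP = "192.168.1.1"                         # constructed LAN address
OPENDNS = ["208.67.222.222", "208.67.220.220"]
GOOGLE = "8.8.8.8"
PIHOLE_IP = "192.168.1.5"                         # constructed
BYPASS_MAC = "AA:BB:CC:DD:EE:01"                  # constructed MACs
OTHER_MAC = "AA:BB:CC:DD:EE:02"
PIHOLE_MAC = "AA:BB:CC:DD:EE:05"


@dataclass
class RouterConfig:
    wan_dns: list                                        # WAN > DNS Server 1..3 (dnsmasq upstreams)
    dhcp_dns: list                                       # LAN > DHCP Server > DNS Server 1/2
    global_filter: str                                   # "No Filtering", "Router", "Custom 1", ...
    client_filters: dict = field(default_factory=dict)   # MAC -> filter mode for that client
    custom_servers: dict = field(default_factory=dict)   # "Custom 1" -> server IP


def filter_target(cfg, mac):
    """Server DNSFilter redirects this client's port-53 traffic to, or None if untouched."""
    mode = cfg.client_filters.get(mac, cfg.global_filter)
    if mode == "No Filtering":
        return None
    if mode == "Router":
        return ROUTER_IP
    return cfg.custom_servers[mode]


def effective_path(cfg, mac, client_dns=None):
    """Ordered list of resolvers a query from this client actually reaches.
    client_dns is a server the client configured itself (or, for the Pi-hole,
    its upstream); None means it accepted what DHCP handed out."""
    target = filter_target(cfg, mac)
    if target is None:
        target = client_dns or (cfg.dhcp_dns[0] if cfg.dhcp_dns else ROUTER_IP)
    if target == ROUTER_IP:
        return [ROUTER_IP] + list(cfg.wan_dns)   # router's dnsmasq forwards upstream
    return [target]


def scenarios():
    """The three configurations from the thread, evaluated by the model."""
    original = RouterConfig(wan_dns=[GOOGLE], dhcp_dns=OPENDNS, global_filter="Router",
                            client_filters={BYPASS_MAC: "Custom 1"},
                            custom_servers={"Custom 1": GOOGLE})
    corrected = RouterConfig(wan_dns=OPENDNS, dhcp_dns=[], global_filter="Router",
                             client_filters={BYPASS_MAC: "Custom 1"},
                             custom_servers={"Custom 1": GOOGLE})
    pihole = RouterConfig(wan_dns=[GOOGLE], dhcp_dns=[], global_filter="Custom 1",
                          client_filters={BYPASS_MAC: "No Filtering",
                                          PIHOLE_MAC: "No Filtering"},
                          custom_servers={"Custom 1": PIHOLE_IP})
    # Same layout but with the Pi-hole left out of the No Filtering list.
    pihole_unlisted = replace(pihole, client_filters={BYPASS_MAC: "No Filtering"})
    return {
        # Router mode sends everyone to the router, which forwards to WAN DNS:
        # the OpenDNS servers in the DHCP fields are never used.
        "original_other": effective_path(original, OTHER_MAC),
        "original_bypass": effective_path(original, BYPASS_MAC),
        "corrected_other": effective_path(corrected, OTHER_MAC),
        "corrected_bypass": effective_path(corrected, BYPASS_MAC),
        # A client that hard-codes 1.1.1.1 is still forced through the router.
        "corrected_hardcoded": effective_path(corrected, OTHER_MAC, client_dns="1.1.1.1"),
        "pihole_other": effective_path(pihole, OTHER_MAC),
        "pihole_bypass": effective_path(pihole, BYPASS_MAC),
        # The Pi-hole's own upstream queries to OpenDNS pass untouched...
        "pihole_self": effective_path(pihole, PIHOLE_MAC, client_dns=OPENDNS[0]),
        # ...unless it is not excluded, in which case they are redirected to itself.
        "pihole_self_unlisted": effective_path(pihole_unlisted, PIHOLE_MAC, client_dns=OPENDNS[0]),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:22s} -> {' -> '.join(path)}")
```

The first two results show why the original layout never reached OpenDNS: with the global mode on Router, every client's DNS is redirected to the router, and the router forwards to whatever is in the WAN fields. The last result is the self-filtering loop shabbs warns about when the Pi-hole is missing from the No Filtering list.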

robbo56

Occasional Visitor
Makes sense what you said, shabbs, but what I want is the best of both worlds: all clients to benefit from the ad filtering of Pi-hole, but some clients then go to OpenDNS whilst others can go to Google. Not sure if that was clear in my question. I can't actually see how this can be achieved, because once queries go to Pi-hole the router loses the ability to do filtering. Maybe there is some other approach?
 

shabbs

Senior Member
Makes sense what you said, shabbs, but what I want is the best of both worlds: all clients to benefit from the ad filtering of Pi-hole, but some clients then go to OpenDNS whilst others can go to Google. Not sure if that was clear in my question. I can't actually see how this can be achieved, because once queries go to Pi-hole the router loses the ability to do filtering. Maybe there is some other approach?
Ahhh... yes, I see now. So you want all requests initially filtered by Pi-hole (via DNSFilter) and then you want conditional upstream DNS depending on the client.

You may be able to achieve that using two different Pi-holes. Have one Pi-hole configured for OpenDNS upstream and the other configured for Google DNS upstream.

You'd have to control it using manually assigned IPs and give specific clients the DNS for the Pi-hole they need.

That may do it. Not very elegant. There may be a better way. That's just off the top of my head.
 
