DNS Server Settings and Priority with Guest Network Pro?

jksmurf

Very Senior Member
Apologies if this has been covered before, I didn’t quite find a simple explanation for my feeble brain, it’s 3am, can’t sleep.

This came about because I happened to be on my IoT SSID and noted I was getting adverts (I use Diversion). I don’t get these on my main network.
  • I currently do not have any values in LAN/DHCP as the tool tip says you can leave it blank.
  • I currently have WAN DNS set to cloudflare and I have the same cloudflare settings as DNS for my IoT network.
With GNP, the presence of the ads on the IoT network had me starting to wonder if I’ve configured one or more of these three locations incorrectly?

Is my understanding correct, that if you route the IoT network via the primary lan that will also block ads? If so, which settings should I change? Should I leave the IoT DNS blank and assume it goes through primary? I’m a wee bit confused as to order and priority. I do not recall the old Guest Network having DNS settings.
 

What does the IoT client indicate its DNS server(s) are? Do they match what you have configured in the Guest Network Pro Profile's DNS fields? It would appear that by using the same DNS addresses in the Guest Network Pro Profile's DNS fields you may be bypassing the router's Diversion. Try removing those Guest Network Pro Profile DNS values and see what happens. Or set them to the router to see if Diversion kicks in and blocks ads on the IoT devices.

Are you using DNS Director? You can enable DNS Director and set the DNS redirection rule for Guest Network Pro Profile(s) to router which I assume would then route to Diversion.
 
Apologies if this has been covered before, I didn’t quite find a simple explanation for my feeble brain, it’s 3am, can’t sleep.

This came about because I happened to be on my IoT SSID and noted I was getting adverts (I use Diversion). I don’t get these on my main network.
  • I currently do not have any values in LAN/DHCP as the tool tip says you can leave it blank.
  • I currently have WAN DNS set to cloudflare and I have the same cloudflare settings as DNS for my IoT network.
With GNP, the presence of the ads on the IoT network had me starting to wonder if I’ve configured one or more of these three locations incorrectly?

Is my understanding correct, that if you route the IoT network via the primary lan that will also block ads? If so, which settings should I change? Should I leave the IoT DNS blank and assume it goes through primary? I’m a wee bit confused as to order and priority. I do not recall the old Guest Network having DNS settings.
IIRC this has already been discussed in the addons forum. I think @dave14305 provided a workaround for the problem.
 
What does the IoT client indicate its DNS server(s) are?
Not sure where I find these?
Do they match what you have configured in the Guest Network Pro Profile's DNS fields?

It would appear that by using the same DNS addresses in the Guest Network Pro Profile's DNS fields you may be bypassing the router's Diversion. Try removing those Guest Network Pro Profile DNS values and see what happens. Or set them to the router to see if Diversion kicks in and blocks ads on the IoT devices.
Will do and will get back to this thread.
[EDIT] that’s a no, it doesn’t work. Set it to Default, hit apply, joined IoT SSID again, got ads.

Are you using DNS Director? You can enable DNS Director and set the DNS redirection rule for Guest Network Pro Profile(s) to router which I assume would then route to Diversion.
Nope not using that. Never found the need to.
 
Not sure where I find these?
You would check the network settings of the client device connected to the IoT network to see what it indicates for DNS servers. Some IoT devices hard code their own DNS servers which can potentially cause the IoT device to bypass the router. One solution to that bypass issue is to use DNS Director to force all Guest Network Pro Profile clients to use a specific DNS server or use the router.
 
Thanks will try to find it if Dave hasn’t cropped up by then.
This is probably the thread I was thinking about:
 
This is probably the thread I was thinking about:
I applied this solution and it worked great BUT it took me a VERY LONG time to do it as I couldn't locate the file dnsmasq-sdn.postconf at first.

Here is what I did for future reference for anyone to use:
==================================
ssh to router

cd /jffs/scripts

check if dnsmasq-sdn.postconf already exists: ls -la or ll

if not found: create one

Code:
nano dnsmasq-sdn.postconf
<---- to create a file

then enter the following:

Code:
#!/bin/sh

CONFIG="$1"
. /usr/sbin/helper.sh
pc_delete "servers-file=" "$CONFIG"
pc_append "server=192.168.x.1" "$CONFIG" # make sure to change "x" to your router ip

press ctrl+x to exit
y to save
press enter to confirm file name to write to: dnsmasq-sdn.postconf

restart dnsmasq:
Code:
service restart_dnsmasq

if file "dnsmasq-sdn.postconf" already exists, i would guess we would just add the following: anyone can correct me if i am wrong

Code:
CONFIG="$1"
. /usr/sbin/helper.sh
pc_delete "servers-file=" "$CONFIG"
pc_append "server=192.168.x.1" "$CONFIG" # make sure to change "x" to your router ip

Note:
dns set to default in both guest networks
I don't have dns director enabled. I only use the DOT configured manually in WAN

Downsides of this workaround:
- mem utilization went up a bit, just 2% (58% to 60%) <---- but hey, as they say in linux "unused memory is wasted memory, so!! lol"

- dns queries for guest networks (2.4ghz and 5 ghz) are showing fine in diversion, BUT it is showing that it is coming from the router ip rather than the client ip

i hope there will be a simpler solution that can be implemented in the future.
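
Added example, not part of the post above and not the firmware's own code: it applies the same two edits the dnsmasq-sdn.postconf script makes to a constructed guest-network config and checks the result, so the effect can be seen off-router. The `*_sim` helpers are simplified stand-ins for `pc_delete`/`pc_append`, and the interface name, addresses and file path in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Runs on any POSIX shell, off-router.

# Simplified stand-ins for pc_delete / pc_append from /usr/sbin/helper.sh:
# delete every line containing a literal string; append one line.
pc_delete_sim() { grep -vF -- "$1" "$2" > "$2.tmp" || true; mv "$2.tmp" "$2"; }
pc_append_sim() { printf '%s\n' "$1" >> "$2"; }

# The same two edits the thread's dnsmasq-sdn.postconf makes.
# $1 = config file, $2 = router LAN address
apply_workaround() {
    pc_delete_sim "servers-file=" "$1"
    pc_append_sim "server=$2" "$1"
}

# Print a verdict and return 0 only when the config forwards to the router.
check_sdn_conf() {
    if grep -q '^servers-file=' "$1"; then
        echo "UNPATCHED: servers-file= present, upstream servers are read from that file"
        return 1
    fi
    if ! grep -qxF "server=$2" "$1"; then
        echo "MISSING: no server=$2 line"
        return 1
    fi
    echo "OK: queries are forwarded to $2"
}

# Constructed guest-network config; interface, addresses and path are made up.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
interface=br52
dhcp-range=br52,192.168.52.2,192.168.52.254,255.255.255.0,86400s
servers-file=/tmp/resolv.dnsmasq
no-resolv
EOF
    echo "$f"
}

ROUTER_IP=192.168.50.1          # constructed; use your router's LAN address
conf=$(make_sample)
check_sdn_conf "$conf" "$ROUTER_IP" || true    # before: UNPATCHED
apply_workaround "$conf" "$ROUTER_IP"
check_sdn_conf "$conf" "$ROUTER_IP" || true    # after: OK
rm -f "$conf"
```

On the router itself, a script in /jffs/scripts/ also has to be executable (`chmod a+rx`) and custom scripts have to be enabled under Administration > System, otherwise the firmware never runs it.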
 
i hope there will be a simpler solution that can be implemented in the future.
Me too, but thanks for that :) all the same. Just a quick q, if you have (as I do) your DHCP reservations in dnsmasq-1.conf.add and dnsmasq-2.conf.add in /jffs/config/ instead of using dnsmasq-sdn.postconf (I only see dnsmasq.postconf in /jffs/scripts/), then I guess this all looks very different?
 
Me too, but thanks for that :) all the same. Just a quick q, if you have (as I do) your DHCP reservations in dnsmasq-1.conf.add and dnsmasq-2.conf.add in /jffs/config/ instead of using dnsmasq-sdn.postconf (I only see dnsmasq.postconf in /jffs/scripts/), then I guess this all looks very different?
I never touched anything under /jffs/configs/, and I don’t have dnsmasq-2.conf.add or dnsmasq-1.conf.add there. Honestly, I’m not even sure what the dnsmasq-#.conf.add files are really for. I’ve only worked under /jffs/scripts/.

Same here — the only file I had in /jffs/scripts/ was dnsmasq.postconf, and I didn’t touch that either. I ended up creating dnsmasq-sdn.postconf manually. From what I can tell, dnsmasq-sdn.postconf and dnsmasq.postconf are completely different. At first, I was confused too — I only saw dnsmasq.postconf, so I assumed that was the one I needed. I added the workaround, restarted dnsmasq, but nothing worked. I must’ve tried it a dozen times, lol.

When I re-read the referenced post, I noticed they mentioned dnsmasq-sdn.postconf, not dnsmasq.postconf. I remembered seeing dnsmasq-sdn.postconf mentioned somewhere before and eventually found it in Merlin’s 3006.102.1 (28-Jun-2024) changelog. That’s when I realized that was the file I needed to work with. Since it didn’t exist, I created it — and I wasn’t totally sure where it should go, but seeing dnsmasq.postconf under /jffs/scripts/ made me put it there.

Everything is working great so far except the two downsides I mentioned previously. The memory remark isn't a big deal for me really, BUT the other one is confusing only for tracking purposes.
 
Everything is working great so far except the two downsides I mentioned previously.
Thank you for the detailed explanation, much appreciated..
 
Honestly, I’m not even sure what the dnsmasq-#.conf.add files are really for.
The Asus-Merlin 3006.102.4 Beta thread has a lot of discussion on the dnsmasq-sdn.postconf and dnsmasq-x.conf.add files.
One use for the dnsmasq-x.conf.add file is to set manual IP reservations for Guest Network Pro clients rather than using the Guest Network Pro profile GUI to set those reservations. Made it simple to bring over the manual IP reservations I had under YazFi 3004.388.x firmware, to the Guest Network Pro profiles since YazFi isn't supported on the 3006.102.x firmware. There is some discussion in that Beta thread on why I ended up using dnsmasq-x.conf.add over dnsmasq-sdn.postconf.

If I remember right, there is an Asus-Merlin Wiki page somewhere that mentions the dnsmasq-sdn.postconf and dnsmasq-x.conf.add file usage in the 3006 firmware. Edit: The wiki page:
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-config-files
 