DNSFilter does not work unless "DNS Server 1" is entered on DHCP Server tab?


DeepWoods

Occasional Visitor
I find that DNSFilter does NOT work unless I specify "DNS Server 1" or "DNS Server 2" on the DHCP Server tab?
If the router IP address is the DNS server for the client, the DNSFilter function does not work. It skips DNS filtering! Is this intended? I don't think so...

If I specify a DNS server for "DNS Server 1" on the DHCP Server tab (e.g. 1.1.1.1), the DNSFilter function works properly (either applying the global or custom filter and not actually using 1.1.1.1). If the "DNS Server 1/2" fields are empty, or even if I enter "192.168.1.1" for "DNS Server 1", it does not work (the global or custom filter mode does not apply)... Strange!

I have an AX86U which was first commissioned, from scratch, for 386.1. I am now running 386.2, but this is not new (I was just trying to resolve it).
I believe that I had entered an IP for DNS Server 1, in order to get DNSFilter to function (by trial and error, messing around), but I would really like the DNS Server to be the router... Since all clients either get the global OpenDNS filter, or a custom filter, applied I can survive with this "hack" (it does no harm). I just want to remove this strange "quirk" in my configuration. Why won't DNSFilter "kick in" when the Router's IP address is the DNS Server?

Interestingly, when I specify a DNS server for "DNS Server 1" and then a client MANUALLY assigns 192.168.1.1 as the DNS server, then the DNSFilter function works properly (as it should, capturing all DNS requests wherever a client attempts to go).

I have not reset my router configuration from scratch and would prefer not to. I was wondering if anyone had tips on how to figure out what is wrong before investing the time in a full nuke (and I don't even know if that will fix it). I have searched for this specific problem and I haven't found any other example of it.

Any ideas?
 

dave14305

Part of the Furniture
When DNS Filter is in Router mode, and the LAN DHCP DNS 1 server is blank, the router IP is used as the enforced DNS destination. This means that everything is ultimately forwarded to the WAN DNS servers.

What kind of filtering do you want to do?
 

shabbs

Senior Member
What entry do you have in your WAN DNS?
 

DeepWoods

Occasional Visitor
Some answers:
My global filter is OpenDNS home. This keeps things safe for the kids.
I have several headless devices set up with "No Filtering" (generally appliances and whatnot, so they don't pollute OpenDNS stats).
I have a few clients which are re-directed to a pihole (to turn off ads on iPhones), which is later re-directed to Open DNS.

Everything is actually working fine. I am just curious why I need to enter an IP address for DNS Server 1 in order for the DNSFilter function to work at all. Is this the case for all people using Merlin's DNSFilter function or just me? I thought that I could leave the DNS Server 1 and 2 blank, have all clients "believe" that they are using 192.168.1.1, and have them filtered to the appropriate DNS server by the DNSFilter function.

Also as explained above, if DNS Server 1 is set to the router's IP address (as a wacky test), it does not filter anything. If I have DNS Server 1 configured for 1.1.1.1 but a client enters the router DNS (192.168.1.1) in an attempt to override it, it still gets filtered. In theory, it should not be necessary for me to configure anything under DNS Server 1 or 2.

Why do I need to enter an IP address for DNS Server 1 on the DHCP server tab in order for DNSFilter to work?

I also don't know where a DNS request would go if I selected "No Filtering"? Would that go to to the IP entered into "DNS Server 1"? And what would the Filter Mode "Router" use as the DNS Server upstream (the one provided by my ISP)?

Regarding WAN DNS, here is my config:
(screenshot of the WAN DNS settings attached: 1617826982094.png)
 

dave14305

Part of the Furniture
Please post a screenshot of the DNS Filter page. You can omit the device names if you consider them sensitive, but keep the DNS filter option visible.
 

shabbs

Senior Member
I've always put DNS entries for my LAN DHCP DNS Server entries.
Is that not the standard? Why do people like to leave those blank?
 

dave14305

Part of the Furniture
I've always put DNS entries for my LAN DHCP DNS Server entries.
Is that not the standard? Why do people like to leave those blank?
When they are blank, the router IP becomes the default DNS server and allows for features like ad-blocking (e.g. Diversion), and resolution of local DNS names for clients.
 

shabbs

Senior Member
When they are blank, the router IP becomes the default DNS server and allows for features like ad-blocking (e.g. Diversion), and resolution of local DNS names for clients.
I got that, but if they don't have those components installed, won't it just end up using the WAN DNS as its ultimate resolver?
 

dave14305

Part of the Furniture
I got that, but if they don't have those components installed, won't it just end up using the WAN DNS as its ultimate resolver?
Yes it will, but not if you directly specify LAN DHCP DNS servers.
 

shabbs

Senior Member
Yes it will, but not if you directly specify LAN DHCP DNS servers.
OK - my understanding is in line. In DeepWoods' case the WAN DNS is getting it right from the ISP.

But even DNSFilter should catch that.
 

john9527

Part of the Furniture
I've always put DNS entries for my LAN DHCP DNS Server entries.
Is that not the standard? Why do people like to leave those blank?
In general, the LAN DHCP DNS server entries should always be left blank. If entered, these servers will be pushed to the clients during DHCP, bypassing the router for DNS requests (no local DNS resolution, no local caching by dnsmasq, unable to use addons that rely on dnsmasq like Diversion, unable to use DoT).

When these are blank, the router IP will be pushed to the clients as the DNS server. The router dnsmasq will then use either the servers specified on the WAN DNS server page (user entered or ISP default) or the DoT servers if configured, while also providing local name resolution.

This behavior can then be changed on a client-by-client basis with DNSFilter.
 

shabbs

Senior Member
Guess I've been using Pi-holes on my LAN for ad blocking for so long it's just always been the way, populating those entries with the IP addresses of my Pi-holes.
 

DeepWoods

Occasional Visitor
Is anyone successfully using the DNSFilter function without entering an IP address into "DNS Server 1" on the DHCP server page?
Since shabbs is using "DNS Server 1" as his pihole, then DNSFilter should work for him (if he uses it).

I don't know how it will help, but below is a capture of my DNSFilter tab.
Note that 192.168.1.10 is my Pi-hole. I only re-direct things like phones and tablets to Pi-hole, since browsers on computers can take care of their own ads (and I don't want to spend too much time tweaking the ads that I want to get past the Pi-hole, so anyone can always resort to a browser on a PC/laptop to avoid the Pi-hole). I mostly use "Custom 1" for stuff I want to avoid OpenDNS. I was thinking that "No Filtering" would use the DNS Server from the ISP, but with me entering an address into "DNS Server 1", I suppose it is using that IP address for DNS (since I am giving that address to the clients). Maybe I should be specifying "Router" for the devices which I want to use the ISP-provided DNS Server?

(screenshot of the DNS Filter page attached: 1617887486182.png)
 

shabbs

Senior Member
For "No Filtering", if you don't have an entry for DNS Server 1 in your DHCP, then yeah, it will use the Router for DNS, which will end up being your WAN DNS from your ISP. But if the client has manually entered their own DNS entry on their system, that one will be used, I believe.

You have quite the mix of filtering modes there. Is your Pi-hole working fine with that filtering mode? I've got all my Pi-holes set to "no filter" and have OpenDNS configured as the upstream in the Pi-hole settings.
 

DeepWoods

Occasional Visitor
For "No Filtering", if you don't have an entry for DNS Server 1 in your DHCP, then yeah, it will use the Router for DNS, which will end up being your WAN DNS from your ISP. But if the client has manually entered their own DNS entry on their system, that one will be used, I believe.

You have quite the mix of filtering modes there. Is your Pi-hole working fine with that filtering mode? I've got all my Pi-holes set to "no filter" and have OpenDNS configured as the upstream in the Pi-hole settings.
PiHole works just fine like this. It should be functionally equivalent to what you are doing.
 

RMerlin

Asuswrt-Merlin dev
Is anyone successfully using the DNSFilter function without entering an IP address into "DNS Server 1" on the DHCP server page?
Nearly everyone does, since by default this field is empty.
 

dave14305

Part of the Furniture
What firmware are you running? There were some oddities during the 386.2 beta phase, but all fixed before the final release. Any IPv6 on your network?
 

DeepWoods

Occasional Visitor
What firmware are you running? There were some oddities during the 386.2 beta phase, but all fixed before the final release. Any IPv6 on your network?
Running 386.2, dirty upgrade from fresh install of 386.1 on an AX86U.
No IPv6.

Merlin says that I am the outlier here, so it appears that I am going to need to reset everything to factory defaults and see if that fixes it.
 

shabbs

Senior Member
@DeepWoods is it only certain scenarios that don't work? Or is it that DNS filtering is not working for anyone when you don't have an entry there?
 

dave14305

Part of the Furniture
I’d be interested in the following output before and after removing LAN DHCP DNS entries:
Bash:
iptables -t nat -S | grep DNS
grep DNS /tmp/nat_rules
 
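The two commands dave14305 asks for show the NAT rules DNSFilter installs, and reading them is the quickest way to settle the question in this thread: john9527's explanation (router IP pushed by DHCP, dnsmasq forwarding to the WAN or DoT servers, DNSFilter overriding per client) is implemented as DNAT rules on port 53, so a client's own DNS setting is irrelevant for anything except a "No Filtering" (RETURN) entry. The script below is an added example, not code from this thread or from the Asuswrt-Merlin project. It parses the shape of `iptables -t nat -S` output (a DNSFILTER chain hooked from PREROUTING, per-client `-m mac --mac-source` matches, DNAT or RETURN targets, and a catch-all default) and reports where each client's queries really land. The sample rule set, the chain name, the router address 192.168.1.1 and the WAN DNS address are all constructed assumptions; check them against what your router actually prints before trusting the output.

```python
"""Audit DNSFilter-style NAT rules from the output of `iptables -t nat -S`.

Added example for this thread; it is not code from the thread or from the
Asuswrt-Merlin project. The sample rule set below is CONSTRUCTED to mirror the
general shape of DNSFilter rules as the thread describes them (a dedicated
chain hooked from PREROUTING on port 53, per-client `-m mac --mac-source`
matches, DNAT or RETURN targets, and a catch-all default). Chain name, option
order and all addresses are assumptions; adapt the regex to your router.
"""
import re
from typing import Dict, List, Optional, Tuple

ROUTER_IP = "192.168.1.1"        # assumed LAN address of the router (as in the thread)
WAN_DNS = ["203.0.113.53"]       # assumed ISP-provided WAN DNS (documentation range)

# Constructed sample output, not captured from a real router.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-N DNSFILTER
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source 00:11:22:33:44:55 -j DNAT --to-destination 192.168.1.10
-A DNSFILTER -m mac --mac-source 66:77:88:99:AA:BB -j RETURN
-A DNSFILTER -m mac --mac-source CC:DD:EE:FF:00:11 -j DNAT --to-destination 192.168.1.1
-A DNSFILTER -j DNAT --to-destination 208.67.222.222
"""

# One DNSFILTER rule: optional MAC match, then DNAT (with a destination) or RETURN.
RULE_RE = re.compile(
    r"^-A DNSFILTER"
    r"(?:\s+-m mac --mac-source (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}))?"
    r"\s+-j (?P<target>DNAT|RETURN)"
    r"(?:\s+--to-destination (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?)?"
)


def parse_dnsfilter(rules: str) -> Tuple[Dict[str, Optional[str]], Optional[str]]:
    """Return ({mac: DNAT ip, or None for RETURN}, default DNAT ip or None)."""
    per_mac: Dict[str, Optional[str]] = {}
    default: Optional[str] = None
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        mac, target, dst = m.group("mac"), m.group("target"), m.group("dst")
        if mac is None:
            if target == "DNAT":
                default = dst            # catch-all rule: the global filter
        else:
            per_mac[mac.upper()] = None if target == "RETURN" else dst
    return per_mac, default


def effective_dns(client_mac: str, client_chosen_dns: str,
                  per_mac: Dict[str, Optional[str]], default: Optional[str]) -> str:
    """Where a port-53 query from this client lands after PREROUTING.

    DNAT rewrites the destination no matter what the client typed into its own
    DNS settings; only a RETURN ("No Filtering") leaves the client's choice alone.
    """
    mac = client_mac.upper()
    if mac in per_mac:
        dst = per_mac[mac]
        return client_chosen_dns if dst is None else dst
    return default if default is not None else client_chosen_dns


def resolver_chain(first_hop: str) -> List[str]:
    """Follow the query one hop further: dnsmasq on the router forwards to WAN DNS."""
    return [first_hop] + (WAN_DNS if first_hop == ROUTER_IP else [])


def audit(rules: str) -> Dict[str, List[str]]:
    """Summarise which clients are custom-filtered, unfiltered, or in Router mode."""
    per_mac, default = parse_dnsfilter(rules)
    report: Dict[str, List[str]] = {"router_mode": [], "unfiltered": [], "custom": []}
    for mac, dst in per_mac.items():
        if dst is None:
            report["unfiltered"].append(mac)
        elif dst == ROUTER_IP:
            report["router_mode"].append(mac)   # answered by dnsmasq, i.e. WAN DNS
        else:
            report["custom"].append(mac)
    report["default"] = [default] if default else []
    return report


if __name__ == "__main__":
    per_mac, default = parse_dnsfilter(SAMPLE_RULES)
    for mac, chosen in [("00:11:22:33:44:55", "1.1.1.1"),
                        ("66:77:88:99:aa:bb", "1.1.1.1"),
                        ("cc:dd:ee:ff:00:11", "8.8.8.8"),
                        ("de:ad:be:ef:00:01", "192.168.1.1")]:
        hop = effective_dns(mac, chosen, per_mac, default)
        print(f"{mac} asked {chosen:<12} -> {' -> '.join(resolver_chain(hop))}")
    print(audit(SAMPLE_RULES))
```

Run it once with the DHCP DNS fields populated and once with them blank, pasting the real `iptables -t nat -S | grep DNS` output in place of the constructed sample, and compare the two reports: if a client sits in "router_mode" its queries are answered by dnsmasq on the router and therefore end at the WAN (or DoT) servers, which is the behaviour dave14305 describes, not a failure of DNSFilter. The last sample client shows the other point made in the thread: a machine with no per-MAC rule that hard-codes 192.168.1.1 is still rewritten to the global filter because the DNAT happens before the packet reaches dnsmasq.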
