
DNSFilter Exclusion "Not Working"

Discussion in 'Asuswrt-Merlin' started by Toot4fun, Dec 7, 2018 at 9:00 PM.

  1. Toot4fun

    Toot4fun Occasional Visitor

    Joined:
    Dec 13, 2015
    Messages:
    21
    I recently started having trouble with DNSFilter and I'm hoping that it's something stupid on my side. I put not working in quotes because it's actually working too well. Here's my setup:
    • Running 384.8 on an RT-AC68U
    • WAN --> WAN DNS Setting DNS Server1 and Server2 are set to OpenDNS servers (my intention is to default to sending traffic there and use DNSFilter to bypass and use Google as necessary).
    • LAN --> DNSFilter is on.
      • Global Filter Mode is OpenDNS Home
      • Custom 1 is 8.8.8.8
      • Custom 2 is 8.8.4.4
      • Custom 3 is 4.2.2.5
    • My client list is long (37), but I don't exceed the 64 maximum
    • Clients are selected from the drop-down and Filter Mode is set to Custom 1 (changing this to 2 or 3 doesn't change the end result).
    For the most part, this works as designed. However, my wife's iPhone is always going to OpenDNS, regardless of the fact that the MAC is in the exception list (other devices in the list bypass as expected). I've tried removing and readding, rebooting the router, and just upgraded the firmware tonight in the off chance that would help. As soon as I turn DNSFilter off (and set the WAN DNS to Google instead of OpenDNS), her phone works without an issue. But as soon as I turn it back on, she gets blocked. I'm thinking that maybe something got borked at a lower level, but I'm not sure of which files I should be looking at to validate that the exceptions on the GUI match what's in the file (or if this is even relevant).

    As always, any help would be greatly appreciated. Thank you!!
     
  2. dave14305

    dave14305 Regular Contributor

    Joined:
    May 19, 2018
    Messages:
    115
    Code:
    nvram get dnsfilter_rulelist
    cat /tmp/nat_rules
    Run these with DNS filter enabled how you want it and check these commands to see if all the entries are there.
     
  3. DroidST

    DroidST Regular Contributor

    Joined:
    Apr 7, 2015
    Messages:
    99
    I have this setup essentially.

    If you want OpenDNS as the default, don't put clients in the exception list at all that you want to use the default DNS (OpenDNS).
    Unless I am reading wrong what you are wanting, remove the clients in the DNSFilter Client List that you have set to Custom1. I ran into a few odd issues doing that.

    I would then add the clients that you want to set different DNS settings to in the DNSFilter Client List and set them to 'No Filtering'. On each of those clients, set static DNS servers for the ones you want. You still control which client bypasses the default OpenDNS (and those clients can get more than one DNS if the primary fails), you just have to do one more step on each of those clients, setting the DNS servers you want on that client.
     
    Last edited: Dec 7, 2018 at 9:27 PM
  4. dave14305
    If there are 37 exceptions for using OpenDNS, how many clients are actually using OpenDNS? Can you flip your logic around to use fewer client exceptions?
     
  5. Toot4fun
    @dave14305 That's a very valid question and here's the logic behind it: I have young kids/nieces/nephews that come to the house and are on my network. As they get new phones, devices, etc. I don't want to have to worry about selectively limiting them, so I'm defaulting to limiting by default and bypassing OpenDNS as needed.
     
  6. DroidST
    That is why the default and Global Filtering Mode is set to OpenDNS, all clients are forced to use OpenDNS*** unless they are added to the DNSFilter Client List with 'No Filter'. I only have 10 clients in that list set to 'No Filter' and 30+ clients (and any new ones that I don't know of***) using the default.

    I am not even sure you need to set the WAN DNS servers to OpenDNS when the Global Filter Mode is set to OpenDNS Home but I manually added them under WAN.

    *** that is if the client is not using something like 1.1.1.1's android/ios app or another vpn.
     
  7. dave14305
    So back to the issue of the rule set, did you check those commands to see if all your entries are there?

    I’d also be interested in the output of:
    Code:
    nvram get dnsfilter_rulelist | wc -c
    which will count the characters in that variable to see if you’re hitting the hard max for nvram.
     
  8. Toot4fun
    Yes, and here are my results:
    Code:
    nvram get dnsfilter_rulelist
    
    <>98:9E:XX:XX:XX:XX>8<>3C:D9:XX:XX:XX:XX>8<> ... C4:98:XX:XX:XX:XX>8
    
    Code:
    cat /tmp/nat_rules (MACs are scrubbed)
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :VSERVER - [0:0]
    :LOCALSRV - [0:0]
    :PUPNP - [0:0]
    :VUPNP - [0:0]
    :DNSFILTER - [0:0]
    :PCREDIRECT - [0:0]
    -A PREROUTING -d 24.194.###.### -j VSERVER
    -A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
    -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
    -A DNSFILTER -m mac --mac-source 98:9E: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 3C:D9: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 00:13: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 68:54: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source F0:03: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 74:75: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source B0:72: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 00:24: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 60:33: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 5C:AA: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 94:9F: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 94:9F: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 10:AE: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 64:52: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 04:C9: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 00:19: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 02:1C: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 00:21: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source C8:3A: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source B8:3E: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 08:05: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source CC:6E: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source C0:A6: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 00:E0: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 3C:D9: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source D8:31: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -m mac --mac-source C4:98: -j DNAT --to-destination 8.8.8.8
    -A DNSFILTER -j DNAT --to-destination 208.67.222.222
    -A VSERVER  -p tcp -m tcp --dport 57331 -j DNAT --to 192.168.1.151
    -A VSERVER -j VUPNP
    -A POSTROUTING -o eth0 -j PUPNP
    -A VSERVER -j LOCALSRV
    -A VSERVER -j DNAT --to 192.168.1.203
    -A POSTROUTING  -o eth0 ! -s 24.194.###.### -j MASQUERADE
    -A POSTROUTING  -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
    COMMIT
    Code:
    nvram get dnsfilter_rulelist | wc -c
    820
    And yes, the device I'm having issues with is the last C4:98: entry.

    As a side note, I updated my WAN --> WAN DNS Setting --> Connect to DNS Server automatically to Yes, which based on DroidST's comment shouldn't matter.
     
    Last edited: Dec 7, 2018 at 10:00 PM
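The checks dave14305 suggested (dump `dnsfilter_rulelist`, compare it with the DNSFILTER lines in `/tmp/nat_rules`, count the variable's size) can be scripted so they run offline on pasted output. The script below is an added example, not code from the thread or from Asuswrt-Merlin; it assumes the entry layout visible above (`<name>MAC>mode`, entries split on `<`) and the MACs, names and rule text in its samples are constructed test values. It parses the rule list, reports duplicate MACs (a duplicate is harmless for DNAT but tells you the list is bigger than it needs to be), flags malformed MACs, reports the byte count, and lists MACs that appear in the rule list but have no `--mac-source` rule in the nat dump.

```shell
#!/bin/sh
# Added example (not Asuswrt-Merlin code): sanity-check a dnsfilter_rulelist value
# against the DNSFILTER rules the firewall actually loaded. On a live router use:
#   rulelist_duplicates "$(nvram get dnsfilter_rulelist)"
#   rulelist_missing_rules "$(nvram get dnsfilter_rulelist)" "$(cat /tmp/nat_rules)"

# Constructed sample rule list. Entry layout assumed from the thread: <name>MAC>mode.
# The last entry repeats the phone's MAC; the tv has no matching rule in the nat sample.
SAMPLE_RULELIST='<laptop>02:00:00:00:00:01>8<phone>02:00:00:00:00:02>8<tv>02:00:00:00:00:03>8<>02:00:00:00:00:02>8'

# Constructed excerpt in the /tmp/nat_rules layout shown in the thread.
SAMPLE_NAT_RULES='*nat
:DNSFILTER - [0:0]
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source 02:00:00:00:00:01 -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 02:00:00:00:00:02 -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -j DNAT --to-destination 208.67.222.222
COMMIT'

# One "MAC mode" line per entry, MAC upper-cased so comparisons are case-insensitive.
rulelist_entries() {
    printf '%s' "$1" | tr '<' '\n' | awk -F'>' 'NF >= 3 && $2 != "" { print toupper($2), $3 }'
}

# Number of entries in the list (the GUI's client count).
rulelist_count() {
    rulelist_entries "$1" | wc -l | tr -d ' '
}

# MACs listed more than once.
rulelist_duplicates() {
    rulelist_entries "$1" | awk '{ n[$1]++ } END { for (m in n) if (n[m] > 1) print m }' | sort
}

# MACs that are not six colon-separated hex octets (a rule built from one never matches).
rulelist_malformed() {
    rulelist_entries "$1" | awk '{ print $1 }' | grep -vE '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || true
}

# Byte length of the variable, the figure compared against the nvram limit in the thread.
rulelist_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Every MAC that has a "--mac-source" rule in the DNSFILTER chain of a nat dump.
nat_rules_macs() {
    printf '%s\n' "$1" | awk '$2 == "DNSFILTER" { for (i = 1; i <= NF; i++) if ($i == "--mac-source") print toupper($(i + 1)) }' | sort -u
}

# MACs present in the rule list (arg 1) but absent from the nat dump (arg 2):
# what the GUI shows versus what iptables actually loaded.
rulelist_missing_rules() {
    {
        nat_rules_macs "$2" | sed 's/^/N /'
        rulelist_entries "$1" | awk '{ print "R", $1 }'
    } | awk '$1 == "N" { have[$2] = 1; next } !($2 in have) && !seen[$2]++ { print $2 }' | sort
}
```

Run the `missing_rules` comparison against `iptables-save -t nat` as well as `/tmp/nat_rules`, since the file is only what the firmware intended to load; the live table is what is actually filtering. A MAC that is present in both but still not taking effect is then a matching problem on the wire, not a configuration problem.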
  9. DroidST
    I have that set to 'No' as I don't want to get the ISP's (Comcast) DNS servers or the ones they want. Been setup like that for 4 years on the 68U before copying on the 86U.

    I do have OpenDNS servers entered under WAN but I don't think it matters as DNSFilter's Global settings is set to OpenDNS which I assume had their DNS servers hard coded by @RMerlin in DNSFilter's 'OpenDNS Home' Global Filter Mode preset.

     
    Last edited: Dec 7, 2018 at 10:13 PM
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,963
    Location:
    UK
    You could issue the following command and see if it matches the /tmp/nat_rules file.

    iptables-save -t nat
     
  11. Toot4fun
    I actually just changed it to No and set the Google DNS servers (8.8.8.8 and 8.8.4.4), but if I'm understanding correctly, that shouldn't matter with my DNSFilter issue.
     
  12. Toot4fun
    They don't match exactly (nat_rules has 61 lines, iptables has 67), but the DNSFILTER entries are the same.
     
  13. ColinTaylor
    They won't be exactly the same but so long as the DNSFILTER entries are the same it should be OK.
     
  14. dave14305
    You can verify if her rule is getting fired at all by running
    Code:
    iptables -t nat -v -L DNSFILTER
    and looking for the packet counts in the first columns to be non zero.
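Reading the counters by eye works for a handful of rules, but with 37 entries it is easier to parse them. The functions below are an added example, not code from the thread or from the firmware; they assume the column layout `iptables -t nat -vnxL DNSFILTER` prints (`-x` gives exact counts rather than K/M abbreviations, and the `mac` match shows up as a `MAC xx:xx:...` field), and the sample output and MACs are constructed test values. They report the packet count per client rule, the rules that have never matched, and how much traffic fell through to the catch-all.

```shell
#!/bin/sh
# Added example (not Asuswrt-Merlin code): summarise DNSFILTER chain counters.
# On a live router:
#   dnsfilter_idle_macs "$(iptables -t nat -vnxL DNSFILTER)"

# Constructed sample in the layout iptables -vnxL prints for this chain.
# The second client rule has matched nothing; the last rule is the catch-all.
SAMPLE_COUNTERS='Chain DNSFILTER (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     412      29876 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 02:00:00:00:00:01 to:8.8.8.8
       0          0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 02:00:00:00:00:02 to:8.8.8.8
    1180      85320 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.222.222'

# "MAC pkts" for every rule that carries a mac match. Rule lines start with a number.
dnsfilter_hits_by_mac() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { for (i = 1; i <= NF; i++) if ($i == "MAC") print toupper($(i + 1)), $1 }'
}

# Packet count for one MAC; prints nothing if no rule exists for it.
dnsfilter_pkts_for_mac() {
    dnsfilter_hits_by_mac "$1" | awk -v m="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '$1 == m { print $2 }'
}

# MACs whose rule has never matched a packet since the counters were last reset.
dnsfilter_idle_macs() {
    dnsfilter_hits_by_mac "$1" | awk '$2 == 0 { print $1 }'
}

# Packets that reached the catch-all DNAT (the rule without a mac match).
dnsfilter_catchall_pkts() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $3 == "DNAT" && $0 !~ /MAC/ { print $1 }'
}
```

If a client's rule stays at zero while the catch-all keeps climbing as that client browses, the packets are arriving but not carrying the MAC the rule expects; compare the address in the rule with what the router actually sees for that client in `/proc/net/arp`. Note also that these rules only see plaintext DNS on port 53, so a client running an encrypted DNS app (the 1.1.1.1 app DroidST mentions) shows up in neither counter.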
     
  15. Toot4fun
    As I was working on this, I noticed that my laptop was experiencing the same issue as the wife's iPhone. As a test, I changed the laptop to use the Router filter mode to see if that changed anything. It didn't and when I run your command above, packets and bytes are both 0 (which based on my minimal understanding isn't good).
     
  16. dave14305
    You’re also a better man than me because I don’t trust my wife to go “unfiltered” on the interweb. She’s too likely to click something she shouldn’t. ;)
     
  17. Toot4fun
    HAHA!! When I want to screw with her, I put her in the blocked group, or just pick a site like Facebook and have it show a picture of my face. I remind her all the time how lucky she is. :)
     
  18. DroidST
    What happens if you config static dns servers on your wife's client and have her DNSFilter entry set to 'No Filtering'?

    And for the heck of it, reboot the router and her client.
     
  19. Toot4fun
    No dice. I just did that with my laptop, flushed DNS, and I'm still getting OpenDNS. It's like it's ignoring anything on that page.
     
  20. dave14305
    So the global rule is working then, since it's intercepting all 53/udp DNS traffic, ignoring your laptop's ipconfig settings.
    But why not the exceptions that precede it? Is your laptop's MAC near the end of the list as well? Maybe tinker with reducing the client list to see if there's some unintended limitation (back up your router settings first).