DNSFilter Exclusion "Not Working"


Toot4fun

Occasional Visitor
I recently started having trouble with DNSFilter and I'm hoping that it's something stupid on my side. I put not working in quotes because it's actually working too well. Here's my setup:
  • Running 384.8 on an RT-AC68U
  • WAN --> WAN DNS Setting DNS Server1 and Server2 are set to OpenDNS servers (my intention is to default to sending traffic there and use DNSFilter to bypass and use Google as necessary).
  • LAN --> DNSFilter is on.
    • Global Filter Mode is OpenDNS Home
    • Custom 1 is 8.8.8.8
    • Custom 2 is 8.8.4.4
    • Custom 3 is 4.2.2.5
  • My client list is long (37), but I don't exceed the 64 maximum
  • Clients are selected from the drop-down and Filter Mode is set to Custom 1 (changing this to 2 or 3 doesn't change the end result).
For the most part, this works as designed. However, my wife's iPhone is always going to OpenDNS, regardless of the fact that the MAC is in the exception list (other devices in the list bypass as expected). I've tried removing and re-adding, rebooting the router, and just upgraded the firmware tonight in the off chance that would help. As soon as I turn DNSFilter off (and set the WAN DNS to Google instead of OpenDNS), her phone works without an issue. But as soon as I turn it back on, she gets blocked. I'm thinking that maybe something got borked at a lower level, but I'm not sure of which files I should be looking at to validate that the exceptions on the GUI match what's in the file (or if this is even relevant).

As always, any help would be greatly appreciated. Thank you!!
 
Code:
nvram get dnsfilter_rulelist
cat /tmp/nat_rules

Run these with DNS filter enabled how you want it and check these commands to see if all the entries are there.
 
I have this setup essentially.

If you want OpenDNS as the default, don't put clients in the exception list at all that you want to use the default DNS (OpenDNS).
Unless I am reading wrong what you are wanting, remove the clients in the DNSFilter Client List that you have set to Custom1. I ran into a few odd issues doing that.

I would then add the clients that you want to set different DNS settings to in the DNSFilter Client List and set them to 'No Filtering'. On each of those clients, set static DNS servers for the ones you want. You still control which client bypasses the default OpenDNS (and those clients can get more than one DNS if the primary fails), you just have to do one more step on each of those clients, setting the DNS servers you want on that client.
 
If there are 37 exceptions for using OpenDNS, how many clients are actually using OpenDNS? Can you flip your logic around to use fewer client exceptions?
 
@dave14305 That's a very valid question and here's the logic behind it: I have young kids/nieces/nephews that come to the house and are on my network. As they get new phones, devices, etc. I don't want to have to worry about selectively limiting them, so I'm defaulting to limiting by default and bypassing OpenDNS as needed.
 
If there are 37 exceptions for using OpenDNS, how many clients are actually using OpenDNS? Can you flip your logic around to use fewer client exceptions?
@dave14305 That's a very valid question and here's the logic behind it: I have young kids/nieces/nephews that come to the house and are on my network. As they get new phones, devices, etc. I don't want to have to worry about selectively limiting them, so I'm defaulting to limiting by default and bypassing OpenDNS as needed.

That is why the default and Global Filtering Mode is set to OpenDNS, all clients are forced to use OpenDNS*** unless they are added to the DNSFilter Client List with 'No Filter'. I only have 10 clients in that list set to 'No Filter' and 30+ clients (and any new ones that I don't know of***) using the default.

I am not even sure you need to set the WAN DNS servers to OpenDNS when the Global Filter Mode is set to OpenDNS Home but I manually added them under WAN.

*** that is if the client is not using something like 1.1.1.1's android/ios app or another vpn.
 
So back to the issue of the rule set, did you check those commands to see if all your entries are there?

I’d also be interested in the output of:
Code:
nvram get dnsfilter_rulelist | wc -c
which will count the characters in that variable to see if you’re hitting the hard max for nvram.
 
So back to the issue of the rule set, did you check those commands to see if all your entries are there?

I’d also be interested in the output of:
Code:
nvram get dnsfilter_rulelist | wc -c
which will count the characters in that variable to see if you’re hitting the hard max for nvram.

Yes, and here are my results:
Code:
nvram get dnsfilter_rulelist

<>98:9E:XX:XX:XX:XX>8<>3C:D9:XX:XX:XX:XX>8<> ... C4:98:XX:XX:XX:XX>8

Code:
cat /tmp/nat_rules   # MACs are scrubbed
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
:PUPNP - [0:0]
:VUPNP - [0:0]
:DNSFILTER - [0:0]
:PCREDIRECT - [0:0]
-A PREROUTING -d 24.194.###.### -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source 98:9E: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 3C:D9: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 00:13: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 68:54: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source F0:03: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 74:75: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source B0:72: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 18:B4: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 00:24: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 60:33: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 5C:AA: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 94:9F: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 94:9F: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 10:AE: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 64:52: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 04:C9: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 00:19: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 02:1C: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 00:21: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source C8:3A: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source B8:3E: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 08:05: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source CC:6E: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source C0:A6: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 00:E0: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 3C:D9: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source D8:31: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 52:C7: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source C4:98: -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -j DNAT --to-destination 208.67.222.222
-A VSERVER  -p tcp -m tcp --dport 57331 -j DNAT --to 192.168.1.151
-A VSERVER -j VUPNP
-A POSTROUTING -o eth0 -j PUPNP
-A VSERVER -j LOCALSRV
-A VSERVER -j DNAT --to 192.168.1.203
-A POSTROUTING  -o eth0 ! -s 24.194.###.### -j MASQUERADE
-A POSTROUTING  -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT

Code:
nvram get dnsfilter_rulelist | wc -c
820

And yes, the device I'm having issues with is the last C4:98: entry.

As a side note, I updated my WAN --> WAN DNS Setting --> Connect to DNS Server automatically to Yes, which based on DroidST's comment shouldn't matter.
 
As a side note, I updated my WAN --> WAN DNS Setting --> Connect to DNS Server automatically to Yes, which based on DroidST's comment should matter.

I have that set to 'No' as I don't want to get the ISP's (Comcast) DNS servers or the ones they want. It's been set up like that for 4 years on the 68U before copying it to the 86U.

I do have OpenDNS servers entered under WAN but I don't think it matters as DNSFilter's Global settings is set to OpenDNS which I assume had their DNS servers hard coded by @RMerlin in DNSFilter's 'OpenDNS Home' Global Filter Mode preset.

 
I have that set to No as I don't want to get the ISP's (Comcast) DNS servers or the ones they want.

I actually just changed it to No and set the Google DNS servers (8.8.8.8 and 8.8.4.4), but if I'm understanding correctly, that shouldn't matter with my DNSFilter issue.
 
You can verify if her rule is getting fired at all by running
Code:
iptables -t nat -v -L DNSFILTER
and looking for the packet counts in the first columns to be non zero.
 
You can verify if her rule is getting fired at all by running
Code:
iptables -t nat -v -L DNSFILTER
and looking for the packet counts in the first columns to be non zero.
As I was working on this, I noticed that my laptop was experiencing the same issue as the wife's iPhone. As a test, I changed the laptop to use the Router filter mode to see if that changed anything. It didn't and when I run your command above, packets and bytes are both 0 (which based on my minimal understanding isn't good).
 
You’re also a better man than me because I don’t trust my wife to go “unfiltered” on the interweb. She’s too likely to click something she shouldn’t. ;)
 
You’re also a better man than me because I don’t trust my wife to go “unfiltered” on the interweb. She’s too likely to click something she shouldn’t. ;)
HAHA!! When I want to screw with her, I put her in the blocked group, or just pick a site like Facebook and have it show a picture of my face. I remind her all the time how lucky she is. :)
 
What happens if you config static dns servers on your wife's client and have her DNSFilter entry set to 'No Filtering'?

And for the heck of it, reboot the router and her client.
 
What happens if you config static dns servers on your wife's client and have her DNSFilter entry set to 'No Filtering'?

And for the heck of it, reboot the router and her client.
No dice. I just did that with my laptop, flushed DNS, and I'm still getting OpenDNS. It's like it's ignoring anything on that page.
 
No dice. I just did that with my laptop, flushed DNS, and I'm still getting OpenDNS. It's like it's ignoring anything on that page.
So the global rule is working then, since it's intercepting all 53/udp DNS traffic, ignoring your laptop's ipconfig settings.
But why not the exceptions that precede it? Is your laptop MAC near the end of the list as well? Maybe tinker with reducing the client list to see if there’s some unintended limitation (backup router settings first).
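As an added example (not part of this thread or of the Asuswrt-Merlin firmware), the following Python script carries the checks suggested in the thread through on text pasted from the router. It parses `nvram get dnsfilter_rulelist`, the DNSFILTER chain in `/tmp/nat_rules` and the `iptables -t nat -v -L DNSFILTER` counters; reports the byte count that `wc -c` shows; flags client MACs that have no per-client DNAT rule and clients listed twice; flags exception rules that have never matched a packet; and replays iptables first-match order to show which DNS server a given MAC ends up at, which is why a client missing from the chain lands on the catch-all OpenDNS rule. All sample data is constructed with locally administered `02:` MACs. The entry format `<name>MAC>mode` and mode 8 as Custom 1 are taken from the thread; the nvram size limit, which the thread does not state, is left for the reader to compare against.

```python
import re
from collections import Counter

# --- constructed sample input (stands in for text pasted from the router) ---
# nvram rulelist: entries separated by '<', fields by '>': <name>MAC>mode.
# The GUI leaves the name empty ("<>98:9E:...>8" on the page). Mode 8 is
# "Custom 1" there; other mode numbers are not shown and are kept verbatim.
RULELIST = (
    "<>02:00:00:00:00:01>8"
    "<>02:00:00:00:00:02>8"
    "<>02:00:00:00:00:03>8"
    "<>02:00:00:00:00:02>8"   # constructed duplicate entry
    "<>02:00:00:00:00:04>8"   # constructed: in nvram, but no DNAT rule below
)

# Constructed excerpt of /tmp/nat_rules (iptables-save format).
NAT_RULES = """*nat
:PREROUTING ACCEPT [0:0]
:DNSFILTER - [0:0]
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source 02:00:00:00:00:01 -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 02:00:00:00:00:02 -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -m mac --mac-source 02:00:00:00:00:03 -j DNAT --to-destination 8.8.8.8
-A DNSFILTER -j DNAT --to-destination 208.67.222.222
COMMIT
"""

# Constructed `iptables -t nat -v -L DNSFILTER` output; pkts/bytes come first.
COUNTERS = """Chain DNSFILTER (2 references)
 pkts bytes target  prot opt in  out  source    destination
  412 27904 DNAT    all  --  any any  anywhere  anywhere  MAC 02:00:00:00:00:01 to:8.8.8.8
    0     0 DNAT    all  --  any any  anywhere  anywhere  MAC 02:00:00:00:00:02 to:8.8.8.8
   88  5984 DNAT    all  --  any any  anywhere  anywhere  MAC 02:00:00:00:00:03 to:8.8.8.8
 1533 99845 DNAT    all  --  any any  anywhere  anywhere  to:208.67.222.222
"""

RULE_RE = re.compile(
    r"^-A DNSFILTER(?: -m mac --mac-source (\S+))? -j DNAT --to-destination (\S+)$")
COUNTER_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+DNAT\s.*?(?:MAC\s+(\S+)\s+)?to:(\S+)\s*$")


def parse_rulelist(rulelist):
    """Return [(mac, mode), ...] in nvram order, MACs upper-cased."""
    entries = []
    for chunk in rulelist.split("<"):
        if not chunk:
            continue
        fields = chunk.split(">")
        if len(fields) < 3:
            raise ValueError("malformed dnsfilter_rulelist entry: %r" % chunk)
        entries.append((fields[1].upper(), fields[2]))
    return entries


def parse_chain(nat_rules):
    """Return the DNSFILTER chain as ordered [(mac_or_None, dnat_target), ...]."""
    chain = []
    for line in nat_rules.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain.append((m.group(1).upper() if m.group(1) else None, m.group(2)))
    return chain


def resolve(chain, mac):
    """iptables first-match semantics: the DNAT target a client with this
    source MAC gets, or None if no rule (not even a catch-all) matches."""
    mac = mac.upper()
    for rule_mac, target in chain:
        if rule_mac is None or rule_mac == mac:
            return target
    return None


def audit(rulelist, nat_rules):
    """Cross-check the nvram client list against the generated chain."""
    entries = parse_rulelist(rulelist)
    chain = parse_chain(nat_rules)
    rule_macs = {mac for mac, _ in chain if mac}
    listed = Counter(mac for mac, _ in entries)
    return {
        "entries": len(entries),
        # `nvram get` prints the value plus a newline, which `wc -c` counts
        "rulelist_bytes": len(rulelist.encode()) + 1,
        "duplicates": sorted(mac for mac, n in listed.items() if n > 1),
        "missing_from_chain": sorted(set(listed) - rule_macs),
        "catch_all": next((t for m, t in chain if m is None), None),
    }


def _count(text):
    """`iptables -v` abbreviates large counters (12K, 3M) unless -x is given."""
    mult = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def idle_exceptions(counters):
    """MACs whose per-client DNAT rule has never matched a packet."""
    idle = []
    for line in counters.splitlines():
        m = COUNTER_RE.match(line)
        if m and m.group(3) and _count(m.group(1)) == 0:
            idle.append(m.group(3).upper())
    return idle


if __name__ == "__main__":
    for key, value in audit(RULELIST, NAT_RULES).items():
        print("%-20s %s" % (key, value))
    print("idle exception rules:", idle_exceptions(COUNTERS))
    chain = parse_chain(NAT_RULES)
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:04"):
        print(mac, "-> DNS queries sent to", resolve(chain, mac))
```

Replace the three constructed strings with the real outputs pasted from the router (wrap each in a triple-quoted string). A client that appears in `missing_from_chain` never gets past the catch-all rule, which is what an always-OpenDNS client looks like; a client in `idle_exceptions` has its rule in place but its queries are not reaching it, which points at the client side (a DoH/VPN app, or traffic not arriving on port 53) rather than at the rule list.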
 