Only Redirect DNS via DNSFilter if Request Sent to Router?

[HarryMuscle]

My understanding is that VPNFilter/Director will force all DNS traffic for a specified client to be sent to a specified DNS server, regardless where the DNS request was actually directed to.

What I'm hoping to do though is change the iptable rule that does this forced redirecting and only change which DNS server gets used when a specified client sends the DNS request to the routers IP address.

Anyone done something like this before? Or maybe know which iptable rule I should be looking at changing? I know there's a DNSFILTER chain in the iptable that contains rules for sending traffic to the various servers but I'm not sure which rule actually intercepts the DNS request and sends it to the DNSFILTER chain for processing.

Thanks,
Harry

 

[drinkingbird]

My understanding is that VPNFilter/Director will force all DNS traffic for a specified client to be sent to a specified DNS server, regardless where the DNS request was actually directed to.

What I'm hoping to do though is change the iptable rule that does this forced redirecting and only change which DNS server gets used when a specified client sends the DNS request to the routers IP address.

Anyone done something like this before? Or maybe know which iptable rule I should be looking at changing? I know there's a DNSFILTER chain in the iptable that contains rules for sending traffic to the various servers but I'm not sure which rule actually intercepts the DNS request and sends it to the DNSFILTER chain for processing.

Thanks,
Harry

Just set the DNS server you want those clients to use on your WAN settings page. Any request to the router will use those DNS servers.

If you want nobody to use the router for DNS then just specify DNS servers in your DHCP settings and disable the router advertising itself as a DNS server.

DNS filter will apply no matter what DNS IP the client targets, so you can prevent the router IP from being used at all using that also.

Guess it isn't entirely clear what you want to do.

 

[HarryMuscle]

Just set the DNS server you want those clients to use on your WAN settings page. Any request to the router will use those DNS servers.

If you want nobody to use the router for DNS then just specify DNS servers in your DHCP settings and disable the router advertising itself as a DNS server.

DNS filter will apply no matter what DNS IP the client targets, so you can prevent the router IP from being used at all using that also.

Guess it isn't entirely clear what you want to do.

The goal is to control all DNS related settings for all clients from the router but allow a client to bypass this control if they want to. Different clients need to go to different servers. DNSFilter gets me almost there, just need to allow a client to bypass it if a client wants to.

 

[ColinTaylor]

DNSFilter gets me almost there, just need to allow a client to bypass it if a client wants to.

Set the client's rule to "No Redirection" in DNS Director.

 

[HarryMuscle]

Set the client's rule to "No Redirection" in DNS Director.

That would require the client's user to let me know. The idea is to send different clients to different servers but they on their own can override the default setup if they choose so.

 

[RMerlin]

That would require the client's user to let me know. The idea is to send different clients to different servers but they on their own can override the default setup if they choose so.

Assign them a specific DNS server on the DHCP static lease page. That will make them default to the DNS you specify there, and if they want to use something else, they can change it manually.

The idea behind DNS Director is specifically to enforce the use of a specific DNS, preventing clients from bypassing it.

 

[drinkingbird]

That would require the client's user to let me know. The idea is to send different clients to different servers but they on their own can override the default setup if they choose so.

There are a few different ways to redirect and do customized DNS servers. Merlin's suggestion works if you are ok with setting manual bindings for clients. You can also have a "default" setup then override it for clients that you want set differently, etc.

There is going to be some amount of manual intervention somewhere if you want different clients to get different DNS servers.

The way I have it set up is DNS Filter forces all clients to hit the router. The router WAN is then set to use cleanbrowsing (thus clients are forced to use cleanbrowsing no matter what they specify). I have exceptions configured for my own PCs (no filtering) so that I can still do nslookup to servers other than the router for troubleshooting should I want to, but since my DHCP hands out the router IP, even my own devices default to use the router and thus cleanbrowsing unless I override it.

These are all different features which can be combined to do different things.

DNS filter invisibly sets clients to use a specific DNS server (which can be the router or something else you specify). This can't be overridden without an exception rule being created. No matter what the client specifies or thinks they're seeing, it is using whatever you set them to use, they just don't know it. You can set per-client rules (up to a certain number) in addition to the global rule.

Main DHCP visibly assigns a certain DNS server to all clients. They can override it if they want (assuming DNS filter is not enabled)

DHCP manual bindings lets you assign DNS servers to specific clients. Again they can see it and override it if they want unless you have DNS filter enabled.

WAN DNS settings specify what the router (and and clients that are using the router DNS) use. Clients won't see these IPs. It can be overridden by the client unless DNS filter is enabled.

Note that if a client does a lookup to a DNS server on your LAN (doesn't pass through the router) then DNS filter doesn't do anything to them (however it can filter what that DNS server then looks up to the WAN). Similarly, if they use DOT or DOH, DNS filter can't do anything there either.

You should be able to do what you're looking to do using these features and not having to mess with IPTables or scripts etc.

 

[Crimliar]

The only way to stop my main TV from performing certain shenanigans is to use the following:

So this takes any requests for Google's DNS and redirects them to my Raspberry Pi at 192.168.127.5
Not fully what the OP is looking for...

 

[drinkingbird]

The only way to stop my main TV from performing certain shenanigans is to use the following:
View attachment 47642
So this takes any requests for Google's DNS and redirects them to my Raspberry Pi at 192.168.127.5
Not fully what the OP is looking for...

Your TV must be using DOT or DOH with Google if that works but dnsfilter doesn't (probably fails back to regular DNS with your pi since it can't establish encrypted connection).