Selective DNS routing.


repeater

Occasional Visitor
Hey fellas,

I'm trying to route / filter some hosts to "safe type" DNS. I set up custom DNS 1, 2, and 3. My main DNS is using DNSSEC to my VPN on the WAN. The filter does not seem to work for the nodes I choose. I have also tried to integrate a Pi-hole, but found that setting the secure DNS to Cloudflare didn't seem to work. At one point PIA's DNS leak check could tell I was on one of those monopoly ISPs.

My firmware is at the latest for the main router, an RT-AC86U (BEAST!), and the mesh node is an RT3100.


Besides VPN client and server I keep the setup pretty simple.


Any Ideas?

Thanks,

D
 

JaimeZX

Senior Member
Two thoughts...
1) Are you in WAN > Internet Connection > WAN DNS Setting?
If you set "DNS Privacy Protocol" to "DNS over TLS," "Strict," and then pick the servers you want, I think this will achieve your aims.
2) You don't need a PiHole, look into Diversion for that task. Add Skynet while you're at it. :)

Good luck!
 

repeater

Occasional Visitor
I set that up, thanks! What about the regular DNS servers on the WAN? Should I remove them? Also, is there a way to have DNS filtering with these?

The DNSFilter is set up on the LAN side, but does not seem to work. I set up my Mac and tried an adult site. I was not blocked as I'd hoped.

After I did your setup it displays this: "DNSFilter is enabled - anything configured there to something other than No Filtering or Router will bypass DNS Privacy servers."

I wonder what I have to change?

Thanks,
 

JaimeZX

Senior Member
> I set that up, thanks! What about the regular DNS servers on the WAN? Should I remove them? Also, is there a way to have DNS filtering with these?
Do you mean in the GUI: WAN > Internet Connection > WAN DNS Setting?
Going down the list: Yes, No, Yes, Yes, Yes, DNS over TLS, Strict.
Then add your desired DNS servers. I assume you would want CleanBrowsing 1/2 [Family] and CleanBrowsing 1/2 [Adult]. You need to add them one at a time to the list. Select the drop-down and when the data populates to the blank field, hit the +. You can also use your own servers here.

> The DNSFilter is set up on the LAN side, but does not seem to work. I set up my Mac and tried an adult site. I was not blocked as I'd hoped.
Two things: first... that is a per-device filter as opposed to "global on the LAN" which is what you get with the above. Second... some browsers do their own DNS caching, so if you had already looked up that site in the same browser previously, it may have skipped doing a DNS request and just used the IP it had pulled previously.

> After I did your setup it displays this: "DNSFilter is enabled - anything configured there to something other than No Filtering or Router will bypass DNS Privacy servers."
Right, because that is per-device. So if you set up your Mac specifically here it won't have the Global filters provided under WAN DNS Setting.

Also, if you install Diversion you'll be able to see what's going on in DNS by following the live DNSMasq log. Might also be of use.
 

bbunge

Very Senior Member
Most likely your VPN provider is overriding your DNS settings. If you do not really need to use a VPN on your entire network, don't. I have found that using a VPN on individual devices is best for me. And DNS filtering is, at best, a good try. It is very easy to defeat most DNS filters, and kids have already figured out how. Additionally, DNS over HTTPS (DoH) turned on in a modern web browser or OS will blow away your best DNS filtering efforts. For home routers I have not found a way to blacklist sites by IP address, but a Linux firewall like IPFire does a great job. You can set up IPFire on an old PC with two LAN cards and set up the content filtering to use various blacklists that update regularly.
For your AC86U using DoT to CleanBrowsing Adult may be your best bet.
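Two points in the replies above can be checked rather than guessed at: JaimeZX suggests following the live dnsmasq log to see where queries actually go, and bbunge warns that DoH in a browser or OS walks straight past the router's filter. The script below is an added example, not code from this thread, from Asuswrt-Merlin or from Diversion. It parses a constructed dnsmasq `log-queries` log, attributes each `forwarded`/`reply` line to the most recent open query for the same name (dnsmasq's default log format does not repeat the client on those lines), and then reports, per client, which upstream answered, which "filtered" clients had a query forwarded to anything other than the expected upstream, and which clients looked up a known DoH endpoint. The assumptions are labelled in the code: 127.0.1.1 is taken to be the router's local DNS-over-TLS stub listener, the DoH hostname list is a hand-picked watch list, and the log lines are made up.

```python
"""Audit a dnsmasq query log for DNS that slips past the router's filter.

Added example for this thread; not Asuswrt-Merlin, Diversion or any poster's code.
Assumptions: dnsmasq default `log-queries` line format; EXPECTED_UPSTREAM is the
local DoT stub listener (assumed 127.0.1.1); DOH_HOSTS is a constructed watch list.
"""
import re
from collections import Counter, defaultdict

EXPECTED_UPSTREAM = "127.0.1.1"            # assumption: where dnsmasq hands queries to the DoT stub
DOH_HOSTS = (                              # constructed watch list of public DoH endpoints
    "dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com",
)

# The syslog prefix ("Nov  3 20:15:01 dnsmasq[2931]: ") is ignored via re.search.
QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")
ANSWER_RE = re.compile(r"\b(?P<how>reply|cached) (?P<name>\S+) is (?P<answer>\S+)")

# Constructed sample log: one filtered-client leak, one DoH lookup, one cache hit.
SAMPLE_LOG = """\
Nov  3 20:15:01 dnsmasq[2931]: query[A] www.example.com from 192.168.1.50
Nov  3 20:15:01 dnsmasq[2931]: forwarded www.example.com to 127.0.1.1
Nov  3 20:15:01 dnsmasq[2931]: reply www.example.com is 93.184.216.34
Nov  3 20:15:07 dnsmasq[2931]: query[A] mozilla.cloudflare-dns.com from 192.168.1.73
Nov  3 20:15:07 dnsmasq[2931]: forwarded mozilla.cloudflare-dns.com to 127.0.1.1
Nov  3 20:15:07 dnsmasq[2931]: reply mozilla.cloudflare-dns.com is 104.16.249.249
Nov  3 20:15:12 dnsmasq[2931]: query[A] adult-site.example from 192.168.1.73
Nov  3 20:15:12 dnsmasq[2931]: forwarded adult-site.example to 1.1.1.1
Nov  3 20:15:12 dnsmasq[2931]: reply adult-site.example is 203.0.113.10
Nov  3 20:15:20 dnsmasq[2931]: query[AAAA] www.example.com from 192.168.1.50
Nov  3 20:15:20 dnsmasq[2931]: cached www.example.com is NODATA-IPv6
"""


def parse_dnsmasq_log(text):
    """Return one record per query: client, name, qtype, upstream (or 'cache'), answer.

    'forwarded' and 'reply' lines carry no client address, so each is attached to the
    newest still-unanswered query for the same name. Fine for a home LAN; a busy
    resolver should use dnsmasq's `log-queries=extra`, which adds a serial number.
    """
    records = []
    open_by_name = defaultdict(list)   # name -> indexes of records still awaiting an answer
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m["name"].lower()
            records.append({"client": m["client"], "name": name, "qtype": m["qtype"],
                            "upstream": None, "answer": None})
            open_by_name[name].append(len(records) - 1)
            continue
        m = FORWARD_RE.search(line)
        if m and open_by_name[m["name"].lower()]:
            records[open_by_name[m["name"].lower()][-1]]["upstream"] = m["upstream"]
            continue
        m = ANSWER_RE.search(line)
        if m and open_by_name[m["name"].lower()]:
            rec = records[open_by_name[m["name"].lower()].pop()]
            rec["answer"] = m["answer"]
            if m["how"] == "cached" and rec["upstream"] is None:
                rec["upstream"] = "cache"      # answered locally, no upstream involved
    return records


def audit(records, filtered_clients, expected_upstream=EXPECTED_UPSTREAM, doh_hosts=DOH_HOSTS):
    """Summarise upstream use per client and flag two kinds of bypass.

    leaks:       a client that should be behind the filter had a query forwarded to
                 something other than expected_upstream (e.g. a leftover plain resolver).
    doh_lookups: any client resolving a DoH endpoint; that browser/OS is about to stop
                 using the router for DNS altogether, so the filter will not see it.
    """
    upstreams = defaultdict(Counter)
    leaks, doh = [], []
    for r in records:
        if r["upstream"]:
            upstreams[r["client"]][r["upstream"]] += 1
        if r["client"] in filtered_clients and r["upstream"] not in (None, "cache", expected_upstream):
            leaks.append((r["client"], r["name"], r["upstream"]))
        if any(r["name"] == h or r["name"].endswith("." + h) for h in doh_hosts):
            doh.append((r["client"], r["name"]))
    return {"upstreams": {c: dict(u) for c, u in upstreams.items()},
            "leaks": leaks, "doh_lookups": doh}


if __name__ == "__main__":
    report = audit(parse_dnsmasq_log(SAMPLE_LOG), filtered_clients={"192.168.1.73"})
    for client, seen in report["upstreams"].items():
        print(f"{client}: {seen}")
    for client, name, upstream in report["leaks"]:
        print(f"LEAK  {client} -> {name} went to {upstream}, not {EXPECTED_UPSTREAM}")
    for client, name in report["doh_lookups"]:
        print(f"DOH   {client} looked up {name}")
```

On a Merlin router with Diversion installed, feeding the real log in (for example by piping the live dnsmasq log into `parse_dnsmasq_log`) makes the "filtered" children's machines one list and the expected upstream the DoT stub. One caveat that matches the GUI warning quoted above: a device that DNSFilter pins to an external server is redirected at the firewall before dnsmasq ever sees its queries, so such a device will simply be absent from this log rather than show up as a leak; its absence is itself the signal that it is not going through the DoT path.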
 

repeater

Occasional Visitor
I do selective routing for my VPN. I still can't get the DNSFilter to work right. I want my kids' computers to be the only ones restricted to the safe DNS.
 
