OpenDNS selective restriction

DD-WRT Forum Index -> Atheros WiSOC based Hardware
nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Fri Jul 03, 2015 22:37    Post subject: OpenDNS selective restriction
Hello,

Have been looking at this and keep finding conflicting information. Or maybe I'm not understanding the materials correctly (always a possibility with me :) ).

Need to filter content of specific devices via OpenDNS and need to have others go without this restriction. Wondering if this is possible and if so, if you can provide me with information/links.

Thank you for your assistance.
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

Posted: Sat Jul 04, 2015 0:11
supposed to be doable try http://www.linksysinfo.org/index.php?threads/assign-specific-dns-to-only-certain-clients.68865/
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55488 std
[QUALCOMM] DIR-862L --------------------------------> r55460 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Sat Jul 04, 2015 9:40
tatsuya46 wrote:
supposed to be doable try http://www.linksysinfo.org/index.php?threads/assign-specific-dns-to-only-certain-clients.68865/

Thank you for the link. That could be a good source but I need more like a "beginner's guide".

I found something that uses adding some code to Firewall but a quick question that arises is - Do I need to open an account with OpenDNS?

If as the tutorial - http://www.dd-wrt.com/wiki/index.php/OpenDNS - mentions that "Since most of us have DHCP assigned WAN IP addresses that change periodically"

what is the reason to open account with OpenDNS and not just use its server IP in our DNS entries?

Thanks,
nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Sun Jul 05, 2015 12:21
Found some more info while googling. I am using the FamilyShield DNS resolvers at 208.67.222.123 and 208.67.220.123 from OpenDNS and wanted to exclude one PC - My-PC - from this restriction. Following are my steps:

(1) Added first DNS to Local DNS in DD-WRT
(2) Added both DNS to static DNS1 and DNS2 respectively
(3) Created static lease for My-PC with mac address
(4) Added following code to Firewall:
# For My-PC, use WAN DNS
##############################################
iptables -t nat -A PREROUTING -i br0 -s My-PC -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -s My-PC -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')

# For every other client, use LAN DNS.
################################################
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

While testing I found that My-PC is also blocked from sites, as are the other devices.


Any thoughts/suggestions?

Thank you
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Tue Jul 07, 2015 8:36    Post subject: Re: OpenDNS selective restriction
nkaufman wrote:
Hello,

Have been looking at this and keep finding conflicting information. Or maybe I'm not understanding the materials correctly (always a possibility with me :) ).

Need to filter content of specific devices via OpenDNS and need to have others go without this restriction. Wondering if this is possible and if so, if you can provide me with information/links.

Thank you for your assistance.


You can exclude machine(s) from the forced DNS redirection using (!), which means "not" in Linux, together with a netmask... First make a static lease for your PC machine(s). Then try:

Code:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.30/32 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.30/32 -p tcp --dport 53 -j DNAT --to 208.67.222.222

This command will redirect all DNS (tcp/udp 53) queries except for IP 192.168.1.30...
nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Tue Jul 07, 2015 19:40    Post subject: Re: OpenDNS selective restriction
Mile-Lile wrote:
You can exclude machine(s) from the forced DNS redirection using (!), which means "not" in Linux, together with a netmask... First make a static lease for your PC machine(s). Then try:

Code:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.30/32 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.30/32 -p tcp --dport 53 -j DNAT --to 208.67.222.222

This command will redirect all DNS (tcp/udp 53) queries except for IP 192.168.1.30...

Thank you.

So basically you are stating this command will redirect all DNS (tcp/udp 53) queries except for IP 192.168.1.30 through 32.

what should I do if I have devices whose IP are not sequential? i.e. 30, 45, 87 etc.

Thanks

P.S. Why does my "quote" functionality look like it does right now?
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Wed Jul 08, 2015 6:04    Post subject: Re: OpenDNS selective restriction
nkaufman wrote:
what should I do if I have devices whose IP are not sequential? i.e. 30, 45, 87 etc.


Put static IP leases on the machines that you want to be excluded, but outside the DHCP pool... e.g. your DHCP pool is 192.168.1.100-150. Assign static leases 192.168.1.17-30; using http://www.subnet-calculator.com/ it should be like this:

Code:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.30/28 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.30/28 -p tcp --dport 53 -j DNAT --to 208.67.222.222
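An added example, not code from this thread, for the two points raised above: how to exempt hosts whose addresses are not in one contiguous block (.30, .45, .87), and what a CIDR like 192.168.1.30/28 actually covers. Instead of one negated `! -s` match, one ACCEPT rule per exempt host is appended ahead of the catch-all DNAT; in the nat table ACCEPT ends PREROUTING processing for that packet, so those hosts are never redirected. The interface br0, the exempt addresses and the FamilyShield resolvers are assumed placeholders; IPT defaults to `echo iptables` so the script only prints the rules (run it with IPT=iptables on the router to apply them):

```sh
#!/bin/sh
# Added example (not code from this thread): exempt a handful of hosts from the
# forced-DNS redirect without needing them to sit in one contiguous CIDR block,
# and check what a CIDR such as 192.168.1.30/28 actually covers.
# Assumed values (placeholders, pick your own): LAN bridge br0, exempt hosts
# .30/.45/.87, FamilyShield resolvers 208.67.222.123 and 208.67.220.123.
# IPT defaults to "echo iptables" so the rules are printed, not applied;
# run with IPT=iptables on the router to apply them.

IPT="${IPT:-echo iptables}"
LAN_IF="br0"
EXEMPT_HOSTS="192.168.1.30 192.168.1.45 192.168.1.87"
FILTER_DNS_UDP="208.67.222.123"
FILTER_DNS_TCP="208.67.220.123"

# Rules are appended (-A) in evaluation order: one ACCEPT per exempt host and
# protocol first, then the catch-all DNAT for everyone else.  ACCEPT in the nat
# table ends PREROUTING processing for that packet, so exempt hosts keep the
# resolver they asked for and never reach the DNAT rules.
build_dns_rules() {
    for host in $EXEMPT_HOSTS; do
        for proto in udp tcp; do
            $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$host" -p "$proto" --dport 53 -j ACCEPT
        done
    done
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -j DNAT --to "$FILTER_DNS_UDP"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j DNAT --to "$FILTER_DNS_TCP"
}

# Dotted quad -> 32-bit integer and back, for the CIDR arithmetic below.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
cidr_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Print the first and last address a CIDR covers.  192.168.1.30/28 is really
# 192.168.1.16-192.168.1.31: the /28 is applied to the network, it does not
# count upwards from the host address you wrote down.
cidr_range() {
    net=$(ip_to_int "${1%/*}")
    mask=$(cidr_mask "${1#*/}")
    first=$(( net & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# True (exit 0) when address $1 falls inside CIDR $2.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(cidr_mask "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Stand-alone run: show the coverage question first, then the rule set.
echo "192.168.1.30/28 covers $(cidr_range 192.168.1.30/28)"
build_dns_rules
```

Because the ACCEPT rules are per host, the exempt machines can keep any static lease you like; they just need leases so their addresses do not change under the rules. The `cidr_range` helper is there to make the earlier /28 suggestion concrete: it covers .16 to .31, so a machine at .45 would not be exempted by it.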
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Wed Jul 08, 2015 6:11
here is another solution:

https://forum.openwrt.org/viewtopic.php?id=58330
nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Wed Jul 08, 2015 12:12
Mile-Lile wrote:
here is another solution:

https://forum.openwrt.org/viewtopic.php?id=58330


Thank you for your continued help.

I'm afraid your original recommendation did not work for me (I think the above link's OP also had an issue with that).

Using the solution from the above link, I still get my PC blocked. That tells me that perhaps I'm doing something wrong before adding the code to Firewall.

Here are the exact steps that I took:
FamilyShield DNS 208.67.222.123 and 208.67.220.123
(1) Added first DNS to Local DNS in DD-WRT
(2) Added both DNS to static DNS1 and DNS2 respectively
(3) Created static lease for My-PC with mac address
(4) Added code to Firewall

Am I missing some other step like - enabling Local DNS etc. somewhere?

Thank you again for your help and guidance.
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Wed Jul 08, 2015 13:12
Ok. Let's do it like this. On the Basic/Setup page enter these values. Do not enter any DNS, local DNS etc... The router will grab it from your ISP.
Your IP pool will be 192.168.1.97-192.168.1.127, 30 IPs. Hope you do not have more than 30 machines?



Then put static lease to your PC



Then save these iptables firewall rules

Code:
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.97/27 -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.97/27 -p tcp --dport 53 -j DNAT --to 208.67.220.123




reboot router and clear caches of web browsers...

Now, your PC with static lease (192.168.1.30) will use your ISP DNS... and people from DHCP pool will use OpenDNS family shield...
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Wed Jul 08, 2015 13:13
hope you have latest build?
nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Wed Jul 08, 2015 17:44
Mile-Lile wrote:
hope you have latest build?

Thank you.

That WORKS!!

I set the router to factory configuration and just did the basic settings that KrypteX had suggested. Made a backup of these settings.

Now applied your code and see that OpenDNS is bypassed on the machine and is working on others.

Would you mind if I asked you another question since this is all tied together? With your code for OpenDNS, how do I now set up my router for AdBlock? The regular approach does not seem to be working for me.

My router info:
Router Model - TP-Link TL-WR841ND v9
Firmware Version - DD-WRT v3.0-r27456 (06/27/15) std
Kernel Version - Linux 3.18.16 #3271

Thank you again for your assistance. Couldn't have done this without your help.
h8red
DD-WRT Guru


Joined: 28 Jun 2011
Posts: 580
Location: Vilnius, Lithuania

Posted: Wed Jul 08, 2015 20:26
It is not presented nice, but should give you a clue

Startup Script:
_rogue=0.0.0.0

echo -e "n=1\nwhile ! wget -q -O /tmp/hsts http://winhelp2002.mvps.org/hosts.txt ; do\n\t[ \$n -gt 5 ] && break\n\tlet n+=1\n\tsleep 60\ndone\ngrep \"^0.0.0.0\" /tmp/hsts | grep \"^0.0.0.0\" | grep -v localhost | awk '{print \"$_rogue\\\t\"\$2}' | tr -d '\\\015' >/tmp/dlhosts\nrm /tmp/hsts\nkillall -HUP dnsmasq" >/tmp/wh

sh /tmp/wh &


Additional DNS Masquerade options:
addn-hosts=/tmp/dlhosts


Additional CronJobs:
0 12 * * * root /tmp/.rc_startup

_________________
[Ramips] Nexx WT3020F Openwrt @kernel #4.14.167 (OpenVPN server, Wireguard server, AD blocking, SQM QOS, USB)
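An added example, not h8red's script, that spells out the filtering step of the Startup Script above so it can be checked without fetching anything: a hosts-format blocklist is turned into the `<address><TAB><hostname>` lines that dnsmasq's `addn-hosts=` option reads. The sample list is constructed here, with the cases the one-liner has to cope with (CRLF line endings, a comment, a `localhost` entry that must not be sinkholed, and a `127.0.0.1` entry that the `0.0.0.0` filter deliberately skips):

```sh
#!/bin/sh
# Added example (not h8red's script): convert a hosts-format blocklist into the
# dnsmasq addn-hosts file the Startup Script above writes, offline.
# SAMPLE is a constructed blocklist, not the real mvps list.
SINKHOLE="0.0.0.0"
SAMPLE=$(printf '# constructed sample, not the real list\r\n0.0.0.0 localhost\r\n0.0.0.0 ads.example\r\n0.0.0.0 tracker.example # trailing comment\r\n127.0.0.1 other.example\r\n')

# Read hosts lines on stdin, write dnsmasq lines on stdout.
# Only lines starting with 0.0.0.0 are kept (comments and 127.0.0.1 entries
# drop out), the localhost entry is removed so the router's own name is not
# sinkholed, and tr -d '\015' strips the CR so it cannot end up glued to the
# hostname, where dnsmasq would treat it as part of the name.
hosts_to_dnsmasq() {
    grep '^0\.0\.0\.0[[:space:]]' | grep -v localhost | tr -d '\015' \
        | awk -v sink="$SINKHOLE" '{ print sink "\t" $2 }'
}

# Write the converted list to $1 and print the number of entries it holds.
# On the router $1 would be /tmp/dlhosts, followed by "killall -HUP dnsmasq"
# so dnsmasq rereads it, as the post above does.
write_blocklist() {
    printf '%s\n' "$SAMPLE" | hosts_to_dnsmasq > "$1"
    wc -l < "$1" | tr -d ' '
}

# Stand-alone run: convert into a temp file and show the result.
out=$(mktemp)
echo "entries written: $(write_blocklist "$out")"
cat "$out"
rm -f "$out"
```

A quick way to confirm the list is being served is the `nslookup` check used later in this thread: a name from the list should come back as 0.0.0.0 from the router's address.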
nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Wed Jul 08, 2015 22:06
Thank you for your help.

Applied your Adblock code. Following is the result:

C:\Windows\system32>nslookup a.abnad.net
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1

Name: a.abnad.net
Address: 0.0.0.0


C:\Windows\system32>nslookup a.abnad.net
Server: DD-WRT
Address: 192.168.1.1

Name: a.abnad.net
Address: 0.0.0.0

I think the above shows that Adblock is working. Would you agree? Or should I do some other test to really be sure?

Thank you again for your assistance.
nkaufman
DD-WRT User


Joined: 21 Jun 2015
Posts: 259

Posted: Wed Jul 08, 2015 22:22
Mile-Lile wrote:
Ok. Let's do it like this. .....

Code:
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.97/27 -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.97/27 -p tcp --dport 53 -j DNAT --to 208.67.220.123

@Mile-Lile
Since there are 2 DNS addresses, should I not have both applied to each udp and tcp codes above? Or am I mistaken in my understanding? Please advise.

Thanks,