How to force different DNS server for 2 clients on network

DD-WRT Forum Index -> Broadcom SoC based Hardware
momo2000
DD-WRT Novice


Joined: 15 Mar 2008
Posts: 28

PostPosted: Sat Sep 26, 2009 13:06    Post subject: How to force different DNS server for 2 clients on network
I am running DD-WRT v 24-sp2 micro build 12533 (on a WRT54G) and have been using DD-WRT (earlier versions) for a couple years.

I would like to use DD-WRT to force two of the clients (kids' PCs) on my network to use a different DNS server (and ONLY that server; if that server/connection should fail, then they should not get a connection to the internet, NOT default to DNS2 and DNS3 provided by Comcast, my ISP). I would like for all OTHER clients on the network to continue to use the DNS servers provided now by Comcast (although I'm not sure how this happens, as I don't add them manually; it just works).

I have searched and searched the forums but can’t seem to find the solution. I think it would be in the “Services/Services/DNSMasq/Additional DNS Options” field, but am not clear what to enter. Maybe I have to get into the actual config file, I am not sure.

I have set up “DNS Redirector” as the local DNS server for these clients (kids PCs) and have “DNS Redirector” on a server with the address of 192.168.2.160. The clients (kids PCs) have Static Leases (192.168.2.150 and 192.168.2.151) from the DD-WRT DHCP server. I am NOT asking for help with the “DNS Redirector” software, just how to get the two clients to ONLY use 192.168.2.160 as their DNS server.

Current settings:
My DD-WRT router is 192.168.2.1
Setup/Basic Setup I have Local DNS as 0.0.0.0
Setup/Basic Setup I have all Static DNS servers (1-3) set to 0.0.0.0
Setup/Basic Setup I have Use DNSMasq for DNS "checked"
Services/Services/DNSMasq I have DNSMasq as “enable”
Services/Services/DNSMasq I have LocalDNS as “enable”

I am not really clear on the exact functions/differences of DNSMasq vs. LocalDNS vs. the Static DNS server settings, so please explain if required for the solution. I would sincerely appreciate any help offered.
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Sep 26, 2009 13:48    Post subject:
Wiki -->tutorials-->opendns
_________________
The New Me
momo2000
DD-WRT Novice


Joined: 15 Mar 2008
Posts: 28

PostPosted: Sat Sep 26, 2009 13:56    Post subject:
Thanks for your reply. I would rather use OpenDNS but the way I understand it, OpenDNS can't distinguish between different Clients on my network, all it sees is the IP of my DD-WRT router and treats every client the same (because of NAT). If I am wrong, and it can treat different clients differently, please advise.
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Sep 26, 2009 13:59    Post subject:
DHC_DarkShadow wrote:
Wiki -->tutorials-->opendns


Specific instructions for your request at bottom of tutorial. I have your setup in my house for my kids.

EDIT. Sorry it doesn't say for specific ip's. Let me try to find the thread.

DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Sep 26, 2009 14:05    Post subject:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=310196&highlight=#310196

The code is in this thread for using opendns for specific ip address.

momo2000
DD-WRT Novice


Joined: 15 Mar 2008
Posts: 28

PostPosted: Sat Sep 26, 2009 15:46    Post subject:
Thanks, DHC_DarkShadow. This is right on the edge of my understanding/new learning, so let me see if I understand:

If I want to force certain clients on my lan to use the OpenDNS DNS servers, I could post this in the Administration/Commands and then “Save Firewall”, and reboot the router, and reboot the client.

I read the post a few times, and think I have it. The code that I would use to force clients in the IP range of 192.168.151 to 192.168.155 to use the OpenDNS DNS server of 208.67.222.222 is:

opendns1=208.67.222.222
iptables -t nat -I PREROUTING -p udp -s 192.168.1.151/5 --dport 53 -j DNAT --to $opendns1
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.151/5 --dport 53 -j DNAT --to $opendns1

Note: I changed the -A to -I and changed the commands to use the IP range instead of the interface.

I tried this command, but it DOES NOT seem to have any effect on the clients. Also when I run this from the C prompt command line of the client: "ipconfig /all" it shows that the DNS Server is the IP of the DD-WRT router.

What am I doing wrong?
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Sep 26, 2009 15:52    Post subject:
That's where the tutorial comes in, follow it. Then put the dns servers you use in the pc's that aren't in the range of the restriction in the script.
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Sat Sep 26, 2009 16:38    Post subject:
Good Stuff;

Yesterday I was setting up my brother's network for OpenDNS so my nieces can have a "safe" internet connection.

This information will let me tweak DD-WRT with OpenDNS.

Thanks!

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
momo2000
DD-WRT Novice


Joined: 15 Mar 2008
Posts: 28

PostPosted: Sat Sep 26, 2009 18:08    Post subject:
OK, DHC_DarkShadow. I'll spend some time with that tonight. Thanks for the pointer. I'll let you know how it goes tomorrow.
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Sep 26, 2009 18:36    Post subject:
Updated OpenDNS tutorial to include code for forcing specific IP/range to opendns.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Sat Sep 26, 2009 22:47    Post subject:
momo2000 wrote:

opendns1=208.67.222.222
iptables -t nat -I PREROUTING -p udp -s 192.168.1.151/5 --dport 53 -j DNAT --to $opendns1
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.151/5 --dport 53 -j DNAT --to $opendns1

Your netmask is way too small and includes 1/32 of all addresses, it's supposed to be a /25 mask so that it only includes 192.168.1.128 to 192.168.1.255. I cleaned up the wiki to correct this oversight.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
momo2000
DD-WRT Novice


Joined: 15 Mar 2008
Posts: 28

PostPosted: Sun Sep 27, 2009 13:25    Post subject:
OK, I did get it working per the tutorial. Thanks for the guidance. Of course there is just one “problem”. Having to enter the Comcast DNS (unfiltered) on all of the “adult” computers is OK for the “Desktop” clients, but is a pain on the 2 laptops, because they leave the house almost daily, and then when on a hotspot or work network, I have to manually remove the static Comcast DNS every time . . . and then re-add it when I get home.

I was wondering why I couldn’t create a firewall rule for both groups, and have the DD-WRT router do the work. So IPs over 192.168.2.200 go to OpenDNS and addresses below that go to Comcast DNS. I tried the code below in the Firewall commands, but it did not work, and all clients got routed to OpenDNS. Any thoughts on how to make this work? What do you think about this idea?

comcast1=68.87.64.196
iptables -t nat -I PREROUTING -p udp -s 192.168.2.100/99 --dport 53 -j DNAT --to $comcast1
iptables -t nat -I PREROUTING -p tcp -s 192.168.2.100/99 --dport 53 -j DNAT --to $comcast1
opendns1=208.67.222.222
iptables -t nat -I PREROUTING -p udp -s 192.168.2.200/25 --dport 53 -j DNAT --to $opendns1
iptables -t nat -I PREROUTING -p tcp -s 192.168.2.200/25 --dport 53 -j DNAT --to $opendns1
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Sun Sep 27, 2009 13:39    Post subject:
/99 isn't a valid subnet mask so the entire rule is invalid and never gets added. Use these:

192.168.2.0/25 ============== this means 192.168.2.0 to 192.168.2.127
192.168.2.128/25 ============ this means 192.168.2.128 to 192.168.2.255

momo2000
DD-WRT Novice


Joined: 15 Mar 2008
Posts: 28

PostPosted: Sun Sep 27, 2009 13:50    Post subject:
Interesting! So in the "/X" after the starting IP address does NOT mean "the next 'X' IP addresses, it looks like it is a percentage of something, so that:
/25 = the next 128 IP addresses
/50 = the next 256 IP addresses

Is this correct?
I'm going to understand this sooner or later, thanks!
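The two recurring problems in this thread are the CIDR prefix length (/5 and /99 instead of /25) and the per-range DNAT rules themselves. The script below is an added example written for this page; it is not from the DD-WRT wiki, from any poster, or from the thread phuzi0n links. It assumes the LAN layout momo2000 describes (192.168.2.0/24, router 192.168.2.1, filtering resolver at 192.168.2.160) and that the kids' static leases live in the upper half of the subnet, 192.168.2.128/25; both the range split and the resolver address are assumptions taken from the posts, not verified on a router. The `cidr_range` helper computes exactly what a given `a.b.c.d/N` matches, so you can check a mask before putting it in a rule, and `dns_rules` refuses an invalid prefix instead of emitting a rule that iptables would silently reject. It uses only POSIX arithmetic so it runs under busybox ash on the router as well as under bash or dash on a PC.

```shell
#!/bin/sh
# Added example for this thread (not DD-WRT wiki or forum code).
# Assumed LAN (from the posts): 192.168.2.0/24, router .1, filtering
# resolver 192.168.2.160, kids' PCs with static leases in 192.168.2.128/25.

# ip_to_int A.B.C.D -> 32-bit integer, e.g. 192.168.2.150 -> 3232236182
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N -> "first last" of the block that -s A.B.C.D/N matches.
# /N is a prefix LENGTH in bits, not a host count: /25 fixes the top 25 bits
# and leaves 7 host bits, i.e. 128 addresses. Returns 1 for N outside 0..32
# (iptables rejects such a rule, so it never lands in the chain at all).
cidr_range() {
    case $1 in */*) ;; *) set -- "$1/32" ;; esac
    ip=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    net=$(( $(ip_to_int "$ip") & mask ))
    echo "$(int_to_ip "$net") $(int_to_ip "$(( net | (mask ^ 4294967295) ))")"
}

# dns_rules SRC_CIDR RESOLVER -> the two PREROUTING DNAT rules (udp and tcp)
# that rewrite every port-53 packet from SRC_CIDR to RESOLVER, so a client in
# that range that types 8.8.8.8 into its adapter settings still ends up at
# RESOLVER. -I puts the rule at the top of the chain, ahead of whatever
# DD-WRT's own firewall script already inserted.
dns_rules() {
    cidr_range "$1" >/dev/null || { echo "dns_rules: invalid CIDR '$1'" >&2; return 1; }
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -p $proto -s $1 --dport 53 -j DNAT --to $2"
    done
}

# Only the kids' half of the LAN gets a rule. Everything else keeps asking the
# router (dnsmasq), which forwards to the ISP resolvers it learned via DHCP, so
# the laptops need no static DNS entry and roam without reconfiguration.
# Run as "sh thisfile.sh apply" on the router to execute; without an argument
# it only prints the rules it would add.
KIDS_RANGE=192.168.2.128/25
KIDS_DNS=192.168.2.160
if [ "${1:-}" = apply ]; then RUN=sh; else RUN=cat; fi
dns_rules "$KIDS_RANGE" "$KIDS_DNS" | $RUN
```

Two checks worth doing after the rules are in: `iptables -t nat -L PREROUTING -n -v` shows the per-rule packet counters, so a lookup from a kids' PC should bump the DNAT rule while one from an adult PC should not, and `cidr_range 192.168.1.151/5` printing `192.0.0.0 199.255.255.255` makes the "1/32 of all addresses" remark concrete. Two caveats: DNAT only governs port 53, so a client that can reach arbitrary hosts on 443 can still resolve names over HTTPS, and a static DHCP lease does not stop someone from typing an address outside the range by hand; matching on the client's MAC (`-m mac --mac-source`) instead of, or in addition to, its IP range closes the second gap at the cost of being easy to bypass by changing the MAC. If the filtering resolver is down, the kids' PCs get no answers at all, which is the behaviour momo2000 asked for.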
momo2000
DD-WRT Novice


Joined: 15 Mar 2008
Posts: 28

PostPosted: Sun Sep 27, 2009 14:09    Post subject:
*** I deleted this post. Still working to be sure I can accurately describe.

Last edited by momo2000 on Sun Sep 27, 2009 18:25; edited 1 time in total