Force guest-network to use OpenDNS?

Discussion in 'Tomato Firmware' started by philess, Apr 4, 2013.

  1. philess

    philess Networkin' Nut Member

    Hello guys,

    I am trying to set up a guest network (wireless) br1 which is forced
    to use OpenDNS (for filtering purposes, e.g. block torrent sites),
    but at the same time have a private network br0 that can use a
    different DNS provider.

    Should that work by using custom dnsmasq config?

    To have br0 use Google's DNS and br1 OpenDNS.
    I expect that to conflict with the "Intercept DNS" option though,
    but if I disable that, there is nothing stopping the user in br1
    from simply adding his own DNS provider.

    Also, I assume the dnsmasq config is processed from top to
    bottom, so when I add the custom part, it will overwrite the
    options that are already added from the GUI?

    Edit: As I assumed, the "Intercept DNS" option is making this difficult.
    I think the easiest and also efficient way is by doing this through iptables:

    iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to
    iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to
    That should redirect all DNS requests from br1 (guests) to OpenDNS,
    and everyone else on br0 will use whatever DHCP is giving them etc.
  2. jerrm

    jerrm Network Guru Member

    Correct - you will need to turn off intercept. You can prevent average users from accessing other DNS rules by blocking access to any other DNS servers (including the router) on TCP/UDP port 53. Crafty users will be able to come up with workarounds, but hopefully they are the exception.

    A little questionable on the processing order at the moment. Not sure how this option would be impacted. See
    philess likes this.
  3. philess

    philess Networkin' Nut Member

    Thank you jerrm!

    Yes, I read about that dnsmasq bug, but I am currently using Victec's R1.1f
    which has dnsmasq v2.61 and it all seems to be working fine right now.
    (To sum up: intercept disabled, instead redirecting br1 DNS with iptables.)
    Actually, by using iptables I don't need dnsmasq to give out another DNS at all,
    it will get redirected anyway. But I tried adding the DHCP option at the bottom,
    and it worked (client received OpenDNS as DNS)...
  4. koitsu

    koitsu Network Guru Member

    FYI -- you should really use the names of the dhcp options (in this case, DHCP option 6 is called dns-server), as it makes the rules much more clear. Example:
    You can get a map of the option numbers-to-names by doing dnsmasq --help dhcp.
    philess likes this.
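    Putting the pieces of this thread together (philess's DNAT redirect, jerrm's advice to also block port 53 to every other server including the router, and koitsu's point about using the dnsmasq option name instead of the number), here is an added example script that is not from any poster in the thread. It assumes the guest bridge is br1, that the chosen resolver is OpenDNS's public address 208.67.222.222, and that the firewall part is meant for Tomato's Administration > Scripts > Firewall box; run it with no argument to print the commands and the dnsmasq line, or with "apply" to actually call iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: guest bridge br1,
# OpenDNS public resolver 208.67.222.222, rules pasted into Tomato's
# Administration > Scripts > Firewall box. Without an argument the script
# only prints what it would do; "apply" runs iptables for real.

GUEST_IF="${GUEST_IF:-br1}"
GUEST_DNS="${GUEST_DNS:-208.67.222.222}"   # OpenDNS resolver (assumed choice)

case "${1:-show}" in
  apply) IPT="iptables" ;;
  *)     IPT="echo iptables" ;;   # dry run: show the commands instead
esac

# Firewall rules for the guest bridge:
#  1. rewrite every port-53 query to the chosen resolver (the DNAT from post 1),
#  2. drop forwarded port-53 traffic to any other destination (post 2),
#  3. refuse port-53 queries to the router's own dnsmasq (post 2).
# Rule 2 sees the post-DNAT destination, so redirected queries pass.
guest_dns_rules() {
  for proto in udp tcp; do
    $IPT -t nat -I PREROUTING -i "$GUEST_IF" -p "$proto" --dport 53 \
         -j DNAT --to-destination "$GUEST_DNS"
    $IPT -I FORWARD -i "$GUEST_IF" -p "$proto" --dport 53 \
         ! -d "$GUEST_DNS" -j DROP
    $IPT -I INPUT -i "$GUEST_IF" -p "$proto" --dport 53 -j DROP
  done
}

# Line for the dnsmasq custom configuration so guest clients are handed the
# same resolver by DHCP. Written with the option name (dns-server) rather than
# the bare number 6, as post 4 recommends. dnsmasq tags each request with the
# interface it arrived on, so the leading "br1," limits the option to guests.
guest_dhcp_option() {
  printf 'dhcp-option=%s,option:dns-server,%s\n' "$GUEST_IF" "$GUEST_DNS"
}

# Check that the option name is one this dnsmasq build knows, using the
# "dnsmasq --help dhcp" listing from post 4. Returns 2 if dnsmasq is absent.
dhcp_option_known() {
  command -v dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not found, skipping check" >&2; return 2; }
  dnsmasq --help dhcp | grep -Eq '(^|[[:space:]])6[[:space:]]+dns-server'
}

guest_dns_rules
guest_dhcp_option
```

    The DNAT rules use -I, so they land ahead of whatever Tomato generates; if "Intercept DNS" is left enabled its own REDIRECT rule competes with these, which is why the thread turns it off first. Plain port-53 traffic is all this covers: DNS carried over another port or protocol still needs a separate policy.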
  5. philess

    philess Networkin' Nut Member

    I know, koitsu, I read your comment about that in the other thread too :)