
[SOLVED] How to define custom hosts in tomato?

Discussion in 'Tomato Firmware' started by vmixus, Jan 7, 2014.

  1. vmixus

    vmixus Serious Server Member

    How can I define custom hosts directly on the router as opposed to editing the hosts file locally for each machine?

    For example, I would enter "modem/" into the browser and it would go to the modem web interface.

    I'd like to know:
    a.) Where in the gui or which file on the router to add/edit to input the ip / hostname?
    b.) any additional config/settings to make sure the custom host names get used?

    So far I've tried inputting the following into /tmp/etc/hosts and /tmp/etc/dnsmasq/hosts with no success.
    Code:
    192.168.100.1 modem
     
    Last edited: Jan 9, 2014
  2. gfunkdave

    gfunkdave LI Guru Member

    Go to the Advanced -> DNS page. In the Advanced text box, add lines of the form:

    Code:
    address=/modem/192.168.100.1
    Although, it will do this automatically for any devices with static IPs defined in the Basic->DHCP page.

    Check out the manpage for DNSMasq for full info.
     
  3. vmixus

    vmixus Serious Server Member

    I've tried adding the code you provided under "Advanced -> DHCP/DNS -> Dnsmasq custom configuration" but no luck.

    Also, I wasn't sure if the preceding "--" shown on the man page was necessary but I've tried both ways and rebooted in between attempts and still can't get the hostname to show up in the browser.

    Any other suggestions?
     
  4. tomatosoup

    tomatosoup Serious Server Member

    Go to Basic - Static DHCP/ARP/IPT - enter the IP address and hostname (no need to enter a MAC address) and save. This will do the trick.
     
    darkknight93 likes this.
  5. vmixus

    vmixus Serious Server Member

    tomatosoup: I tried your suggestion as well but no dice.

    For the benefit of anyone else that comes along this thread in the future.

    References:
    After reading the above here's what is/isn't working:

    "Advanced -> DHCP/DNS -> Dnsmasq custom configuration"
    Code:
    address=/modem/192.168.100.1
    Then from a client connected to the router:
    Code:
    C:\>ping modem
    Ping request could not find host modem. Please check the name and try again.
    
    C:\>ping modem.
    
    Pinging modem [192.168.100.1] with 32 bytes of data:
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=4ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=4ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=6ms TTL=63
    
    Ping statistics for 192.168.100.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 6ms, Average = 3ms
    
    So the trailing "." has to be there!

    The trailing "." wasn't necessary when using a local hosts file so I'd like to know how to be able to use the host names without the "." through tomato?

    I'm sorta new at this, so unless I'm interpreting it incorrectly, according to the 3rd link posted above the solution involves setting any value for "Basic -> Identification -> Domain Name" but this hasn't worked for me either.
    Any suggestions?

    Also, does this affect clients that don't get their IP from the router?
    i.e. the modem's web config is http://192.168.1.100 and there's a static route setup to reach it.
     
  6. gfunkdave

    gfunkdave LI Guru Member

    Oh. Right. You need to put fully qualified domain names in there. It should really be modem.<whatever you set your LAN domain to in the Identification page>
     
    koitsu likes this.
  7. vmixus

    vmixus Serious Server Member

    Here's what I did:
    • "Basic -> Identification -> Domain" set to: primary
    • Then the hostname is setup like so:
      Code:
      address=/modem/primary/192.168.100.1
    Here's the ping results:
    Code:
    C:\>ping modem
    
    Pinging modem.primary [192.168.100.1] with 32 bytes of data:
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=2ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    
    Ping statistics for 192.168.100.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 2ms, Average = 1ms
    
    C:\>ping modem.
    
    Pinging modem [192.168.100.1] with 32 bytes of data:
    Reply from 192.168.100.1: bytes=32 time=5ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=3ms TTL=63
    
    Ping statistics for 192.168.100.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 5ms, Average = 2ms
    
    C:\>ping garbage12345
    
    Pinging garbage12345.primary [192.168.100.1] with 32 bytes of data:
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
    
    Ping statistics for 192.168.100.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms
    
    We're somewhat closer but now it's confusing as to why anything I try to ping is responding that way.
     
  8. vmixus

    vmixus Serious Server Member

    Oops --
    just re read your post and updated the host entry like so:
    Code:
    address=/modem.primary/192.168.100.1
    The weird ping issue is now gone and I can only access hosts without the trailing "."

    :D
    -- Thanks everyone

    tldr;
    • Set any value for "Basic -> Identification -> Domain Name"
    • Then setup hosts under "Advanced -> DHCP/DNS -> Dnsmasq custom configuration":
      Code:
      # Format
      address=/<host name>.<domain name>/<ip>
      
      #Example
      address=/modem.primary/192.168.100.1
     
    Last edited: Jan 7, 2014
  9. jerrm

    jerrm Network Guru Member

    Hosts files should work. The address directive isn't really meant for this.

    Paste this into system tools or the command line to test:
    Code:
    echo $(nvram get lan_ipaddr) hostfilehost > /etc/dnsmasq/hosts/hostfile.test
    kill -HUP $(pidof dnsmasq)
    ping -c4 hostfilehost
     
    vmixus likes this.
  10. vmixus

    vmixus Serious Server Member

    Yes, your test works and this solution seems much cleaner and closer to what I was originally looking for. Editing the /etc/hosts file didn't work for me before because I incorrectly assumed the changes would be taken into account right away. Your suggestion to first kill dnsmasq, was the correct answer.

    I have some questions:
    • How / where do I implement custom changes for the hosts file so they will be permanent and survive a reboot? Similar to how the firewall settings can be saved in [Administration-> Scripts -> Firewall] -- is there something similar for hosts file settings?
    • Are there any naming conventions / restrictions I need to follow?
      i.e. name of host file, number of entries per file, etc.
    I tried using [Administration -> Scripts -> Init] like so:
    Code:
    echo "1.2.3.4 test" >> /etc/dnsmasq/hosts/custom
    But this isn't working as I don't see the custom file after reboot.
     
    Last edited: Jan 8, 2014
  11. jerrm

    jerrm Network Guru Member

    Just place the file under /etc/dnsmasq/hosts/. Any name should do. Standard hosts file syntax. Only limit is memory.

    I'd probably put it in the gui init script. Something like:
    Code:
    mask=$(umask)
    umask 0000
    mkdir -p /tmp/etc/dnsmasq/hosts
    umask $mask
    echo "1.2.3.4 host4
    1.2.3.5 host5
    1.2.3.6 host6
    " > /tmp/etc/dnsmasq/hosts/myhosts
    You could also look at the nvram setfile/getfile functions, but the gui init is easy to edit. If you have code that waits for system initialization in init, you could probably leave out the mkdir. Alternatively add an "addn-hosts=/tmp/myhosts" line in the dnsmasq custom box and place the file there.

    If you create or edit the file after dnsmasq is running, then you need to send HUP to dnsmasq to force it to reload the hosts files.
     
  12. vmixus

    vmixus Serious Server Member

    I was able to successfully create the file /etc/dnsmasq/hosts/custom using the init scripts through the gui; it worked after I included mkdir -p /etc/dnsmasq/hosts before trying to create the custom file.

    But now the bigger problem is that clients connected to the router aren't able to ping the custom host names. While I'm ssh'ed into the router I can ping by host name but not from pc's connected to the router. I repeated your previous test from a client and I'm unable to ping whether the changes are in /etc/hosts or /etc/dnsmasq/hosts/custom
    Any suggestions?

    fyi. while undoing the previous setup in this thread I also removed the entries under "Basic -> Identification" for "Host Name" and "Domain Name" -- should there be something there or is it ok if those are blank?

    I also looked at the "addn-hosts" setting and it's already defined in /etc/dnsmasq.conf as:
    Code:
    addn-hosts=/etc/dnsmasq/hosts
    According to the dnsmasq man page:
    So since it's a directory I believe it's ok.
     
  13. jerrm

    jerrm Network Guru Member

    You probably still need a domain name defined.

    You can have multiple addn-hosts lines, but if you're OK with the mkdir, don't worry about it.
     
  14. vmixus

    vmixus Serious Server Member

    :)
    Finally solved!
    -- Thank you everyone, especially jerrm

    For future reference in case someone stumbles upon this thread...
    Correct answer:
    To set custom hostnames in Tomato:
    • Make sure "Basic -> Identification -> Domain Name" is defined
    • Under "Administration -> Scripts -> Init" use the following to create a custom host file:
      Code:
      mkdir -p /tmp/etc/dnsmasq/hosts
      echo "1.2.3.4 example
      123.456.789.10 test" > /tmp/etc/dnsmasq/hosts/custom
     
  15. gfunkdave

    gfunkdave LI Guru Member

    Seems a lot more complicated than just creating a static entry in DNSMasq's config...but if you like it this way then I suppose it's your NVRAM... :)
     
  16. vmixus

    vmixus Serious Server Member

    Being able to use a custom file vs several individual static entries is a more appealing solution as it's easier to maintain.

    It might not make a huge difference for a few entries but the flexibility to store one or more large custom host files, for example on a cifs share in conjunction with a single custom static setting for addn-hosts to point to the file, seems like a better option.

    Could you please elaborate? Are there adverse side effects to the solution described above?
     
  17. jerrm

    jerrm Network Guru Member

    The init code, with the mkdir and echo statement overhead, would use a few more bytes nvram than the address syntax if you only have two or three entries. Once you get to four or five entries, hosts file syntax is shorter.

    The address directive is fine, as long as you understand how it works. It is not the same as a host file entry. If you have an entry for "testnet.mydomain," that will also match host1.testnet.mydomain, host2.testnet.mydomain, etc.

    Changes to the conf file also require a full dnsmasq restart, hosts file updates only require sending SIGHUP with no restart.
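
Added example (not part of jerrm's post or of the thread): a small POSIX shell model of the matching rule described above. It shows why `address=/modem/primary/192.168.100.1` answered for garbage12345.primary, while a hosts-file entry answers only for the exact name. The function names and the HOSTS sample are assumptions; the model ignores case folding and IPv6.

```shell
#!/bin/sh
# Added example, not from the thread. Config and hosts samples are constructed
# from the values quoted in the posts above.

# address_lookup NAME CONFIG_TEXT
# Prints the IP of the first address= line that lists a domain equal to NAME
# or a parent domain of NAME (suffix match on a label boundary).
address_lookup() {
    name=${1%.}                      # "modem." -> "modem"
    while IFS= read -r line; do
        case $line in
            address=/*/*) ;;
            *) continue ;;
        esac
        spec=${line#address=/}       # "modem/primary/192.168.100.1"
        ip=${spec##*/}               # text after the last "/"
        rest=${spec%/*}              # one or more domains separated by "/"
        while [ -n "$rest" ]; do
            d=${rest%%/*}
            case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
            [ -n "$d" ] || continue
            case $name in
                "$d"|*."$d") printf '%s\n' "$ip"; return 0 ;;
            esac
        done
    done <<EOF
$2
EOF
    return 1
}

# hosts_lookup NAME HOSTS_TEXT
# Prints the IP only when NAME equals one of the names on a hosts line.
hosts_lookup() {
    name=${1%.}
    while read -r ip names; do
        case $ip in ''|'#'*) continue ;; esac
        for n in $names; do
            if [ "$n" = "$name" ]; then
                printf '%s\n' "$ip"
                return 0
            fi
        done
    done <<EOF
$2
EOF
    return 1
}

BAD_CONF='address=/modem/primary/192.168.100.1'    # two domains: modem, primary
GOOD_CONF='address=/modem.primary/192.168.100.1'   # one domain: modem.primary
HOSTS='192.168.100.1 modem.primary modem'          # constructed hosts line

# A client with DNS suffix "primary" turns "ping modem" into modem.primary.
for q in modem. modem.primary host1.modem.primary garbage12345.primary; do
    printf '%-22s two-domains=%-14s fqdn=%-14s hosts=%s\n' "$q" \
        "$(address_lookup "$q" "$BAD_CONF" || echo none)" \
        "$(address_lookup "$q" "$GOOD_CONF" || echo none)" \
        "$(hosts_lookup "$q" "$HOSTS" || echo none)"
done
```
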
     
  18. vmixus

    vmixus Serious Server Member

    Thanks for the clarification.
    Also, using an addn-hosts entry to point to a custom file on a cifs share would eliminate the need to put anything in the init block altogether (though this is still theoretical and I haven't tried it out yet)
     
  19. jerrm

    jerrm Network Guru Member

    Should be fine, probably want an execute when mounted script to send HUP to dnsmasq.

    This is a clear advantage of the hosts file approach. In theory you could use the conf-file option to similarly load an additional conf file of address entries, but dnsmasq will refuse to start if cifs is not mounted and the conf-file is missing.
     
    Last edited: Jan 8, 2014
    gfunkdave likes this.
  20. lollekatt

    lollekatt Reformed Router Member

    This really seems too complicated.. manually one does it in dnsmasq indeed. But the GUI allows to simply click on static, which takes one to the static arp page... there bound to (ip), bind the mac, done.

    What does this do?

    It adds to the dnsmasq.conf file (dhcp) an entry along the lines of:

    dhcp-host=aa:bb:cc:dd:ee:ff,192.168.0.1
     
  21. vmixus

    vmixus Serious Server Member

    How about devices not using the router's dhcp?
    For example in my case the modem (on the router's wan side) comes pre-configured with the web admin interface @ 192.168.100.1 when my network is 10.x.x.x. and it's accessible via a static route or if you wanted to redirect some web domain for ad blocking.
     
  22. koitsu

    koitsu Network Guru Member

    You don't even need to add an addn-hosts entry to dnsmasq.conf. The TomatoUSB default contains the following line already in dnsmasq.conf:

    Code:
    addn-hosts=/etc/dnsmasq/hosts
    
    And if you look closely, that's a directory, not a file. If addn-hosts points to a directory, dnsmasq will read the contents of all the files in that directory.

    Within that directory is a file called hosts (ex. /etc/dnsmasq/hosts/hosts) which you should not touch (TomatoUSB manages this file itself!). The syntax of that file is identical to /etc/hosts on a normal *IX system, ex:

    Code:
    a.b.c.d hostname ...
    
    E.g.

    Code:
    127.0.0.1 idontlikesnakes.com www.idontlikesnakes.com
    127.0.0.1 foo bar blat
    127.0.0.1 donotwant
    127.0.0.1 yahoo.com www.yahoo.com
    
    You can make your own file in that directory (ex. /etc/dnsmasq/hosts/mystuff) and then send a HUP to dnsmasq and it will automatically read the contents.

    The only thing to remember is that the files within that directory are not retained after a reboot, so you will need to add something to Scripts / Init that places entries into that file. For example the following would work:

    Code:
    cat > /etc/dnsmasq/hosts/mystuff <<EOF
    127.0.0.1 idontlikesnakes.com www.idontlikesnakes.com
    127.0.0.1 foo
    127.0.0.1 donotwant
    EOF
    
    Then you'd need to sit around in a small while + sleep loop waiting for dnsmasq to start so you could run kill -HUP `cat /var/run/dnsmasq.pid` or the like.

    Otherwise if you want something persistent that isn't managed via Scripts / Init, then you need a router with a USB port, or you get to use a CIFS share pointing to a machine somewhere on your LAN.

    Finally, you cannot use wildcards (*) or regex within that file (e.g. you cannot say 127.0.0.1 *.yahoo.com). You need to know the shorthand hostname or the FQDN of what you want to return a falsified DNS A record for. That's what makes this method of "ad blocking" absolutely worthless, if you ask me.

    I wish people would understand that dnsmasq is not a DNS server. Its goal is not to, say, replace ISC BIND or unbound or anything like that. Yet people try to use it for all kinds of crazy things... :/

    I really do not know why you people horse around with this crap instead of just using Adblock Plus in your browsers. Really, I'm quite serious. That addon stops the TCP session from even being made in the first place -- it saves on resources all over the board, in exchange for some added memory footprint in the browser itself.

    I won't be commenting past this point, but just wanted to let folks know of the above.
     
    Last edited: Jan 9, 2014
  23. mstombs

    mstombs Network Guru Member

    A bit unfair koitsu, I have had a couple of simple address entries (.lan) in my dnsmasq custom config for ever - NTL, now VirginMedia always seem to use 192.168.100.1. really no need to muck about with scripts for just those!

    OT:
    I also do use adblockplus in Firefox and Chrome, but still do a lot of adblocking using dnsmasq domain level dns poisoning (effectively uses wildcards) which has big benefit for most mobile users and others who still use MS Internet Exploder... but some adsites now using server side dns (web pages get ip addresses) and many moving to https. My stats since I last rebooted router

    Code:
    Jan  9 20:30:01 rtn66u daemon.info pixelserv[13995]: 223745 req, 33587 err, 4643 gif, 184 bad, 159074 txt, 76 jpg, 106 png, 113 swf, 25962 ssl
     
  24. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Hi..
    I am a bit of a noob at this so please bear with me.
    I have been trying to figure out how to create a host file and upload it to Tomato. I have no idea of where to start. What I am trying to do is force Google Safe Search on my network.

    The way I am forcing it now is by adding addresses to the Dnsmasq Custom configuration text box like this:

    address=/www.google.com/216.239.38.120
    address=/www.google.co.uk/216.239.38.120
    address=/www.google.ca/216.239.38.120
    address=/www.google.fr/216.239.38.120
    address=/www.google.it/216.239.38.120
    address=/www.google.es/216.239.38.120
    address=/www.google.nl/216.239.38.120

    So far it works, but if I want to add all of Google's domains I get an error saying I need to "reduce the length of characters to be 2058 or less"

    So, I have been reading and found I need to create a host file and add it (upload it) to Tomato, but I get no information on how to do that.

    Can anyone here please help me on that?

    thanks.
     
  25. moffa

    moffa Serious Server Member

    Your solution should work but remove the www. as it's not needed and will only use it if the www is provided.

    I use the addn-hosts option. So in the dnsmasq configuration text box, I enter addn-hosts=/tmp/myhosts
    then in your startup script have:

    echo '216.239.38.120 google.com' >> /tmp/myhosts
     
    Last edited: Apr 12, 2015
  26. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    @mofia..
    you didn't type anything on your comment.. you just referenced my post.
     
  27. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I guess what I need to know is if there's a script or iptable I can use to block access to websites and to be able to add those addresses I am using for google in the script.. I have been looking for days and nobody knows how to do that.
     
  28. moffa

    moffa Serious Server Member

    Google's help page recommends using CNAME. You can try dnsmasq cname:

    cname=google.com,forcesafesearch.google.com

    for each google name.

    Also maybe add these to your firewall scripts (from http://www.dd-wrt.com/phpBB2/viewtopic.php?t=175005&sid=f23d2a827d3bb90ef17c9e24d1e3e9df)


    iptables -t nat -I PREROUTING -d 193.105.163.208 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.212 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.216 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.218 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.219 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.223 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.227 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.229 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.230 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.234 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.238 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.240 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.241 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.245 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.249 -j DNAT --to-destination 216.239.32.20
    iptables -t nat -I PREROUTING -d 193.105.163.251 -j DNAT --to-destination 216.239.32.20
     
  29. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    The way I have it now does work.. I get the message up top that says:
    "Your network has turned on SafeSearch to filter explicit content."

    But what I need help is to be able to add all of Google's domains which are:
    address=/www.google.com/216.239.38.120
    address=/www.google.ac/216.239.38.120
    address=/www.google.ad/216.239.38.120
    address=/www.google.ae/216.239.38.120
    address=/www.google.com.af/216.239.38.120
    address=/www.google.com.ag/216.239.38.120
    address=/www.google.com.ai/216.239.38.120
    address=/www.google.al/216.239.38.120
    address=/www.google.am/216.239.38.120
    address=/www.google.co.ao/216.239.38.120
    address=/www.google.com.ar/216.239.38.120
    address=/www.google.as/216.239.38.120
    address=/www.google.at/216.239.38.120
    address=/www.google.com.au/216.239.38.120
    address=/www.google.az/216.239.38.120
    address=/www.google.ba/216.239.38.120
    address=/www.google.com.bd/216.239.38.120
    address=/www.google.be/216.239.38.120
    address=/www.google.bf/216.239.38.120
    address=/www.google.bg/216.239.38.120
    address=/www.google.com.bh/216.239.38.120
    address=/www.google.bi/216.239.38.120
    address=/www.google.bj/216.239.38.120
    address=/www.google.com.bn/216.239.38.120
    address=/www.google.com.bo/216.239.38.120
    address=/www.google.com.br/216.239.38.120
    address=/www.google.bs/216.239.38.120
    address=/www.google.bt/216.239.38.120
    address=/www.google.co.bw/216.239.38.120
    address=/www.google.by/216.239.38.120
    address=/www.google.com.bz/216.239.38.120
    address=/www.google.ca/216.239.38.120
    address=/www.google.com.kh/216.239.38.120
    address=/www.google.cc/216.239.38.120
    address=/www.google.cd/216.239.38.120
    address=/www.google.cf/216.239.38.120
    address=/www.google.cat/216.239.38.120
    address=/www.google.cg/216.239.38.120
    address=/www.google.ch/216.239.38.120
    address=/www.google.ci/216.239.38.120
    address=/www.google.co.ck/216.239.38.120
    address=/www.google.cl/216.239.38.120
    address=/www.google.cm/216.239.38.120
    address=/www.google.cn/216.239.38.120
    address=/www.g.cn/216.239.38.120address=/www.google.com.co/216.239.38.120
    address=/www.google.co.cr/216.239.38.120
    address=/www.google.com.cu/216.239.38.120
    address=/www.google.cv/216.239.38.120
    address=/www.google.com.cy/216.239.38.120
    address=/www.google.cz/216.239.38.120
    address=/www.google.de/216.239.38.120
    address=/www.google.dj/216.239.38.120
    address=/www.google.dk/216.239.38.120
    address=/www.google.dm/216.239.38.120
    address=/www.google.com.do/216.239.38.120
    address=/www.google.dz/216.239.38.120
    address=/www.google.com.ec/216.239.38.120
    address=/www.google.ee/216.239.38.120
    address=/www.google.com.eg/216.239.38.120
    address=/www.google.es/216.239.38.120
    address=/www.google.com.et/216.239.38.120
    address=/www.google.fi/216.239.38.120
    address=/www.google.com.fj/216.239.38.120
    address=/www.google.fm/216.239.38.120
    address=/www.google.fr/216.239.38.120
    address=/www.google.ga/216.239.38.120
    address=/www.google.ge/216.239.38.120
    address=/www.google.gf/216.239.38.120
    address=/www.google.gg/216.239.38.120
    address=/www.google.com.gh/216.239.38.120
    address=/www.google.com.gi/216.239.38.120
    address=/www.google.gl/216.239.38.120
    address=/www.google.gm/216.239.38.120
    address=/www.google.gp/216.239.38.120
    address=/www.google.gr/216.239.38.120
    address=/www.google.com.gt/216.239.38.120
    address=/www.google.gy/216.239.38.120
    address=/www.google.com.hk/216.239.38.120
    address=/www.google.hn/216.239.38.120
    address=/www.google.hr/216.239.38.120
    address=/www.google.ht/216.239.38.120
    address=/www.google.hu/216.239.38.120
    address=/www.google.co.id/216.239.38.120
    address=/www.google.ir/216.239.38.120
    address=/www.google.iq/216.239.38.120
    address=/www.google.ie/216.239.38.120
    address=/www.google.co.il/216.239.38.120
    address=/www.google.im/216.239.38.120
    address=/www.google.co.in/216.239.38.120
    address=/www.google.io/216.239.38.120
    address=/www.google.is/216.239.38.120
    address=/www.google.it/216.239.38.120
    address=/www.google.je/216.239.38.120
    address=/www.google.com.jm/216.239.38.120
    address=/www.google.jo/216.239.38.120
    address=/www.google.co.jp/216.239.38.120
    address=/www.google.co.ke/216.239.38.120
    address=/www.google.ki/216.239.38.120
    address=/www.google.kg/216.239.38.120
    address=/www.google.co.kr/216.239.38.120
    address=/www.google.com.kw/216.239.38.120
    address=/www.google.kz/216.239.38.120
    address=/www.google.la/216.239.38.120
    address=/www.google.com.lb/216.239.38.120
    address=/www.google.com.lc/216.239.38.120
    address=/www.google.li/216.239.38.120
    address=/www.google.lk/216.239.38.120
    address=/www.google.co.ls/216.239.38.120
    address=/www.google.lt/216.239.38.120
    address=/www.google.lu/216.239.38.120
    address=/www.google.lv/216.239.38.120
    address=/www.google.com.ly/216.239.38.120
    address=/www.google.co.ma/216.239.38.120
    address=/www.google.md/216.239.38.120
    address=/www.google.me/216.239.38.120
    address=/www.google.mg/216.239.38.120
    address=/www.google.mk/216.239.38.120
    address=/www.google.ml/216.239.38.120
    address=/www.google.com.mm/216.239.38.120
    address=/www.google.mn/216.239.38.120
    address=/www.google.ms/216.239.38.120
    address=/www.google.com.mt/216.239.38.120
    address=/www.google.mu/216.239.38.120
    address=/www.google.mv/216.239.38.120
    address=/www.google.mw/216.239.38.120
    address=/www.google.com.mx/216.239.38.120
    address=/www.google.com.my/216.239.38.120
    address=/www.google.co.mz/216.239.38.120
    address=/www.google.com.na/216.239.38.120
    address=/www.google.ne/216.239.38.120
    address=/www.google.com.nf/216.239.38.120
    address=/www.google.com.ng/216.239.38.120
    address=/www.google.com.ni/216.239.38.120
    address=/www.google.nl/216.239.38.120
    address=/www.google.no/216.239.38.120
    address=/www.google.com.np/216.239.38.120
    address=/www.google.nr/216.239.38.120
    address=/www.google.nu/216.239.38.120
    address=/www.google.co.nz/216.239.38.120
    address=/www.google.com.om/216.239.38.120
    address=/www.google.com.pa/216.239.38.120
    address=/www.google.com.pe/216.239.38.120
    address=/www.google.com.ph/216.239.38.120
    address=/www.google.com.pk/216.239.38.120
    address=/www.google.pl/216.239.38.120
    address=/www.google.com.pg/216.239.38.120
    address=/www.google.pn/216.239.38.120
    address=/www.google.com.pr/216.239.38.120
    address=/www.google.ps/216.239.38.120
    address=/www.google.pt/216.239.38.120
    address=/www.google.com.py/216.239.38.120
    address=/www.google.com.qa/216.239.38.120
    address=/www.google.ro/216.239.38.120
    address=/www.google.rs/216.239.38.120
    address=/www.google.ru/216.239.38.120
    address=/www.google.rw/216.239.38.120
    address=/www.google.com.sa/216.239.38.120
    address=/www.google.com.sb/216.239.38.120
    address=/www.google.sc/216.239.38.120
    address=/www.google.se/216.239.38.120
    address=/www.google.com.sg/216.239.38.120
    address=/www.google.sh/216.239.38.120
    address=/www.google.si/216.239.38.120
    address=/www.google.sk/216.239.38.120
    address=/www.google.com.sl/216.239.38.120
    address=/www.google.sn/216.239.38.120
    address=/www.google.sm/216.239.38.120
    address=/www.google.so/216.239.38.120
    address=/www.google.st/216.239.38.120
    address=/www.google.com.sv/216.239.38.120
    address=/www.google.td/216.239.38.120
    address=/www.google.tg/216.239.38.120
    address=/www.google.co.th/216.239.38.120
    address=/www.google.com.tj/216.239.38.120
    address=/www.google.tk/216.239.38.120
    address=/www.google.tl/216.239.38.120
    address=/www.google.tm/216.239.38.120
    address=/www.google.to/216.239.38.120
    address=/www.google.tn/216.239.38.120
    address=/www.google.com.tn/216.239.38.120
    address=/www.google.com.tr/216.239.38.120
    address=/www.google.tt/216.239.38.120
    address=/www.google.com.tw/216.239.38.120
    address=/www.google.co.tz/216.239.38.120
    address=/www.google.com.ua/216.239.38.120
    address=/www.google.co.ug/216.239.38.120
    address=/www.google.co.uk/216.239.38.120
    address=/www.google.us/216.239.38.120
    address=/www.google.com.uy/216.239.38.120
    address=/www.google.co.uz/216.239.38.120
    address=/www.google.com.vc/216.239.38.120
    address=/www.google.co.ve/216.239.38.120
    address=/www.google.vg/216.239.38.120
    address=/www.google.co.vi/216.239.38.120
    address=/www.google.com.vn/216.239.38.120
    address=/www.google.vu/216.239.38.120
    address=/www.google.ws/216.239.38.120
    address=/www.google.co.za/216.239.38.120
    address=/www.google.co.zm/216.239.38.120
    address=/www.google.co.zw/216.239.38.120

    I am unable to input all of them because I guess I dont have enough memory?
    So that's why I thought that by creating a host file or script or iptable..or something I would be able to add them all.. I don't know how to do this ----> echo '216.239.38.120 google.com' >> /tmp/myhosts

    Everywhere I have looked, all I find is.. "you need to create this or that"... but nobody says HOW to do it.
     
  30. moffa

    moffa Serious Server Member

  31. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I do not.. this Linksys E2000 does not have USB port.
     
  32. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I've been thinking of getting a router with USB option... would that be what I need?
    if that's the case.. what do I need to do to get the script or to point the script to the USB..
    but I also need to know how to create the script or host file.
     
  33. moffa

    moffa Serious Server Member

    If you have a computer on your network you can use CIFS/Samba/Windows File Sharing to grab the file. Hopefully you have enough ram.

    What you would add is addn-conf=/tmp/filename to the dnsmasq configuration and have the startup script get the file and then restart dnsmasq. If you don't reboot often you can manually do that.
     
  34. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I use OpenDNS as well, I use their Family Filter 208.67.222.123 - 208.67.220.123, but OpenDNS does not filter web searches, that's why I need to force Safe Search through my router.
     
  35. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    hahaha... again, that's letting me know what I need to do, but not saying HOW to do it... keep in mind, I am a noob at this and have no idea of what you are referring to.
     
  36. moffa

    moffa Serious Server Member

    Can you try this on the dnsmasq configuration:
    addn-conf=/tmp/addnaddress

    and in the wanup page:

    echo 'address=/google.com/216.239.38.120
    address=/google.ac/216.239.38.120
    address=/google.ad/216.239.38.120
    address=/google.ae/216.239.38.120
    address=/google.com.af/216.239.38.120
    address=/google.com.ag/216.239.38.120
    address=/google.com.ai/216.239.38.120
    address=/google.al/216.239.38.120
    address=/google.am/216.239.38.120
    address=/google.co.ao/216.239.38.120' > /tmp/addnaddress
    service dnsmasq restart

    by the way you are missing a newline after g.cn so make sure you have a newline there.
     
  37. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Yeah.. that's just the complete list I want to add.. right now my dnsmasq looks like this... dnsmasq.JPG

    and Safe Search is working, but only on those google sites on that list.. I cannot use the full list because I do not have enough memory on my router so I need to create the list elsewhere, maybe in my computer and have the router point to it.. I am thinking of having a computer ON 24/7 so the host file is always accessible..but I need to know how to make that host file and for the router to point to it.
     
  38. jerrm

    jerrm Network Guru Member

    addn-conf is incorrect, it would be conf-file.

    Even then, a hosts file is the better solution for the google entries. No dnsmasq config changes needed. Using address= is like using a sledge hammer on a thumbtack.

    Also, dnsmasq will refuse to start if conf-file points to a non-existent file. Use of it needs to be deliberate and careful.
     
  39. moffa

    moffa Serious Server Member

    Thanks for that catch. I was thinking addn-hosts.

    The file only needs to be accessible during boot-up. If you leave your router on it should be fine.

    Setup Administration > CIFS Client to point to where the file is.
    Under Execute When Mounted add:
    Code:
    if [ -f /mnt/cifs1/sharename/filename ] ; then cp /mnt/cifs1/sharename/filename /tmp/filename; service dnsmasq restart; fi
    
    Which checks if cifs1/sharename/filename exists and if so, copies the file to your RAM (/tmp) and reloads dnsmasq.

    edit: fixed spacing

    edit 2:

    Yeah using the addn-hosts might be better where you setup the file with
    [ip address] [hostname]
    e.g. 216.239.38.120 google.com

    I still suggest having a conf file with cname because it's what google suggests. It might not be needed but might help anyways.
     
  40. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Guys.. I'm still very confused.. you guys are talking about CIFS and CNAME, but I don't know what those terms mean or are... also, the location of the hosts file needs to be at my computer?.. Sorry to be such a noob, but I'm trying my best to understand what you guys are talking about.

    I guess I need step by step on how to create a host file for what I need and have it point to the router or have the router point to the file in my computer... Thanks for your patience.
     
  41. jerrm

    jerrm Network Guru Member

    cname is pointless in this case.

    For a more bind-like dns server, a CNAME record would allow the target ip to be looked up dynamically, so if google changes the ip it would be picked up automatically.

    But...

    Dnsmasq's cname is crippled. The "target" host in dnsmasq must be one defined locally in a hosts file/dhcp/as an interface/etc, eliminating any benefit of using a cname record.
     
    moffa likes this.
  42. moffa

    moffa Serious Server Member

    The problem is that RAM is erased when your router is restarted. I thought of an easier way. Just upload your configuration to pastebin and then download it on startup. So forgetting everything else, paste it into there and get the RAW link.
    1) setup your hosts file on pastebin get the url, set expiry to never
    2) Under Administration, scripts, WAN UP paste (fixing the url):
    Code:
    if [ ! -f /tmp/addr ]; then wget -O /tmp/addr "http://pastebin.com/raw.php?i=SwPRHyJk"; fi
    if [ -f /tmp/addr ]; then echo 'conf-file=/tmp/addr' >> /tmp/etc/dnsmasq.conf; dnsmasq reload; fi
    
    hopefully that'll do it
     
  43. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I'm gonna do some research on what pastebin is.. gotta learn how to use it..
    is this what you mean .. http://pastebin.com/?

    when you say.."download it on startup"... what do you mean by that?
    Also, is the hosts file supposed to look or have a certain code inside or is it just a text document with something like this in it?

    address=/google.ac/216.239.38.120
    address=/google.ad/216.239.38.120
    address=/google.ae/216.239.38.120
    address=/google.com.af/216.239.38.120
    address=/google.com.ag/216.239.38.120
    address=/google.com.ai/216.239.38.120
    address=/google.al/216.239.38.120
    address=/google.am/216.239.38.120

    Sorry, it's that I need specifics on each step because I'm at a loss here.. thanks for your time.
     
  44. moffa

    moffa Serious Server Member

    Can you post an attachment with all of the servers you want? I'll set it up and then explain what I did.
     
  45. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    That would be super awesome! :)
    Thank you.!!
    I'm thinking of buying a router with USB capability.. do I need one?-- would it make it easier?

     
  46. moffa

    moffa Serious Server Member

    1) On the page: Advanced > DHCP/DNS in the dnsmasq Custom Configuration:
    Code:
    addn-hosts=/tmp/addr
    2) Under Administration, scripts, WAN UP paste (fixing the url):
    Code:
    if [ ! -f /tmp/addr ]; then wget -O /tmp/addr "http://pastebin.com/raw.php?i=6zZ7HRH8"; service dnsmasq restart; fi
    Hopefully it'll work
     
  47. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Thanks so much.. I have copied and pasted what you posted, but it doesn't seem to be working?
    what did you mean by "(fixing the url)"?

    Do I need to do anything besides copy and paste?
     
  48. moffa

    moffa Serious Server Member

    Nope, I matched the URL to the customized hosts file.

    if you login to the router and type ping google.com which IP shows up?

    Firefox / Chrome like to skip the hosts file, which is another problem. Maybe the Intercept DNS port (UDP 53) needs to be enabled to stop it.
     
  49. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    This is what I got..
    dnsmasq code.JPG
    wanup.JPG

    google ping.JPG

    After inputting those codes in there, I rebooted the router, but SafeSearch is not activated.
     
  50. moffa

    moffa Serious Server Member

    Can you go to System Commands, can you see if
    Code:
    cat /tmp/addr
    shows the file was added?
     
  51. moffa

    moffa Serious Server Member

    double post...
     
  52. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Nothing there...
    commands.JPG
     
  53. jerrm

    jerrm Network Guru Member

    Pretty sure it needs to be "www.google." and not just "google."

    umask in wanup can be problematic in some circumstances with ppp connections. The hosts file must be readable by "nobody," not sure if this will impact @Magdiel1975 or not, but probably safest to chmod the file appropriately.

    I still think building it via script makes the most sense if @Magdiel1975 can get up to speed on the basic edits required.
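Posts 42 and 46 fetch the hosts file over plain HTTP and hand it straight to dnsmasq, and the post above adds that the file must be readable by "nobody". The following is an added example, not code from the thread: a check that runs between the download and the dnsmasq restart. The function names are hypothetical, and the expected address is the SafeSearch IP quoted in the thread, passed in by the caller.

```shell
#!/bin/sh
# Added example: vet a fetched hosts file before dnsmasq is allowed to read it.
# Anything that is not "EXPECTED_IP www.google.<tld>" (an HTML error page, an
# edited paste, a different address) causes the whole file to be rejected.

# validate_hosts_file FILE EXPECTED_IP
validate_hosts_file() {
    file=$1 expected_ip=$2 count=0
    [ -s "$file" ] || return 1                  # missing or empty download
    while read -r ip name extra || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac # blank line or comment
        [ -z "$extra" ] || return 1             # exactly two fields per line
        # Pinning the address is the main control: the file cannot point
        # any name at a host other than the one the operator chose.
        [ "$ip" = "$expected_ip" ] || return 1
        case "$name" in
            www.google.*) tld=${name#www.google.} ;;
            *) return 1 ;;
        esac
        # The suffix may contain lower-case letters and single dots only.
        case "$tld" in
            ''|*[!a-z.]*|.*|*.|*..*) return 1 ;;
        esac
        count=$((count + 1))
    done < "$file"
    [ "$count" -gt 0 ]
}

# install_hosts_file SRC DEST EXPECTED_IP
# Validates SRC, then replaces DEST in one step with a world-readable copy
# (dnsmasq reads it as "nobody"). DEST is left untouched on any failure.
install_hosts_file() {
    src=$1 dest=$2
    validate_hosts_file "$src" "$3" || return 1
    tmp="$dest.new.$$"
    cp "$src" "$tmp" || return 1
    chmod 644 "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$dest"
}

# Demo on constructed input (not the thread's pastebin content).
demo_dir=$(mktemp -d)
printf '%s\n' '216.239.38.120 www.google.com' \
              '216.239.38.120 www.google.co.uk' > "$demo_dir/fetched"
printf '%s\n' '216.239.38.120 www.google.com' \
              '203.0.113.7 www.google.de' > "$demo_dir/tampered"
for f in fetched tampered; do
    if install_hosts_file "$demo_dir/$f" "$demo_dir/addr" 216.239.38.120; then
        echo "$f: installed"
    else
        echo "$f: rejected"
    fi
done
rm -rf "$demo_dir"
```

In a WAN Up script the download would go to a scratch path first, and dnsmasq would be restarted only when `install_hosts_file` succeeds.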
     
  54. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Can you elaborate with specific details on how to create the script.. I know it's been explained on the OP, but I just don't get it and do not understand.. there is a lot of wording I am not familiar with and that throws me off completely.

    Let me ask this.. Can't I have the hosts file on another pc that's ON 24/7 on my network?
    if yes, we can go that route and point the router to that PC?
     
  55. moffa

    moffa Serious Server Member

    It seems that the file isn't downloading. Can you try running the command manually and see if there is an error.

    try this url then (with the www) http://pastebin.com/raw.php?i=G0AbESTE

    In any case it's not downloading so that needs to be fixed first.
     
  56. jerrm

    jerrm Network Guru Member

    Yes it does.

    "google.com" and "www.google.com" can be different hosts. A hosts file will be very specific in how the names are resolved, and google is very specific on which host's address should be changed.

    "Google.com" will not work, it needs to be "www.google.com." This is tested, confirmed and in daily use at most of our sites where we disable ssl search using the same method.

    You may be thinking of the dnsmasq address directive. If the address directive is used to re-point "google.com" it will use the supplied address for ANYTHING that ends in "google.com." Again, this is the wrong thing to do as it will redirect too much traffic and break things.

    Below is a snippet of google queries from a site that has ssl search disabled. Many are the same, many are not. All would be identical if the address directive had been used on only "google.com"
    Code:
    googleapis.l.google.com 74.125.196.95
    www.google.com 216.239.32.20
    safebrowsing-cache.google.com <CNAME>
    safebrowsing.google.com <CNAME>
    add 173.194.219.136
    safebrowsing.cache.l.google.com 64.233.185.100
    sb.l.google.com 173.194.219.136
    clients4.google.com 208.67.222.222
    clients.l.google.com 173.194.219.100
    youtube-ui.l.google.com 173.194.219.136
    clients2.google.com 208.67.220.220
    android.clients.google.com 208.67.222.222
    android.l.google.com 64.233.185.100
    clients5.google.com 208.67.220.220
    tools.google.com 208.67.220.220
    tools.l.google.com 64.233.185.100
    googleadapis.l.google.com 64.233.185.95
    gstaticadssl.l.google.com 64.233.185.94
    apis.google.com 208.67.220.220
    plus.google.com 208.67.220.220
    plus.l.google.com 64.233.185.100
    support.google.com 208.67.220.220
    www3.l.google.com 64.233.185.100
    accounts.google.com 208.67.220.220
    books.google.com 208.67.220.220
    docs.google.com 208.67.220.220
    drive.google.com 208.67.220.220
    mail.google.com 208.67.220.220
    maps.google.com 208.67.220.220
    news.google.com 208.67.220.220
    play.google.com 208.67.220.220
    translate.google.com 208.67.220.220
    wallet.google.com 208.67.220.220
    accounts.l.google.com 64.233.185.84
    blogger.l.google.com 64.233.185.191
    googlemail.l.google.com 64.233.185.17
    news.l.google.com 64.233.185.100
    play.l.google.com 64.233.185.100
    clients1.google.com 208.67.220.220
    clients3.google.com 208.67.222.222
    id.google.com 208.67.222.222
    id.l.google.com 74.125.196.94
    nosslsearch.google.com 208.67.220.220
    appspot.l.google.com 173.194.219.141
    gmail-imap.l.google.com 173.194.219.108
    alt3-safebrowsing.google.com 208.67.222.222
    encrypted.google.com 0.0.0.0
    checkout.google.com 208.67.222.222
    checkout.l.google.com 173.194.219.115
    bks7.books.google.com 208.67.220.220
    bks9.books.google.com 208.67.220.220
    gmail-smtp-msa.l.google.com 2607:f8b0:4002:c03::6c
    google.com 208.67.222.222
    clients1.google.com.mylan 208.67.222.222
     
    moffa likes this.
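The scope difference described in the post above, between a hosts entry and the address directive, shown as an added example that is not part of the thread. It models the two matching rules in shell rather than calling dnsmasq; the function names are hypothetical, the query names are taken from the snippet in the post, and `notgoogle.com` is a constructed name. Names are assumed to be lower-case.

```shell
#!/bin/sh
# Query names from the snippet above, plus one constructed name
# (notgoogle.com) to show that the directive matches on whole labels.
SAMPLE_NAMES="www.google.com google.com mail.google.com accounts.google.com
safebrowsing.google.com clients4.google.com play.google.com notgoogle.com"

# address=/DOMAIN/IP answers for DOMAIN itself and for every name below it.
address_directive_matches() {   # DOMAIN NAME
    case "$2" in
        "$1"|*".$1") return 0 ;;
    esac
    return 1
}

# A hosts-file line "IP NAME" answers for NAME only.
hosts_entry_matches() {         # ENTRY NAME
    [ "$1" = "$2" ]
}

# overridden_names MATCHER KEY
# Prints, space-separated, the sample names MATCHER would answer locally.
overridden_names() {
    matcher=$1 key=$2 out=""
    for n in $SAMPLE_NAMES; do
        if "$matcher" "$key" "$n"; then
            out="$out${out:+ }$n"
        fi
    done
    printf '%s\n' "$out"
}

echo "hosts entry www.google.com  -> $(overridden_names hosts_entry_matches www.google.com)"
echo "address=/www.google.com/    -> $(overridden_names address_directive_matches www.google.com)"
echo "address=/google.com/        -> $(overridden_names address_directive_matches google.com)"
```

Only the last form captures mail, accounts, safebrowsing and the other Google hosts, which is the breakage the post warns about.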
  57. moffa

    moffa Serious Server Member

    Yup I was thinking of the address and server features.

    Fixed the pastebin file above
     
  58. peyton

    peyton LI Guru Member

    Could it be possible to edit the host file directly (with ssh nano or winscp) to add them in it or it is write protected ?
     
  59. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    @moffa
    This code worked like a charm..Placed it under Init.

    tlds="com ae af ag off.ai am ar as at au az ba bd be bg bi bo br bs bw bz ca cd cg ch ci co.ck cl co co.cr cu de dj dk dm do ec es et fi fj fm fr gg gi gl gm gr gt hk hn hr co.hu co.id ie co.il co.im co.in is it co.je jm jo co.jp co.ke kg co.kr kz li lk co.ls lt lu lv ly mn ms mt mu mw mx my na nf ni nl no np nr nu co.nz om pa pe ph pk pl pn pr pt py ro ru rw sa sb sc se sg sh sk sn sm sv co.th tj tm totp tr tt tw ua co.ug co.uk uy uz vc co.ve vg co.vi vn vu ws co.za co.zm"

    mkdir -m 777 -p /tmp/etc/dnsmasq/hosts

    {
        for tld in $tlds
        do
            echo "216.239.38.120 www.google.$tld"
        done
    } > /tmp/etc/dnsmasq/hosts/safesearh.hosts


    The only thing I just realized is that it seems Tomato does not block HTTPS sites. I have a few sites listed under "Access Restrictions" and if I type the url and try to go, it is blocked, but if I change the http to https I can go right in... Any idea of how to make Tomato block both... maybe this is for another forum no?
     
  60. moffa

    moffa Serious Server Member

    Glad you finally got it working. You don't need the mkdir command though.

    It can't block https because it can't read the page, https is encrypted. There are other ways to append the url. I'll post it after.
     
    Last edited: Apr 15, 2015
  61. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    wow.. so there's no way around huh?
    Basically making all this for nothing lol - all my kids have to do is add an "s" to http and they can access anything they pretty much want.
     
  62. lancethepants

    lancethepants Network Guru Member

    That's what we'd do 10 years ago in high school to get around the district's gmail block.
     
  63. jerrm

    jerrm Network Guru Member

    The mkdir is needed.

    Init is run before Tomato initializes dnsmasq, the folder will not exist and must be created.
     
  64. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Well guys, I was so bummed out because of the https issue, but I started using OpenDns Home and blocked access to all search engines, except google.com and now I am back in business.
    I was using Family Shield which is also OpenDns, but it was only blocking 4 categories. I used to use opendns Home, but It was conflicting with youtube apps and a few other android apps preventing them from connecting, so I stopped using the Home version a while back and went to Family Shield..but now, I am back with the Home version which lets you add a bunch of categories and allows for blacklist/whitelist. I added a few domains to whitelist so Youtube app and other apps would work.. everything seems to be working and NO ACCESS TO HTTPS BLOCKED DOMAINS.. I'm back to being a happy camper :)
     
  65. peyton

    peyton LI Guru Member

    Any news about blocking https website ?
     
  66. peyton

    peyton LI Guru Member

    [double post]
     
  67. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    Sorry to jump in mid queue, but are we loosely saying, that if you have a long list of say:

    dhcp-host=0E:99:99:99:99:02, host002
    dhcp-host=0E:99:99:99:99:03, host003
    dhcp-host=0E:99:99:99:99:04, host004
    ......
    dhcp-host=0E:99:99:99:99:99, host099

    typed into:

    [GUI] Advanced -> DHCP/DNS

    And then because of the length of entries you'll get a text input string length error when you attempt to save this long list of DHCP entries at the GUI interface.

    Then..

    You can't use any of the existing /etc/dnsmasq files as they'll be overwritten on a reboot.

    So...

    If you want to enter a long list of host dhcp entries you have to write your own startup script to add the long list of dhcp entries.????

    Is there an option in the dnsmasq TomatoUSB start-up that can point to a file that remains after a reboot which can load the long list of dhcp entries without having to write a script to loop through the entries to add them???

    From what I'm reading it looks like I'm just asking the same thing as the OP.
     
  68. jerrm

    jerrm Network Guru Member

    Some script will be involved. Nothing outside of NVRAM survives a reboot. If you have persistent storage available, create the file and copy it to /etc/dnsmasq.custom at startup. Dnsmasq.custom will be appended to dnsmasq.conf anytime the service is restarted.
     
    Dr Strangelove likes this.
  69. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    use OpenDns for that.. works great.
     
  70. koitsu

    koitsu Network Guru Member

    It cannot easily be done with reliability. The full details are hashed out here: http://www.linksysinfo.org/index.ph...ccess-restriction-block-https-websites.45988/

    The netfilter module in question (which can match raw strings, hence SSL SNI header) does work, but the chance of false positives is extremely high -- which is why Shibby, Toastman, etc. do not use it as a replacement for xt_web. (xt_web works fine for HTTP because it actually parses out header and some payload data. A module that parses SSL data is more complicated because of the varying nature of SSL payload -- it is not as easy as "always look for packets on port X, byte offset Y")

    That's the entire point of SSL anyway -- to do encryption as much as possible so the payload/etc. cannot be examined "in the middle" (between client and server)... :p

    A proxy server (ex. squid) would be able to do what you want, but the performance hit tends to be quite high (squid is mainly intended for desktop or server-grade PCs given its CPU, disk space, and RAM requirements).
     
  71. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I use a combination of Shibby Tomato and OpenDns.. so far, it's been working great...so basically the websites that cannot be blocked in Tomato, OpenDns blocks them.

    Koitsu.. I have a question.. google SafeSearch is working great with my settings, per previous posts...but I would like to do the same thing for Bing..

    Right now, I have
    address=/www.bing.com/204.79.197.220 inside Dnsmasq Custom configuration and it is working fine.. it is forcing safe search on Bing.com...but bing says to use a CNAME approach instead, but I have never worked CNAMES before.. can you help me point www.bing.com to bing.safesearch.com

    Bing says..."To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.bing.com to be a CNAME for strict.bing.com. You’ll want to use a CNAME rather than the strict.bing.com IP as the CNAME will continue to work even if the IP for strict.bing.com changes. "

    can you help me with this?
     
  72. gfunkdave

    gfunkdave LI Guru Member

    See the DNSMasq manpage.

    Code:
    --cname=<cname>,<target>[,<TTL>]
    Return a CNAME record which indicates that <cname> is really <target>. There are significant limitations on the target; it must be a DNS name which is known to dnsmasq from /etc/hosts (or additional hosts files), from DHCP, from --interface-name or from another --cname. If the target does not satisfy this criteria, the whole cname is ignored. The cname must be unique, but it is permissable to have more than one cname pointing to the same target.
    
    If the time-to-live is given, it overrides the default, which is zero or the value of -local-ttl. The value is a positive integer and gives the time-to-live in seconds.
    
    So adding

    Code:
    cname=www.bing.com,strict.bing.com
    to Advanced DNSMasq options should do it.
     
  73. jerrm

    jerrm Network Guru Member

    Unfortunately not. The target must be locally defined.
     
  74. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    No.. that didn't work :(
     
  75. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Hi jerm..
    Do you mean, this is something I would define if I had a server or can I do this within the router? if so, how do I go about doing that?
     
  76. jerrm

    jerrm Network Guru Member

    It can't be done with dnsmasq as a cname.

    Schedule something like this at a reasonable interval:
    Code:
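    host=strict.bing.com
    hostfile=/etc/dnsmasq/hosts/safebing.host
    # Current address of the SafeSearch host (last line of nslookup output)
    newip="$(nslookup "$host" | tail -n 1 | cut -d' ' -f 3)"
    # Address already written to the hosts file, if any
    oldip="$(head -n 1 "$hostfile" 2>/dev/null | cut -d' ' -f 1)"
    # Failed lookup: keep the existing entry rather than writing junk
    case "$newip" in ''|*[!0-9A-Fa-f.:]*) exit ;; esac
    [ "$newip" = "$oldip" ] && exit
    echo "$newip www.bing.com" > "$hostfile"
    # SIGHUP makes dnsmasq re-read its hosts files
    kill -HUP $(pidof dnsmasq)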
    
     
  77. gfunkdave

    gfunkdave LI Guru Member

    Sorry, yes I realized that after the fact. You can add a static map in the static dhcp page for strict.bing.com and 204.79.197.220, which will put it in your hosts file. Assuming Microsoft doesn't change the IP, you shouldn't need anything more.
     
  78. jerrm

    jerrm Network Guru Member

    Hardcoding an IP defeats the purpose of setting it as a cname. The whole point of using a cname is that if MS changes the IP for strict.bing.com it gets picked up automatically.
     
  79. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    I guess I'm a bit confused.. not sure exactly what you mean by scheduling.. and where do I do that in the router?
     
  80. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Isn't there an iptable I can use to redirect a cname?
     
  81. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    isn't that pretty much the same as putting
    address=/www.bing.com/204.79.197.220 in Dnsmasq?
     
  82. jerrm

    jerrm Network Guru Member

    Under the Administration menu item.
     
  83. jerrm

    jerrm Network Guru Member

    No.
     
  84. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    you mean under Init?
    if so, I already have something in there for Google SafeSearch.. will it matter if I put your code in there as well?
     
  85. jerrm

    jerrm Network Guru Member

    No, under Administration->Scheduler.

    It won't work under init because the wan needs to be active to lookup the IP.

    If you have persistent storage save it as a script, call it from wan-up and also schedule every 30 minutes or so.
     
  86. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    so adding this to Init wont' work?

    tlds="com"

    mkdir -m 777 -p /tmp/etc/dnsmasq/hosts

    {
        for tld in $tlds
        do
            echo "204.79.197.220 www.bing.$tld"
        done
    } > /tmp/etc/dnsmasq/hosts/strict.bing.hosts


    It seems to be working... but I'm in the same boat right?.... meaning if the IP changes, that command in Init will stop working right?
     
  87. jerrm

    jerrm Network Guru Member

    Exactly. May be a non-issue, but if it does change and you want to emulate the cname functionality you need to schedule updates.
     
  88. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    So does that mean that adding that command in Init would be the same as adding
    "address=/www.bing.com/204.79.197.220"
    in Dnsmasq?

    What would be the benefit of adding the command in Init and adding it in DnsMasq, if they both do the same thing?
     
  89. jerrm

    jerrm Network Guru Member

    Probably functionally the same in practice, with the exception the address directive will catch ALL hosts ending in www.bing.com (if any others exist), not just "www.bing.com" itself, so could potentially have unintended consequences.
     
  90. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    got it..
    I think I'm just going to put it back how I had it in DnsMasq because to think of it, how often do they change their ip address to safe or strict search?.. I mean, google has had the same IP for SafeSearch for years now...

    I also have a Linksys e2000 which doesn't have much memory.

    Thanks for your help and patience jerm.. really appreciate it.
     
