Assign specific DNS to only certain clients

Discussion in 'Tomato Firmware' started by jubei_nj, Aug 8, 2013.

  1. jubei_nj

    jubei_nj Addicted to LI Member

    Hi all,
    Love Tomato. I want to set a specific DNS for a specific range of IP addresses. All other IPs should go to the default DNS. Is this the way I would do it? In Advanced -> DNS/DHCP -> DNSMASQ options

    Thank you!
  2. koitsu

    koitsu Network Guru Member

    Looks correct to me. Comments in passing (i.e. opinions below):

    * Could put both the DNS servers on the same dhcp-option line (comma-delimited),
    * As usual, I recommend using DHCP option names instead of numbers, i.e. dns-server instead of 6. For a list of what strings/names you can use, run dnsmasq --help dhcp.
  3. jubei_nj

    jubei_nj Addicted to LI Member

    Thank you! So this is what I've got...changed it up a little... I wanted to set this for just my Roku:

    If I ever want to add another MAC address to the red tag, can I just add it with a comma?:

    Someone else is trying to do the exact same thing as me. Does this seem right?:
  4. koitsu

    koitsu Network Guru Member

    First part of your question: yes, those 2 lines look correct.

    Second part of your question: no, you cannot do that. You need a separate dhcp-host line for every entry; multiple MACs on a single line is not supported. Please read (do not skim) the dnsmasq manual for the --dhcp-host description and it will become quite apparent once you look at the usage syntax.

    For dnsmasq configuration concerns, questions, etc. please refer to the official dnsmasq site (help/etc. is at the bottom of the page).
  5. jubei_nj

    jubei_nj Addicted to LI Member

    I really appreciate your help. Thank you.
  6. koitsu

    koitsu Network Guru Member

    No problem!

    P.S. -- Love your avatar. Goonies is one of my favourite movies. :)
    jubei_nj likes this.
  7. JAC70

    JAC70 LI Guru Member

    Thanks for the tip, guys. This will save me having to enter the OpenDNS IPs manually on all the kids' devices. Should this be used with Intercept DNS port (UDP 53) to prevent them from changing DNS servers manually?
  8. jerrm

    jerrm Network Guru Member

    No, that will just redirect the opendns clients back to the default dns server on the router and effectively negate your dhcp assignment efforts.

    If the kids are savvy enough to change dns servers manually, you probably need to add firewall rules only allowing DNS traffic to opendns.
  9. JAC70

    JAC70 LI Guru Member

    Thanks, jerrm. They're not that savvy yet, thankfully. :)
  10. zavar

    zavar Networkin' Nut Member

    I came across this thread recently and it was really helpful for a similar setup that I wanted to do. Thanks to all for the contributions! In my case, what I found with using dhcp-host was that my static IP assignments would not work for IPs outside of the DHCP IP range. Hosts would still get an IP, but they would be assigned one within the DHCP IP range.

    I looked further into the Dnsmasq manual (thanks for the link koitsu) and experimented with a couple of alternate custom dnsmasq setups. The dhcp-host line in dnsmasq terms isn't just for tagging hosts to use the alternate DNS settings, it also seems to imply some configuration for the host. I ended up using the dhcp-mac option, which is just used for assigning hosts to a specific tag. My dnsmasq configuration looks like this:

    # Assign alternate DNS for select hosts
    # Set Specific Clients to be affected
    dhcp-mac=set:altdns,XX:XX:XX:XX:XX:XX #PC 1
    dhcp-mac=set:altdns,YY:YY:YY:YY:YY:YY #PC 2

    # Set Alternate DNS

    I know it's an old thread, just hoping that this might help someone else out in the future.
    Tibor1, eahm, kyphos and 4 others like this.
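As an added example (not code posted in the thread), here is the dhcp-mac/tag form zavar arrived at, wrapped in a small script together with koitsu's two earlier tips (use option names rather than numbers, and put all servers for a tag on one comma-separated dhcp-option line). Run it on any machine and paste its output into Tomato's Dnsmasq custom configuration box. The tag name altdns is zavar's; the MAC addresses and the resolver addresses (RFC 5737 documentation range) are placeholders to replace, and the is_mac check is my own addition.

```shell
#!/bin/sh
# Added example, not from the thread: prints the dnsmasq custom-config lines
# that give selected clients (by MAC) a different DNS server than the rest
# of the LAN. Edit the three variables, run it, and paste the output into
# Tomato's Advanced -> DHCP/DNS -> Dnsmasq custom configuration box.

TAG="altdns"                                    # tag name used by zavar
ALT_DNS="192.0.2.53,192.0.2.54"                 # placeholders (RFC 5737): your alternate resolvers
ALT_MACS="00:11:22:33:44:55 66:77:88:99:AA:BB"  # placeholders: clients to tag, space-separated

# Accept exactly one six-octet, colon-separated MAC address.
is_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit the config. Each client gets its own dhcp-mac line (dhcp-mac only
# tags the client; dhcp-host=MAC,set:TAG also tags it but, as zavar found,
# doubles as per-host DHCP configuration). The servers for the tag all go
# on ONE dhcp-option line, comma-separated, using the option name
# dns-server instead of its number 6.
altdns_config() {
    echo "# Clients that get the alternate DNS, one line per MAC"
    for mac in $ALT_MACS; do
        if ! is_mac "$mac"; then
            echo "altdns_config: not a single MAC address: $mac" >&2
            return 1
        fi
        echo "dhcp-mac=set:$TAG,$mac"
    done
    echo "# Alternate DNS handed to every client tagged $TAG"
    echo "dhcp-option=tag:$TAG,option:dns-server,$ALT_DNS"
}

altdns_config
```

Untagged clients keep whatever the Basic -> Network DNS settings hand out, so the default stays unrestricted. Swapping the roles (filtering resolvers as the default, a tag for the exceptions) gives the whitelist arrangement JeffD argues for later in the thread. Either way, this only works for clients that honour the DHCP option, which is jerrm's point about savvy kids.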
  11. Holy_Hunter

    Holy_Hunter Networkin' Nut Member

    Thank you, sir. Helped me a lot!
  12. Sunspark

    Sunspark LI Guru Member

    Resurrecting this thread again.

    Netflix and Chromecast are now performing in-app public lookups.

    In addition to the material covered in this thread, which is how to assign a DNS server to a specific device rather than the entire network, here is a snippet of code to stuff in your Firewall script tab.

    You need to edit this to reflect your device's MAC address and, of course, the destination DNS address.

    iptables -t nat -A PREROUTING -m mac --mac-source 6c:ad:aa:aa:aa:aa -d -j DNAT --to-destination
    iptables -t nat -A PREROUTING -m mac --mac-source 6c:ad:aa:aa:aa:aa -d -j DNAT --to-destination

    Current IPs for Netflix that need redirecting in Canada are:

    Change the destination IP to your own redirector. Add more lines for the rest of the blocks. You need the firewall code if you are separating 1 device for redirection.

    If you have the whole network behind it, then none of this thread matters. All you need to do in that case is enter your DNS redirector server IPs in the Basic -> Network DNS tab, and on DNS/DHCP check Intercept DNS port 53 and uncheck use-received, and you're done.
  13. timdd

    timdd New Member Member

    I have my router set up with this configuration:
    .eth1(wl0) main access point LAN(br0) (DHCP: 192.168.2 -
    .wl0.1 2nd access point LAN(br1) 2 DEVICES CONNECT TO THIS (DHCP: -
    What I'm trying to do is to block the 2 devices on wl0.1 from accessing adult sites....
    I put the code above with the 2 MAC addresses of the 2 devices and also with Yandex DNS, but it does not work. Do I need to check or uncheck any other option in the router settings? Please advise.
    Sorry, I'm a newbie to all this.
  14. JeffD

    JeffD Serious Server Member

    Just an idea thinking about the problem of a parent restricting children I came across this thread and have a slightly different approach to what others might consider for setting up the router's DNS values.

    It may be better to make the kid-safe DNS the router's default and add exceptions for the parents' devices. This way, as long as the parent can keep the kids from becoming admins, there's less chance they will accidentally get access to the unrestricted DNS addresses. As new devices (Xbox One replaces 360, PS3, PS4, etc.) come online, by default they are restricted until the parent whitelists them into the unrestricted DNS list.
  15. sithfish

    sithfish Serious Server Member

    By using iptables you can use a transparent DNS for selected devices, so even if your child knows how to change the DNS on their computer it won't be effective.

    Sent from my A0001 using Tapatalk
  16. JeffD

    JeffD Serious Server Member

    I like the idea of the transparent filtering, but wouldn't this still exhibit the same problem when a kid either gets a new device or figures out how to spoof a MAC to just get around the iptables rule chain? (The MAC spoofing is a bit extreme and is just mentioned as an example.)

    I guess my question is whether there's any advantage to a child blacklist or a parent whitelist for parents to do what they want. I suspect there is no performance difference if this is done at DHCP, and a kid without admin access shouldn't be able to change the IP manually. There'd also be a bit of extra work in the iptables chain for the better protection, which depends on the traffic.
  17. sithfish

    sithfish Serious Server Member

    Create a vlan for the children to connect to. Use a transparent DNS on that network?

    Sent from my Nexus 7 using Tapatalk
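An added example, not code from the thread, that turns the iptables approach jerrm, Sunspark and sithfish describe into a complete script for Tomato's Firewall tab, arranged the way JeffD prefers: every LAN client's port-53 traffic is rewritten to the filtering resolver and only the listed parent devices are exempt, so a new console or an app with a hard-coded public resolver is filtered by default and Sunspark's per-destination rules are not needed. The resolver address 192.0.2.53 (RFC 5737 documentation range), the bridge name br0, the parent MACs and the chain name FORCE_DNS are my assumptions to edit.

```shell
#!/bin/sh
# Added example, not from the thread: Tomato "Firewall" script that forces
# every LAN client's DNS to a filtering resolver, except listed parent MACs.
# The values below are placeholders; edit them before use.

FILTER_DNS="192.0.2.53"                           # filtering resolver (placeholder, RFC 5737)
LAN_IF="br0"                                      # Tomato's LAN bridge
PARENT_MACS="AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:02" # devices that keep their own DNS (placeholders)
CHAIN="FORCE_DNS"                                 # our own nat chain
IPT="${IPT:-iptables}"                            # IPT="echo iptables" prints rules instead of loading them

dns_rules() {
    # Own chain so the script can be re-run (Tomato re-runs it on WAN up).
    $IPT -t nat -N "$CHAIN" 2>/dev/null
    $IPT -t nat -F "$CHAIN"

    # Exceptions first: parents' devices leave the chain before any DNAT.
    for mac in $PARENT_MACS; do
        $IPT -t nat -A "$CHAIN" -m mac --mac-source "$mac" -j RETURN
    done

    # Queries already aimed at the filtering resolver pass unchanged.
    $IPT -t nat -A "$CHAIN" -d "$FILTER_DNS" -j RETURN

    # Everything else on port 53, UDP and TCP, is rewritten to the filter,
    # whatever resolver the client (or an app with a hard-coded one) asked for.
    for proto in udp tcp; do
        $IPT -t nat -A "$CHAIN" -p "$proto" --dport 53 -j DNAT --to-destination "$FILTER_DNS"
    done

    # Hook the chain into PREROUTING for traffic arriving from the LAN bridge
    # (delete first so a re-run does not add a second jump).
    $IPT -t nat -D PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null
    $IPT -t nat -I PREROUTING -i "$LAN_IF" -j "$CHAIN"
}

# Tomato runs the Firewall tab as root with iptables present, so apply the
# rules. Anywhere else (or with IPT="echo iptables") only print them.
if [ "$IPT" = iptables ] && { [ "$(id -u 2>/dev/null)" != 0 ] || ! command -v iptables >/dev/null 2>&1; }; then
    IPT="echo iptables"
fi
dns_rules
```

Leave Tomato's own "Intercept DNS port" box unchecked: as jerrm notes, that feature rewrites everyone to the router's dnsmasq and would compete with these rules. The MAC exemptions are only as strong as the MAC, which is JeffD's spoofing point, and, like any port-53 rewrite, this does nothing for clients that resolve over DNS-over-HTTPS or DNS-over-TLS.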