how to use alternate DNS for specific clients?

Discussion in 'Tomato Firmware' started by bimmerm3m5, May 16, 2018.

  1. bimmerm3m5

    bimmerm3m5 Network Guru Member

    Hi experts, I recently signed up for a trial of Unlocator which is a DNS service that attempt to avoid the geolocation challenges when being outside the US for things such as Netflix, Hulu, etc. I'll say up-front, I don't want to discuss the merits, security issues, etc of this service...

    I am not comfortable forwarding all DNS requests on my network to this provider, so I am interested in using specific DNS servers just for my media devices such as Apple TV, Roku, etc.

    I've toyed with dnsmasq commands (finding some useful things on this forum), which do set the DNS correctly on each client, however, I don't believe this works 100%, as I am using the Internal DNS in Tomato, with the Intercept DNS option selected. Especially on intercepts, it will forward to my local DNS server, which then uses my default ISP DNS servers. It also seems to conflict with the Static IP assignments.

    How would I redirect DNS requests for a specific IP or MAC? Can this be accomplished via Firewall rules?

  2. Sean B.

    Sean B. LI Guru Member

    Dnsmasq doesn't have a feature that allows forwarding queries to a specific server based on the client that sent the query. Here are the options:

    1. Add iptables rules that bypass the DNS intercept for your media devices. Add a dhcp-host directive for each media device and use the set:tag option of that directive to add a tag ( something like: media ). Then, use a dhcp-option directive matching on the media tag to configure the IP of the Unlocator server as the DNS server for the media devices when they receive their DHCP lease.

    2. If you know the domains of the sites you'll be using this for ( ie: , etc ) you can use a server directive to send all queries for specified domains to a specific DNS server. For example: server=/ would forward queries from any client for or any of its subdomains to the DNS server .

  3. ruggerof

    ruggerof Network Guru Member

    First make static IP reservations for the hosts you want to use Unlocator, in the example below they are in the range of to

    In the DNSMasq Custom Configuration.

    # Set IP Addresses from the interval to as smartdns
    # Set DNS Servers of and for smartdns
    Change the Google DNS to Unlocator in the example above.

    I am not sure if it would work with DNS intercept checked. You might need to uncheck this option.

  4. eibgrad

    eibgrad Network Guru Member

    From my reading of the OP's post, I don't think the problem is getting specific clients to use the alternate DNS (that according to the OP is already working). The issue is the desire to continue intercepting DNS for the rest of the network, but making exceptions for those clients using the alternate DNS.

    All it should require is adding intercept rules of your own for those devices (let's assume the alternate DNS is

    iptables -t nat -I PREROUTING -p tcp -s --dport 53 -j DNAT --to
    iptables -t nat -I PREROUTING -p udp -s --dport 53 -j DNAT --to

    If you prefer, you could instead base it on the MAC address, thus eliminating the need for static leases.

    iptables -t nat -I PREROUTING -p tcp --dport 53 -m mac --mac-source 00:2A:D5:47:2A:AA -j DNAT --to
    iptables -t nat -I PREROUTING -p udp --dport 53 -m mac --mac-source 00:2A:D5:47:2A:AA -j DNAT --to

    Frankly, you don't even need to change DNSMasq in either of these examples since each will *unconditionally* change any DNS request from this client to your alternate DNS public IP. So the changes required are quite minimal. And you should be able to keep DNS interception enabled in the GUI without it or you affecting the other.
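    The per-client DNAT approach from the post above, written up as a small POSIX sh script (an added example, not eibgrad's or Tomato's own code). It accepts either an IP or a MAC as the client selector, refuses IPv4 octets with leading zeros (the parsing problem that comes up later in this thread), and only prints the rules unless APPLY=1 is set; the client 192.168.1.50 and the resolver 203.0.113.53 are placeholder values.

```shell
#!/bin/sh
# Emit (or, with APPLY=1, execute) nat PREROUTING DNAT rules that send port-53
# traffic from selected LAN clients to an alternate resolver. "-I" puts them
# ahead of Tomato's own intercept rule, so the rest of the LAN stays intercepted.
# Client 192.168.1.50 and resolver 203.0.113.53 below are assumed placeholders.

# Accept dotted-quad IPv4 only; octets with leading zeros (e.g. 010) are
# rejected because they trip up the iptables address parser.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^(0|[1-9][0-9]?[0-9]?)$/ || $i > 255) exit 1 }'
}

valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# dns_redirect_rules <client-ip-or-mac> <resolver-ip>
# Prints one iptables command per protocol (tcp and udp) on stdout.
dns_redirect_rules() {
    client=$1; resolver=$2
    valid_ipv4 "$resolver" || { echo "bad resolver: $resolver" >&2; return 1; }
    if valid_ipv4 "$client"; then
        match="-s $client"                      # needs a static lease/reservation
    elif valid_mac "$client"; then
        match="-m mac --mac-source $client"     # no static lease needed
    else
        echo "bad client selector: $client" >&2; return 1
    fi
    for proto in tcp udp; do
        echo "iptables -t nat -I PREROUTING -p $proto --dport 53 $match -j DNAT --to $resolver"
    done
}

# Default is a dry run so the rules can be reviewed first. With APPLY=1 the
# printed rules are executed, e.g. from Tomato's Firewall script:
#   APPLY=1 sh <this script> 192.168.1.50 203.0.113.53
if [ "${APPLY:-0}" = 1 ]; then
    dns_redirect_rules "$@" | while read -r cmd; do eval "$cmd"; done
fi
```

    After applying, `iptables -t nat -vnL PREROUTING` should list the two DNAT rules above Tomato's own entries; if they are absent, the script was not run from the firewall hook.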
  5. bimmerm3m5

    bimmerm3m5 Network Guru Member

    eibgrad has exactly what I was looking to do, however, when I apply this to the Firewall tab and reboot, it prevents any DNS requests from coming through. Does it need to be applied to one of the other tabs?

  6. eibgrad

    eibgrad Network Guru Member

    Dump the firewall.

    iptables -t nat -vnL PREROUTING

  7. bimmerm3m5

    bimmerm3m5 Network Guru Member

    Chain PREROUTING (policy ACCEPT 99 packets, 5984 bytes)
    pkts bytes target prot opt in out source destination
    281 19785 WANPREROUTING all -- * * x.x.x.x #my wan IP
    0 0 DROP all -- ppp0 *
    280 19753 upnp all -- * * x.x.x.x #my wan IP

  8. eibgrad

    eibgrad Network Guru Member

    I don't see the rules in the dump. In fact, I don't see the rules automatically applied either when you check the "intercept DNS port" option in the DHCP/DNS section. Do you have that option enabled? I thought that was your intent for the rest of the network.

    Let's see the actual rules you applied.

  9. bimmerm3m5

    bimmerm3m5 Network Guru Member

    Sorry, I had dropped the setting to get things working again. Here it is:

    Strangely, I didn't use this DNS server...weird that it shows a different IP:

    EDIT: user error. I guess typing the leading zeros in the IP was not liked. I took those away, and it seems to be working better.

  10. eibgrad

    eibgrad Network Guru Member

    Don't use leading zeros, that confuses the iptables parser. Just use and it should work.