Using OpenDNS for select mac addresses

Discussion in 'Tomato Firmware' started by riveral, Aug 19, 2008.

  1. riveral

    riveral Addicted to LI Member

    I am currently running a Linksys WRT54GL with the latest tomato firmware.

    I have a network of 5 computers that I want to use OpenDNS with for content filtering. However, there are 2 computers in the network that I want to exclude from OpenDNS's filtering. How can I tell Tomato to only use OpenDNS for the computers that I want to manage?
  2. kevanj

    kevanj LI Guru Member

    I am not sure it is possible with the available options in DNSMASQ.
    If you are not concerned about the other 3 computers being able to modify their TCP config to bypass the DHCP assigned DNS server info, you could just specify that the two boxes you don't want to use OpenDNS use the DNS of your choice. The others will still be assigned DNS servers via DHCP (if you have it configured that way), however you will not be able to use the "Intercept port 53" feature in Tomato (otherwise those two machines' DNS requests will be intercepted).
  3. retrogunner

    retrogunner Guest

    Here's a hint: OpenDNS only affects those computers that use OpenDNS servers for its DNS resolution.

    So on that premise, leave your Tomato configuration using OpenDNS and use the DDNS update feature to auto-update your OpenDNS account with your router's IP Address.

    Then on those two computers you don't wish to use OpenDNS, edit their TCP/IP properties or resolv.conf to use different DNS Name Servers (such as your ISP's, GoDaddy's, whatever). An alternative is to also use an OpenDNS competitor for your 2 machines' DNS Resolution (such as PowerDNS) so those machines aren't subject to DNS poisoning, but not restricted by your OpenDNS settings.

    That's all there is to it. Any computer on your home network will only be affected by OpenDNS _IF_ that machine uses OpenDNS for its Name Resolution (which would be handed to a machine using your router's settings.)

    Don't forget though, this solution also means if your kids or such figure out how to change their TCP/IP DNS properties, OpenDNS won't do you any good - no way, no how. Most kids are savvy and smart. If they are determined it's just a matter of time. Educating them on the why we do & don't could help deter them from changing their DNS settings.

    Later, Retro.
  4. regular

    regular LI Guru Member

    Does Tomato's intercept port 53 work to prevent the workaround?
  5. TexasFlood

    TexasFlood Network Guru Member

    You could do it that way. Just make sure you don't tick "Intercept DNS Port (UDP 53)" under "Advanced -> DHCP / DNS" or all DNS requests will get intercepted and sent to the router defined DNS servers. And realize with this unticked that the other computer users can also statically set their DNS if they know how.

    Oh and to make sure you're going to OpenDNS, also under "Advanced -> DHCP / DNS", either untick "Use Received DNS With Static DNS" or tick it and put "strict-order" in the "Dnsmasq Custom Configuration" box.

    FYI, if you want to see your ISP provided DNS servers, telnet/ssh in and do:
    "nvram get wan_get_dns"
  6. riveral

    riveral Addicted to LI Member

    Awesome, this is going to work perfectly. Thanks for your help.
  7. mstombs

    mstombs Network Guru Member

    You could modify the equivalent iptables command Tomato uses for DNS capture/redirection to only redirect your desired OpenDNS clients.

    Or you could use Tomato's capture/redirect and INSERT firewall rules to allow only your non-OpenDNS clients to make external requests to DNS servers.
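
The second approach in the post above, sketched as an added example that is not part of the original thread: a small generator that prints one exemption rule per unfiltered computer and rejects the whole list if any MAC is malformed. It assumes Tomato's intercept is a DNAT rule in the nat table's PREROUTING chain, that the LAN bridge is `br0`, and that the firmware's iptables has the `mac` match; the MAC addresses and the names `gen_rules` and `valid_mac` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: prints iptables commands, runs none.
# Assumptions: "Intercept DNS Port (UDP 53)" stays ticked, the LAN bridge
# is br0, and the firmware's iptables includes the "mac" match.
LAN_IF="br0"
# Constructed placeholder MACs for the two unfiltered computers.
EXEMPT_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"

# True only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print one exemption rule per MAC in $1 (space-separated).
gen_rules() {
    # Validate the whole list first so a typo yields no partial rule set.
    for mac in $1; do
        valid_mac "$mac" || { echo "malformed MAC: $mac" >&2; return 1; }
    done
    for mac in $1; do
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        # -I inserts ahead of Tomato's DNAT rule in nat/PREROUTING; ACCEPT
        # ends NAT handling there, so this client's query is not redirected.
        echo "iptables -t nat -I PREROUTING -i $LAN_IF -p udp --dport 53" \
             "-m mac --mac-source $mac -j ACCEPT"
    done
}

gen_rules "$EXEMPT_MACS"
```

The printed commands need to be re-applied each time the router rebuilds its firewall, so they belong in the router's firewall script rather than a one-off telnet/ssh session.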
  8. rhester72

    rhester72 Network Guru Member

    From very lightly browsing the dnsmasq man page, it looks like you can specify which upstream servers to push for DNS based on MAC, which I believe would meet your requirement (assuming you are pushing OpenDNS servers to the client rather than letting Tomato proxy for you).
