Whitelist Specific MAC from DNS

Discussion in 'Tomato Firmware' started by threehappypenguins, Feb 28, 2018.

  1. threehappypenguins

    threehappypenguins Networkin' Nut Member

    I read this thread, but I am unsure on how to "reverse" it: http://www.linksysinfo.org/index.php?threads/assign-specific-dns-to-only-certain-clients.68865/

    One person said:

    "It may be better to make the kid-safe DNS the router's default and add exceptions for the parent's devices. This way, as long as the parent can keep the kids from becoming admins there's less chance will accidently get access to the unrestricted DNS addresses. As new devices (xbox one replaces 360, PS3, PS4, etc) come online, by default, they are restricted until the parent white lists them into the unrestricted DNS list."

    That is exactly what I want to do. Have everything use OpenDNS by default, but add a specific device to be whitelisted and use a different/default DNS.

    If I go to Basic > DHCP/DNS > Dnsmasq custom configuration, and put some IP Tables or something there, that should work, right? I don't know how to go about this. Can someone please help?
  2. threehappypenguins

    threehappypenguins Networkin' Nut Member

    I looked around more and saw a suggestion, but it was for an IP address and not MAC. And the person didn't know if it would work. So I modified it. It's not working. I put it in Administration > Scripts > Firewall.

    iptables -t nat -I PREROUTING 2 -p udp -s -m mac --mac-source 6c:ad:aa:aa:aa:aa --dport 53 -j ACCEPT

    I had checked off "Intercept DNS port" in Basic > DHCP/DNS because I don't want any other device to be able to bypass DNS. But I want a specific device to be able to bypass it automatically.
  3. kille72

    kille72 LI Guru Member

    If the computers use DHCP. Dnsmasq Custom configuration:

    Not just as you want, but I hope it can be helpful...
    Last edited: Feb 28, 2018
  4. threehappypenguins

    threehappypenguins Networkin' Nut Member

    This is my current configuration. The first MAC address is for my ethernet card, the second is for wi-fi. It's the same laptop. It's not working, unfortunately. I tested some websites that are blocked by OpenDNS, and they're still blocked.

    Attached Files:

  5. threehappypenguins

    threehappypenguins Networkin' Nut Member

    Got it figured out. I had to uncheck "Intercept DNS port." Is there any way to then prevent all other devices from being able to bypass OpenDNS by changing their DNS on their device? That's why I had it checked off.
  6. koitsu

    koitsu Network Guru Member

    Intercept DNS port should not be interfering with this; I'm about 98% positive on that. You should be able to leave that checkbox checked -- it will ensure that clients on your LAN (including wireless) can't use their own chosen DNS servers and instead said packets will get sent to dnsmasq.

    The syntax of those dnsmasq rules looks wrong. Please use compliant syntax per dnsmasq's documentation. They should look like this:

    Caveat: if the MACs in question are statically-assigned to IPs in the TomatoUSB GUI (per Basic -> Static DHCP/ARP/IPT), then this won't work. I can explain why if asked (it has to do with TomatoUSB using tags for interface association, which then conflict with/trump said tags in said rules).

    The workaround is to remove those static allocations in the GUI and instead do them manually in the Dnsmasq Custom Configuration section with dnsmasq directives like so:

    It's very important you get the syntax of the dhcp-host lines correct; it's very sensitive and mistakes are often silently ignored/permitted and weird behaviour happens. Pay close attention to the syntax in the documentation.

    Doing this, however, has a side-effect: some other areas of the TomatoUSB GUI might not have "names/labels" on things like what one might expect. I forget where in the GUI this happens, and "how" it manifests, but the point is to be aware of it. I'd rather not go into details about why, but yes, it's a known issue that has no easy/quick solution.

    I can confirm this works -- because I myself use it -- but I went and tested it on a new system anyway. :)

    If something isn't working, please provide contents of /etc/dnsmasq.conf here in a code block. You can XXX out MAC addresses as you see fit, or other identifying information, but please leave IPs and other bits alone. If you're extremely concerned, you can send me the contents in a private message.
    AndreDVJ likes this.
  7. threehappypenguins

    threehappypenguins Networkin' Nut Member

    Ok! I will test this out shortly! Thanks!!!
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice