Alternate DNS filtered by LAN IP?

I have kids at home, so I use an alternate DNS to block adult content. However, we have a long-term guest staying who said her Spotify wasn't working. I removed the alternate DNS and it started working again.

So my question is whether I can keep the alternate DNS, but set one IP to use the default name servers. Is this possible?

I do this by having a separate 'kidsafe' network which uses one set of DNS servers, and then another network for 'everything else', each using separate dnsmasq instances. There may be a simpler solution, but this works well for my purposes. Here's my dhcp config:

/etc/config/dhcp

```
config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option noresolv '1'
	option dnssec '1'
	option serversfile '/tmp/adb_list.overall'
	list server '127.0.0.1#5453'
	list server '0::1#5453'

config dnsmasq 'family'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/family/'
	option domain 'family'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.family'
	option serversfile '/tmp/adb_list.overall'
	option localservice '1'
	option noresolv '1'
	list interface 'family'
	list notinterface 'lo'
	option dnssec '1'
	list server '185.228.168.168'
	list server '185.228.169.168'
	list server '2a0d:2a00:1::'
	list server '2a0d:2a00:2::'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'
	option leasetime '168h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'familysafe'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'family'
	option instance 'family'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'
```

Some parental control ideas in the wiki.
Also per host dhcp settings.


Hello,
Good idea with a separate network, but I am looking for a more complicated solution:
I use the OpenDNS Family Shield service (they provide a dedicated DNS server to be used for it) and an adblock list. Is it possible to somehow redirect DNS queries from a specific MAC to the OpenDNS server IP and filter the same requests with the adblock list?

I did the redirection to the OpenDNS server using the firewall:

```
config redirect
        option target 'DNAT'
        option src 'lan'
        option dest 'lan'
        option proto 'udp'
        option src_dip '192.168.1.1'
        option src_dport '53'
        option name 'Notebook Family Shield'
        option dest_ip '208.67.222.123'
        option src_ip '192.168.1.4'
        option enabled '0'
```

But in that case the DNS requests are resolved by OpenDNS and are not filtered by dnsmasq.
I read somewhere that dnsmasq can redirect DNS queries to a specific DNS server, but I can't configure dnsmasq to do it.
Or, if it is possible, redirect the DNS responses from the OpenDNS server to dnsmasq to filter them with the adblock list.
Please help me configure the router for that.

You can work with a second instance of dnsmasq but this is a per interface option.

Thanks for the replies. Trendy, I think the solution in your per-host dhcp link might be better than what I was thinking:

```
uci add_list dhcp.@dnsmasq[0].server="/example.com/192.168.2.1"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

I don't really understand the format of the server specified in the example. Why would you enter ="/domain/IP" like that?

I would want to use an alternate DNS server for everything, except Spotify which would use the standard ISP DNS servers. Do you think it's possible to do this by modifying these commands?

You can specify that for the example.com domain, nameserver 192.168.2.1 will be used.
If you don't specify a domain, it will be the default.
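
An added example, not part of the thread or any poster's code: a small shell check of how `/domain/IP` server entries are selected, applied to the Spotify exception asked about above. It assumes `192.0.2.53` as a placeholder for the ISP resolver and `spotify.com` / `scdn.co` as the domains needing the exception; the function names are hypothetical, and the selection is simplified to "longest matching domain wins, otherwise the first default".

```shell
#!/bin/sh
# Constructed values: 192.0.2.53 is a placeholder for the ISP resolver;
# 185.228.168.168 is the filtering resolver from the config earlier in the thread.
# spotify.com and scdn.co are assumed exception domains, not taken from the thread.
FILTERED="185.228.168.168"
EXCEPTIONS="/spotify.com/192.0.2.53 /scdn.co/192.0.2.53"

# upstream_for NAME ENTRY...: print the server chosen for NAME.
# ENTRY is "IP" (default) or "/domain[/domain...]/IP". A domain matches itself
# and its subdomains; the longest matching domain wins, else the first default.
upstream_for() {
    name=$1; shift
    best=""; best_len=-1
    for entry in "$@"; do
        case $entry in
            /*/*) ip=${entry##*/}; doms=${entry#/}; doms=${doms%/*} ;;
            *)    ip=$entry; doms="" ;;
        esac
        if [ -z "$doms" ]; then
            if [ "$best_len" -lt 0 ]; then best=$ip; best_len=0; fi
            continue
        fi
        old_ifs=$IFS; IFS=/
        for d in $doms; do
            case $name in
                "$d"|*."$d")
                    if [ "${#d}" -gt "$best_len" ]; then best=$ip; best_len=${#d}; fi ;;
            esac
        done
        IFS=$old_ifs
    done
    printf '%s\n' "$best"
}

# emit_uci ENTRY...: print the commands to review and then run on the router.
emit_uci() {
    for entry in "$@"; do
        printf "uci add_list dhcp.@dnsmasq[0].server='%s'\n" "$entry"
    done
    printf 'uci commit dhcp\n/etc/init.d/dnsmasq restart\n'
}

emit_uci $EXCEPTIONS
for n in open.spotify.com i.scdn.co notspotify.com example.org; do
    printf '%-18s -> %s\n' "$n" "$(upstream_for "$n" $FILTERED $EXCEPTIONS)"
done
```

Every domain listed this way is resolved outside the filtering resolver, so keep the exception list as narrow as the service allows.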