Assigning different HTTPS DNS proxy ports to specific MAC addresses in OpenWRT - how?

I am using HTTPS DNS Proxy on OpenWRT and have configured two separate DNS resolvers running on different ports.
I need to configure the device with MAC1 to use DNS on Port1, and the device with MAC2 to use DNS on Port2.

How can I achieve this? Please help! Thank you!

You can identify devices by their MAC address, and send them specific information from the DHCP server:

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#client_classifying_and_individual_options

Thank you for your reply! I tried this yesterday, but with no luck. Unfortunately I'm not experienced in this topic. Looks like something overwrites these rules :frowning:

Could you please clarify: should it be like this?
uci add_list dhcp.mac1.dhcp_option="6,127.0.0.1#5053" ?
instead of:
uci add_list dhcp.mac1.dhcp_option="6,192.168.1.3"

This is a setting for the client(s), and they'll stick to port 53; your 2nd example is valid.

127.0.0.1#5053 would apply to dnsmasq itself.

You could intercept DNS requests from a specific IP/MAC in the firewall, and forward them to a secondary DNS running on some random port, like 5053.

But how to specify port in this example?
uci add_list dhcp.mac1.dhcp_option="6,192.168.1.3"

My resolver (to which I would like to point the device with "mac1") is on 127.0.0.1:5053.
I tried setting up an iptables rule - did not work :frowning:

Like I said, you can't.

Did it look anything like this?

As @frollic commented, you can only send an IP address using option 6, not a port number, and this complicates things...

You need to make the https-dns-proxy instances listen on all interfaces and disable automatic creation of firewall rules.

# /etc/config/https-dns-proxy

config main 'config'
        option force_dns '0'
        ...

config https-dns-proxy
        option listen_addr '0.0.0.0'
        option listen_port '5053'
        ...

config https-dns-proxy
        option listen_addr '0.0.0.0'
        option listen_port '5054'
        ...

Then manually create the necessary firewall rules (the order of the DNAT rules matters).

# /etc/config/firewall
...
config redirect
        option target 'DNAT'
        option name 'DNS-Redirect-MAC1'
        list proto 'udp'
        option src 'lan'
        option src_dport '53'
        option dest_port '5053'
        list src_mac 'MAC1 here'

config redirect
        option target 'DNAT'
        option name 'DNS-Redirect-MAC2'
        list proto 'udp'
        option src 'lan'
        option src_dport '53'
        option dest_port '5054'
        list src_mac 'MAC2 here'

config redirect
        option target 'DNAT'
        option name 'DNS-Redirect-General'
        option src 'lan'
        option src_dport '53'

config rule
        option name 'Prohibit-DoT'
        option src 'lan'
        option dest_port '853'
        option target 'REJECT'
        option dest '*'
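The same firewall rules, generated as a `uci batch` script from a MAC/port table so the ordering caveat above (per-MAC redirects before the catch-all) is enforced by construction. This is an added example, not code from the thread; it assumes the https-dns-proxy instances already listen on 0.0.0.0 on the given ports, adds `tcp` next to the thread's `udp` so TCP fallback queries from the same client do not slip through to the general rule, and validates each MAC before emitting anything.

```sh
#!/bin/sh
# Added example: build the per-MAC DNS redirects from this thread as a uci batch.
# Assumption: https-dns-proxy instances listen on 0.0.0.0 on the ports given.

# Validate a MAC (six hex pairs separated by ':') and print it uppercased.
norm_mac() {
    echo "$1" | tr 'a-f' 'A-F' | grep -E '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'
}

# Emit one DNAT redirect: $1 = rule name, $2 = client MAC, $3 = proxy port.
emit_mac_redirect() {
    mac=$(norm_mac "$2") || { echo "bad MAC: $2" >&2; return 1; }
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='$1'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='lan'
set firewall.@redirect[-1].src_dport='53'
set firewall.@redirect[-1].dest_port='$3'
add_list firewall.@redirect[-1].proto='udp'
add_list firewall.@redirect[-1].proto='tcp'
add_list firewall.@redirect[-1].src_mac='$mac'
EOF
}

# Full batch: per-MAC rules first (most specific), then the catch-all redirect
# to the router's own port 53 (dnsmasq), then the DoT reject. Args: MAC PORT ...
build_dns_batch() {
    i=0
    while [ $# -ge 2 ]; do
        i=$((i + 1))
        emit_mac_redirect "DNS-Redirect-MAC$i" "$1" "$2" || return 1
        shift 2
    done
    cat <<'EOF'
add firewall redirect
set firewall.@redirect[-1].name='DNS-Redirect-General'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='lan'
set firewall.@redirect[-1].src_dport='53'
add firewall rule
set firewall.@rule[-1].name='Prohibit-DoT'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='*'
set firewall.@rule[-1].dest_port='853'
set firewall.@rule[-1].target='REJECT'
commit firewall
EOF
}
```

Apply on the router with `build_dns_batch MAC1 5053 MAC2 5054 | uci batch && /etc/init.d/firewall restart`, then check from each client that a query to the router's port 53 is answered by the expected instance.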