I have Dual Dnsmasq instances setup on two lan segments and I have http dns proxy setup on both instances and adblock setup on a single instance.
I setup kids lan removing the interface and notinterface options and used a different port to the adults_lan so the kids one will span both interfaces.
I then created a firewall rules to redirect port 53 on the kids lan to my custom port and a second rule to redirect specific devices to my custom dns port on the adults lan.
It seems dns resolution is broken on the kids lan and devices in the group on the adults lan fail also.
Based on your description your setup appears as if it might be more complex than it needs to be. There might be an easier way of achieving your (unstated) objective.
The fact that you distinguish between your kids' network and the adults' network makes me suspect you're doing some rudimentary filtering of what your kids can and can't get to.
And if that's the case, would something like Adguard Home or Pi-hole be suitable for your needs? You can configure client-specific policies so that, for example, your kids' devices don't get the same name resolution as your devices. And it requires only one listening port without trying to juggle multiple instances of a DNS resolver.
In addition, Pi-hole is built on top of dnsmasq so, if you're already familiar with dnsmasq with multiple subnets, you can easily edit the configuration files to suit your network topology.
Currently I have two lan segments adults and kids both who use httpdns proxy and banip.
On the kids network i also have adblock working.
Because im using old routers around the place without vlan functions as access points i cant provide seperate adults and kids wifi at those points.
I wish to force adults devices to use the adults dns by forwarding to the dns port on the adults dnsmasq dns instance.
Sadly it seems specifying a port other than 53 seems to break dns resolution.
I'm looking how I may debug where the hickup is, I don't know if I have some dnsmasq setting wrong or if adblock or httpdns is creating port forwards or something to the incorect port.
Hence my suggestion of using something like Pi-hole or Adguard Home or an equivalent.
Separate network segments may not be necessary. Even on the same network segment you can use DHCP reservations and apply per-device policies for content filtering so that different devices (different users) can access different stuff.
For example, device Adult1 gets IP address 192.168.0.100, and the DNS (content filtering) allows everything to the adult. Then, device Child1 gets IP address 192.168.0.200, and the DNS (content filtering) applies certain filters for what's permitted to the child.
However, if that's a non-starter, and the only viable option for you is separate network segments as you have been doing, let's start by taking a look at your configuration. What's the content of the following four files on every OpenWRT device which participates in your setup?
In addition, a diagram of the network to show the layout of the network segments and where they connect may also be useful. My profile contains a link to a very useful online diagramming tool which I use often to create shoddy diagrams in a hurry.
Depending on how computer/network savvy your kids are, running two DNSes in the same network could be an option.
Then pointing to the 1st or 2nd DNS, based on IP or MAC address, using the DHCP.
1st DNS is unrestricted, 2nd blocks all goat pr0n, and/or whatever ...
DNS always port 53, do you have more than one on the same host, you need to run the 2nd on a different port, and implement some kind of port forward based on the source's IP.
At the moment I cant get the two dns's i have to work under the same lan segment on when setting different ports i have set them to span all interfaces.
It even breaks the dns working on the assigned interface
Sadly only the dns set to port 53 seems to work.
below is my config:
config dnsmasq 'adults_dns'
option localise_queries '1'
option rebind_protection '0'
option local '/adults_lan/'
option domain 'adults_lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/adults_lan/dhcp.leases'
option localservice '0'
option confdir '/tmp/adults_lan/dnsmasq.d'
option quietdhcp '1'
option allservers '1'
list server '127.0.0.1#5054'
list server '127.0.0.1#5053'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '8.8.8.8'
option boguspriv '0'
list interface 'adults_lan'
list interface 'Kids_lan'
option port '53'
config dnsmasq 'kids_dns'
option localise_queries '1'
option rebind_protection '0'
option local '/kids_lan/'
option domain 'kids_lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/kids_lan/dhcp.leases'
option confdir '/tmp/kids_lan/dnsmasq.d'
option localservice '0'
option quietdhcp '1'
option allservers '1'
list server '127.0.0.1#5054'
list server '127.0.0.1#5053'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '8.8.8.8'
option boguspriv '0'
list interface 'kids_lan'
list interface 'adults_lan'
list notinterface 'loopback'
option port '5153'
config dhcp 'adults_lan'
option instance 'adults_dns'
option interface 'adults_lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '0'
config dhcp 'kids_lan'
option instance 'kids_dns'
option interface 'kids_lan'
option start '100'
option leasetime '12h'
option limit '150'
option force '0'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'adults_lan'
option name 'adults_zone'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'kids_lan'
option name 'kids_zone'
config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option name 'wan_zone'
list network 'wan'
list network 'wan6'
list network 'wwan'
config forwarding
option src 'adults_zone'
option dest 'wan_zone'
config forwarding
option src 'kids_zone'
option dest 'wan_zone'
config redirect
option name 'dns hijack (adults_lan 53)'
option src 'adults_zone'
option proto 'tcp udp'
option src_dport '53'
option target 'DNAT'
option dest_port '53'
config redirect
option target 'DNAT'
option name 'dot hijack (adults_lan 853)'
option src 'adults_zone'
option src_dport '853'
option dest_port '853'
config rule
option name 'dot block (adults _lan 853)'
option src 'adults_zone'
option src_port '853'
option target 'REJECT'
option dest 'wan_zone'
config rule
option name 'dot block (kids_lan 853)'
option src 'kids_zone'
option src_port '853'
option target 'REJECT'
option dest 'wan_zone'
config rule
option name 'mdns ipv4 allow (adults_lan 5353)'
option family 'ipv4'
option src_port '5353'
option dest_port '5353'
option target 'ACCEPT'
option src 'adults_zone'
list dest_ip '224.0.0.251'
config rule
option name 'mdns ipv6 allow (adults_lan 5353)'
option family 'ipv6'
list proto 'udp'
option src 'adults_zone'
option src_port '5353'
list dest_ip 'ff02::fb'
option dest_port '5353'
option target 'ACCEPT'
config rule
option name 'mdns ipv4 allow (kids_lan 5353)'
option family 'ipv4'
option src 'kids_zone'
option src_port '5353'
list dest_ip '224.0.0.251'
option dest_port '5353'
option target 'ACCEPT'
config rule
option name 'mdns ipv6 allow (kids_lan 5353)'
option family 'ipv6'
list proto 'udp'
option src 'kids_zone'
option src_port '5353'
list dest_ip 'ff02::fb'
option dest_port '5353'
option target 'ACCEPT'
config redirect
option target 'DNAT'
option name 'dns hijack (kids lan 53)'
option src 'kids_zone'
option src_dport '53'
option dest_port '5153'
config redirect
option target 'DNAT'
option name 'dot hijack (kids_lan 853'
option src 'kids_zone'
option src_dport '853'
option dest_port '853'
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fdf6:0e5c:4f41::/48'
config interface 'adults_lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option device 'br-adults_lan'
config interface 'kids_lan'
option proto 'static'
option type 'bridge'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config interface 'wan'
option proto 'dhcp'
option peerdns '0'
option device 'wan'
option metric '1'
config interface 'wan6'
option proto 'dhcpv6'
option reqaddress 'none'
option reqprefix 'auto'
option peerdns '0'
option device 'wan'
option metric '2'
option auto '0'
config device
option name 'br-adults_lan'
option type 'bridge'
list ports 'lan'
config device
option name 'br-kids_lan'
config interface 'wwan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option auth 'none'
option metric '3'
option pdptype 'ipv4'
option auto '0'
Understood. I do the same. But I use a firewall rule to reject 853, rather than DNAT to black-hole it. I'm not entirely sure which, if either, method is better. I guess as long as you achieve the desired result it's all good.
It might help to run tcpdump (optional package, can be installed using LuCI or opkg) to check the traffic in and out on the ports you're using. You might be able to identify if - and where - traffic might be failing.
In addition, netstat can show you which ports are open for inbound traffic. If you're not seeing the ports you expect, that might also help to direct troubleshooting efforts.
as far as im aware 5153 in the below section defines my second dns servers port or am I wrong?
ports 5053 and 5054 they are just the upstream resolvers for https dns proxy
my asumption is a device allways asks for dns querys on port 53 and i have to redirect them to the port of the dns i wish them to use using the below rule:
I admit I'm still learning.
hi, can you check pls using ps | grep dnsm and logread -e dnsmasq if both dnsmasq instance is actually running?
with your config it is not just two dns servers bind to both your interfaces but as dnsmasq provides DHCP too, that part would also try to bind ... but if one DHCP server is running the other will not on the same interface.