I understand that I can set up DNS hijacking using:
This would result in my router handling DNS queries even if a different DNS server is set on a specific LAN device, right? And it would use the custom DNS servers set in the wan interface.
But how would I configure an exception (preferably using LuCi if possible) such that a DNS request originating from a particular MAC address uses a particular DNS server that is different to the one set in the wan interface of my router?
So then all DNS requests are hijacked, but then in dependence on MAC address either the global DNS set on my wan interface is used, or a custom DNS server for one or more particular MAC addresses?
Would something like the solution here work in conjunction with the DNS hijacking?
Would DNS requests get cached for each separate DNS server?
set how?
You can provide custom DNS based on MAC using DHCP, but that obviously doesn't work if the DNS is hardcoded (like for some Google devices).
Yes, the solution works, unless the DNSes are hardcoded. Then they need to be rerouted in the fw.
I am seeking to combine DNS hijacking with the selective DNS. So all ordinary DNS requests on port 53 are handled by router. And then in dependence on MAC address, either DNS 1 or DNS 2 is used. Make sense?
I think reroute. Because I want my router to hijack/intercept ALL dns requests it sees (and cache appropriately), and then use the DNS server configured in WAN for the majority of the requests, but for my televisions with MAC addresses X and Y, I want the NordVPN DNS server to be used instead. And so even if I set DNS server in TV to Z, the router will still intercept and use the NordVPN server.
So the sequence is:
1. router intercepts all ordinary DNS requests
2. router reroutes DNS request for most devices to DNS 1 (using DNSmasq/caching?)
3. router reroutes DNS request for device with MAC=X/Y to DNS 2 (using DNSmasq/caching?)
I don't think that dnsmasq can do #3 in combination with the rest.
You'd have to have multiple instances of dnsmasq running and forward the televisions to the second instance, to have queries forwarded and cached to the NordVPN nameserver.
Alternatively you can hijack all queries directly to NordVPN:
iptables -t nat -I prerouting_lan_rule -m mac --mac-source aa:bb:cc:aa:bb:cc -p udp --dport 53 -j DNAT --to-destination 10.10.10.10
Selective redirection rules are similar to the main hijacking rule.
Just specify the source MAC and the destination IP to redirect to.
Also move the selective rules to precede the main rule.
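The two-tier rule set the last two replies describe (per-MAC DNAT rules first, catch-all redirect to the router after), as an added example that is not code from the thread. The resolver address, the MAC addresses and the APPLY switch are placeholders I chose; the check_order helper is mine too.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the OpenWrt (iptables-era
# firewall) nat rules for the scheme above: DNS from the listed MACs is DNATed
# to an alternate resolver, everything else is redirected to the router's own
# dnsmasq. ALT_DNS and ALT_MACS are placeholder values; replace with your own.
ALT_DNS="${ALT_DNS:-10.10.10.10}"                           # assumed alternate resolver
ALT_MACS="${ALT_MACS:-aa:bb:cc:aa:bb:cc dd:ee:ff:dd:ee:ff}"  # assumed TV MAC addresses
CHAIN="prerouting_lan_rule"                                  # OpenWrt lan hook chain

# Print the rules in the order they will take effect. The selective rules use
# -I (insert at top) and the catch-all uses -A (append), so the per-MAC rules
# precede the catch-all even if the script is run again later for a new MAC.
dns_hijack_rules() {
    for mac in $ALT_MACS; do
        for proto in udp tcp; do   # DNS also uses TCP; port 853 (DoT) is not covered here
            echo "iptables -t nat -I $CHAIN -m mac --mac-source $mac -p $proto --dport 53 -j DNAT --to-destination $ALT_DNS"
        done
    done
    for proto in udp tcp; do
        echo "iptables -t nat -A $CHAIN -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

# Sanity check on a rule listing (from dns_hijack_rules or from
# `iptables -t nat -S prerouting_lan_rule`): returns 0 only if every per-MAC
# DNAT rule appears before the first catch-all REDIRECT, i.e. no listed
# device falls through to the router's resolver.
check_order() {
    awk '/--mac-source/ && /-j DNAT/ { if (seen_redirect) bad = 1 }
         /--dport 53/ && /-j REDIRECT/ { seen_redirect = 1 }
         END { if (bad) exit 1; exit 0 }'
}

# APPLY=1 executes the rules (e.g. from /etc/firewall.user); otherwise just print.
if [ "${APPLY:-0}" = "1" ]; then
    dns_hijack_rules | sh -e
else
    dns_hijack_rules
fi
```

On OpenWrt releases that ship fw4/nftables, the prerouting_lan_rule chain no longer exists and the same two tiers have to be written as nft rules or firewall config redirect sections instead.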
This is just for testing purposes with hijack redirect to NordVPN DNS set for everything. It seems that now DNS lookups get returned by both the router default DNS (cleanbrowsing DNS - which blocks NordVPN.com) AND the NordVPN DNS I set in the hijacking rule (see the report from dnsleaktest.com above). But I only want the hijack rule to mean DNS gets returned by NordVPN. And so I would expect 'nslookup nordvpn.com' from client to actually work.