DNS hijacking + custom DNS per MAC

I understand that I can set up DNS hijacking using:

This would result in my router handling DNS queries even if a different DNS server is set on a specific LAN device, right? And it would use the custom DNS servers set in the wan interface.

But how would I configure an exception (preferably using LuCI if possible) such that a DNS request originating from a particular MAC address uses a particular DNS server that is different to the one set in the wan interface of my router?

So then all DNS requests are hijacked, but then in dependence on MAC address either the global DNS set on my wan interface is used, or a custom DNS server for one or more particular MAC addresses?

Would something like the solution here work in conjunction with the DNS hijacking?

Would DNS requests get cached for each separate DNS server?


Set how?
You can provide custom DNS based on MAC, using the DHCP, but that obviously doesn't work if the DNS is hardcoded (like for some Google devices).

Yes, the solution works, unless the DNSes are hardcoded. Then they need to be rerouted in the fw.

I am seeking to combine DNS hijacking with the selective DNS. So all ordinary DNS requests on port 53 are handled by router. And then in dependence on MAC address, either DNS 1 or DNS 2 is used. Make sense?

Sure, it's fully doable.

But you have two options here.

  1. Provide DNS based on MAC, via DHCP
  2. Reroute (or don't) DNS based on MAC

I think reroute. Because I want my router to hijack/intercept ALL DNS requests it sees (and cache appropriately), and then use the DNS server configured in WAN for the majority of the requests, but for my televisions with MAC addresses X and Y, I want the NordVPN DNS server to be used instead. And so even if I set DNS server in TV to Z, the router will still intercept and use the NordVPN server.

So the sequence is:

  1. router intercepts all ordinary DNS requests
  2. router reroutes DNS request for most devices to DNS 1 (using DNSmasq/caching?)
  3. router reroutes DNS request for device with MAC=X/Y to DNS 2 (using DNSmasq/caching?)

I don't think that dnsmasq can do #3 in combination with the rest.
You'd have to have multiple instances of dnsmasq running and forward the televisions to the second instance, to have queries forwarded and cached to the NordVPN nameserver.
Alternatively you can directly hijack all queries directly to NordVPN.
iptables -t nat -I prerouting_lan_rule -m mac --mac-source aa:bb:cc:aa:bb:cc -p udp --dport 53 -j DNAT --to-destination


Would that have to be a custom rule in LuCI?

Yes, that can go there.

You can exclude MACs from the hijacking rule by preceding them with an exclamation mark:
DNS hijacking > DNS forwarding

Is it possible to do that using the GUI:

Sorry yes, but I mean can that be modified to implement something like:

iptables -t nat -I prerouting_lan_rule -m mac --mac-source aa:bb:cc:aa:bb:cc -p udp --dport 53 -j DNAT --to-destination

Selective redirection rules are similar to the main hijacking rule.
Just specify the source MAC and the destination IP to redirect to.
Also move the selective rules to precede the main rule.


Sorry to be so thick, but those should go in the firewall port-forwards section?

Yes, you can follow this instruction:
DNS hijacking > Web interface instructions


Yes but for the exception - how do I set destination IP for the televisions?

The redirect destination should be that field:

  • Internal IP address

Although it may sound confusing if the IP is actually upstream.
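The ordering described in the replies above (selective per-MAC redirects first, the main hijacking rule last), as an added example that is not part of the original thread or the OpenWrt wiki: a shell function that prints the matching `config redirect` sections for /etc/config/firewall. The address 192.0.2.53 is a placeholder for the alternative DNS server, the section names are made up, and `proto 'tcp udp'` is an assumption that goes beyond the UDP-only iptables rule quoted in the thread.

```shell
#!/bin/sh
# Added example: emit firewall redirect sections so that per-MAC DNS
# exceptions come before the catch-all hijacking rule.

valid_mac() {
    # Accept exactly six colon-separated hex octets.
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Usage: gen_dns_redirects ALT_DNS_IP MAC [MAC...]
gen_dns_redirects() {
    alt_dns=$1; shift
    # Validate everything first so a bad MAC never yields a partial config.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    # 1) Selective rules first: the first matching redirect wins.
    n=0
    for mac in "$@"; do
        n=$((n + 1))
        cat <<EOF
config redirect
    option name 'DNS-exception-$n'
    option src 'lan'
    option src_mac '$mac'
    option proto 'tcp udp'
    option src_dport '53'
    option dest_ip '$alt_dns'
    option target 'DNAT'

EOF
    done
    # 2) Catch-all last: no dest_ip, so queries land on the router's own resolver.
    cat <<EOF
config redirect
    option name 'Intercept-DNS'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '53'
    option target 'DNAT'
EOF
}

# Constructed sample call: MAC as written in the thread, DNS IP is a placeholder
# from the 192.0.2.0/24 documentation range.
gen_dns_redirects 192.0.2.53 aa:bb:cc:aa:bb:cc
```

In LuCI the `dest_ip` option corresponds to the "Internal IP address" field mentioned above.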


@vgaetera - legend - thank you so much!


Actually this is not quite behaving as expected:

Dnsleaktest.com reports both my router DNS and the redirected DNS:

And also I get:


What is the output of iptables-save -c ?

This is just for testing purposes with hijack redirect to NordVPN DNS set for everything. It seems that now DNS lookups get returned by both the router default DNS (cleanbrowsing DNS - which blocks NordVPN.com) AND the NordVPN DNS I set in the hijacking rule (see the report from dnsleaktest.com above). But I only want the hijack rule to mean DNS gets returned by NordVPN. And so I would expect 'nslookup nordvpn.com' from client to actually work.