DNSMasq and different DNS for clients

Hi,

I moved to LEDE so that I could provide different DNS servers so my daughter's electronics can use OpenDNS Family Shield and the rest of us still have access to our special interest sites. I have this working.

I also have adblock installed so non-daughter users are blocked from ads (as they use the local DNS). What I want is the best of both. I want OpenDNS and ad blocking for my daughter and just ad blocking for the rest.

I have come to the conclusion that I can't do this. Is it possible? And if so can someone point me in the correct direction.

Cheers.

Hi,

The purpose of DHCP is to provide the same settings for all clients. If you wish to make exceptions, you can configure the DNS settings on the devices in question manually.

If you want OpenWRT/LEDE to provide different DNS servers to the client than itself, look under LuCI:
Network --> Interfaces --> LAN --> Edit --> scroll down to DHCP server --> Advanced settings --> look under DHCP-Options

Define additional DHCP options, for example "6,192.168.2.1,192.168.2.2" which advertises different DNS servers to clients.

LP,
Jure

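A worked version of the per-client variant of the DHCP-Options approach described above, added here as an example and not part of the original post: rather than advertising option 6 to the whole LAN, the OpenDNS Family Shield resolvers are attached to a dnsmasq tag and the tag is applied only to chosen hosts by MAC address, so only those hosts receive OpenDNS while everyone else keeps the router as their DNS server. The MAC address, the static IP, the host name "kids-laptop" and the section names are placeholders I made up; the Family Shield addresses 208.67.222.123 and 208.67.220.123 are OpenDNS's published ones. The function only prints UCI batch commands; nothing changes until they are piped into `uci batch` on the router.

```shell
#!/bin/sh
# Added example (not from the thread): OpenDNS Family Shield via DHCP option 6
# for selected hosts only, using a dnsmasq tag in /etc/config/dhcp.
#
# Assumed: MAC 00:11:22:33:44:55, IP 192.168.1.50 and host name "kids-laptop"
# are placeholders; replace them with the real device before applying.

kids_dns_batch() {
	# "config tag 'kids'" carries the option; every host tagged "kids" gets it.
	# Hosts without the tag still get the router's own address as DNS server.
	cat <<'EOF'
set dhcp.kids=tag
add_list dhcp.kids.dhcp_option=6,208.67.222.123,208.67.220.123
set dhcp.kids_laptop=host
set dhcp.kids_laptop.name=kids-laptop
set dhcp.kids_laptop.mac=00:11:22:33:44:55
set dhcp.kids_laptop.ip=192.168.1.50
set dhcp.kids_laptop.tag=kids
EOF
}

# Run this on the router (not here): apply, commit, and reload dnsmasq.
apply_kids_dns() {
	kids_dns_batch | uci batch \
	&& uci commit dhcp \
	&& /etc/init.d/dnsmasq restart
}
```

Option 6 is only a suggestion to the client: a device whose owner sets a static DNS server in its network settings ignores it, which is why the separate-VLAN answers later in this thread are the more robust route.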

Yes, I have that working. I can give different DNS servers to different clients. On my daughter's machines they are using the OpenDNS Family Shield; as they don't use the local DNS this means that they don't get the benefits of the locally installed adblock.

I was wondering if I can have the best of both worlds. This would have to be something in DNSMASQ with different caches for different machines and using different upstream DNS servers. I'm wondering if this is possible?

I'm not a user of adblock, can you describe how it works? I could potentially help hack together something if I had a better idea.

EDIT: If I understand correctly, you're actually handing out the OpenDNS IP addresses to your daughter, but handing out the router's IP to everyone else, and the router is then masking certain DNS responses due to an adblock setting...

What I suggest is this: provide a separate SSID for your daughter (and any other friends etc.) on a separate VLAN. On this VLAN hand out the router as the DNS server but have that DNS server's upstream recursive resolvers be OpenDNS, so that you're getting OpenDNS results filtered through adblock; a second dnsmasq runs to serve this VLAN and you get the best of both worlds there.

Is that helpful?

You could set up a pi-hole server on a Raspberry Pi (or similar) to block ads with or without OpenDNS. This would be a separate DNS server that you assign to only one group of users. The other group uses the adblock config on the server. You might be able to do it all with just pi-hole, but I haven't looked into it.

The separate VLAN approach is a good idea too if you don't want another device.

There are a few steps to this, some of which are supported through LuCI, some through the /etc/config files, and some that may need your own scripts.

I'd approach it as follows:

  • Set up a "guest AP" on its own VLAN and bridge
  • Set up two instances of dnsmasq serving different addresses, default route, and DNS servers to each

I'm not aware of any common DNS server other than bind that can handle "split-horizon DNS" and if you're someone that is comfortable with bind configuration, you probably aren't running services on OpenWRT :wink:

In the past, when I was running my DNS on OpenWRT, I ended up using multiple instances of unbound for DNS as I found it easier to configure directly than it was to try to unwind what the scripts do with /etc/config and dynamically generating config files to achieve a very non-standard configuration. https://calomel.org/unbound_dns.html is an excellent tutorial on unbound and discusses pulling "block" lists and incorporating them, if you choose to go that way.

Thanks for the info. I'll do some reading, and then probably be back with more questions.