Force attachment to specific dnsmasq instance

Is it possible to force a client to use a specific dnsmasq instance/ dns?

I have two interfaces to WAN with a different dnsmasq instance set up on each, as adults and kids, with filtering set up on the kids side to keep them safe.

Can I make a device connect through the kids DHCP/DNS server even when attached to the adults interface?

I'm not exactly sure what your setup looks like, but you can have the firewall filter and/or redirect traffic based on MAC or IP addresses.

This https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options ?

Thanks, looks like the MAC tag option will suit my needs.

It looks as if I can use wildcards for the MAC, so I can exclude randomly generated MAC addresses and attach them to the kids network by using the second word in the MAC address and classifying them also.

Are there plans to add LuCI integration for this?

Does this look ok? Sorry, I'm still learning.

This would force a known client MAC address to the kids_lan dnsmasq second instance:

config tag 'Force_mac_Dns'
	option instance 'Kids_Dns'

config host
	option name 'j400'
	option mac '00:21:63:75:aa:17'
	option tag 'Force_mac_Dns'

And this would force clients with a random MAC address to the Kids_lan dnsmasq second instance?
I'm not sure if I can configure a mac section with multiple members like so:

config mac 'Random_mac_filter_list'
	option mac.1 '*:*2:*:*:*:*'
	option mac.2 '*:*6:*:*:*:*'
	option mac.3 '*:*A:*:*:*:*'
	option mac.4 '*:*E:*:*:*:*'
	option instance 'Kids_Dns'

uci set dhcp.tag1="kidsdns"
uci set dhcp.tag1.dhcp_option="6,D.N.S.IP"
uci add dhcp host
uci set dhcp.@host[-1].name="somehost"
uci set dhcp.@host[-1].mac="00:11:22:33:44:55"
uci set dhcp.@host[-1].ip="10.11.12.14"
uci set dhcp.@host[-1].tag="kidsdns"

You need to create the tag too.
Obviously the ip param isn't something you probably want, but I'm not sure it'll work without it.
No idea about the multiple random MAC lines; trial and error, unfortunately.

Ok, so I have to specify the IP address of the DNS server and I can't use the option instance setting to direct it to a particular instance?

I was thinking it would give the client an IP address from the pool of the second instance? Does it just redirect DNS like a firewall rule and just enable you to pull multiple clients into a group by using the tag to group them?

The documentation is very minimal; I'll have to have a play.

It does not direct to the second instance, it just redirects the DNS, from my testing sadly.
I can't force those devices to use the white and black lists of the other dnsmasq DNS instance, sadly, or obtain a DHCP pool from the other instance.

Either it is not possible or I'm missing something.

Multiple DHCP/DNS instances are most suitable for multiple downstream interfaces configured with separate VLANs/SSIDs for different subnets, when each client group uses its own subnet.

A MAC-based DHCP classifier makes it possible to mix clients from different groups on the same subnet, but this does not protect against clients switching to a custom unrestricted DNS.

Meanwhile, you can create a MAC-based firewall rule to intercept and redirect DNS traffic, and then you no longer need the MAC-based DHCP classifier.

What I'm trying to achieve is forcing specific devices to a specific instance for the purpose of forcing my kids to use the adblock filtering on the second dnsmasq instance regardless of which instance they connect to.

How I was hoping for it to work was that if someone were to connect to the adults_lan (first dnsmasq instance, 192.168.1.X) but they are in the tagged group or have a random MAC address, it would instead give them an IP address in the second kids_lan (second dnsmasq instance, 192.168.2.1).

This would then force all the restrictions on the kids' devices if they attach to the adults network.

The problem with adblock is that the report function only works on the subnet of the dnsmasq instance it is attached to (192.168.2.x) so any forwarding from adults_lan omits any reporting.

config dnsmasq 'Adults_Dns'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/Adults_Lan/'
	option domain 'Adults_Lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/Adults_Lan/dhcp.leases'
	list interface 'Adults_Lan'
	option localservice '0'
	list notinterface 'Kids_Lan'
	option confdir '/tmp/Adults_Lan/dnsmasq.d'
	list server '/use-application-dns.net/'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '127.0.0.1#5054'
	list server '127.0.0.1#5053'
	option quietdhcp '1'
	option filterwin2k '1'
	option allservers '1'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '8.8.8.8'

config dnsmasq 'Kids_Dns'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/Kids_Lan/'
	option domain 'Kids_Lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/Kids_Lan/dhcp.leases'
	option confdir '/tmp/Kids_Lan/dnsmasq.d'
	list interface 'Kids_Lan'
	option localservice '0'
	list notinterface 'loopback'
	list notinterface 'Adults_Lan'
	list server '/use-application-dns.net/'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '127.0.0.1#5054'
	list server '127.0.0.1#5053'
	option quietdhcp '1'
	option filterwin2k '1'
	option allservers '1'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '8.8.8.8'

config dhcp 'Adults_Lan'
	option instance 'Adults_Dns'
	option interface 'Adults_Lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

config dhcp 'Kids_Lan'
	option instance 'Kids_Dns'
	option interface 'Kids_Lan'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option force '1'

config interface 'Adults_Lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-Adults_Lan'

config interface 'Kids_Lan'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'Wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '127.0.0.1'
	option device 'wan'
	option metric '1'

config interface 'Wan6'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'
	option device 'wan'
	option metric '2'
	option auto '0'

config device
	option name 'br-Adults_Lan'
	option type 'bridge'
	list ports 'lan'

config device
	option name 'br-Kids_Lan'

config interface 'Wwan'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option auth 'none'
	option metric '3'
	option pdptype 'ipv4'
	option auto '0'

It should work this way:

  • Add the port option on the second DNS instance using a free port like 5153.
  • Remove the interface and notinterface options from both DNS instances.
  • Replace the MAC-based DHCP classifier with a MAC-based firewall rule redirecting DNS traffic to the custom DNS port.

Keep in mind that each downstream interface needs its own firewall redirect, so using a MAC-based set can help avoid duplication.
Also note that you no longer need a separate subnet if using different DNS was the only reason to create it.

Ok, so removing the interface and notinterface options allows me to span the DHCP server across different LANs, so a kids device can attach to any instance regardless of the network it is attached to?

I'm guessing using the host option instance setting will tell them which one to attach to, as below for example?

config host
	option instance 'Adults_Dns'
	option dns '1'
	option mac '1C:F8:D0:C3:20:B5'
	option name 'Xanthea-ph'

config host
	option instance 'Kids_Dns'
	option dns '1'
	option mac '50:ED:3C:93:FF:18'
	option name 'Tayne-ph'

And something like this for rules?

config rule
	option name 'Deny_DoT_Adults_Lan'
	option src 'Adults_Zone'
	option proto 'tcp udp'
	option dest 'Wan_Zone'
	option dest_port '853'
	option target 'REJECT'

config rule
	option name 'Deny_DoT_Kids_Lan'
	option src 'Kids_Zone'
	option proto 'tcp udp'
	option dest 'Wan_Zone'
	option dest_port '853'
	option target 'REJECT'

config redirect
	option target 'DNAT'
	option name 'Adblock_Adult_dns_53'
	option src_dport '53'
	option src 'Adults_Zone'

config redirect
	option target 'DNAT'
	option name 'Adblock_Kids_dns_53'
	option src_dport '5267'
	option src 'Kids_Zone'

config redirect 'adblock_Kids_Zone53'
	option name 'Adblock DNS (Kids_Zone, 53)'
	option src 'Kids_Zone'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '5267'
	option target 'DNAT'

config redirect 'adblock_Kids_Zone853'
	option name 'Adblock DNS (Kids_Zone, 853)'
	option src 'Kids_Zone'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '5267'
	option target 'DNAT'

config redirect 'adblock_Kids_Zone5353'
	option name 'Adblock DNS (Kids_Zone, 5353)'
	option src 'Kids_Zone'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5267'
	option target 'DNAT'

The above does not work as suggested.

If I remove the interface and notinterface options and use the option instance to bind a host, it still comes out with an IP address of the LAN it is attached to.

Removing the interface and notinterface options and specifying the port option makes both DNS instances reply on any interface; you can confirm this from OpenWrt:

nslookup example.org localhost
nslookup -port=5267 example.org localhost

Then create a MAC set and populate it with hosts that should use non-restrictive policy:

uci -q delete firewall.mac_allow
uci set firewall.mac_allow="ipset"
uci set firewall.mac_allow.name="mac_allow"
uci set firewall.mac_allow.match="mac"
uci add_list firewall.mac_allow.entry="11:22:33:44:55:66"
uci add_list firewall.mac_allow.entry="aa:bb:cc:dd:ee:ff"
uci commit firewall
/etc/init.d/firewall restart

Also add the following options for each DNS redirect:

# Non-restrictive redirects
    option family 'any'
    option ipset 'mac_allow src'

# Restrictive redirects
    option family 'any'
    option ipset '!mac_allow src'

Ok, I tested that and yes, the DNS spans interfaces, but the DHCP server does not seem to.

I was thinking that would enable me to make the DHCP server span two interfaces by removing the interface and notinterface options and specifying in the host options the interface I wish to attach to.

I guess setting up one LAN and having an alternative DNS for selected clients? The problem is maintaining these groups from LuCI.

You can edit IP set entries in the LuCI firewall settings on OpenWrt 22.03.

This is my error when restarting the firewall after a test. I'm guessing wildcards are not supported, or do I have some other error?

Section random_mac (random_mac) ignoring invalid ipset entry '*:*2:*:*:*:*'
Section random_mac (random_mac) ignoring invalid ipset entry '*:*6:*:*:*:*'
Section random_mac (random_mac) ignoring invalid ipset entry '*:*A:*:*:*:*'
Section random_mac (random_mac) ignoring invalid ipset entry '*:*E:*:*:*:*'

config ipset 'random_mac'
	option name 'random_mac'
	option match 'mac'
	list entry '*:*2:*:*:*:*'
	list entry '*:*6:*:*:*:*'
	list entry '*:*A:*:*:*:*'
	list entry '*:*E:*:*:*:*'

config rule
	option name 'random_mac_forward'
	option family 'any'
	option src 'Adults_Zone'
	option ipset 'random_mac'
	option dest 'Wan_Zone'
	option target 'REJECT'

It seems wildcards are not supported with MAC or IP addresses: one must use CIDR notation with IP addresses, and there is no mention of MAC address options.

It looks like there was an attempt at adding this functionality:

Wildcard support for MAC addresses in netfilter (Linux kernel) and iptables – martin.uy
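Added example, not from the thread or from OpenWrt: the entries '*:*2:*:*:*:*' .. '*:*E:*:*:*:*' that fw4 rejected describe the U/L bit of a locally administered (randomized) MAC, so this Python checks set entries the way the firewall does, flags randomized MACs in a lease file, and derives which dnsmasq port (53 or 5267) the mac_allow redirect pair above would send a client's queries to. The allow-list membership and the lease lines are constructed; the hostnames and three of the MACs are taken from the thread.

```python
import re

# Exact-MAC check, like fw4 on a 'match mac' ipset entry: six hex octets, no wildcards.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")

# Constructed allow list: Xanthea-ph's MAC from the thread as an allowed
# (unrestricted) device, plus one entry in the wildcard form that fw4 rejects.
MAC_ALLOW_ENTRIES = ["1C:F8:D0:C3:20:B5", "*:*2:*:*:*:*"]

# Constructed lease lines in dnsmasq's /tmp/dhcp.leases layout (expiry, MAC, IP,
# hostname, client-id). The first three MACs are from the thread; 'guest' is made up.
LEASES = """\
1700000000 00:21:63:75:aa:17 192.168.1.120 j400 *
1700000000 1c:f8:d0:c3:20:b5 192.168.1.121 Xanthea-ph *
1700000000 50:ed:3c:93:ff:18 192.168.1.122 Tayne-ph *
1700000000 5e:ed:3c:93:ff:18 192.168.1.123 guest *
"""

def validate_ipset_entries(entries):
    """Split entries into accepted (normalised to lower case) and rejected."""
    valid = [e.lower() for e in entries if MAC_RE.match(e)]
    invalid = [e for e in entries if not MAC_RE.match(e)]
    return valid, invalid

def is_randomized_mac(mac):
    """True for a locally administered unicast MAC: bit 1 (U/L) of the first
    octet set and bit 0 (I/G) clear, i.e. second hex digit 2, 6, A or E.
    This is the property the '*:*2:*:*:*:*' .. '*:*E:*:*:*:*' wildcards meant."""
    first_octet = int(mac.split(":")[0], 16)
    return (first_octet & 0x03) == 0x02

def dns_port_for(mac, allow_set):
    """Mirror the redirect pair: 'ipset mac_allow src' -> unrestricted dnsmasq
    on 53, 'ipset !mac_allow src' -> filtering instance on 5267."""
    return 53 if mac.lower() in allow_set else 5267

def classify_leases(lease_text, allow_entries):
    """Per hostname: IP, whether the MAC looks randomized, and the dnsmasq port
    its DNS queries would be redirected to."""
    allow, _rejected = validate_ipset_entries(allow_entries)
    allow = set(allow)
    result = {}
    for line in lease_text.splitlines():
        _expiry, mac, ip, name, _client_id = line.split()
        result[name] = {"ip": ip, "randomized": is_randomized_mac(mac),
                        "dns_port": dns_port_for(mac, allow)}
    return result
```

Run against a real lease file, the same classification tells you which randomized MACs are currently on the LAN so they can be added to the set explicitly instead of by pattern.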