How can I force a client to use a specific DNS?

Hello, I'm trying to figure out how to force a single client to use a specific DNS. My main goal is to use Getflix.com's service with my TV, but I don't want other devices on my network to use their DNS.

I'm using a Linksys WRT32X on OpenWrt 23.05.0.

I want to see if I've configured things properly on my side before reaching out to Getflix support.

What I've done so far:

  • Followed the guide on DNS Hijacking so that all clients use the DNS advertised by the router
  • Followed the guide on creating a "tag" that uses a different set of DHCP options
  • Added static routes per Getflix's documentation (may not be necessary with other options enabled)

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd32:b9ba:8453::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'aa:bb:cc:dd:ee:ff'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config route
        option interface 'lan'
        option metric '2'
        option target '8.8.8.8/32'

config route
        option interface 'lan'
        option target '8.8.4.4/32'
        option metric '2'

config route
        option interface 'lan'
        option target '108.175.32.0/20'
        option metric '2'

config route
        option interface 'lan'
        option target '198.38.96.0/19'
        option metric '2'

config route
        option interface 'lan'
        option target '198.45.48.0/20'
        option metric '2'

config route
        option interface 'lan'
        option target '185.2.220.0/22'
        option metric '2'

config route
        option interface 'lan'
        option target '23.246.0.0/18'
        option metric '2'

config route
        option interface 'lan'
        option target '37.77.184.0/21'
        option metric '2'

config route
        option interface 'lan'
        option target '45.57.0.0/17'
        option metric '2'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

(irrelevant host entries omitted)

config tag 'getflix'
        option dhcp_option '6,Getflix's DNS'

config host
        option name 'tv'
        option mac 'TV's MAC'
        option ip 'TV's IP' (is this entry necessary if the MAC is specified?)
        option tag 'getflix'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'

The UCI commands I used to set up the tag:

uci set dhcp.getflix="tag"
uci set dhcp.getflix.dhcp_option="6,Getflix's DNS"
uci add dhcp host
uci set dhcp.@host[-1].name="tv"
uci set dhcp.@host[-1].mac="TV's MAC"
uci set dhcp.@host[-1].ip="TV's IP"
uci set dhcp.@host[-1].tag="getflix"
uci commit dhcp
service dnsmasq restart

When I enable these options, Getflix's service is not working as expected. Netflix is blocked entirely. If I enable these options but disable the static routes, then I have access to Netflix, but the wrong region, indicating I'm not being routed through Getflix.

Is anything obviously wrong with my configs?

This should be all you need, but it becomes useless due to the hijacking rule below, so remove it.

Also remove the static routes. They are only needed if you are using a VPN service, and in addition you must specify the wan (not lan) interface in the routes.

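To check a configuration for exactly the three points raised in the reply above before touching the router, here is a small Python lint. It is an added example for this thread, not code from OpenWrt, dnsmasq or Getflix: it reads the UCI text format used by /etc/config/dhcp, /etc/config/firewall and /etc/config/network (config / option / list lines) and reports a host tag that carries no DHCP option 6, a LAN-wide port-53 DNAT that would catch the tagged host as well, and static routes bound to lan instead of wan. The sample files inside are constructed stand-ins with placeholder values (203.0.113.53 for the DNS server, a locally administered MAC for the TV), not the poster's real ones; copy the real files off the router and pass their contents to lint_per_client_dns to run it against them.

```python
"""Lint a per-client DNS setup in OpenWrt UCI config files.

Added example for this thread, not OpenWrt, dnsmasq or Getflix code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample files with placeholder values (an RFC 5737 address as
# the DNS server, a locally administered MAC as the TV); not real ones.
SAMPLE_DHCP = """
config tag 'getflix'
        option dhcp_option '6,203.0.113.53'

config host
        option name 'tv'
        option mac '02:00:00:00:00:01'
        option tag 'getflix'
"""

SAMPLE_FIREWALL = """
config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
"""

SAMPLE_NETWORK = """
config route
        option interface 'lan'
        option target '8.8.8.8/32'
        option metric '2'
"""


@dataclass
class Section:
    stype: str                 # section type: "tag", "host", "redirect", "route", ...
    name: str = ""             # only for named sections such as "config tag 'getflix'"
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)


_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text: str) -> list:
    """Minimal UCI reader: config/option/list lines, '#' comments skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            continue
        kind, key, rest = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            sections.append(Section(_unquote(key), _unquote(rest)))
        elif not sections:
            continue                      # option/list before any section: ignore
        elif kind == "option":
            sections[-1].options[key] = _unquote(rest)
        else:
            sections[-1].lists.setdefault(key, []).append(_unquote(rest))
    return sections


def lint_per_client_dns(dhcp_text: str, firewall_text: str, network_text: str) -> list:
    """Return human-readable findings; an empty list means the three checks pass."""
    dhcp, fw, net = parse_uci(dhcp_text), parse_uci(firewall_text), parse_uci(network_text)
    findings = []

    # 1. Each host that references a tag must receive a DNS server (option 6) from it.
    tags = {s.name: s for s in dhcp if s.stype == "tag"}
    for host in (s for s in dhcp if s.stype == "host" and s.options.get("tag")):
        tag = tags.get(host.options["tag"])
        if tag is None:
            findings.append(f"host '{host.options.get('name', '?')}': tag '{host.options['tag']}' is not defined")
            continue
        values = tag.lists.get("dhcp_option", []) + [v for k, v in tag.options.items() if k == "dhcp_option"]
        if not any(v.startswith("6,") for v in values):
            findings.append(f"tag '{tag.name}': no dhcp_option '6,...', so the host keeps the router as its DNS")

    # 2. A DNAT of every LAN client's port-53 traffic also catches the tagged host and
    #    silently swaps its chosen resolver for the router's own.
    for r in fw:
        if (r.stype == "redirect" and r.options.get("target") == "DNAT"
                and r.options.get("src") == "lan" and r.options.get("src_dport") == "53"
                and not (r.options.get("src_ip") or r.options.get("src_mac"))):
            findings.append(f"redirect '{r.options.get('name', '?')}': intercepts DNS from every lan client, overriding the per-host tag")

    # 3. Routes to remote ranges must be bound to the upstream interface, not lan.
    for r in net:
        if r.stype == "route" and r.options.get("interface") == "lan":
            findings.append(f"route {r.options.get('target', '?')}: bound to 'lan' instead of 'wan'")
    return findings


if __name__ == "__main__":
    for finding in lint_per_client_dns(SAMPLE_DHCP, SAMPLE_FIREWALL, SAMPLE_NETWORK):
        print("-", finding)
```

Run against the constructed samples it reports two findings, the Intercept-DNS redirect and the lan-bound route, which is the same diagnosis as the reply; with the redirect and the routes removed it reports nothing.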

Thanks for the info. I just tried this out and there must be something deeper that is wrong on my network, or something is wrong with Getflix because it's still not working as expected.

Thought I would chime back in on this. I found out what was causing this configuration not to work, which is great, but I don't understand it. It turns out the wan6 interface on my device is related to the issue. If I stop this interface, then Getflix works as expected. Apparently my ISP does not handle IPv6 properly, which causes issues downstream on my router, which somehow prevents my IPv4-only TV from resolving Getflix's IPv4 DNS addresses.

I wish I had a dime for every permutation of that I read.

