Hello, I have OpenWrt 21.02.3 r16554-1d4dea6d4f on a Xiaomi 4A.
I have set up a second network, 10.0.0.0/24, and a separate Wi-Fi. The 10.0.0.0 network is isolated from 192.168.1.0/24. I want to enable the logging of DNS requests only for the network 10.0.0.0/24. If I enable the option "Log queries" from LuCI, it logs everything. I don't want that.
Is it possible to do that from SSH?
Set up a 2nd DNS and redirect the 10 subnet to it, or tell all the devices you don't want to log to use some other DNS than your own.
Thanks for the reply @frollic. Both networks use their default gateway as DNS (192.168.1.1, 10.0.0.1). I don't have a Pi-hole or something similar, so I rely on OpenWrt, and I have set up DNS (OpenDNS) on the WAN (upstream). I have logs from OpenDNS of course, but I want a more detailed syslog, like which device requests what. I know that this will be a hard job for my router, but I don't expect heavy traffic from the 10.0.0.0 network.
If you're not doing anything fancy with the local DNS, point your regular clients directly to the OpenDNS IPs, while you use your local DNS for the 10.0.0 clients. Then the only thing logged will be the calls coming from the 10.0.0 subnet.
Use option 6.
Set up a second dnsmasq instance for the isolated 10.0.0.0/24 which will log queries.
@frollic I tried your suggestion, but I can still see the requests from 192.168.1.0/24. I guess I must try what @trendy said. I am still a rookie with OpenWrt, so before I start setting up the second dnsmasq, do I have to delete the default DNS instance, or can I add the second one right away? Thank you both.
After making the changes, you need to restart dnsmasq and reconnect your clients, forcing them to make new DHCP requests.
The first 2 lines of the script will do that for you. Then make sure that the INST variable is using the correct names of the interfaces that you have.
I tried that and it didn't work. I tried rebooting the router as a last resort, but I keep getting logs.
Then you probably made some kind of error in the configuration.
What IPs are your clients getting for the DNSes?
I gave them the OpenDNS IPs from br-lan > DHCP. I also tried from br-lan > Advanced settings.
And because I have these in custom rules:
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 53 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j DNAT --to 192.168.1.1
I disabled them just to be sure.
Keep these rules disabled and create a new one:
uci add firewall redirect
uci set firewall.@redirect[-1]=redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='DNS'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].dest_ip='208.67.222.222'
uci set firewall.@redirect[-1].dest_port='53'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].src_ip='192.168.1.0/24'
uci add_list firewall.@redirect[-1].proto='tcp'
uci add_list firewall.@redirect[-1].proto='udp'
uci commit firewall
/etc/init.d/firewall restart
There is also an IPv6 nameserver advertised, which will most likely be preferred.
I have disabled IPv6 until I manage to make it work with stateful DHCP, but I don't care about IPv6 right now.
I set the firewall rule, but I still get the queries from 'lan'; instead of 192.168.1.0 I get them from 127.0.0.1. Thanks for the help, by the way.
Assign the loopback interface in the dnsmasq instance which doesn't log queries.
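One way to build the two-instance setup discussed in this thread (a second dnsmasq for the isolated subnet, with loopback assigned to the non-logging instance), as an added example that is not code from any of the posts above. It assumes the stock single unnamed dnsmasq section, logical interfaces named 'lan' (192.168.1.0/24) and 'iso' (10.0.0.0/24), and DHCP pool sections in /etc/config/dhcp named after them; it prints the uci batch by default and applies it only when run with the argument `apply` on the router.

```shell
#!/bin/sh
# Added example for OpenWrt 21.02 (not from the thread): split dnsmasq into
# two instances so that only the isolated subnet's DNS queries are logged.
# Assumed logical interfaces: 'lan' (192.168.1.0/24) and 'iso' (10.0.0.0/24),
# with DHCP pool sections in /etc/config/dhcp named the same way.
LAN_IF="${LAN_IF:-lan}"
ISO_IF="${ISO_IF:-iso}"

# Emit the uci batch. 'main' is the renamed default instance: it keeps serving
# $LAN_IF plus the router itself (loopback) with logging off, so LuCI's PTR
# lookups from 127.0.0.1 never reach the logging instance. 'isolog' binds
# only to $ISO_IF, logs every query and gets its own lease file.
dnsmasq_split_batch() {
  cat <<EOF
rename dhcp.@dnsmasq[0]=main
set dhcp.main.logqueries='0'
set dhcp.main.nonwildcard='1'
add_list dhcp.main.interface='$LAN_IF'
add_list dhcp.main.interface='loopback'
set dhcp.isolog=dnsmasq
set dhcp.isolog.logqueries='1'
set dhcp.isolog.nonwildcard='1'
set dhcp.isolog.localuse='0'
set dhcp.isolog.leasefile='/tmp/dhcp.leases.isolog'
add_list dhcp.isolog.interface='$ISO_IF'
set dhcp.$LAN_IF.instance='main'
set dhcp.$ISO_IF.instance='isolog'
commit dhcp
EOF
}

# Sanity check on the generated batch: loopback must be bound exactly once,
# and only by the non-logging instance. Returns 0 when that holds.
dnsmasq_split_check() {
  n=$(dnsmasq_split_batch | grep -c "interface='loopback'")
  [ "$n" = "1" ] && dnsmasq_split_batch | grep -q "dhcp.main.interface='loopback'"
}

# Apply on the router (needs uci) and restart dnsmasq; reconnect the clients
# afterwards so they pick up leases from the right instance.
dnsmasq_split_apply() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found, dry run only" >&2; return 1; }
  dnsmasq_split_batch | uci batch && /etc/init.d/dnsmasq restart
}

case "${1:-}" in
  apply) dnsmasq_split_check && dnsmasq_split_apply ;;
  *) dnsmasq_split_batch ;;
esac
```

Review the printed batch against your own /etc/config/dhcp before running it with `apply`, since section names differ if you created the networks by hand.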
Okay, I made some tests.
- The rule works as expected: DNS queries from the specified network are not logged.
- Most likely you only see PTR queries from the router itself, searching for a name in /etc/hosts or /tmp/hosts/dhcp.cfg*, like these:
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 127.0.0.1/35653 query[PTR] 85.92.168.192.in-addr.arpa from 127.0.0.1
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 127.0.0.1/35653 /etc/hosts 192.168.92.85 is pavel.homelan
From what I see, they are generated every time LuCI is used, regardless of whether the rule is active or not.
It seems you are right: LuCI generates the PTR. OK, that's a simple and nice solution, but I have a question. The firewall rule aims at one DNS IP, 208.67.222.222. How do I set the second IP of OpenDNS? Do I have to enter a new rule, or can I add the second IP under this line: uci set firewall.@redirect[-1].dest_ip='208.67.222.222'?
I broke something, by the way, and I can't see Network > Firewall in LuCI. I tried rebooting and reinstalling the firewall, but it's not coming back.
It can't round-robin a list of IPs. In practice the primary IP will always be online and available.