Log DNS requests to syslog for one network

Thanks for the reply @frollic. Both networks use their default gateway as DNS (192.168.1.1, 10.0.0.1). I don't have a Pi-hole or something similar, so I rely on OpenWrt, and I have set up DNS (OpenDNS) on WAN (upstream). I have logs of course from OpenDNS, but I want a more detailed syslog, like which device requests what. I know that this will be a hard job for my router, but I don't expect heavy traffic from the 10.0.0.0 network.

If you're not doing anything fancy with the local DNS, point your regular clients directly to the OpenDNS DNS IPs, while you use your local DNS for the 10.0.0 clients. Then the only thing logged will be the calls coming from the 10.0.0 subnet.

Use option 6.


Set up a second dnsmasq instance for the isolated 10.0.0.0/24 which will log queries.


@frollic I tried your suggestion, but I can still see the requests from 192.168.1.0/24. I guess I must try what @trendy said. I am still a rookie with OpenWrt, so before I start setting up the second dnsmasq, do I have to delete the default DNS instance, or can I add the second one right away? Thank you both.

After making the changes, you need to restart dnsmasq and reconnect your clients, forcing them to make new DHCP requests.


The first 2 lines of the script will do that for you. Then make sure that the INST variable is using the correct names of interfaces that you have.

I tried that and it didn't work. I tried rebooting the router as a last resort, but I keep getting logs.

Then you probably made some kind of error in the configuration.

What IPs are your clients getting for the DNSes?

I gave them the OpenDNS IPs from br-lan > DHCP. I also tried from br-lan > Advanced settings.
And because I have these in custom rules:

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 53 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j DNAT --to 192.168.1.1

I disabled them just to be sure.

Keep these rules disabled and create a new one:

uci add firewall redirect
uci set firewall.@redirect[-1]=redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='DNS'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].dest_ip='208.67.222.222'
uci set firewall.@redirect[-1].dest_port='53'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].src_ip='192.168.1.0/24'
uci add_list firewall.@redirect[-1].proto='tcp' 
uci add_list firewall.@redirect[-1].proto='udp'
uci commit firewall
/etc/init.d/firewall restart

There is also an IPv6 nameserver advertised, which will most likely be preferred.

I have disabled IPv6 until I manage to make it work with stateful DHCP. But I don't care about IPv6 right now.

I set the firewall rule, but I still get the queries from 'lan'; instead of 192.168.1.0, though, I get them from 127.0.0.1. Thanks for the help, by the way.

Assign the loopback interface in the dnsmasq instance which doesn't log queries.

Okay, I made some tests.

  1. The rule works as expected - DNS queries from the specified network are not logged.
  2. Most likely you see only PTR queries from the router itself searching for a name in /etc/hosts or /tmp/hosts/dhcp.cfg* like this:
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 127.0.0.1/35653 query[PTR] 85.92.168.192.in-addr.arpa from 127.0.0.1
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 127.0.0.1/35653 /etc/hosts 192.168.92.85 is pavel.homelan

From what I see, they are generated every time LuCI is used, no matter whether the rule is active or not.

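As an added example (not code from this thread or from OpenWrt), a POSIX shell/awk helper that reads dnsmasq log-queries lines in the syslog format shown above, drops the router's own 127.0.0.1 PTR lookups, summarizes per-client queries for the logged 10.0.0.0/24 subnet, and flags clients from the other subnet that still reached the resolver. The log lines are constructed samples; the client addresses and the OpenDNS upstream follow the thread.

```shell
#!/bin/sh
# Constructed sample dnsmasq log-queries lines in the syslog format shown in the
# thread (not captured from a real router). 10.0.0.0/24 is the logged subnet.
SAMPLE_LOG='Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 127.0.0.1/35653 query[PTR] 85.92.168.192.in-addr.arpa from 127.0.0.1
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 127.0.0.1/35653 /etc/hosts 192.168.92.85 is pavel.homelan
Thu Jun 30 12:37:01 2022 daemon.info dnsmasq[18334]: 329 10.0.0.23/51234 query[A] example.com from 10.0.0.23
Thu Jun 30 12:37:01 2022 daemon.info dnsmasq[18334]: 329 10.0.0.23/51234 forwarded example.com to 208.67.222.222
Thu Jun 30 12:37:05 2022 daemon.info dnsmasq[18334]: 330 10.0.0.23/51240 query[AAAA] example.com from 10.0.0.23
Thu Jun 30 12:38:10 2022 daemon.info dnsmasq[18334]: 331 10.0.0.44/40001 query[A] updates.example.net from 10.0.0.44
Thu Jun 30 12:39:00 2022 daemon.info dnsmasq[18334]: 332 192.168.1.15/53000 query[A] leaked.example.org from 192.168.1.15'

# summarize_dns_queries PREFIX: reads dnsmasq log lines on stdin, keeps only
# "query[...]" lines from clients whose address starts with PREFIX (e.g.
# "10.0.0."), drops the router's own 127.0.0.1 PTR lookups, and prints
# "client qtype name count", one line per distinct query.
summarize_dns_queries() {
    awk -v prefix="$1" '
        / query\[/ {
            client = $NF                        # "... from <ip>": last field
            if (client == "127.0.0.1") next     # LuCI / router-originated noise
            if (index(client, prefix) != 1) next
            for (i = 1; i <= NF; i++)
                if ($i ~ /^query\[/) { qtype = $i; name = $(i + 1) }
            sub(/^query\[/, "", qtype); sub(/\]$/, "", qtype)
            count[client " " qtype " " name]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# leaked_clients PREFIX: clients outside PREFIX that still reached this
# resolver, i.e. a quick check that the DNAT redirect is actually diverting
# the other subnet's DNS traffic.
leaked_clients() {
    awk -v prefix="$1" '
        / query\[/ {
            c = $NF
            if (c != "127.0.0.1" && index(c, prefix) != 1) seen[c] = 1
        }
        END { for (c in seen) print c }
    ' | LC_ALL=C sort
}

# On the router you would feed real lines instead: logread | summarize_dns_queries "10.0.0."
printf '%s\n' "$SAMPLE_LOG" | summarize_dns_queries "10.0.0."
printf '%s\n' "$SAMPLE_LOG" | leaked_clients "10.0.0."
```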

It seems you are right. LuCI generates the PTR. OK, that's a simple and nice solution, but I have a question. The firewall rule aims at one DNS IP, 208.67.222.222. How do I set the second IP of OpenDNS? Do I have to enter a new rule, or can I add the second IP under this line: uci set firewall.@redirect[-1].dest_ip='208.67.222.222'?

I broke something, by the way, and I can't see Network > Firewall in LuCI. I tried a reboot and reinstalling the firewall, but it's not coming back.

It can't round-robin a list of IPs. Practically, the primary IP will always be online and available.


As @trendy said, by default only the first rule will be taken into account.
There is a workaround, but it is a bit complicated and I don't know if it's worth the effort.
You can use the iptables statistic module, which is part of the iptables-mod-ipopt package.
The rules should look like this:

config redirect
        option target 'DNAT'
        option name 'DNS1'
        option src 'lan'
        option src_dport '53'
        option dest_ip '208.67.222.222'
        option dest_port '53'
        option reflection '0'
        option dest 'lan'
        option extra '-m statistic --mode nth --every 2 --packet 0'
        list proto 'tcp'
        list proto 'udp'
        option src_ip '192.168.1.0/24'
        
config redirect
        option target 'DNAT'
        option name 'DNS2'
        option src 'lan'
        option src_dport '53'
        option dest_ip '208.67.220.220'
        option dest_port '53'
        option reflection '0'
        option dest 'lan'
        list proto 'tcp'
        list proto 'udp'
        option src_ip '192.168.1.0/24'

Check the results by running: iptables -t nat -nvL zone_lan_prerouting

Chain zone_lan_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
 2254  535K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24      0.0.0.0/0            tcp dpt:53 statistic mode nth every 2 /* !fw3: DNS1 */ to:208.67.222.222:53
    7   471 DNAT       udp  --  *      *       192.168.1.0/24      0.0.0.0/0            udp dpt:53 statistic mode nth every 2 /* !fw3: DNS1 */ to:208.67.222.222:53
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24      0.0.0.0/0            tcp dpt:53 /* !fw3: DNS2 */ to:208.67.220.220:53
    6   396 DNAT       udp  --  *      *       192.168.1.0/24      0.0.0.0/0            udp dpt:53 /* !fw3: DNS2 */ to:208.67.220.220:53
