I have recently changed my configs so as to have 2 WLANs, one would be the main one for guests/kids and one for adults.
The kids one uses OpenDNS as DNS (through DHCP option 6).
It is all good, but I would like to have the kids WLAN also use a hosts file to force all Google searches through Google SafeSearch (216.239.38.120).
I tried to teach myself something about dnsmasq but I probably got it wrong...
I thought that I could achieve this with a "list addnhosts" option but it gets ignored.
Maybe I am missing something obvious and I am wondering if someone could point me in the right direction...
Additionally, after adding DHCP option 6 I also lost the possibility to use hostnames for local machines (I can ping/ssh through IP but not through hostnames). I have tried adding 127.0.0.1 or 192.168.2.1 to the DHCP option but it didn't help. I am guessing that if I manage to get /etc/hosts to be read and if I add the hostnames there it would work, but my question is if this is the best way to have at the same time a specific DHCP option 6 and local hostnames resolved?
You can't use the router's DNS server to alter an A Record, since you use alternate DNS servers on the LAN and GUEST networks. You will have to reconfigure your network if you want the ability to "poison" DNS names.
Thanks lleachii, not sure I understand what you mean with "poison", I just wanted to have two different hosts files, one for the guest and the other for the main LAN...
Could I ask you to elaborate more?
In order to do what you desire, your DNS server has to be the OpenWrt device, as you want it to hand out an A Record of 216.239.38.120 for google[DOT]com and www[DOT]google[DOT]com. Simple. You have to reconfigure your DNS infrastructure.
I actually have one more issue that I just found out:
with the 2 WLANs, Transmission doesn't find any peers.
If I revert back to the original configuration I have no problem (tested with the Debian netinstall torrent...).
Yep, I saw that, but it helped to understand the idea of poisoning quite well.
I think I also understand what you mean with "DNS has to be your OpenWrt device".
I am trying to get my head around how to achieve that in a clean way...
I too faced a similar scenario, using OpenDNS primarily, but have now converted to using the CleanBrowsing Family Filter https://cleanbrowsing.org/filters#family which blocks a multitude of sites including the use of several 'safe search' engines, and seems feature-rich by comparison.
I have a minimum of 2 sets of DNS resolvers,
i.e. 1st for VPN DNS, 2nd for GUESTS using CleanBrowsing Family Filter DNS
1st set configured via 'WAN' >Network >Interfaces >WAN (edit) >Advanced Settings tab >uncheck Use DNS servers advertised by peer >Use custom DNS servers >Save & Apply
2nd set configured via 'Firewall - Custom Rules' >Network >Firewall >Custom Rules tab >entering
The only catch is you'd need to establish the interface name used for your kids/guests (in my example above the br-guest interface is used) and change that to suit, also change the DNS IP addresses for OpenDNS if required.
@lleachii & @otnert,
Just wanted to say thanks, I eventually had some time during the winter holidays and I played with the DNS settings.
I have 2 dnsmasq sections in dhcp (one for the main DNS and one for the guest one); I have set up an additional hosts file for DNS poisoning on the guest network and the corresponding "list addnhosts" option.
Relevant dhcp bit:
config dnsmasq 'main'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	list interface 'lan'
	list server '8.8.8.8'
	list server '8.8.4.4'

config dnsmasq 'guest'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/guest/'
	option domain 'guest'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.guest'
	option resolvfile '/tmp/resolv.conf.guest'
	option strictorder '1'
	option nonwildcard '1'
	option localservice '1'
	list interface 'guest'
	list notinterface 'lo'
	list server '208.67.222.222'
	list server '208.67.220.220'
	list server '208.67.222.220'
	list server '208.67.220.222'
	list addnhosts '/etc/hosts-restricted/hosts'
Everything, including Transmission, seems to work fine.
One possible task for the future will be to understand if there is a possibility to keep some of the YouTube content. At the moment I am using OpenDNS to filter out all "video sharing", so this removes 100% of YouTube. This is probably a bit too aggressive since some videos on YouTube are actually not bad. From what I have read, IP filtering is either on or off, so there is no way to achieve this unless using some kind of content filter (restrict.youtube.com is still a bit too open for me...). But as said, that is for the future.
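The script below is an added example and is not part of anyone's post in this thread. It shows the piece the final config leaves implicit: how the file named in `list addnhosts '/etc/hosts-restricted/hosts'` can be generated and sanity-checked before the guest dnsmasq instance re-reads it. It assumes the SafeSearch address 216.239.38.120 and the two Google names mentioned earlier in the thread; the list of additional Google country domains and the file path passed on the command line are constructed for the example. Because dnsmasq addn-hosts entries are exact-match, not wildcard, each domain is written both bare and with a `www.` prefix.

```sh
#!/bin/sh
# Added example (not from the thread): build the hosts file that the 'guest'
# dnsmasq instance reads through 'list addnhosts', validate it, and reload
# dnsmasq on OpenWrt. Assumptions: SafeSearch address 216.239.38.120 (from the
# thread); the domain list below is constructed for illustration.

SAFESEARCH_IP="216.239.38.120"

# Constructed list of names to pin to the SafeSearch address (extend to suit).
SAFESEARCH_DOMAINS="google.com google.co.uk google.de"

# Print one hosts(5) line per domain: "<ip> <name> www.<name>".
# dnsmasq matches addn-hosts names exactly, so the www. form is listed too.
build_safesearch_hosts() {
    ip="$1"; shift
    for d in "$@"; do
        printf '%s %s www.%s\n' "$ip" "$d" "$d"
    done
}

# Validate a hosts file: every non-blank, non-comment line must be an IPv4
# address followed by one or more hostnames made of [A-Za-z0-9.-].
# Returns 0 when clean, 1 on the first malformed line (reported on stderr).
check_hosts_file() {
    file="$1"
    grep -v -E '^[[:space:]]*(#|$)' "$file" | while IFS= read -r line; do
        if ! printf '%s\n' "$line" \
            | grep -q -E '^([0-9]{1,3}\.){3}[0-9]{1,3}([[:space:]]+[A-Za-z0-9.-]+)+[[:space:]]*$'; then
            printf 'bad hosts line: %s\n' "$line" >&2
            exit 1   # leaves the subshell; the pipeline then returns 1
        fi
    done
}

# Write the file atomically (temp file + mv) so dnsmasq never reads a partial
# file, refuse to install it if validation fails, then reload dnsmasq if the
# OpenWrt init script is present.
write_restricted_hosts() {
    dest="$1"
    tmp="$dest.tmp"
    mkdir -p "$(dirname "$dest")"
    {
        printf '# generated hosts file; read by dnsmasq via list addnhosts\n'
        # $SAFESEARCH_DOMAINS is unquoted on purpose: word-split into arguments.
        build_safesearch_hosts "$SAFESEARCH_IP" $SAFESEARCH_DOMAINS
    } > "$tmp"
    check_hosts_file "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$dest"
    if [ -x /etc/init.d/dnsmasq ]; then
        /etc/init.d/dnsmasq reload
    fi
}

# Usage: sh safesearch-hosts.sh --write [/etc/hosts-restricted/hosts]
case "${1:-}" in
    --write) write_restricted_hosts "${2:-/etc/hosts-restricted/hosts}" ;;
esac
```

After writing the file, a quick check from a client on the guest WLAN is `nslookup www.google.com` against the router address; the answer should be 216.239.38.120, while the same query from the main LAN (which has no addnhosts entry) returns the normal Google address.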