Specific DNS by local IP/MAC

I have seen similar discussions about this, but I am pretty new to OpenWrt and wanted to accomplish this:
Some of my devices need access via a DNS I found that does Adblocking, while as some of my devices are children devices and need to use a separate DNS that offers Ad and Adult Content blocking.
Everything on my network is either set with a static IP or is given an infinite lease for recorded IPs. I was wondering if there is a way to set DNS by IP/MAC on a case to case basis/set Ad Block DNS default and override certain IPs/MAC with the more restricted one.
At the moment I have my DNS set to the less restrictive one and it is working, but would really like to force kid's tablets, computers, phones without manually setting the DNS on the actual devices.
I am using LuCI, and would prefer if there was a way to do this in that but if not I can ssh.
I have seen answers to similar questions stating to use the Interfaces:DHCP Server:Advanced:DHCP-Options, but that doesn't appear to be a device specific method, unless I am missing something.
Sorry about the novel of a question, and thanks for any help anyone may be able to offer.

What is your internal subnet / range?

Have you implemented any logical groupings / structure around device types / requirements ?

The reason I ask, is that some methods can be vastly simplified if similar devices share a contiguous address space.

Is it stricly ipv4? or do you have relevant ipv6 servers for each upstream server too?

While you wait copy and paste your device status page ( active dhcp leases ) into a text file for your use later... and read: Assign different DHCP options to multiple hosts

( no need to actually setup yet... just get your head around the data you need and what is going on )


I have grouped by device types. Using subnet. Example: Computers are on 10.0.1.[ ], tablets 10.0.2.[ ], etc for each type of device. I am not opposed to reworking my design if that is an issue.

Nope, that is perfect!

Also, strictly v4.

1 Like


for dnatnet in $dnatVLSMs; do
	dnatname="`echo $dnatnet | tr -s '.' '-' | tr -s '/' '-'`"
	if uci show firewall | grep '@redirect' | grep ".name=" | grep "$dnatname"; then
		echo "dnat for $dnatname [exists]"
		echo "dnat for $dnatname [create]"
		uci add firewall redirect
		uci set firewall.@redirect[-1].name="$dnatname"
		uci set firewall.@redirect[-1].src="lan"
		uci set firewall.@redirect[-1].src_ip="$dnatnet"
		uci set firewall.@redirect[-1].src_dport="53"
		uci set firewall.@redirect[-1].dest_port=$altdnsPORT
		uci set firewall.@redirect[-1].family="ipv4"
		uci set firewall.@redirect[-1].proto="tcpudp"
		uci set firewall.@redirect[-1].target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

if ! uci show dhcp | grep '=dnsmasq' | grep -q dhcp.${altdnsNAME}; then
	echo "Adding dnsmasq domain for $altdnsNAME"; sleep 2
	uci set dhcp.${altdnsNAME}="dnsmasq"
	uci set dhcp.${altdnsNAME}.noresolv="1"
	uci set dhcp.${altdnsNAME}.port=$altdnsPORT
	uci set dhcp.${altdnsNAME}.cachesize='10000'
	uci set dhcp.${altdnsNAME}.interface='br-lan'
	uci set dhcp.${altdnsNAME}.logqueries='1'
	uci set dhcp.${altdnsNAME}.force='1'
	uci add_list dhcp.${altdnsNAME}.server=$ALTDNS1
	uci add_list dhcp.${altdnsNAME}.server=$ALTDNS2
	uci commit dhcp
	/etc/init.d/dnsmasq reload

Something like the above ( note: its an example... not really "set and forget" ) will do the job seeings your ip scheme is so tidy... ( that's assuming you want to cache queries )...

This method has the advantage of all clients going to your router ip... for dns as their setting... so you can change them at will on the fly.... and dhcp reservation is minimal... just an ip in the right range.... ( i think you have that already )

If you don't then you can repeat the DNAT per ip/range<>server pairs leave the dest_port as 53 and set a dest_ip of the desired upstream server...

The other way ( simplest to setup manually to begin with ) is pretty much shown in the link in my post above... you can set upstream dns servers per "tag" if you don't want to cache / run a service per group.


Thank you. I will work with this and the above example. Between the two I shouldn't have a problem getting the results I need. Once again, thanks.

1 Like

Going to add that the tagging option is equally viable and the error here was my inability to read further when I looked at that the six previous times.

Hopefully my negligence will benefit someone else. Your way will work better for my particular set up though, so thanks for that once again.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.