Open DNS question

Hi boys:

I'm messing around with Pi-hole and Open DNS. The goal is to set up content filtering for my kids.

Pi-hole software is pretty cool, and does a pretty good job of filtering out ads. (Oddly it filtered my local newspaper).

Eventually, I might use the family friendly Open DNS on the router.

Is there a way to point individual devices to unfiltered DNS? (The only way I can see is adjusting the network settings on an individual device, but was wondering if there was a more elegant solution). Password protected access would be the best - but I can't figure it out.

Also - separate question - I'm seeing IPv6 traffic on the Pi-hole logs, to my knowledge my devices or ISP don't support it. Can anyone drop some knowledge on me?

I'm not exactly a network engineer - and am using old Verizon MOCA routers. I am concerned the extra hop on the internal network (the Pi-hole) will slow things if I point all of our devices there.

Thanks in advance.
 
Easiest way to skip OpenDNS on certain pieces of gear is to give them static mappings outside your DHCP scope and manually assign them something else.

IPv6 chatter is normal, it's local link traffic within your network on devices with IPv6 enabled on their LAN-facing interfaces, nothing to be concerned about.

Up until I switched to CIRA, I was using OpenDNS and still use it at client sites. It's a great and robust solution, backed by Cisco now of course, since they bought it and have re-branded it as "Umbrella", so it's definitely a solid choice.

I've not bothered farting around with Pi-hole, I've been able to do everything I've wanted to do with my firewall solution + OpenDNS/CIRA.
 
You can set a device to use a different DNS server which would bypass whatever your router is using. You can also enable DoH (DNS over HTTPS) in very recent versions of (at least) Firefox and Chrome which would bypass the device-level setting.

Cloudflare's 1.1.1.1 and Google's 8.8.8.8 & 8.8.4.4 are good bets.
 
Thanks - I get reserving a range outside of DHCP. Do I have to set up a routing rule to use a different DNS? (I seem to remember the router only allowing one DNS server - maybe I need to poke around more).

I'll check out DoH too.
 
Does your router support dnsmasq commands? Or maybe Pi-Hole supports it? I'm not familiar with Pi-Hole.

If so, you can use a command to assign specific DNS addresses to all clients coming in on a specific LAN interface that you've previously configured on the router, for example:
Code:
dhcp-option=tag:br1,6,208.67.222.123,208.67.220.123

This is saying that any client associated with the router's br1 interface will be assigned these specific DNS addresses, which happen to be OpenDNS ones in this example.

More dnsmasq commands here:


Now, if the user is smart enough to ignore the router-supplied DNS address and manually set their own DNS, then you also need to add some scripts to the firewall to reject any DNS that's different from the one dnsmasq assigned. So, I'm using the following scripts on my router's firewall:

Code:
# Reject port-53 DNS from br1 clients, both to the router itself (INPUT)
# and through the router to the internet (FORWARD)...
iptables -I INPUT -i br1 -p tcp --dport 53 -j REJECT
iptables -I INPUT -i br1 -p udp --dport 53 -j REJECT
iptables -I FORWARD -i br1 -p tcp --dport 53 -j REJECT
iptables -I FORWARD -i br1 -p udp --dport 53 -j REJECT
# ...except when it is addressed to the two OpenDNS resolvers handed out by
# dnsmasq. -I inserts at the top of the chain, so these ACCEPT rules, added
# last, are evaluated before the REJECT rules above.
iptables -I FORWARD -i br1 -p tcp -d 208.67.220.123 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d 208.67.220.123 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p tcp -d 208.67.222.123 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d 208.67.222.123 --dport 53 -j ACCEPT
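The rule set above only works because `iptables -I` inserts at the head of the chain, so the ACCEPT rules typed last end up evaluated first. The following is an added example, not code from the thread: a small Python model of that chain evaluation, built from the posted FORWARD rules, that classifies a few constructed packets. It also shows what happens if the same commands were issued with `-A` (append) instead of `-I`, and that a client using DoH on port 443 is never matched by these port-53 rules, which is the gap the earlier reply about Firefox and Chrome points at. The `Rule`, `Packet`, `build_forward_chain` and `verdict` names are this example's own, not dnsmasq or iptables APIs.

```python
"""Model of how the posted iptables DNS-enforcement rules are evaluated.

Added example (not from the thread): reproduces the order in which
`iptables -I` / `-A` build the FORWARD chain and classifies sample packets,
so the effect of rule order can be checked without touching a router.
"""
from dataclasses import dataclass
from typing import List, Optional

# The two OpenDNS resolver addresses used in the post's dhcp-option line.
OPENDNS = ("208.67.220.123", "208.67.222.123")


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on, e.g. "br1"
    proto: str      # "tcp" or "udp"
    dst: str        # destination IPv4 address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    in_iface: str
    proto: str
    dport: int
    target: str               # "ACCEPT" or "REJECT"
    dst: Optional[str] = None  # None means "any destination" (no -d given)

    def matches(self, pkt: Packet) -> bool:
        return (pkt.in_iface == self.in_iface
                and pkt.proto == self.proto
                and pkt.dport == self.dport
                and (self.dst is None or pkt.dst == self.dst))


def build_forward_chain(insert: bool = True) -> List[Rule]:
    """Replay the posted FORWARD commands in the order they were typed.

    insert=True models `iptables -I` (each rule goes to position 1, pushing
    earlier ones down); insert=False models `iptables -A` (append).
    The returned list is the chain in evaluation order.
    """
    commands = [
        Rule("br1", "tcp", 53, "REJECT"),
        Rule("br1", "udp", 53, "REJECT"),
    ]
    for ip in OPENDNS:
        commands.append(Rule("br1", "tcp", 53, "ACCEPT", dst=ip))
        commands.append(Rule("br1", "udp", 53, "ACCEPT", dst=ip))

    chain: List[Rule] = []
    for rule in commands:
        if insert:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; if nothing matches, the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed sample traffic from a br1 client.
SAMPLES = {
    "opendns udp/53":     Packet("br1", "udp", "208.67.222.123", 53),
    "google udp/53":      Packet("br1", "udp", "8.8.8.8", 53),
    "cloudflare tcp/53":  Packet("br1", "tcp", "1.1.1.1", 53),
    "doh tcp/443":        Packet("br1", "tcp", "1.1.1.1", 443),  # DoH: not port 53
    "other iface udp/53": Packet("br0", "udp", "8.8.8.8", 53),   # rules only cover br1
}


def audit(insert: bool = True) -> dict:
    """Verdict for every sample packet under the chosen chain-building mode."""
    chain = build_forward_chain(insert=insert)
    return {name: verdict(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for mode, flag in (("iptables -I", True), ("iptables -A", False)):
        print(f"--- {mode} ---")
        for name, result in audit(insert=flag).items():
            print(f"{name:20s} {result}")
```

With `-I`, OpenDNS traffic is accepted and other port-53 resolvers are rejected, which is the intended policy; with `-A` the blanket REJECT rules sit first and even the OpenDNS queries are rejected. In both modes the port-443 packet falls through to the chain policy, so a browser with DoH enabled is not constrained by these rules at all.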
 
Yup, that's very similar to my configuration. I also block VPN ports in case the kids try and get around it that way.
 
awesome - thanks guys.

I also noticed that Firefox has DoH turned on by default. (Or at least I don't remember turning it on).
 