Here's the story:
On my local network I'm using a Raspberry Pi with dnsmasq for name resolution and DHCP. Our household consists of two adults & two kids, and I'm looking at restricting internet access for the kids via OpenDNS.
I've almost got this working correctly, by starting from this question. Essentially, what I'm doing is "tagging" the kids' devices with a keyword ("kids"), and associating an alternate DNS server (OpenDNS) with that tag, via the following:
# regular DNS for most devices (untagged default)
dhcp-option=option:dns-server,192.168.111.11,8.8.8.8,8.8.4.4
# restricted DNS for kids (two OpenDNS IP addresses, and my local DNS server);
# a tagged option is handed out in preference to the untagged one
dhcp-option=tag:kids,option:dns-server,208.67.222.222,208.67.220.220,192.168.1.11
# IP reservations for kids devices; "set:kids" attaches the tag to the lease
# (the dhcp-host= prefix is needed in dnsmasq.conf; omit it if these lines live in a dhcp-hostsfile)
dhcp-host=XX:XX:XX:XX:XX:XX,set:kids,192.168.1.190
dhcp-host=YY:YY:YY:YY:YY:YY,set:kids,192.168.1.191
This works: the kids' devices hit OpenDNS' servers for name resolution and are blocked from inappropriate sites.
But the problem is that the kids can no longer access hosts on our local network. This means that, for example, they can't access our local Minecraft server or file shares. I have tried switching the order of the DNS servers and placing our local DNS server first in the order for the kids, but this disables the OpenDNS servers.
I've tried to think of a solution to this and the only thing I've come up with is setting up a second DNS server on another Raspberry Pi, but this means duplicating a lot of configuration that I don't want to keep track of.
How can I configure dnsmasq to properly resolve local addresses with different "external" DNS servers for two distinct sets of clients?
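As an added example (not part of the question, and not dnsmasq's own tooling), a small Python audit that parses dhcp-option/dhcp-host lines like the ones above and shows which resolver list each reserved device actually receives, flagging any list whose first resolver is off-LAN. It also handles the untagged default, not only the tagged case; the sample config, the placeholder MACs, the 192.168.1.11 resolver address and the 192.168.1.0/24 prefix are constructed assumptions.

```python
import ipaddress

# Constructed sample mirroring the question's dnsmasq.conf (placeholder MACs;
# 192.168.1.11 is assumed to be the Pi running dnsmasq, 192.168.1.0/24 the LAN).
SAMPLE_CONF = """\
# regular DNS for most devices
dhcp-option=option:dns-server,192.168.1.11,8.8.8.8,8.8.4.4
# restricted DNS for kids
dhcp-option=tag:kids,option:dns-server,208.67.222.222,208.67.220.220,192.168.1.11
dhcp-host=XX:XX:XX:XX:XX:XX,set:kids,192.168.1.190
dhcp-host=YY:YY:YY:YY:YY:YY,set:kids,192.168.1.191
dhcp-host=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ,192.168.1.20
"""
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_conf(conf):
    """Collect option:dns-server lists (keyed by tag, None = untagged) and dhcp-host reservations."""
    options, hosts = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        key, _, value = line.partition("=")
        fields = value.split(",")
        if key == "dhcp-option":
            tags = [f[4:] for f in fields if f.startswith("tag:")]
            rest = [f for f in fields if not f.startswith("tag:")]
            if rest and rest[0] in ("option:dns-server", "6"):  # option 6 = DNS servers
                for t in tags or [None]:
                    options[t] = rest[1:]
        elif key == "dhcp-host":
            set_tags = [f[4:] for f in fields[1:] if f.startswith("set:")]
            addrs = [f for f in fields[1:] if not f.startswith("set:")]
            hosts.append((fields[0], set_tags, addrs[0] if addrs else None))
    return options, hosts


def effective_resolvers(host_tags, options):
    """dnsmasq prefers a tagged option the client's lease carries over the untagged default."""
    for t in host_tags:
        if t in options:
            return options[t]
    return options.get(None, [])


def audit(conf):
    """Report each reservation's resolver list; flag lists whose first entry is off-LAN.
    Most stub resolvers treat the list as failover order, not per-domain routing, so an
    external resolver listed first also answers LAN names, which it cannot resolve."""
    options, hosts = parse_conf(conf)
    report = {}
    for mac, tags, ip in hosts:
        servers = effective_resolvers(tags, options)
        first_is_local = bool(servers) and ipaddress.ip_address(servers[0]) in LAN
        report[mac] = {"ip": ip, "resolvers": servers, "lan_names_at_risk": not first_is_local}
    return report
```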