Is it possible to force DNS for certain devices with iptables?



I'm trying to use iptables to force DNS for certain devices (Shibby Tomato on Asus RT-N66U). I haven't found anything online describing such a configuration. The closest I could find was this:

# For the Samsung TV, use WAN DNS (i.e., Comcast).
# #############################################################
iptables -t nat -A PREROUTING -i br0 -s samsung-tv.home.lan -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -s samsung-tv.home.lan -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')

# For every other client, use LAN DNS.
# #############################################################
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

This is close, but there are a couple problems.

1) I'd prefer to do it by MAC address, rather than hostname. Is that possible?

2) This only allows a single DNS server per client. Is there a way to assign a primary and secondary DNS using this (or similar) method?


Posted 2014-09-09T14:26:27.173

Reputation: 275



Question n.1 Yes it can be done: just use

iptables -t nat -A PREROUTING -i br0 -m mac --mac-source MAC-ADDRESS-OF-SAMSUNG -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')

The first new option, -m mac, instructs iptables to load the mac module. I am not familiar with Shibby Tomato, but in standard Linux this module is pretty standard.

Question n.2 You can always concoct a work around. Suppose you have instructed your Samsung TV to use and as DNS (even though they are not the DNS you wish). Then you can sort of implement a second DNS by substituting the previous iptables command with the following two commands:

 iptables -t nat -A PREROUTING -i br0 -d -m mac --mac-source MAC-ADDRESS-OF-SAMSUNG -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns1 | awk -F' ' '{print $1}')

 iptables -t nat -A PREROUTING -i br0 -d -m mac --mac-source MAC-ADDRESS-OF-SAMSUNG -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns2 | awk -F' ' '{print $1}')

This works as follows: if the TV does not get a reply from its first DNS (which it thinks is but we know is wan_get_dns1), then it will try to contact the second one,, which now gets redirected to the second DNS, wan_get_dns.


Posted 2014-09-09T14:26:27.173

Reputation: 41 321

@jluce50 The time delay is irrelevant to the server: it will DNAT packets coming in from the TV following the two rules above, one by one: receives one packet, DNATs it, sends it away. If the first DNS is down, it does nothing, but the TV, which is waiting for an answer which is not coming, becomes edgy and sends another packet to the other DNS. Now the server DNATs this second packet to the other DNS, sends it away, does not wait for an answer. – MariusMatutiae – 2014-09-10T19:28:10.190

Thanks! This isn't ideal, since I don't always know what the client has specified for primary/secondary DNS (kids computer, for example), but it looks like it's as close as I can get to what I want.

Edit: Sorry, I deleted my original comment before I saw your reply. I realized I had misunderstood how it would work. – jluce50 – 2014-09-10T19:48:08.697


iptables isn't really for DNS server management - It doesn't set the DNS server, rather it hijacks all DNS queries from the client and forces them to go to a specific server. You would be better off configuring the DHCP server to do what you want, since the DHCP server hands out DNS server information anyways. This is the only way you'll be able to set primary/secondary DNS servers.

You could route by MAC address, but I'd advise against that since that will break easily unless the device is connected directly to the router. If you don't want to use hostnames, use an IP.

Darth Android

Posted 2014-09-09T14:26:27.173

Reputation: 35 133

1Yeah, I get that, but I can't seem to find a better way to do what I want. The router's DHCP settings don't allow me to set the DNS per client (that I can see). I don't want to use IP's because it only works if the user is using DHCP. If they set a static IP it completely bypasses this functionality (I was using Dnsmasq, which works great, except for this issue). – jluce50 – 2014-09-09T18:31:33.563