DNS Config Question
Posted: Sun Jun 16, 2013 9:08 am
by pmerrill
I'm on 1.5.10 and have checked the "Force Clients To Use Router DNS Servers". Unfortunately, I have one wireless device where I don't want to use the DNS servers from Gargoyle but a different set.
Is there any way to do this? Perhaps if I put this one device into the DMZ it will allow the DNS set on that one device only to work?
If not, is there any way, or must I uncheck the Force Clients?

Re: DNS Config Question
Posted: Tue Jun 18, 2013 7:18 pm
by DoesItMatter
The only possible way I could see around this is manually setting up an IP outside of the DHCP range on your wireless device. Then you can input your own DNS, etc.
Re: DNS Config Question
Posted: Tue Jun 18, 2013 10:59 pm
by pmerrill
OK, so if the router's range is from 192.168.1.100 to 192.168.1.254, then I set the one device to NOT use DHCP but have a static IP of 192.168.1.50 (as an example) and set up the DNS on the one device to point to my DNS of choice. Then it all should work?
If I click the "Force Clients To Use Router DNS Servers", then all IPs in the range 100 to 254 will be forced to use the router's DNS servers EXCEPT for my one device.
Yes?
Re: DNS Config Question
Posted: Wed Jun 19, 2013 1:42 pm
by DoesItMatter
Right.
Any device that is obtaining an IP via DHCP has to use the router DNS.
If you do a static IP, you can configure your own DNS.
Re: DNS Config Question
Posted: Wed Jun 19, 2013 3:55 pm
by Rog66
I do this as follows:
Don't set the "force all clients to use router's DNS" box.
Set up fixed IP addresses for all your connected clients.
Put the exempt client at the beginning or end of the range for simplicity in the next step.
Set up a firewall restriction that blocks application protocol DNS for the range of clients other than the one you want to allow external DNS queries.
Set up fixed DNS servers on the one exempt client.
Reboot the router, then try setting up an external DNS server on the connection of one of the blocked clients and make sure you can't browse the internet by URL.
This also prevents people using external DNS servers by setting up a fixed IP address as per above (I do this to stop the kids bypassing the OpenDNS blocked sites).
Re: DNS Config Question
Posted: Fri Jun 21, 2013 6:53 pm
by pmerrill
DoesItMatter wrote:
The only possible way I could see around this is manually setting up an IP outside of the DHCP range on your wireless device. Then you can input your own DNS, etc.
Yeah, don't think this is working. I believe that the implementation in the router prevents data on port 53. Thus, even though it's a static IP, when the machine tries to access the new DNS via port 53, the router redirects all requests, whether DHCP-supplied or not, to the router's DNS. So no luck...
Re: DNS Config Question
Posted: Fri Jun 21, 2013 7:07 pm
by pmerrill
Rog66 wrote:
I do this as follows:
Don't set the "force all clients to use router's DNS" box.
Set up fixed IP addresses for all your connected clients.
Put the exempt client at the beginning or end of the range for simplicity in the next step.
Set up a firewall restriction that blocks application protocol DNS for the range of clients other than the one you want to allow external DNS queries.
Set up fixed DNS servers on the one exempt client.
Reboot the router, then try setting up an external DNS server on the connection of one of the blocked clients and make sure you can't browse the internet by URL.
This also prevents people using external DNS servers by setting up a fixed IP address as per above (I do this to stop the kids bypassing the OpenDNS blocked sites).
Rog66, I like this idea but was wondering: since there are only 4 MAC IDs that I need to prevent from changing the DNS, perhaps I could just set up a general rule for these 4 MAC addresses that prevents only them from changing the DNS. So would this be blocking port 53 only?
Another idea: don't select Force Clients To Use Router DNS Servers and route all traffic from port 53 to the OpenDNS 208.67.222.222 server. How does one set that rule up?
Re: DNS Config Question
Posted: Sun Aug 04, 2013 9:53 am
by Rog66
Paul, apologies; for some reason I never got notification of your reply. If you are using MAC addresses then yes, setting up a rule to block port 53 from these addresses will prevent external DNS servers from being accessed. Just ensure none of the equipment has both wireless and wired connections (two different MAC addresses).
You can redirect DNS requests to the internal server. I'm not sure if you can do that in the Gargoyle config screens, but I did it once using the redirect option in the firewall config files. It wasn't as easy as blocking port 53.
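The thread never shows the actual rules, so here is an added example (not Gargoyle's own code or configuration, and not posted by anyone in the thread) that expresses the three approaches discussed above as iptables rules for an OpenWrt-style router such as Gargoyle: Rog66's "block port 53 for everyone except the exempt client", pmerrill's "block port 53 only for a handful of MACs", and the redirect option Rog66 mentions in the last post. The LAN bridge name br-lan, the router address 192.168.1.1 and the two MAC addresses in the demonstration are assumptions; the exempt address 192.168.1.50 and the OpenDNS resolver 208.67.222.222 are taken from the thread. By default the script only prints the commands it would run, so it can be read and tested off the router; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not Gargoyle's own code or config. Three ways to pin LAN
# clients to a chosen DNS resolver on an OpenWrt-style router:
#   1.  dns_block_rules      - refuse outbound DNS (udp+tcp/53) from every LAN
#                              client except one exempt IP (Rog66's scheme)
#   1b. dns_block_rules_mac  - refuse outbound DNS only from listed MACs
#   2.  dns_redirect_rules   - DNAT port 53 from non-exempt clients to a
#                              resolver of your choice (or to the router)
# Assumed, not from the thread: LAN bridge br-lan, router 192.168.1.1, the
# demo MAC addresses. Set APPLY=1 to execute rules instead of printing them.

LAN_IF="${LAN_IF:-br-lan}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"

# Print a command, or run it when APPLY=1 (only meaningful as root on the router).
emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Approach 1: a dedicated chain hooked at the top of FORWARD. FORWARD only sees
# traffic leaving through the WAN, so queries to the router's own dnsmasq (which
# arrive on INPUT) are unaffected. The exempt client RETURNs before the REJECT
# rules; everyone else gets an immediate ICMP port-unreachable for port 53,
# which fails faster than a silent DROP would.
dns_block_rules() {
    exempt_ip="$1"
    emit iptables -N DNS_POLICY
    emit iptables -I FORWARD 1 -i "$LAN_IF" -j DNS_POLICY
    emit iptables -A DNS_POLICY -s "$exempt_ip" -j RETURN
    for proto in udp tcp; do
        emit iptables -A DNS_POLICY -p "$proto" --dport 53 -j REJECT
    done
}

# Approach 1b: block only the listed MACs (pmerrill's four devices). MAC
# matching works here because FORWARD still sees the source MAC of frames that
# came in on the LAN bridge. A device with both Wi-Fi and Ethernet has two MACs
# and needs both listed, as Rog66 points out.
dns_block_rules_mac() {
    for mac in "$@"; do
        for proto in udp tcp; do
            emit iptables -I FORWARD 1 -i "$LAN_IF" -m mac --mac-source "$mac" \
                -p "$proto" --dport 53 -j REJECT
        done
    done
}

# Approach 2: rewrite the destination of port-53 packets from non-exempt
# clients. DNAT in PREROUTING runs before routing and does not care how the
# client obtained its address, so a statically configured resolver is silently
# replaced; that is consistent with what pmerrill observed with a static IP.
# Pass "$ROUTER_IP" as the resolver to send everyone to the router's dnsmasq
# instead of an external server.
dns_redirect_rules() {
    resolver="$1"
    exempt_ip="$2"
    for proto in udp tcp; do
        emit iptables -t nat -I PREROUTING 1 -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -s "$exempt_ip" -j DNAT --to-destination "$resolver"
    done
}

# Demonstration with the thread's addresses (MACs are made up for the example).
dns_block_rules 192.168.1.50
dns_block_rules_mac 00:11:22:33:44:55 66:77:88:99:aa:bb
dns_redirect_rules 208.67.222.222 192.168.1.50
```

Pick one approach rather than stacking all three. After applying, repeat Rog66's check from a blocked client: a lookup against an external resolver (for example `nslookup example.com 208.67.222.222`) should fail outright under approach 1 or quietly land on the chosen resolver under approach 2, while a lookup against 192.168.1.1 keeps working. Rules added by hand disappear on reboot or firewall reload; on OpenWrt of that era they belong in /etc/firewall.user, and whether Gargoyle's own firewall scripts preserve them is something to verify on your build. Re-running with APPLY=1 appends duplicate rules, so flush the DNS_POLICY chain first. Finally, all three only govern port 53: a client that tunnels DNS over another port, or over HTTPS to a public resolver, is not caught, so treat this as a policy control for cooperative devices, not a security boundary against a determined one.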