My original quest for DD-WRT came about due to using OpenDNS. I originally had a D-Link wireless router which let me input the DNS addresses for OpenDNS, but the wireless signal eventually died in it. I replaced it with a Motorola WR850G that worked great initially, but a firmware upgrade to version 6.1.4 actually disabled my ability to set DNS server entries. Therefore, I had to either manually configure all of the network devices (computers, game consoles, etc.) to use OpenDNS, or just forget about it until I could change routers again.
It turns out that the DD-WRT router firmware was compatible with my router, so I installed it and was able to set OpenDNS again. I have since upgraded to a newer Linksys model, which also supports DD-WRT; in fact, I specifically chose a router that would work with DD-WRT.
All worked smoothly on DD-WRT, except that any time my IP address changed with our Internet provider, the “protected” IP address registered with OpenDNS was no longer valid, and the filtering was thereby gone. The OpenDNS updater I ran never worked reliably, either.
As many know, DD-WRT is based on a lightweight version of Linux, which provides that flexiblity needed to make custom changes. DD-WRT only runs on certain routers that contain specific chipsets, but it is well worth the time to research routers that support it. DD-WRT itself is full of numerous configuration options that make even a networking professional such as myself scratch my head over. In addition to quite a few pages full of settings to configure, DD-WRT also lets you enter commands directly to make additional configuration settings.
Armed with that knowledge, I had a list of problems I needed solved with my DNS services. First, I had to be able to set all computers and devices on the network to use OpenDNS. Second, my WAN IP address (the IP address handed out by my ISP) needed to be updated (hopefully instantaneously) when it changed. Finally, I wanted to prevent any device on the network from circumventing OpenDNS by manually changing settings on the device.
Prerequisites: in order to make all of this work smoothly, you need to have created at least a basic account at OpenDNS, as well as a companion account at DNS-O-Matic. The latter is the service that will automatically update not only our OpenDNS account with your current WAN IP address, it will also alert other nameserver providers (such as dyndns.org) with the information so they can also be automatically updated as well.
In the following instructions, the text in green is what you will enter into your router where indicated. You may want to copy and paste the text to ensure you don’t enter anything incorrectly.
Our first step will be to setup OpenDNS as the router’s default DNS source. There are two ways you can go with this. You can either have your router hand out the DNS addresses itself (option 1 below), or you can pass this task off to OpenDNS (option 2). Both methods work well.
From the DD-WRT Wiki, here are the instructions for changing your DNS server entries.
Option 1 – Configure DHCP with OpenDNS DNS server
- Go to Setup tab » Basic Setup sub tab » Network Setup section » Network Address Server Settings (DHCP), and
- Set Static DNS 1 to 22.214.171.124
- Set Static DNS 2 to 126.96.36.199
- Depending on the behavior you want, set Static DNS 3 to:
- 0.0.0.0 to fall back to your ISP DNS if OpenDNS is unresponsive
- 10.0.0.0 (a non-usable IP) if you don’t want to use any other servers
- Another DNS server of your choice (Do not duplicate one of the first two DNS’s or it will default to 0.0.0.0) – Note: OpenDNS also has these DNS IP’s that can be used for the 3rd Static DNS: 188.8.131.52 and 184.108.40.206 - To ensure that all devices are restricted by OpenDNS Web Content Filtering you should configure all 3 Static DNS entries using the OpenDNS IP’s.
- Apply Settings
If you want the DNS servers to be queried in the order they’re listed rather than randomly:
- Go to Services tab » Services sub tab » Services Management section » DNSMasq sub section »Additional DNSMasq Options text box, and enter:
- Apply Settings
Option 2 – Configure DNSMasq for OpenDNS DNS forwarding
- Go to Services tab » Services sub tab » Services Management section » DNSMasq sub section
- Enable both DNSMasq and Local DNS options
- In the Additional DNSMasq Options text box, enter:no-resolv
- Click Apply Settings
- Go to Administration tab » Commands sub tab
- In the Commands text box, enter:iptables -t nat -A PREROUTING -i br0 -p udp –dport 53 -j DNAT –to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp –dport 53 -j DNAT –to $(nvram get lan_ipaddr)
- Click Save Firewall (note: your WAN interface will be restarted)
This protects all devices on your network. If for some reason you want one device or a range of devices to be able to specify their own DNS server entries, you can specify a range of IP addresses on your network to which the DNS interception applies. Refer to the DD-WRT Wiki page for those instructions.
Finally, does your IP address change often? In order to stay protected, your current IP address needs to be registered in your OpenDNS account. Using the DNS-O-Matic service with your DD-WRT router, you can nearly instantly send IP address changes to your OpenDNS account, and also keep those alternative DNS services (such as dyndns.org) updated as well. To do this takes a few steps. From the DD-WRT Wiki:
- Setup an account with OpenDns and Enable dynamic IP update under the settings tab on the OpenDNS website. Also enable any filtering options you want.
- Log into DNS-O-Matic. It shares the same username and password for OpenDNS.
- Add OpenDNS as a service on DNS-O-Matic
- Also add account information for any other Dynamic DNS providers you have.
- Now click the “Update Info” radio button
- On the DDNS tab under Setup in dd-wrt set DDNS Service to Custom.
- Set DYNDNS Server to: updates.dnsomatic.com
- Fill in your Username and Password for OpenDNS/DNS-O-Matic
- Set Host Name to all.dnsomatic.com
To update multiple hosts, use hostname1 -a hostname2 -a hostname3 -a hostnameN
- Put /nic/update?hostname= in the URL text box.If that doesn’t work, use:
If you get a badauth error from dnsomatic, it could be that you need to use https instead of http, so try: