There are times when you need to restrict what some hosts on the network can or cannot do. When you have a router running OpenWRT, this can be done at the firewall level.
But if you’re not much into advanced configuration and just want to block some network hosts from reaching the internet (and hence phoning home), it’s a lot simpler to do this directly from DHCP and simply leave them without a DNS and gateway configuration. This only works for hosts that take their network settings from DHCP; a host with a manually configured gateway and DNS server is unaffected, and stopping it requires a firewall rule.
Start by editing /etc/config/dhcp and adding the following tag definitions to the file (the tag identifier can be any string; I chose these for clarity):
    config tag 'nodnsnogateway'
        list dhcp_option '3'
        list dhcp_option '6'

    config tag 'nogateway'
        list dhcp_option '3'

    config tag 'nodns'
        list dhcp_option '6'
These definitions stop the DHCP server from providing gateway and/or DNS information to the hosts they are applied to. To serve custom information instead, include the IP addresses in the option definition, for example:
    list dhcp_option '3,192.168.1.101'
    list dhcp_option '6,192.168.1.128,1.2.3.4'
Then create MAC-specific host configurations and add the tag attribute to the hosts that should receive the custom configuration:
    config host
        option name 'host-without-dns'
        option dns '1'
        option ip '192.168.1.30'
        option mac '00:11:22:33:aa:bb'
        option leasetime '12h'
        option tag 'nodns'

    config host
        option name 'lan-only-host'
        option dns '1'
        option ip '192.168.1.33'
        option mac '00:11:22:33:cc:dd'
        option leasetime '12h'
        option tag 'nodnsnogateway'
Save the changes to the file (via SSH/SCP), then reload and use Save & Apply on OpenWRT’s DHCP and DNS page to apply the configuration changes.
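A host whose tag has no matching "config tag" section silently keeps the default gateway and DNS, so it is worth auditing the file after editing. The script below is an added example, not part of the original post: it reads a dhcp config on stdin and reports, per host, whether options 3 and 6 are withheld, overridden or left at the default. The function names, the 'customdns' tag and the 'kiosk' and 'camera' hosts are constructed for illustration.

```shell
# Added example, not from the original post: audit a UCI dhcp config on stdin.
# Assumes each quoted value is a single token (no spaces inside the quotes).
dhcp_tag_audit() {
    awk -v q="'" '
    function unq(s) { gsub("[" q "\"]", "", s); return s }
    function state(t, c) { return ((t, c) in eff) ? eff[t, c] : "default" }
    $1 == "config" { sec = $2; cur = unq($3); if (sec == "tag") known[cur] = 1; if (sec == "host") n++ }
    sec == "tag" && $1 == "list" && $2 == "dhcp_option" {
        v = unq($3); i = index(v, ",")
        # "3" alone withholds the option; "3,<addr>" overrides it
        if (i > 0) eff[cur, substr(v, 1, i - 1)] = "custom:" substr(v, i + 1)
        else eff[cur, v] = "withheld"
    }
    sec == "host" && $1 == "option" { h[n, $2] = unq($3) }
    END {
        for (k = 1; k <= n; k++) {
            t = h[k, "tag"]
            # A tag without a matching "config tag" section changes nothing for the host
            label = (t == "") ? "-" : ((t in known) ? t : t "(UNDEFINED)")
            printf "%s %s tag=%s router=%s dns=%s\n", h[k, "name"], h[k, "mac"], label, state(t, "3"), state(t, "6")
        }
    }'
}

# Constructed sample: one tag and host from the post plus made-up entries.
sample_config() {
    cat <<'EOF'
config tag 'nodnsnogateway'
    list dhcp_option '3'
    list dhcp_option '6'
config tag 'customdns'
    list dhcp_option '6,192.168.1.128'
config host
    option name 'lan-only-host'
    option mac '00:11:22:33:cc:dd'
    option tag 'nodnsnogateway'
config host
    option name 'kiosk'
    option mac '00:11:22:33:ee:ff'
    option tag 'customdns'
config host
    option name 'camera'
    option mac '00:11:22:33:00:01'
    option tag 'nodnsnogatway'
EOF
}

sample_config | dhcp_tag_audit
```

To check the real file, pipe /etc/config/dhcp into dhcp_tag_audit; any host shown with (UNDEFINED) or router=default is still being handed a route to the internet.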
Additional options
The dnsmasq DHCP server supports additional custom configuration values:
    # dnsmasq --help dhcp
    Known DHCP options:
      1 netmask
      2 time-offset
      3 router
      6 dns-server
      7 log-server
      9 lpr-server
     13 boot-file-size
     15 domain-name
     16 swap-server
     17 root-path
     18 extension-path
     19 ip-forward-enable
     20 non-local-source-routing
     21 policy-filter
     22 max-datagram-reassembly
     23 default-ttl
     26 mtu
     27 all-subnets-local
     31 router-discovery
     32 router-solicitation
     33 static-route
     34 trailer-encapsulation
     35 arp-timeout
     36 ethernet-encap
     37 tcp-ttl
     38 tcp-keepalive
     40 nis-domain
     41 nis-server
     42 ntp-server
     44 netbios-ns
     45 netbios-dd
     46 netbios-nodetype
     47 netbios-scope
     48 x-windows-fs
     49 x-windows-dm
     58 T1
     59 T2
     60 vendor-class
     64 nis+-domain
     65 nis+-server
     66 tftp-server
     67 bootfile-name
     68 mobile-ip-home
     69 smtp-server
     70 pop3-server
     71 nntp-server
     74 irc-server
     77 user-class
     80 rapid-commit
     93 client-arch
     94 client-interface-id
     97 client-machine-id
    119 domain-search
    120 sip-server
    121 classless-static-route
    125 vendor-id-encap
    150 tftp-server-address
    255 server-ip-address

    # dnsmasq --help dhcp6
    Known DHCPv6 options:
     21 sip-server-domain
     22 sip-server
     23 dns-server
     24 domain-search
     27 nis-server
     28 nis+-server
     29 nis-domain
     30 nis+-domain
     31 sntp-server
     32 information-refresh-time
     56 ntp-server
     59 bootfile-url
     60 bootfile-param