[dns-operations] Embedding MAC address in DNS requests for selective filtering

Robert Edmonds edmonds at mycre.ws
Mon Jan 25 17:50:22 UTC 2016

Shane Kerr wrote:
> At 2016-01-25 10:36:03 -0500
> bert hubert <bert.hubert at powerdns.com> wrote:
> > We have heard of implementations where 'per-device DNS filtering' is being  
> > offered, even behind NAT.  So this means you might get parental filtering on
> > your kids' iPads, but not on your own desktop.
> > 
> > This is then probably implemented by the home router (CPE) appending the MAC 
> > address to queries, presumably over EDNS.  The ISP nameserver can then
> > conditionally filter queries or not, based on customer IP and client MAC
> > address.
> Alternately this could be implemented by having the DHCP server give
> the clients a different DNS server (possibly even in a different
> subnet, if you wanted to do actual isolation instead of DNS filtering
> theater).

Hi, Shane:

If I understand correctly, this would only really work with a very
limited number of filtering options, say "filtered" and "unfiltered".
But the DNS filtering vendors give you a lot more flexibility than that.
E.g., this is OpenDNS's "Web Content Filtering" configuration panel:


Robert Edmonds
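
The per-device scheme from the quoted text (CPE appends the client MAC as an EDNS option, resolver picks a policy by customer IP and MAC), as an added example that is not code from the thread or from any vendor. The option code 65001 (taken from the EDNS local/experimental range, since the thread names none), the addresses, MACs and policy names are constructed assumptions.

```python
import struct

MAC_OPT = 65001  # assumption: local/experimental EDNS option code; the thread names none
OPT_RR = 41      # EDNS0 OPT pseudo-record type (RFC 6891)
# Constructed sample table: one customer IP, more than two per-device policies.
POLICIES = {("192.0.2.10", "aa:bb:cc:00:00:01"): "kids",
            ("192.0.2.10", "aa:bb:cc:00:00:02"): "no-social-media"}

def build_query(qname, mac, qid=0x1234):
    """CPE side: an A query plus an OPT record carrying the client MAC."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    option = struct.pack("!HH", MAC_OPT, 6) + bytes.fromhex(mac.replace(":", ""))
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR, 4096, 0, len(option)) + option
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1) + question + opt

def skip_name(msg, pos):  # advance past a name (labels or a compression pointer)
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if (n & 0xC0) == 0xC0:
            return pos + 2
        pos += 1 + n

def extract_mac(msg):
    """Resolver side: MAC from the OPT record, or None if absent or malformed."""
    try:
        _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        pos = 12
        for _ in range(qd):
            pos = skip_name(msg, pos) + 4          # name, then qtype and qclass
        for _ in range(an + ns + ar):
            pos = skip_name(msg, pos)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)
            pos, end = pos + 10, pos + 10 + rdlen
            while rtype == OPT_RR and pos + 4 <= end:
                code, olen = struct.unpack_from("!HH", msg, pos)
                data = msg[pos + 4:min(pos + 4 + olen, end)]
                if code == MAC_OPT:
                    return data.hex(":") if len(data) == 6 == olen else None
                pos += 4 + olen
            pos = end
    except (struct.error, IndexError):
        pass                                       # truncated or malformed message
    return None

def policy_for(customer_ip, msg):
    """Select a policy by (customer IP, client MAC); unknown devices are unfiltered."""
    return POLICIES.get((customer_ip, extract_mac(msg)), "unfiltered")
```

The resolver should accept this option only from the customer's CPE, and the CPE should replace any MAC option already present in a client's query, since the value is otherwise client-controlled.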

