Adding a DNS forward through Luci

I'm configuring my OpenWRT to forward its requests to my pi-hole on a rpi4. I've already set up the firewall forwarding rule to get my LAN clients to use pi-hole. In order to capture the OpenWRT router itself I've read here to use Network > DHCP and DNS > Forwards, but I'm unclear on what info (and format of that info) goes into the DNS Forwards and Additional server files boxes.

Hopefully this request is clear. Please let me know if any additional info is needed.

thanks

Use option 6 from https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options, to tell the clients to query the pi directly.

And https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns to force those who ignore option 6.


Thanks for the tips. I've done the first suggestion already. The second one results in loss of internet connection for wifi clients.

Did you add the DoT block?

If you intercept DNS you have to make an exception for the pi's IP address; the pi has to have a way out for its upstream DNS query

... or you'll end up in a loop.

The fw rule for that is the 2nd last paragraph on the DNS hijacking page.


No, I added just as the intercept_dns link specifies.

Current configuration for pihole (192.168.1.207) on my OpenWRT router.

I have DHCP/DNS configured to query the pihole directly:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.1.207'

The LAN is configured with the pihole as DNS:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.207'
        option delegate '0'

In the firewall, I've configured a redirect of port 53 to the pihole, with an exclusion for the pihole itself:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Forward to Pihole'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.1.207'
        option dest_port '53'
        option src_ip '!192.168.1.207'
        option family 'ipv4'

and added a firewall rule to deal with DoT:

config rule 'dot_fwd'
        option name 'Deny-DoT'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

and finally added a firewall NAT rule to deal with "unexpected source" errors:

config nat
        option name 'Prevents unexpected source error on redirect to pihole'
        list proto 'all'
        option src 'lan'
        option dest_ip '192.168.1.207'
        option target 'MASQUERADE'

This config appears to be working. I'm thinking now that having the router use the pihole for DNS isn't needed.
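A small check for the two gotchas this thread turns on: a port-53 redirect that forgets to exempt the pi-hole's own address (the loop described earlier) and a missing DoT block. This is an added example, not part of the original thread or of OpenWrt; it parses UCI text in the format posted above, and the embedded sample is constructed from that post with the DoT rule left out so the check has something to report.

```python
import re

# Constructed sample: the redirect from the post above, without the Deny-DoT rule.
SAMPLE_FIREWALL = """
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Forward to Pihole'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.1.207'
        option dest_port '53'
        option src_ip '!192.168.1.207'
        option family 'ipv4'
"""

def parse_uci(text):
    """Parse UCI config text into (type, name, options) tuples.
    'list' keys accumulate into lists; 'option' keys are single strings."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = re.match(r"^(option|list)\s+(\S+)\s+'(.*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def check_dns_intercept(text, resolver_ip):
    """Findings for a DNS-intercept setup whose resolver (the pi-hole) is on the LAN."""
    findings = []
    dot_blocked = False
    for typ, _name, o in parse_uci(text):
        if typ == "redirect" and o.get("src_dport") == "53" and o.get("target") == "DNAT":
            if o.get("src_ip") != "!" + resolver_ip:  # resolver must be exempt or it loops
                findings.append(f"redirect {o.get('name')!r} does not exempt {resolver_ip}: loop risk")
        if typ == "rule" and o.get("dest") == "wan" and o.get("dest_port") == "853" \
                and o.get("target") == "REJECT":
            dot_blocked = True
    if not dot_blocked:
        findings.append("no rule rejecting DoT (853) to wan: clients can bypass the pi-hole")
    return findings
```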
