Configuring DNS with Pihole, unbound, and OpenWRT's dnsmasq for hostnames

Hi, so I have a pretty unique setup, so let me first explain what services I have and where:

  • 172.16.22.3 = My home server's IP (in its own VLAN)
  • 172.16.22.1 = OpenWRT router (for the servers' VLAN)
  • 172.16.22.3:53 = PiHole's DNS port, running on my home server
  • 172.16.22.3:5353 = Unbound's DNS port, running on my home server (recursive DNS server)

What I want to achieve is this:

  • All clients connected to the Guest or LAN interfaces (in their own VLANs) should be advertised the PiHole servers, which they're supposed to use for DNS. (With the appropriate Firewall configs allowing that)
  • PiHole's upstream DNS server should be the router's DNS server (172.16.22.1), to allow hostname lookups (i.e. for something like openwrt.local)
  • Router's upstream DNS server should be the unbound recursive DNS server (172.16.22.3, port 5353), there should be no queries made to the ISP's servers at any point.

What I did so far:

  • In LuCI settings: Network -> Firewall -> Traffic Rules, I've added rules that allow communication from the LAN and Guests interfaces to the Servers interface over both UDP and TCP when the port is 53. This allows the users in the LAN/Guest VLANs to access PiHole directly.
  • In LuCI settings: Network -> Interfaces -> LAN -> Edit -> DHCP Server -> Advanced Settings -> DHCP-Options, I've set 6,172.16.22.3, to advertise PiHole as the DNS server. Same thing for the Guests interface.
  • In LuCI settings: Network -> DHCP and DNS -> General Settings -> DNS forwardings, I set 172.16.22.3#5353, to forward all queries to my unbound recursive DNS.
  • In LuCI settings: Network -> DHCP and DNS -> General Settings -> Log queries, I've ticked the box, to log all DNS queries to the system log (temporarily, for debugging).

What works:

  • When I connect (on LAN interface), my upstream DNS server is indeed set to 172.16.22.3 (PiHole)
  • When I run dig @172.16.22.3 itsdrike.com from my personal pc, I do get back a response with the proper resolved IP.
  • In PiHole logs, I do see that a query to itsdrike.com was made, and its lookup was forwarded to 172.16.22.1 (router), which answered properly with an IP.

What's weird:

In LuCI: Status -> System Log, I see the following:

Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 query[A] itsdrike.com from 172.16.22.3
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 forwarded itsdrike.com to 172.16.22.3#5353
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 forwarded itsdrike.com to 192.168.1.1
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 reply itsdrike.com is 188.114.97.10
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 reply itsdrike.com is 188.114.96.10

Which clearly indicates that the itsdrike.com query was received from the pihole server (172.16.22.3), and the daemon did then forward the lookup to unbound (172.16.22.3#5353); however, the log line below that shows the lookup was also forwarded to 192.168.1.1 (my ISP-provided router, leading back to the ISP's DNS)? I then see 2 reply logs, both returning a valid IP for that domain (188.114.96.10).

So, the setup seems like it's almost doing what I need, however I don't understand at all why the query to 192.168.1.1 is made, and so I've no idea how to disable that. Any help would be appreciated!
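Whatever the reason for the extra upstream, the dnsmasq query log above is enough to audit whether any lookup leaves through a server that is not on your intended list. The script below is an added example, not something from the thread: it embeds a constructed copy of the logged lines and flags every "forwarded ... to" line whose upstream is not on the allow-list you pass in (on the router you would feed it `logread` instead).

```shell
#!/bin/sh
# Added example (not from the post): audit a dnsmasq query log for forwards
# to upstreams that are not on an allow-list. The log below is a constructed
# copy of the lines shown in the thread so the check runs offline.
SAMPLE_LOG='Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 query[A] itsdrike.com from 172.16.22.3
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 forwarded itsdrike.com to 172.16.22.3#5353
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 forwarded itsdrike.com to 192.168.1.1
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 reply itsdrike.com is 188.114.97.10
Thu Jan  4 15:43:15 2024 daemon.info dnsmasq[1]: 900 172.16.22.3/46329 reply itsdrike.com is 188.114.96.10'

# dnsmasq_leaks ALLOWED_UPSTREAM... : reads a dnsmasq log on stdin and prints
# one "<name> -> <upstream>" line for every forward whose upstream (as logged,
# e.g. "172.16.22.3#5353" or "192.168.1.1") is not in the allow-list.
# Query and reply lines are ignored; only "forwarded <name> to <upstream>" counts.
dnsmasq_leaks() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /dnsmasq\[[0-9]+\]: .* forwarded / {
            for (i = 1; i <= NF; i++) {
                if ($i == "forwarded") { name = $(i + 1); up = $(i + 3) }
            }
            if (!(up in ok)) print name " -> " up
        }'
}

# dnsmasq_leak_count ALLOWED_UPSTREAM... : same check, but prints only the
# number of offending forwards (handy as a pass/fail signal in a cron job).
dnsmasq_leak_count() {
    dnsmasq_leaks "$@" | wc -l | tr -d ' '
}

# Stand-alone run against the embedded sample with unbound as the only
# permitted upstream; on OpenWRT use:  logread | dnsmasq_leaks 172.16.22.3#5353
printf '%s\n' "$SAMPLE_LOG" | dnsmasq_leaks 172.16.22.3#5353
```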

I think you only need to modify the pihole config so that it uses conditional forwarding for your lan and use unbound's ip:port as the upstream for pihole?

Conditional forwarding: local network:172.16.22.0/16 dhcp: 172.16.22.1
dns1 IPv4: 172.16.22.3:5353
dns2 IPv4: 172.16.22.3:5353

Oh, you're totally right! I completely missed that this was an option in pi-hole, yeah, that's so much better, thanks!

Though I am still a bit curious why the router was making those 192.168.1.1 DNS requests with the config I had; I don't really understand what's causing that.

But yeah, I'll switch to this solution, if anyone does have an answer though, I'd still love to hear it, just for the fun of it.