Newb here, attempting to configure DNS hijacking with a NAT rule to masquerade the redirected traffic back to the client so that it shows the requested DNS server address.
I have this working with one PiHole, and I have Option 6 set in DHCP with both PiHole addresses so they are advertised correctly. I want the second PiHole to act as a secondary service that clients can use if the first goes offline.
I understand that the Port Forward can only redirect from the Source Zone (lan) to a single address; however, I want the rule to allow both PiHoles to match as exceptions, e.g. !192.168.1.2 !192.168.1.3, so that their DNS requests pass through without redirection. Under Advanced Settings, Source MAC address, I can add custom MAC addresses matching the devices with a preceding !, but this does not work for either device if I use the MAC addresses alone. It appears to only work with a custom Source IP address preceded by !. Via LuCI there is no add function to input multiple Source IP addresses. The other option is an IP range, which I presume is CIDR notation. I am using only two successive addresses and am not sure whether these can be input as a range: 192.168.1.2 and 192.168.1.3.
As it is now, the first PiHole answers queries correctly, and queries to non-192.168.1.2 addresses are redirected to 192.168.1.2 and masqueraded to show the requested DNS server as responding. However, the second PiHole answers all requests with SERVFAIL.
Solved. I looked up and used the CIDR notation for the two successive IPs as the IP range input: !192.168.1.2/31 for 192.168.1.2-192.168.1.3. It appears to be working correctly.
Following the instructions, in LuCI under Firewall - Port Forwards, define a new rule; under General Settings the DNS hijack redirect is defined to a single IP address. Then the Advanced Settings tab of the same rule is where you define the source MAC addresses or the source IP address or address range.
I could not find any guides that explicitly address using multiple DNS/PiHole services, but it seemed logical that exceptions for all cases would need to be defined here; otherwise the intercept would catch the traffic in a chain of additional rules defined. I tried using multiple MAC addresses, but after some initial testing this did not appear to work; it only worked for the IP defined in the redirect, which was also in the IP address field as an exception at the time. My testing was minimal, so I would need to go back to verify this. When entering these exceptions I placed (!) at the front of all the entries by using the custom entry field at the bottom of the pop-up IP or MAC address selector.
I then looked at defining the IP range instead of using multiple MAC addresses. Being a newb, I generally know what CIDR notation is, but nothing about calculating it. I used https://mxtoolbox.com/SubnetCalculator.aspx to input my first Pi-Hole IP and then selected the notation pop-up on the right to get the notation for the range I wanted, which was only the next successive IP: 192.168.1.2/31, which is only 2 IPs in the range. Save & Apply and everything worked.
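As an added example (not the poster's own work and not part of OpenWrt or Pi-hole), the following Python script does the CIDR calculation from the post above without a web calculator and prints an equivalent /etc/config/firewall fragment. The /31 trick only works because 192.168.1.2 is even: 192.168.1.3 and 192.168.1.4 straddle a /31 boundary and need two entries, which the script handles by emitting one negated src_ip entry per block. The function names, the `config nat` masquerade section and the assumption that fw4 accepts several negated `list src_ip` entries in one redirect are mine; the single-/31 case matches what the post configured through LuCI.

```python
import ipaddress

def exception_cidrs(addresses):
    """Minimal list of CIDR blocks covering exactly the given IPv4 addresses.

    Consecutive addresses are summarized into the fewest aligned blocks, so
    192.168.1.2-192.168.1.3 becomes 192.168.1.2/31, while 192.168.1.3 and
    192.168.1.4 cannot share a /31 and stay as two /32 entries.
    """
    ips = sorted({ipaddress.IPv4Address(a) for a in addresses})
    blocks = []
    start = prev = ips[0]
    for ip in ips[1:]:
        if ip == prev + 1:  # still a contiguous run, keep extending it
            prev = ip
            continue
        blocks.extend(ipaddress.summarize_address_range(start, prev))
        start = prev = ip
    blocks.extend(ipaddress.summarize_address_range(start, prev))
    return [str(b) for b in blocks]

def dns_hijack_uci(redirect_to, exempt, zone="lan", name="DNS-Hijack"):
    """Render a UCI firewall fragment (hypothetical helper, not an OpenWrt API).

    The redirect section mirrors the LuCI Port Forward from the post: all
    port-53 traffic from the zone is DNAT'd to redirect_to, except traffic
    whose source is one of the exempt DNS servers. The nat section
    masquerades the redirected traffic so the reply appears to come from the
    server the client asked (assumed shape; check against the fw4 docs).
    """
    lines = [
        "config redirect",
        f"\toption name '{name}'",
        f"\toption src '{zone}'",
        "\toption src_dport '53'",
        f"\toption dest_ip '{redirect_to}'",
        "\toption dest_port '53'",
        "\toption target 'DNAT'",
        "\tlist proto 'tcp'",
        "\tlist proto 'udp'",
    ]
    # One negated entry per block; a single /31 when the pair is aligned.
    # Assumption: fw4 accepts multiple negated src_ip list entries.
    for block in exception_cidrs(exempt):
        lines.append(f"\tlist src_ip '!{block}'")
    lines += [
        "",
        "config nat",
        f"\toption name '{name}-Masquerade'",
        f"\toption src '{zone}'",
        f"\toption dest_ip '{redirect_to}'",
        "\toption dest_port '53'",
        "\toption target 'MASQUERADE'",
        "\tlist proto 'tcp'",
        "\tlist proto 'udp'",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: the two Pi-hole addresses from the thread.
    print(dns_hijack_uci("192.168.1.2", ["192.168.1.2", "192.168.1.3"]))
    print()
    # Misaligned pair: shows why a single /31 is not always available.
    print(exception_cidrs(["192.168.1.3", "192.168.1.4"]))
```

Run it and compare the printed `list src_ip '!192.168.1.2/31'` line with the exception entered in LuCI; if your two servers are not an even/odd pair, the script emits two `/32` entries instead, which is the case the web calculator would not warn you about.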
If you want them to be used equally, put a load balancer in front of them.
I've got two Piholes running in the free-for-life Oracle Cloud tier: the primary receives requests from the clients, and the second one receives the hijacked requests trying to escape my LAN.
Both IPs are provided to the clients via DHCP.