Hello there, a new user here.
I have quite recently flashed openwrt into my router, got internet working and all that.
There is a few issues i am facing with at the moment. I can't seem to force my devices to go through pi-hole and only pi-hole without having an issue somewhere.
I have setup dchp option "6,192.168.1.237,192.168.1.237" in dchp server of my lan interface.192.168.1.237 being the ip address of my pi-hole server in the docker container, running as host network mode. Not all dns queries go to pi-hole server, and running dnsleaktest, shows up the upstream dns server of my pi-hole and with two of my isp dns.
I have also added "dns hijacking?" in my firewall port forwards to force all incoming traffic to port 53 to forward it to the ip of my pi-hole server on port 53. I followed https://jeff.vtkellers.com/posts/technology/force-all-dns-queries-through-pihole-with-openwrt/ guide because i saw someone recommended it here. Oh and as the part of this guide i have added NAT rule as well. I am not sure if that is doing anything.
Another thing worth mentioning is that unchecking "Use DNS servers advertised by peer" in the WAN interface does the trick of forcing all dns queries to pi-hole but there is a weird issue i can't seem to be able to update gravity (list of blocked domains) in my pi-hole which might be due to no internet connection or lack of dns server for wan? Running Ipv4 ping from diagnostics menu results in the "ping: bad address 'openwrt.org'" but pinging ip address does work so i guess it is dns issue.
What should i do to properly configure it all together? Sorry if some of those things are blatantly obvious, i am still learning about network stuff.
My recommendation is to use as little custom config as possible, to minimize errors down the line. As you discovered, unchecking "Use DNS servers advertised by peers" does its job, and is simple, so go with that and remove the DNS hijacking config/rules for now. You can enable it later, when the basic configuration below works.
(Pi-Hole / OpenWrt refer to devices, not software)
Now to the DNS problem: You have disabled the upstream DNS (the ISP DNS). So now OpenWrt does not know where to send DNS queries to. Your other devices on the network are fine because you set the "6,xx.xx.xx.xx" option and the DHCP server on that interface advertises the DNS server to the clients. But only for devices that get their IP address from that interface/that DHCP server, not OpenWrt.
You can tell OpenWrt which DNS server to use here:
Network -> DHCP and DNS -> General settings -> DNS forwardings
Enter the IP of your Pi-Hole, save, and save and apply and OpenWrt should query your Pi-Hole and have working DNS.
Now if your Pi-Hole had DNS problems as well when you disabled the ISP DNS, that could mean that the Pi-Hole did not query itself. Check that first if problems persist.
You need to edit the nameserver for the Pi. cd /etc/ and the use ls command to list the config file.
I cannot remember which one it is network, dhcp, just use the cat command until you find it. It will be empty other than a 'nameserver=' entry.
Once you find it, sudo nano 'name of config file' in and change it to the DNS your pi is forwarding to resolve DNS.
You have to sudo and nano because it is a read only file.
Sorry for a long wait, posting this before midnight might not have been the best idea.
One other issue i have noticed with unchecking "Use DNS servers advertised by peers" is that some of the android phones report lack of internet connection until i turn wifi off and back on a few items in the wifi settings which is kind of a weird issue. I can't check the dns server on these phones because it doesn't show me that. My android phone doesn't report that issue at all and also shows that it uses two DNS serers, my pi-hole together with ipv6 address which seems indicate to the router itself? Could that be problem here or is it fine? Because all of my decives have got ipv6 address with ipv6 dns being the router.
I did remove that, will see how it goes without those rules.
Yup, that seems to have fixed the issue with openwrt and pi-hole! Thanks for that.
The only thing left is to check whether connected devices send all queries to pi-hole and not anything else.
But it doesn't look like it is fixed now? And now my router started pinging www.google.com which doesn't make sense at all. And so little of dns queries still indicate and not all queries go through pi-hole. Is there anything like debug stuff i can post to help with it?
I looked around and that file is resolv.conf
# cat resolv.conf
domain lan
search lan
nameserver 192.168.1.1
Is that the right one?
Yes; if you also find it somewhere else its a problem.
The pi-hole will now show up as a client at the bottom of the dashboard page.
SSH in and update the pi:
opkg update
opkg upgrade.
Then update gravity.
In LuCI Network/interfaces/lan/advanced add the dns server using the ip address of the pi. That should broadcast to all dhcp clients to run their DNS lookup through the pi only.
If it is configured correctly all queries will come from the router. The only fix that totally resolves who asked for what is to let the pi-hole handle DHCP.
Just to make sure, are you talking about configs on my pi-hole server or on my router?
Also, to tackle the "Ipv6 DNS being the router itself" problem i have turned off all ipv6 settings in interfaces > lan > dhcp server > ipv6 settings
Is that correct way to disable ipv6?
It helped i think but also resulted in one of the laptops in my network to mention "wpad.lan" in the queries. I have no idea what is that.
Before that, I have also tried adding back dns hijacking, but exactly like in https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
It caused a huge mess with pi-hole where openwrt flooded dns queries log and resulted in rate limit warnings.
I changed "internal ip address and port" to ip address of my pi-hole and 53, i don't remember exactly if that helped but pi-hole showed that some queries were from openwrt.lan
I can also send the entire config of network from /etc/config/ folder i have right now
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd7:27b1:b947::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username 'xxx'
option password 'xxx'
option ipv6 'auto'
option peerdns '0'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
and my dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '192.168.1.237'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
list dhcp_option '6,192.168.1.237,192.168.1.237'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'picsos'
option ip '192.168.1.237'
option mac '00:17:42:62:02:F6'
and my firewall
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
I hope that helps to anyone reading this to determine if there is an issue somewhere
My ideal goal is to force all devices on my lan interface to only use pi-hole as their dns, ignoring isp router but also not cause an issue with internet connections anywhere which i very much struggle to go towards.
I disable it network/interfaces/devices/br-lan.
If you assign the dns server in the router to the pi-holes address it will assign it to clients when it hands out the lease.
Late reply because this whole thing is a bit overwhelming at times but so far i have done:
- Unchecked "Use DNS servers advertised by peer" in
Interfaces >> wan >> Advanced Settings - Added IP of my Pi-Hole in the
DHCP and DNS >> DNS Forwardings - I always had option 6 with my pi-hole ip in
Interfaces >> lan >> dhcp server >> Advanced Settings - Added port forwarding to rule to hijack all incoming Ipv4 from lan,except for pi-hole, to the router on port 53 and forward (DNAT) to ip of my pi-hole, in lan, port 53.
- I have disabled and stopped odhcpd, Disabled ipv6 in
Network>> Devices >> br-lanand disabled all ipv6 settings inNetwork >> lan >> DHCP >> Ipv6 settings
So all that in order to:
- is to prevent devices from using isp dns,
- is to make it so that router and pi-hole can reach the domains? otherwise, pi-hole can't update gravity and openwrt can't do diagnostic stuff
- is to make it so that devices use pi-hole dns,
- to make it so that even hardcoded dns go to pi-hole
- is to prevent devices from using ipv6 dns (which is the router) and thus going around pi-hole
And i think thats everything. If some of those could have been done better, or i have misconfigured something or something else to add.
I have looked around this forum and there is so many suggestions on this topic, from running pi-hole in its own zone, do a few things with iptables, and etc
dnsleaktest.com now shows 5-6 dns servers from cloudflare??? Pi-hole does use cloudflare as its upstream dns but isn't that supposed to be 1?
I am also thinking about replacing this with adblock on the router itself, maybe that could make easier.