Enforce dns queries to pihole

How do I force clients to use the configured DNS server and prevent them from changing it?
I read somewhere that this can be achieved with iptables, which I'm not familiar with.

Current setup:
ISP router in bridge mode connected to an OpenWrt router; both are on the same subnet.
Pi-hole on the LAN.

# The firewall rules for the redirect (one for TCP, one for UDP). Both must be
# added with -A; the original first line used -D, which deletes instead of adds.
iptables -t nat -A PREROUTING -m mac "!" --mac-source XX:XX:XX:XX:XX:XX -p tcp --dport 53 -m addrtype "!" --src-type LOCAL -j DNAT --to 192.168.x.x
iptables -t nat -A PREROUTING -m mac "!" --mac-source XX:XX:XX:XX:XX:XX -p udp --dport 53 -m addrtype "!" --src-type LOCAL -j DNAT --to 192.168.x.x

(replace 192.168.x.x with the IP of your DNS filter and XX:XX:XX:XX:XX:XX with its MAC)

I tried the custom rules above, but they didn't work, and I can't tell if this is the correct way to do it. As I said, I'm not familiar with iptables.

The easiest way would be installing adblock (even without any active blocklists), which offers that option. Be aware that with DoT/DoH this might not prevent all DNS requests (namely the encrypted ones over TLS/HTTPS, which are becoming increasingly popular), but it does cover 'standard' (unencrypted) DNS requests. Preventing encrypted ones as well is somewhere between hard (huge blocklists of IP addresses of 'well-known' DoT/DoH providers) and impossible (HSTS) without breaking all DNS resolving.

You can't, since you have no control over the client.
There are, however, ways of stopping those calls from reaching their target; see https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

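The interception the thread and the linked OpenWrt page describe, written out as an added shell example (not code from any poster or from the OpenWrt project). It generates the nat rules for both UDP and TCP port 53, exempts the Pi-hole by MAC so its own upstream lookups are not looped back, and adds the hairpin MASQUERADE needed when the Pi-hole sits on the same LAN as the clients (otherwise the reply arrives from the Pi-hole's address instead of the one the client queried and is discarded). PIHOLE_IP, PIHOLE_MAC and LAN_IF are assumed placeholders with constructed defaults; without `--apply` the script only prints the rules.

```shell
#!/bin/sh
# Added example: build (and optionally apply) the OpenWrt iptables rules that
# force LAN clients' plain DNS to the Pi-hole. Values below are constructed
# placeholders; set the environment variables to match your network.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.10}"         # constructed sample address
PIHOLE_MAC="${PIHOLE_MAC:-aa:bb:cc:dd:ee:ff}"  # constructed sample MAC
LAN_IF="${LAN_IF:-br-lan}"                     # OpenWrt's default LAN bridge

# Print one iptables command per line. $1 is -A (add) or -D (remove), so the
# same function produces the cleanup commands as well.
dns_intercept_rules() {
    act="$1"
    for proto in udp tcp; do
        # Redirect every port-53 query entering from the LAN, except those sent
        # by the Pi-hole itself (matched by MAC), to the Pi-hole.
        echo "iptables -t nat $act PREROUTING -i $LAN_IF -m mac ! --mac-source $PIHOLE_MAC -p $proto --dport 53 -j DNAT --to-destination $PIHOLE_IP:53"
    done
    for proto in udp tcp; do
        # Hairpin NAT: only connections that were actually DNATed above are
        # masqueraded, so direct queries keep their real client IP in Pi-hole's log.
        echo "iptables -t nat $act POSTROUTING -o $LAN_IF -m conntrack --ctstate DNAT -p $proto -d $PIHOLE_IP --dport 53 -j MASQUERADE"
    done
}

# Number of rules generated; a quick sanity check before applying.
rule_count() {
    dns_intercept_rules -A | wc -l | tr -d ' '
}

# Dry run by default; pass --apply on the router to install the rules.
apply_rules() {
    if [ "$1" = "--apply" ]; then
        dns_intercept_rules -A | while IFS= read -r cmd; do
            eval "$cmd"
        done
    else
        dns_intercept_rules -A
    fi
}

apply_rules "$@"
```

Clients that are already on the intercepted path still see their configured server answer, because the hairpin rule rewrites the reply source; queries over DoT/DoH are not affected by these rules, as the first reply notes.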