Forwarding DNS requests to local DNS server

Hi,

I'm currently running a Pi-hole (Raspberry Pi) as my local DNS server, and currently my OpenWrt configuration distributes the local DNS server as the only DNS option for DHCP clients. In my firewall I'm also blocking all DNS requests (port 53) that aren't coming from my Raspberry Pi.

But I've noticed some devices and software have hard-coded DNS settings, going, for example, straight to the Google DNS without listening to the DHCP server settings.

So I'd like to forward all DNS requests going to the Google DNS back to my Raspberry-Pi.
How would I tackle this? Should I make sure that the devices sending the DNS request to the Google DNS, also get a response as if it were coming from the Google DNS?

Kind regards,
Puydt

I think you need to hijack DNS requests:

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/forced_dns_redirection


Thanks for the quick reply. I've just tried the 'Forced DNS redirection', but this locks the request in a loop. Since my Pi-hole isn't whitelisted to bypass that forwarding rule, every DNS request from my Pi-hole (that should leave the network) directly returns to my Pi-hole.

Is there a way to exempt my Pi-hole when using that rule?

Bit of a guess, but possibly something like:

option extra_src '! <pihole ipv4 address>'

See: https://openwrt.org/docs/guide-user/firewall/firewall_configuration

The redirect is working correctly, but I'm having a new issue now. The reply doesn't originate from the initially requested DNS IP address.

Information:
My PC's LAN IP address: 192.168.1.20
My local DNS server's IP address: 192.168.1.4
Not important here, but default gateway (router): 192.168.1.3

Executed test: request an HTTP page from subscene.com

This is a Wireshark capture of the working DNS request for the HTTP page (when using DHCP, meaning the DNS server is already set correctly).

When forcing, for example, the Google DNS, the request is redirected, but the response originates from the actual DNS server's IP address. My PC doesn't connect this response to the request; therefore the DNS request failed. And we don't see TCP/HTTP packets going towards the resolved IP address.

Is this the common working principle for DNS response handling? Or should my PC listen to this response? Can I set this up so the response is also altered as if it were coming from the originally requested IP address?

Kind regards,
Puydt

I'm not sure you can change the responding DNS server short of intercepting and rewriting the packet.
If the referred requests are legitimate, it might be that you can put them in your local hosts file.
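As an added example covering both the exemption question and the reply-origin problem above (this is editor-written configuration, not any poster's or the wiki's own recipe): a fw3-style /etc/config/firewall fragment in which the Pi-hole is excluded from the DNAT so its upstream lookups are not looped back, and a second SNAT redirect rewrites the source of the redirected packets to the router's LAN address. Because the client and the Pi-hole sit on the same subnet, the Pi-hole would otherwise answer the client directly and the router's conntrack table could never undo the DNAT; with the SNAT the reply returns via the router, which restores the original destination (e.g. 8.8.8.8) as the reply's source. It assumes the addresses from the thread (Pi-hole 192.168.1.4, router LAN address 192.168.1.3) and the `! address` negation syntax of fw3.

```uci
# /etc/config/firewall additions (assumed addresses taken from the thread:
# Pi-hole 192.168.1.4, OpenWrt router LAN address 192.168.1.3)

# 1. Catch every LAN query for port 53, except the Pi-hole's own upstream
#    lookups, and hand it to the Pi-hole.
config redirect
	option name 'Intercept-DNS'
	option src 'lan'
	option src_ip '! 192.168.1.4'
	option proto 'tcp udp'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '192.168.1.4'
	option dest_port '53'
	option target 'DNAT'

# 2. Hairpin: rewrite the source of the redirected packets to the router, so
#    the Pi-hole's answer goes back through the router, where conntrack
#    restores the original destination (e.g. 8.8.8.8) as the reply source.
config redirect
	option name 'Intercept-DNS-Hairpin'
	option src 'lan'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.4'
	option dest_port '53'
	option src_dip '192.168.1.3'
	option target 'SNAT'
```

Trade-off to be aware of: after the SNAT rule the Pi-hole sees every redirected query as coming from 192.168.1.3, so its per-client statistics and any per-client blocking apply only to clients that still honour the DHCP-supplied resolver. Apply with `service firewall restart` and verify with a capture on the client that the reply source now matches the hard-coded address.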