[SOLVED] Forwarding Guest DNS to Private Network Pihole(s) DNSEC

Hi, I require some help here.

I have a private network on 192.168.1.0/24 with 2 DNS servers in that range; for this example we are going to use 192.168.1.15 and 192.168.1.16. I also have a guest network (isolated on the APs) on 10.0.2.0/24.

Now on the private network DHCP is set to use 6,192.168.1.15,192.168.1.16 and it works as it should; however, I would like the guest network to be able to use the same IPs.

Now the guest network can currently connect to the internet fine; however, I would like it to go through the DNS servers (adblock + anonymize via DNSCrypt etc.).

Both networks have their own DHCP server, but if I place 6,192.168.1.15,192.168.1.16 into the DHCP option on the guest network the internet stops working.

So is there any way I can DNS hijack or DNS forward from Guest to LAN and then to WAN?
I did have it working before using custom rules, which worked, but I forgot to make a backup and thus lost the code.

If anyone could help I'd be grateful.

Do you allow it on the firewall?


I have the firewall set to like

Source Guest
Source Port 53
Destination This Device
Port 53

Not sure if that's correct like. As for the other links, I will have a look.
Thanks for your reply.

Source port must not be used.
Source zone guest to destination zone lan, destination IPs, destination port 53, udp.


Then I use the DNS hijack on top?

@trendy Could you please take a look, I think I get it now.

# DNSHIJACKv4
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.15
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT

Edit: It's working now; I used the same rule twice with the different IPs and MAC addresses.

The next question is, do I make another for 192.168.1.16 (DNS2)?

DNS hijack is in a different file.

It doesn't look right. You are missing some lines (allow queries to OpenWrt) and you have changed the line sequence (rules with mac).

It won't hijack to a second, but you can surely allow a second Pihole in the masquerade rules and the rules with mac address.

Yes, I changed the IP and MAC address.

I have it set to

# DNSHIJACKv4 (DNS1)
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dns1 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.25
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dns1
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dns1
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.15 -p udp --dport 80 -j DNAT --to 192.168.1.15
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.15 -j ACCEPT

# DNSHIJACKv4 (DNS2)
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dns2 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.16
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dns2
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dns2
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.16 -p udp --dport 80 -j DNAT --to 192.168.1.16
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.16 -j ACCEPT

The guest network has internet and ads are blocked; however, with you saying it won't hijack on the second one, only in masquerade, maybe the firewall rule should be

# DNSHIJACKv4 (DNS)
# Log and redirect DNS Traffic
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dns1 "
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.25
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dns1
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dns1
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.15 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS1 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS2 Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:18 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.15 -p udp --dport 80 -j DNAT --to 192.168.1.15
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.15 -j ACCEPT
iptables -t nat -A PREROUTING -i br-guest ! -s 192.168.1.16 -p udp --dport 80 -j DNAT --to 192.168.1.16
iptables -t filter -A FORWARD -i br-guest -o br-lan -p udp --dport 80 -d 192.168.1.16 -j ACCEPT

Again you have altered the sequence of the commands and you are causing a loop.

These targets are not defined.

The second rule for masquerade will never be matched and you are using the wrong destination port 80 instead of 53.
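A small linter, added here as an example and not code from the thread or from OpenWrt, that mechanically checks a custom-rules snippet for the mistakes called out in this reply: a jump to a chain never created with -N, an ACCEPT placed after the catch-all hijack in the same chain (which sends the Pi-hole's own upstream queries back to itself, the loop), a MASQUERADE for an address nothing is DNATed to, and a DNAT matching a port other than 53. It assumes one iptables command per line; the sample rules are constructed to reproduce those mistakes.

```python
import shlex

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "DNAT", "SNAT",
                   "MASQUERADE", "REDIRECT"}  # any other -j target needs a prior -N
OPTS = {"-N": "define", "-A": "chain", "-I": "chain", "-j": "target", "--mac-source": "mac",
        "-d": "dst", "--dport": "dport", "--to": "to", "--to-destination": "to"}

def parse_rule(line):
    """Pull the options this linter cares about out of one iptables command line."""
    argv = shlex.split(line)
    r = dict.fromkeys(set(OPTS.values()))
    for tok, nxt in zip(argv, argv[1:]):
        if tok in OPTS:
            r[OPTS[tok]] = nxt
    return r

def lint_rules(text):
    """Return [(line_no, message)] for the defects discussed in the thread."""
    problems, defined, dnat_to, catch_all = [], set(), set(), {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        r = parse_rule(line)
        if r["define"]:
            defined.add(r["define"])
            continue
        t, chain = r["target"], r["chain"]
        if t and t not in BUILTIN_TARGETS and t not in defined:
            problems.append((n, f"jump to undefined chain {t}"))
        if t == "DNAT" and r["to"]:
            dnat_to.add(r["to"])
            if r["dport"] and r["dport"] != "53":  # a DNS hijack must redirect port 53
                problems.append((n, f"DNAT to {r['to']} matches port {r['dport']}, not 53"))
        if t in defined and r["dport"] == "53" and not (r["mac"] or r["dst"]):
            catch_all.setdefault(chain, n)  # first catch-all hijack jump in this chain
        elif t == "ACCEPT" and r["dport"] == "53" and chain in catch_all:
            problems.append((n, f"ACCEPT shadowed by hijack on line {catch_all[chain]}; "
                                "the Pi-hole's own upstream queries loop back to it"))
        if t == "MASQUERADE" and r["dst"] and r["dst"] not in dnat_to:
            problems.append((n, f"MASQUERADE for {r['dst']} never matches: nothing is DNATed there"))
    return problems

# Constructed sample reproducing the mistakes from the second attempt above.
BAD_RULES = """\
iptables -t nat -N dnshijack
iptables -t nat -A dnshijack -j DNAT --to-destination 192.168.1.15
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dns1
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A postrouting_lan_rule -d 192.168.1.16 -p udp --dport 53 -j MASQUERADE
iptables -t nat -A PREROUTING -i br-guest -p udp --dport 80 -j DNAT --to 192.168.1.15
"""
```

Running `lint_rules(BAD_RULES)` reports lines 3, 5, 6 and 7; the corrected rule set posted later in the thread produces no findings.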

Sorry for being stupid.

Ok, so far I have recopied from the forum thread you linked

# DNSHIJACKv4
# Log and hijack to Pihole
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 10.0.2.2
# allow Pihole to query internet
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 02:42:C0:A8:01:19 -p tcp --dport 53 -j ACCEPT
# allow queries to OpenWrt
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d 10.0.2.1 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -d 10.0.2.1 -j ACCEPT
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# other zones
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE

Are the 10.x IPs meant to be the LAN IPs? If so, I take it it's the logic of .1 being the router and .2 being the DNS server.

Is there a way to do it via the LuCI GUI?

That is correct.
Copy the following lines for the second DNS.

add two more lines with the tcp/udp:53 mac address of the second DNS.

Also here add two more lines for the second DNS in case you have a guest or iot zone.

I am not sure, most likely no.

There are multiple different methods.
It's possible to use exclusively UCI syntax to redirect IPv4 DNS with no custom rules:
Hijacked DNS timeouts - #6 by vgaetera
Though redirecting IPv6 DNS is more difficult.


Another method:

Then configure Pi-hole to use DNS encryption, e.g. DoT.
And specify Pi-hole as the only upstream resolver for Dnsmasq.
It works for both IPv4 and IPv6 DNS.


Thanks for the reply.

So I have DNS working on Guest with just the following

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

The network doesn't use IPv6 at all due to the ISP being IPv4 only.

No matter what I tried nothing worked; it kept thinking there was a captive portal, so I simply removed the guest network outright (not like I will need it for a while with what's going on in the world).

Thanks for your help @trendy though, I am very grateful for it.
