Intercept dns not working

I'm trying to force all DNS queries to my Pi-hole. I followed this guide: https://jeff.vtkellers.com/posts/technology/force-all-dns-queries-through-pihole-with-openwrt/.
It blocks the Internet when Intercept DNS is enabled.

Can you share some details about your setup? Where is Pi-Hole running? How are you doing DNS hijacking? How are you telling the clients where Pi-Hole is?


```
BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.3, r20028-43d71ad93e
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb1:aad0:db6d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'ztr2q2xulu'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.2.10/24'
	list ipaddr 'x.x.x.x/24'
	list dns '192.168.2.20'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'ztr2q2xulu'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest ''
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_port '53'
	option dest_ip '192.168.2.20'
	option dest 'lan'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'plex'
	option src 'wan'
	option src_dport '32400'
	option dest_port '32400'
	option dest_ip '192.168.2.20'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'nas'
	option src 'wan'
	option src_dport '9000'
	option dest_ip '192.168.2.4'
	option dest_port '9000'

config nat
	option name 'prevent hardcoeded'
	option src 'lan'
	option target 'MASQUERADE'
	option dest_ip '192.168.2.20'
	list proto 'all'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'torrent'
	option src 'wan'
	option src_dport '6881'
	option dest_ip '192.168.2.20'
	option dest_port '6881'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Nas'
	option src 'wan'
	option src_dport '9000'
	option dest_ip '192.168.2.4'

config rule
	option name 'Google DNS blck'
	list proto 'all'
	option src '*'
	option dest '*'
	list dest_ip '8.8.8.8'
	list dest_ip '8.8.4.4'
	option target 'REJECT'

root@OpenWrt:~#
```

I'm still not sure how you're intercepting DNS, so in the interest of speeding things up a bit, can you connect to your OpenWrt router using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you don't want to share:

```
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
```

The button for the code on the app doesn't work. I've only got access to the router through my phone at the moment.

Which app? :eyes:

The OpenWrt forum app installed using Chrome. Also, on the web version the button isn't working either on my phone.

It's really hard for me to process the output without a proper formatting.

This rule creates a loop in the current state. You need to exclude your Pi-Hole server by MAC like this (replace with your server's MAC):

        list src_mac '!AA:BB:CC:DD:EE:FF'

Note the `!` in front, which tells it to match everything except this MAC.

I haven't read the rest of the config, due to formatting.

As an aside, consider upgrading to the latest OpenWrt version.
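Putting the advice above into a concrete configuration, as an added example that is not from the original thread or the linked guide: the `Intercept-DNS` redirect from the posted `/etc/config/firewall`, with the Pi-hole excluded by MAC so its own upstream queries to 1.1.1.1 are no longer DNATed back to itself, plus the same-subnet hairpin masquerade narrowed to DNS only. The Pi-hole address 192.168.2.20 is taken from the posted config; `AA:BB:CC:DD:EE:FF` is a placeholder for the Pi-hole's real hardware address, and the section names are my own.

```uci
# Added example for /etc/config/firewall (replaces the posted 'Intercept-DNS'
# redirect and the 'prevent hardcoeded' nat section). Pi-hole is 192.168.2.20.

# Redirect every LAN DNS query (UDP and TCP port 53) to Pi-hole, except
# queries sent by Pi-hole itself. Without the src_mac exclusion Pi-hole's
# own upstream queries to 1.1.1.1 match this rule, are DNATed back to
# 192.168.2.20 and resolution loops, which takes the whole LAN offline.
# AA:BB:CC:DD:EE:FF is a placeholder: replace it with Pi-hole's MAC, keeping
# the leading '!' (match everything except this address).
config redirect
	option name 'Intercept-DNS'
	option target 'DNAT'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '192.168.2.20'
	option dest_port '53'
	list src_mac '!AA:BB:CC:DD:EE:FF'
	option enabled '1'

# Pi-hole and the clients share 192.168.2.0/24, so a DNATed query would be
# answered by Pi-hole straight to the client, bypassing the router's conntrack
# and arriving from 192.168.2.20 instead of the address the client asked; the
# client drops it. Masquerading the redirected flow makes the reply return via
# the router, which un-NATs it. Limit this to DNS rather than 'proto all' so
# other LAN traffic to the Pi-hole host still carries real client addresses.
config nat
	option name 'Masquerade-Intercepted-DNS'
	option src 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.2.20'
	option dest_port '53'
	option target 'MASQUERADE'
```

After `/etc/init.d/firewall restart`, `nft list chain inet fw4 dstnat_lan` should show the dnat rule carrying an `ether saddr !=` match for the excluded MAC, and a deliberate `nslookup openwrt.org 8.8.8.8` from a client should succeed and appear in Pi-hole's query log. Two caveats: because of the masquerade, intercepted queries show up in Pi-hole as coming from the router's LAN address rather than the individual client, and only plain port-53 traffic is caught by this rule.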

It's EOL; you should upgrade.

Read https://openwrt.org/toh/linksys/e8450 before you do.

What are the upstream DNS servers configured within Pi-Hole?

Cloudflare 1.1.1.1 & 1.1.0.0

I'll have a read, but the last time I tried to upgrade it I ended up soft-bricking it.

Yes, you can't just perform a sysupgrade; it's described in the wiki.

I just tried to update the firmware and I think I have bricked my router now. I switched it off and on after it got stuck with one LED on, and now none of the LEDs come on.

Did you follow the instructions in the Wiki?

I followed it, but I think where I went wrong was with this file: openwrt-24.10.0-mediatek-mt7622-linksys_e8450-ubi-squashfs-sysupgrade-1.itb. An error came up and I just forced it. I've tried power cycling and still no lights. I ended up plugging in my old Archer C7 with OpenWrt.

You can check the recovery section in the Wiki and see where that leads you.