New OpenWrt with new pi-hole - are my hopes possible?

Hi,

I recently upgraded my router to Openwrt 19.07.1 ATH79. Because all settings were wiped clean, I thought it'd be a good time to introduce a Pi-Hole to the mix. After re-entering all the static leases and such from scratch, I set about installing Pi-Hole. I know the basics of router and network configuration but not much deeper than that. I think I've read too much and have gotten myself confused on what applies.

My goals:

  • All clients on my home network use Pi-Hole to resolve addresses. This includes Android*
  • Openwrt continues to be the dhcp source
  • Pi Hole shows the clients as their "lan name" as opposed to the router name
  • Pi Hole uses opendns as its source of IPs and thereby benefits from the features of opendns
  • No client on the network can bypass this setup

Unfortunately, this is what I'm seeing:

  • Several Android phones are calling out to 8.8.8.8 directly and bypassing Pi-Hole. To address this I followed the LUCI instructions of creating a forwarding rule for anything on 53. This seems to create the problem that all clients are represented in Pi Hole as the router. I've since turned this rule off temporarily.
  • Pi Hole doesn't appear to call out to opendns. I suspect it's using the router's dns resolutions.

Things I've done on the router:

  • Luci -> Network -> DHCP&DNS -> General Settings -> Added Pi Hole ip to the DNS Forwardings field
  • Luci -> Network -> Interfaces -> Lan -> DHCP Server -> Advanced Settings -> DHCP-Options (Added 6,piholeaddress)
  • Pi Hole -> Followed their "Method 2" of Settings -> DNS -> Upstream = Opendns and Condition Forwarding with the IP Address of my router

Put them in WAN instead.

:+1:

Then you need the OpenDNS servers on the OpenWrt. So lookups work like this:

DHCP issues PiHole DNS <> Client <> PiHole <> PiHole Lookups OpenWrt <> OpenWrt looks up OpenDNS.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/forced_dns_redirection

Since traffic is not going to the router, but to another device on the LAN, this hijack likely won't work for you without another configuration for the network.


Thanks! Would you mind translating some of your suggestions into steps? I'm not totally clear on what I should be doing.

Put them in WAN instead.

If I put the Pihole IP in the WAN, does that conflict with the suggestion to put the OpenDNS servers in the WAN?

Then you need the OpenDNS servers on the OpenWrt. So lookups work like this:
DHCP issues PiHole DNS <> Client <> PiHole <> PiHole Lookups OpenWrt <> OpenWrt looks up OpenDNS.

What's the right way to make this happen?

Since traffic is not going to the router; but another device on the LAN, this hijack likely won't work for you without another configuration for the network.

What's the other configuration?

No, it only conflicts with the diagram I showed.

You'll have to start from scratch...

where your OpenWrt is:

the DHCP/DNS [resolver] server <> PI set on WAN DNS <> PI resolves to OpenDNS...but I have no clue why you didn't do that in the first place.

I won't go into a lot of convoluted configs on the non-OpenWrt devices to accomplish such (not blaming you, just history)...since you ask, and seem to want step-by-step...I just suggest the OpenWrt be in the beginning of the chain.

Can you help me understand something... I think you mentioned putting the PiHole IP Address in the WAN "Advertised" DNS section. Is that significantly different from using the option 6 thing in the LAN DNS section? There are so many openwrt places where DNS can be set and forwarded and advertised and such that I don't know which one is the right one to use. (I only know enough to be dangerous)

In answer to your question about why I didn't use OpenDNS settings on the Pi-Hole, it's because I was using method 2 of the Pi-Hole instructions here: https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245

They specifically say to not set an upstream dns like opendns on the PI-Hole but instead set the upstream to be your router IP/DNS. This has the benefit of resolving local hostnames that the router assigned through dhcp.

Based on your feedback this is what I've done to date and I think it's working. I have more testing to do.

  • Changed the dhcp option 6 to first specify the PiHole, then my router IP (this was needed because only having just the PiHole IP meant my android phone was going to Google's DNS for some reason; having the pair of IP addresses seems to fix that issue).

  • Configured the Pi-Hole to fall back to OpenDNS instead of my router IP/DNS. My router is set to OpenDNS on the WAN side now but for some reason when I removed the fallback on the Pi-Hole that referenced my router as the fallback it was not deferring to the router which had OpenDNS. I'm probably doing something stupid.

  • Removed that extra DNS forwarding setting I found somewhere in one of the many places related to Openwrt dns settings. I forget where now.

OK...

You wanna hijack DNS too...you seem to have forgotten that. If you wish to hijack all DNS, you need the router as input or forward for all DNS traffic.

  • So you don't wanna use the PiHole?
  • This is simply the reverse of my suggestion; but you complained in this config that you cannot hijack requests on some devices. This is likely because you issued a DHCP Option for DNS traffic to go to the local PiHole first, and not the router (needed to hijack).
  • So you set PiHole as WAN DNS
  • You set OpenDNS on PiHole
  • No DHCP Option 6

Clients use this chain:

Query OpenWrt (you obviously get local DNS) <> OpenWrt queries PiHole <> PiHole queries OpenDNS

All DNS forwarders you desire are in the chain. This will allow a proper hijack rule (i.e. in the Forced DNS Redirection Wiki) to work. Simple.

EDIT: Your PiHole will only see the OpenWrt making requests; and would not be able to resolve local hostnames. All other devices would resolve local hostnames.

Thanks to your suggestions, I decided to start from scratch. I'm happy to say things are working great now. I removed all the pihole settings and dns forwardings from the router. Then I took a more systematic approach making small changes and testing them. What I learned is that my android phone sometimes would use the ipv4 dns settings and other times it would use ipv6. I had ipv4 covered, but I didn't do anything with ipv6. Once I addressed that, all the dns requests on our home network were being served by the Pihole.

Here were my steps:

  1. Since I wanted our home network to be forwarded to opendns eventually, I set the WAN dns to the two opendns servers. Network > Interfaces > WAN interface > Edit > Advanced Settings > Uncheck Use DNS settings advertised by peer > Add the two Opendns IP's

  2. I went to the PiHole Admin console and obtained the IPV6 address of the PiHole. PiHole admin console > Settings > Copy the value after 'Pi-hole IPv6 address'

  3. I went to the Openwrt lan settings and added the IPV6 address. Network > Interfaces > LAN > Edit > DHCP Server tab > IPV6 Settings > Announced DNS Servers > Added the PiHole IPV6 address from the step above

  4. I got Openwrt to advertise the PiHole IPV4 address as the DNS. Network > Interfaces > LAN > Edit > DHCP Server tab > Advanced Settings > DHCP Options > 6,PiHoleIPAddress,PiHoleIPAddress,RouterIPAddress

  5. I followed Method 2 for the PiHole from the PiHole documentation for enabling use. Pi Hole Admin Console > Settings > DNS > Unchecked Any Predefined DNS hosts (ie: opendns) > Added CUSTOM DNS IP address of my router (ie: 192.168.1.1) > Scrolled down Settings Page > Checked 'Conditional Forwarding' > Added IP of my router (ie: 192.168.1.1)

I think that covers everything I did. Now all my network DNS requests flow through the PiHole and the PiHole records the names of the network clients in its logs (as opposed to the router name itself).

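The two configurations discussed in this thread, written out as the UCI commands behind the LuCI paths: the "router first" chain from the earlier reply (Pi-hole as the WAN DNS, no option 6, plus the forced DNS redirect rule from the wiki page linked above) and the "Pi-hole first" chain from the numbered steps in the final post (option 6 and the IPv6 announced DNS server). This is an added example, not from the thread or from the OpenWrt or Pi-hole projects; the addresses are constructed placeholders, and the functions only print the uci commands so they can be reviewed before being pasted into an SSH session on the router.

```shell
#!/bin/sh
# Added example, not from the thread: generate the UCI commands behind the
# LuCI steps above. Addresses are constructed placeholders (assumptions).
PIHOLE_V4="192.168.1.2"     # assumed Pi-hole LAN IPv4 address
PIHOLE_V6="fd00::2"         # assumed Pi-hole IPv6 address (step 2 in the final post)
ROUTER_V4="192.168.1.1"     # router LAN address used in the final post
OPENDNS1="208.67.222.222"   # OpenDNS resolvers
OPENDNS2="208.67.220.220"

# Accept only a dotted quad with every octet in 0..255 (POSIX sh, no bashisms).
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Build the dnsmasq DHCP option 6 value ("6,ip[,ip...]") for dhcp.lan.dhcp_option,
# rejecting anything that is not an IPv4 address (option 6 is IPv4-only).
dhcp_option6() {
  value="6"
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "dhcp_option6: not an IPv4 address: $ip" >&2; return 1; }
    value="$value,$ip"
  done
  echo "$value"
}

# Chain from the final post: client -> Pi-hole -> router -> OpenDNS.
# Step 5 (Pi-hole upstream = router, conditional forwarding) lives on the
# Pi-hole, not on the router, so it is not part of this output.
# Args: pihole_v4 pihole_v6 router_v4 upstream1 upstream2
pihole_first_uci() {
  opt6=$(dhcp_option6 "$1" "$1" "$3") || return 1
  cat <<EOF
# step 1: WAN uses OpenDNS and ignores the ISP's advertised resolvers
uci set network.wan.peerdns='0'
uci -q delete network.wan.dns
uci add_list network.wan.dns='$4'
uci add_list network.wan.dns='$5'
# step 3: announce the Pi-hole's IPv6 address via RA/DHCPv6 (RDNSS)
uci -q delete dhcp.lan.dns
uci add_list dhcp.lan.dns='$2'
# step 4: hand the Pi-hole out as the IPv4 DNS server via DHCP option 6
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option='$opt6'
uci commit network
uci commit dhcp
/etc/init.d/network restart
/etc/init.d/dnsmasq restart
EOF
}

# Chain from the earlier reply: client -> router -> Pi-hole -> OpenDNS, with the
# forced DNS redirect rule from the linked wiki page so that LAN port 53 traffic
# to any address (e.g. 8.8.8.8) is DNATed to the router's own dnsmasq.
# Arg: pihole_v4
router_first_uci() {
  is_ipv4 "$1" || return 1
  cat <<EOF
uci set network.wan.peerdns='0'
uci -q delete network.wan.dns
uci add_list network.wan.dns='$1'
# no option 6 and no announced IPv6 DNS: clients get the router by default
uci -q delete dhcp.lan.dhcp_option
uci -q delete dhcp.lan.dns
uci add firewall redirect
uci set firewall.@redirect[-1].name='Redirect-DNS'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].proto='tcp udp'
uci set firewall.@redirect[-1].target='DNAT'
uci commit network
uci commit dhcp
uci commit firewall
/etc/init.d/network restart
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
EOF
}

# Usage: print one command set for review, then paste it on the router, e.g.
#   pihole_first_uci "$PIHOLE_V4" "$PIHOLE_V6" "$ROUTER_V4" "$OPENDNS1" "$OPENDNS2"
```

Two caveats worth knowing before relying on the redirect rule: a fw3 `redirect` section is IPv4 NAT, so it does not catch DNS sent to an IPv6 resolver (which is the path the Android phone in this thread was taking until the announced IPv6 DNS server was set), and it only catches plain port 53, so a device using DNS over TLS or HTTPS (for example Android's Private DNS setting) still bypasses both the router and the Pi-hole.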
