OpenWrt alternative to Pi-hole for adblock and local domains?

Context

I have known about Pi-hole for quite a while now. Initially, I started to use it as an ad blocker by pointing the router to Pi-hole's DNS service.

Later I discovered I can also use custom domains. So I've been configuring <service>.mydomain.tld to point to a reverse proxy IP.

With DNS for LAN pointed to the Pi-hole instance, the custom domain worked network wide.

Problem & Questions

After getting a working instance of OpenWrt on my main router, I followed the same settings to point DNS to the Pi-hole instance IP. This time, it does not seem to be working. Neither ad blocking nor custom domains.

Why is Pi-hole not working out of the box? Do I need to make any additional configuration?

At this point, I understand OpenWrt will be able to handle the stuff Pi-hole was handling. So my question would be:

Any solution for adblocking + custom local domains native to OpenWrt?

Along the same lines, I have another question:

Is there a clever way to make custom domains work for clients who also want to use a VPN?

(for the latter one, whenever I used a VPN provider on a device, my adblock and custom domains were useless; that's because the VPN provider uses its own DNS for the connection)


Maybe I'm asking too much with DNS + VPN, but I have to get my DNS-based adblocking and custom domains back to work.

Please point me to correct documentation. Thank you for your time in advance.

Use the pi-hole as the DHCP for the LAN, it should point to itself, just make sure you check if the GW is correct, since it's not the Pi's IP.

As for VPN, isn't it the whole point, not to use anything local, esp if it's a corp VPN.

See: https://openwrt.org/docs/guide-user/services/ad-blocking

I use the regular adblocking in combination with dnsmasq; it works sufficiently for my needs.

I use DNS over HTTPS for upstream DNS servers: https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy to get secure DNS.

VPN has not much to do with this; you are the one who specifies the DNS servers you use, not the VPN provider, although there are some who hijack your DNS53 if it is sent via the VPN.

1 Like

As for VPN, isn't it the whole point, not to use anything local, esp if it's a corp VPN.

I think I'm locked out of custom domains when VPN is on. VaultWarden will suffer.

Use the pi-hole as the DHCP for the LAN

Where is this setting?

By the way, what does DHCP have to do with DNS settings? Doesn't DHCP deal with handing out IPs, and DNS with name resolution? How are they related?

it should point to itself, just make sure you check if the GW is correct, since its not the Pi's IP.

It did not make much sense with the level of knowledge I have. Can you please elaborate?

That's pi-hole config, you need to disable Dnsmasq in OpenWRT though.

You just answered your own question.
But in the case of Dnsmasq, DNS and DHCP are provided by one application.

That's another pi-hole setting.

1 Like

For my information, what is the advantage of using pi-hole over just using some adblock on the router? It's the same thing, right?

1 Like

Assuming you (can) use the same block lists, then yes.
Although blocklists eat RAM; if you have a lot of blocked domains, your router could crash due to OOM.

pi-hole got a nice UI too :)

If I understood you correctly, for Pi-hole to take over for DNS and DHCP, I need to tick that DHCP server enabled on the Pi-hole UI.

Please correct me if I'm wrong: this will enable adblock and local domains for me, as well as handle DHCP for the network. Is that correct?


Moving forward to configuring it. Checking that checkbox asks me to disable DHCP on the router.

Does setting DHCP-Option as shown below automatically disable DHCP on the OpenWrt, or do I need to configure something else?

Assuming that IP is pointing at my Pi-hole instance.

DHCP-Options

Yes, you could obviously have Openwrt point to the IP of the Pi, and achieve the same.

The option below tells your clients where the DNS is located, and has nothing to do with disabling or enabling dnsmasq, but it should solve your problems with clients not using your pi-hole.

Thank you, with the config you mentioned, it's working.

I have a doubt, though. What happens to this setting?

DNS Setting for LAN

  1. Does it get overridden? Can I safely remove this?

  2. Also, is it safe to disable dnsmasq from startup at this point?

I still need some elaboration on these lines. Do you mean the Router (gateway) IP address setting on Pi-hole should point to Pi-hole host? I have currently set it to router's IP.

And at this point, when I disable dnsmasq, my Pi-hole host is not reachable. Both dnsmasq instances are working in conjunction, if I am correct.

Nothing, it's not related to the clients.

Yes, it can be removed.

No, your current config is correct.

Which one ?

No, there should only be one DHCP on the LAN, having multiple DNSes is OK.

Thank you for confirming the settings on the Pi-hole side @frollic.

For the dnsmasq issue, I'll go a step back and..

Recap

  • OpenWrt up and running as main router at 192.168.2.1. Distributing IPs in the range 192.168.2.0/24.
  • There is a static DHCP lease for the Pi-hole machine (on the OpenWrt side). Let's assume the IP is 192.168.2.10.
  • At this point, DNS and DHCP are handled by OpenWrt. No adblocking, no custom domain, no DHCP.
  • Although I didn't aim for Pi-hole to handle DHCP, enabling the DHCP option on Pi-hole as described above, and setting up DHCP-Options as described above, enables all the features I want. This includes adblocking and custom domains with configuration from Pi-hole. I can also see DHCP leases on the Pi-hole side.
  • At this point, I can see DHCP leases on both sides, with OpenWrt listing more devices than Pi-hole.

Currently

As you mentioned, there should be only 1 DHCP server on the LAN. So I tried disabling dnsmasq from OpenWrt startup services. Please correct me if I misunderstood anything here.

After rebooting the router, everything breaks apart. I can't reach the Pi-hole device. Most probably because all the devices are getting completely different IPs, not following the settings in Pi-hole. I think Pi-hole is ineffective at this point and the new IP allocation is coming from some other router in the network as failover (I have an AP connected to the main router).

My speculation: when I disable dnsmasq on the OpenWrt and reboot, maybe the IP for the router is lost somehow? This also cascades to the Pi-hole, because the DHCP static lease was made on the OpenWrt side.

I tested disabling dnsmasq on the router twice just to confirm. Same behavior both times.

My question is: Should I leave dnsmasq ON on the OpenWrt side? If not, what is the correct way to handle this?

If the Pi is to handle the DHCP, it should be set up with a static IP.

I can't comment on setting up Pi-hole but to answer the question about alternatives, take a look at adblock-lean which implements adblocking via DNS and is designed to work well on an OpenWrt router.

Adblock-lean: set up adblock using dnsmasq blocklist

1 Like

Setting static IP for Pi-hole device did the work.

Here is the summary of the thread (I finally settled with Pi-hole):

  1. The question started by asking for an equivalent configuration for OpenWrt to set up adblock and custom domains, because, as with any other router, pointing the LAN DNS setting to Pi-hole simply didn't work. Our final goal is to configure those two.
  2. Someone willing to do it with OpenWrt can refer to this reply by @egc. Otherwise, at this point, we are going to configure Pi-hole to work in conjunction with OpenWrt. We will delegate the tasks of DNS lookup and blocking, custom domains, as well as DHCP (yeah, Pi-hole can do that).
  3. Start by configuring a static IP for the Pi-hole device. DON'T do this from the router's static DHCP lease. Set this at the OS level. I found out that my network settings are managed by OpenMediaVault, so I did it using the OMV web UI, but there are other ways.
  4. Find and enable DHCP as seen in this picture. The configurations are pretty self-explanatory.
  5. Go to the DHCP settings for LAN in the OpenWrt UI and set DHCP-Options to the Pi-hole's IP as seen in this picture. NOTE: the leading "6," is important. Read more about DHCP-Options to know more.
  6. At this point, all 3 features we talked about would be working and handled by Pi-hole. But there is one overkill here. You don't need OpenWrt doing DHCP stuff now. You can save on RAM by stopping the dnsmasq process. The safe way is to disable it on startup. Go to http://<openwrt-ip>/cgi-bin/luci/admin/system/startup, find and disable dnsmasq, and reboot the router.
1 Like
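The OpenWrt side of the summary above (steps 5 and 6) as an added example, not code from the thread: it renders the UCI commands that push the Pi-hole as DNS server via DHCP option 6, after checking the address is a valid IPv4. The IP 192.168.2.10 is the recap's assumed one; the function names are hypothetical, and the optional `dhcp.lan.ignore='1'` line is an alternative to step 6 that the thread did not use (it turns off only dnsmasq's DHCP pool for the LAN instead of the whole service).

```shell
#!/bin/sh
# Added example, not from the thread: render the OpenWrt UCI commands that hand
# DNS (and optionally DHCP) to the Pi-hole. 192.168.2.10 is the recap's assumed
# address; function names are hypothetical. Review the output, then run it on
# the router (or pipe it to sh there).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# DHCP option 6 ("Domain Name Server"): the leading "6," the summary points out.
dns_option() { printf '6,%s' "$1"; }

# $1 = Pi-hole IP; $2 = "pihole-dhcp" when the Pi-hole is the LAN's DHCP server.
# dhcp.lan.ignore=1 is the alternative to disabling dnsmasq at startup: it stops
# only the LAN DHCP pool, so the router keeps its own local DNS resolver.
render_uci() {
  is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
  cat <<EOF
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option='$(dns_option "$1")'
EOF
  [ "${2:-}" = pihole-dhcp ] && echo "uci set dhcp.lan.ignore='1'"
  cat <<EOF
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
}

render_uci 192.168.2.10 pihole-dhcp
```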

In order to be fully independent of external DNS (ISP DNS, Google, Cloudflare, etc.) and
have good and modern adblock options, I use this:

adguardhome -> dnsmasq -> unbound

Adguardhome answering on lan port 53 forwarding to dnsmasq:127.0.0.1:5354
adguard home blocks by service, individual configuration for groups of clients, several lists, it serves in your lan: DNS over UDP, TCP, dnssec, dns-over-https (DOH), TLS
block by

dnsmasq answering on 127.0.0.1:5354 forwarding to unbound:127.0.0.1:5355
dnsmasq will add all your local hosts, CNAMES, A records, into your dns resolution chain, so you can configure all your internal hosts in OpenWRT,
it will also resolve from your DHCP leases, DHCP static entries, etc.

unbound answering on 127.0.0.1:5355 and recursively resolving all queries
unbound will perform the external DNS resolution, so you don't rely on your ISP DNS or other external DNS
advantages:
- less prone to DNS poisoning
- supports DNSSEC, TLS, etc
- if your ISP injects DNS records, change DNS resolution, etc, you are not affected
- Geolocation optimization: CDNs will often resolve to a server near your location for best performance; if you use an external DNS, geolocation will often resolve to an IP far from your location

And you will also need an IP list of DoH (DNS over HTTPS) servers to block in your firewall, so your internal clients will not be able to bypass your DNS by connecting over HTTPS to an external DoH server.
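The adguardhome -> dnsmasq -> unbound chain described above, as an added example that is not the poster's configuration: it models each hop as a listen/upstream pair, checks that every hop forwards to the next hop's listener and that only the first hop is reachable from the LAN, and renders the OpenWrt UCI settings for the dnsmasq hop. The ports and loopback addresses are the post's; the helper names and the chain description format are hypothetical.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check the three-hop resolver chain
# and render the dnsmasq (middle hop) settings as OpenWrt UCI commands.

# Constructed chain description: "name listen upstream" per line,
# "-" marking the recursive resolver that has no upstream.
CHAIN='adguardhome 0.0.0.0:53 127.0.0.1:5354
dnsmasq 127.0.0.1:5354 127.0.0.1:5355
unbound 127.0.0.1:5355 -'

# Print "ok" when each hop listens where the previous hop forwards and only the
# first hop is exposed beyond loopback; otherwise print the first problem found.
check_chain() {
  printf '%s\n' "$1" | {
    expect=""
    while read -r name listen upstream; do
      if [ -n "$expect" ] && [ "$listen" != "$expect" ]; then
        echo "$name listens on $listen but the previous hop forwards to $expect"
        exit 1
      fi
      case $listen in
        127.0.0.1:*) ;;
        *) [ -z "$expect" ] || { echo "$name is exposed on $listen"; exit 1; } ;;
      esac
      expect=$upstream
    done
    echo ok
  }
}

# Render UCI commands for the middle hop: dnsmasq serves on the port of $1,
# forwards only to $2 (host#port in dnsmasq syntax) and ignores the
# resolv.conf upstreams, so every external lookup goes through unbound.
render_dnsmasq_uci() {
  cat <<EOF
uci set dhcp.@dnsmasq[0].port='${1##*:}'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='${2%%:*}#${2##*:}'
uci commit dhcp && /etc/init.d/dnsmasq restart
EOF
}

check_chain "$CHAIN"
render_dnsmasq_uci 127.0.0.1:5354 127.0.0.1:5355
```

AdGuard Home and unbound keep their own configuration files; only the dnsmasq hop is OpenWrt UCI, which is why the renderer covers that hop alone.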
