Proper DNS forwarding with PiHole

It seems to be forwarding the packets now, but yeah, they all seem to come from the router instead of the device in pihole logs. My pihole is on 192.168.1.2 and the router on 192.168.1.1/24

iptables-save -c | grep -i -e dnshi -e pi -e mac
:dnshijack - [0:0]
[6:360] -A dnshijack -j DNAT --to-destination 192.168.1.2
[0:0] -A postrouting_lan_rule -d 192.168.1.2/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
[6:360] -A postrouting_lan_rule -d 192.168.1.2/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
[60:4475] -A prerouting_lan_rule -p udp -m mac --mac-source 00:11:22:33:44:55 -m udp --dport 53 -j ACCEPT
[0:0] -A prerouting_lan_rule -p tcp -m mac --mac-source 00:11:22:33:44:55 -m tcp --dport 53 -j ACCEPT
[6:360] -A prerouting_lan_rule -p udp -m udp --dport 53 -j dnshijack
[0:0] -A prerouting_lan_rule -p tcp -m tcp --dport 53 -j dnshijack
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT

This is the result of the postrouting rule. If you don't add it, the Pi-hole will reply directly to the LAN host, which will reject it because it is waiting for an answer from Google DNS, not the Pi-hole.
One way to avoid that is to move the Pi-hole to a different interface/network. Then you could omit the postrouting rule.

1 Like

I see, so there's no way I can have both the device name and dns hijack as long as the pi is on the same network? That's a bummer :confused:

Is there no other way? Perhaps router like features enabled on the pi? :sweat_smile:

I don't think so. Maybe @vgaetera has a better idea.

1 Like

Set up a LAN alias using a different subnet and assign Pi-hole an IP on that subnet:
https://openwrt.org/docs/guide-user/network/network_interface_alias
Then you should be able to remove the masquerading/SNAT rule.

1 Like

Will this retain the originating IP address (in Pi-hole logs), and work "transparently", in the sense that the devices think that 8.8.8.8 replied? Will I be able to do this through the UI?

How do these commands work, if I may ask?

Thanks for your help! I'll try it out soon!

The devices/clients never know who replied, since they don't have any knowledge of the network between themselves and 8.8.8.8.

and plain DNS calls and answers aren't verified.

1 Like

Ahh okay, but will pihole know what device tried to hit, say, 8.8.8.8?

When you remove the masquerading rule, Pi-hole will be able to see the client source IP.
If you want to see the original destination, enable firewall logging.

1 Like
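The reply-path reasoning in the posts above (why the MASQUERADE rule hides the client behind the router, why dropping it on the same subnet breaks the answer, and why a separate alias subnet fixes both), worked through as an added example. This is not code from the thread, OpenWrt or Pi-hole: it is a small Python model of the router's stateful NAT table and of a client that only accepts a UDP answer from the address it sent the query to. The router and Pi-hole addresses are the thread's own; the client address 192.168.1.50 and the Pi-hole's alias-subnet address 192.168.200.2 are constructed for the example.

```python
"""Model of the three DNS-hijack variants discussed in the thread.

Added illustration, not code from the thread, OpenWrt or Pi-hole.
The router keeps a conntrack-style table of translated flows; the client
only accepts a reply whose source is the resolver it actually queried.
"""
from dataclasses import dataclass, replace

ROUTER_LAN = "192.168.1.1"      # router address on the main LAN (from the thread)
ROUTER_ALIAS = "192.168.200.1"  # router address on the lan2 alias (from the thread)
UPSTREAM = "8.8.8.8"            # resolver hardcoded in the client
CLIENT = "192.168.1.50"         # constructed client address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def same_subnet(a: str, b: str, prefix: int = 24) -> bool:
    """True when both IPv4 addresses fall in the same /prefix network."""
    def net(ip: str) -> int:
        n = sum(int(p) << (8 * (3 - i)) for i, p in enumerate(ip.split(".")))
        return n >> (32 - prefix)
    return net(a) == net(b)


class Router:
    """DNAT of port-53 traffic to the Pi-hole (the dnshijack chain),
    optionally followed by MASQUERADE (the postrouting_lan_rule entries)."""

    def __init__(self, pihole: str, masquerade: bool):
        self.pihole = pihole
        self.masquerade = masquerade
        # (translated src, sport, translated dst) -> original addresses
        self.conntrack: dict = {}

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dport == 53 and pkt.dst != self.pihole:
            entry = {"orig_src": pkt.src, "orig_dst": pkt.dst}
            pkt = replace(pkt, dst=self.pihole)               # prerouting DNAT
            if self.masquerade:                               # postrouting SNAT
                snat_ip = ROUTER_LAN if same_subnet(self.pihole, ROUTER_LAN) else ROUTER_ALIAS
                pkt = replace(pkt, src=snat_ip)
            self.conntrack[(pkt.src, pkt.sport, pkt.dst)] = entry
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        """Reverse translation for the reply half of a tracked flow."""
        entry = self.conntrack.get((pkt.dst, pkt.dport, pkt.src))
        if entry is None:
            return pkt
        return replace(pkt, src=entry["orig_dst"], dst=entry["orig_src"])


def run_scenario(pihole_ip: str, masquerade: bool):
    """Returns (address the Pi-hole logs as the client, whether the client accepted the reply)."""
    router = Router(pihole_ip, masquerade)
    query = Packet(src=CLIENT, dst=UPSTREAM, sport=40000, dport=53)
    delivered = router.forward(query)
    seen_by_pihole = delivered.src            # what appears in the Pi-hole query log
    reply = Packet(src=pihole_ip, dst=delivered.src, sport=53, dport=delivered.sport)
    # The Pi-hole delivers directly when the target is a host on its own subnet;
    # otherwise the reply goes to its gateway (the router), whose conntrack un-NATs it.
    if reply.dst not in (ROUTER_LAN, ROUTER_ALIAS) and same_subnet(reply.dst, pihole_ip):
        final = reply                         # asymmetric path: router never sees it
    else:
        final = router.reply(reply)
    accepted = final.src == UPSTREAM and final.dst == CLIENT and final.dport == query.sport
    return seen_by_pihole, accepted


if __name__ == "__main__":
    for label, ip, masq in [
        ("same subnet, no MASQUERADE", "192.168.1.2", False),
        ("same subnet, MASQUERADE", "192.168.1.2", True),
        ("lan2 alias, no MASQUERADE", "192.168.200.2", False),
    ]:
        seen, ok = run_scenario(ip, masq)
        print(f"{label:28} Pi-hole logs {seen:14} client accepted: {ok}")
```

The first scenario is the failure described in the "postrouting rule" post: the Pi-hole answers the client directly from 192.168.1.2, the router's NAT state never sees the reply, and the client discards an answer that did not come from 8.8.8.8. MASQUERADE fixes delivery at the cost of logging the router as every client. Putting the Pi-hole on the lan2 alias forces its replies back through the router's gateway, where the DNAT is reversed, so the client sees 8.8.8.8 and the Pi-hole log keeps the real client address.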

Okay just making sure I got this right.

To redirect hardcoded DNS and see what devices have hardcoded DNS (PiHole shows the device instead of the router), I must

  1. Set up the PiHole on a separate "LAN alias" (I'm sorry, is the snippet below the right way to set this up? Is it the same as a VLAN? Update: I don't think so, but do correct me if I'm wrong :slight_smile: )
  2. Use the above firewall rule, but remove the masquerade rule.
root@R7800:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

+++
config interface lan2
       option 'ifname' '@lan'
       option 'proto' 'static'
       option 'ipaddr' '192.200.1.1'
       option 'netmask' '255.255.255.0'
+++

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'password'
        option ipv6 'auto'
        option demand '0'
        option username 'username'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

Lines between the +++ markers are what I'll be adding, and then I'll set a static IP on my Pi to 192.200.1.2, and also the DHCP option 6 to '6,192.200.1.2'. Is that correct?

uci -q delete network.lan2
uci set network.lan2="interface"
uci set network.lan2.ifname="@lan"
uci set network.lan2.proto="static"
uci set network.lan2.ipaddr="192.168.200.1/24"
uci commit network
/etc/init.d/network restart

https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

Just those 3 lines, or the snippet that I posted above + the 3 lines you mention?

Just copy-paste the code from my post.

Okay did that and also updated the DHCP static lease for the Pi, and the DHCP option 6. But pihole doesn't seem to get the static IP.

I'll try again and get back to you. Thank you for the help so far!

(just noticed I was almost correct in updating the /etc/config/networks file : ) )

Okay, enabled DHCP on that interface and assigned a static IP, works now. Testing the dns forwarding thingy

Yes! It's working! Thank you very much everyone!

I want to know how this works, given I'm pretty new to this, and am still learning; what books would you suggest? A simple explanation of why the setup described here works would be appreciated too!

Have a great day everyone!

1 Like

Dang, I see a lot more blocked domains now. I can't say how much I appreciate everyone's help. Thank you very much guys!

P.S. Please remove the MAC address from my first post, thank you : )

1 Like

I wouldn't suggest any particular book, just find some online documentation explaining iptables. The rest is combined networking knowledge and some experience with asymmetric routing.

2 Likes
