Redirect All Outbound DNS Traffic to Internal IP

hey there.

I have an OpenWRT install handing out DHCP and running DNS. the router is forwarding DNS queries to a Raspberry Pi running PiHole. I'm trying to figure out how to DNAT all outbound DNS traffic to the rpi. played around in Luci but I think it needs to go into the custom firewall rules and I'm not having much success writing my own. has anyone done this before?

thanks.


Try:

config redirect
	option name 'Redirect LAN DNS'
	option src 'lan'
	option dest 'lan'
	option src_ip '192.168.0.224/27'
	option src_dport '53'
	option dest_ip '192.168.0.5'
	option dest_port '53'

Modify the source IP CIDR to match your DHCP range. However I'm not sure how to replicate this for IPv6 and would be glad if someone has a recipe for v6.

thanks for responding, and I think this is pretty close. I don't want to restrict the range to my DHCP scope as I have other devices on static outside the scope and it would be best not to hard-wire the inclusion but the exclusion if possible. also, I think your rule would cause a loop as outbound traffic from the DNS server would be bounced back. something like the below, but this doesn't seem to work right for me, it breaks all DNS.

config redirect
	option name 'Redirect LAN DNS'
	option src 'lan'
	option dest 'lan'
	option src_ip '!192.168.0.5'
	option src_dport '53'
	option dest_ip '192.168.0.5'
	option dest_port '53'

Here is what I do to stop devices from picking their own DNS server.

In Luci go to

Network >> Firewall >> Custom Rules

#keep network on pi-hole
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.10:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.10:53

#punch DNS hole for pi-hole
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.10 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.10 --dport 53 -j ACCEPT

Note: I run 2 PiHoles. Also change your IP.
Note: the above rules will block any device trying to use any DNS server except for Pihole

(screenshot: lede firewall custom rules)

I also use DHCP option 6, It tells devices where your DNS server is:

Go to

Network >> Interfaces >> Scroll down to DHCP Server

Advanced Settings >>DHCP-Options

(screenshot: lede DHCP option 6)

Note: I run two Piholes


thanks but this breaks my DNS too. perhaps because of the forwarding even tho I added my router's IP address into the 'punch hole' rule. I'd like to keep the forwarding in play and not use the PiHole directly because it fubar's local name resolution.

I'm curious...how are you getting the server to send the replies with the spoofed IP address

I'm not currently, that's the end game. right now it's just a simple DNS forward. from a workstation node I would like to be able to "nslookup google.com 8.8.8.8" and get the PiHole to reply instead of Google's servers but everything I've tried so far breaks DNS. current config is to block all outbound port 53 except the PiHole and that gets the job done but not ideal.

hmm, I guess I could have the router reply to DNS requests and forward them on, maybe that would work better.

redirecting to the router and letting it forward the request instead of trying to redirect directly to the PiHole seems to be working, I can do an nslookup to google's servers, get a reply, and find the hit in my PiHole log. .1 is the router, .2 is the PiHole.

thanks everyone for your input.

iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.1:53

Here's how to do it in a modern day LUCI:

URL: /cgi-bin/luci/admin/network/firewall/forwards

wouldn't you need an exclusion for 20.1 to be able to talk out?

I've been futzing around with this for a while, since the original posting I've added a second piHole for redundancy so decided to setup the router to forward DNS and redirect to it. my current solution relies on ipset which is an extra package...

# dns
ipset create dns hash:ip
ipset add dns 192.168.<DNS1>
ipset add dns 192.168.<DNS2>
iptables -t nat -A prerouting_lan_rule -m set ! --match-set dns src -p udp --match multiport --dports 53,853,5353 -j DNAT --to 192.168.<ROUTER>
iptables -t nat -A prerouting_lan_rule -m set ! --match-set dns src -p tcp --match multiport --dports 53,853,5353 -j DNAT --to 192.168.<ROUTER>

You need to masquerade as well or the redirected answers will be ignored due to different source.
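Added example (not from anyone in this thread): a small POSIX shell generator that prints the complete rule set for the ipset-based exclusion approach from the post above, and adds the POSTROUTING masquerade this reply calls for whenever the DNAT target is another LAN host rather than the router. The ipset name "dnsservers", the interface br-lan and the addresses in the comments are assumptions.

```shell
#!/bin/sh
# Print (do not apply) the iptables/ipset commands that force every LAN
# client's port-53 traffic through a chosen resolver. The resolvers are
# exempted via an ipset so they can still recurse upstream (no loop).
# Set ROUTER_IP to the router's own LAN address: when the DNAT target is the
# router itself, conntrack rewrites the router's replies and no masquerade
# is needed; when the target is a LAN host such as a PiHole, the hairpinned
# query is masqueraded so the reply returns through the router and is
# un-DNATed for the client (otherwise the client sees an answer from the
# PiHole's address instead of the 8.8.8.8 it asked and drops it).
# Interface, ipset name and example addresses are assumptions.
LAN_IF="${LAN_IF:-br-lan}"
SET_NAME="${SET_NAME:-dnsservers}"

dns_redirect_rules() {
    # $1 = address queries are redirected to; $2.. = resolver IPs to exempt
    target="$1"; shift
    echo "ipset create $SET_NAME hash:ip -exist"
    for ip in "$@"; do
        echo "ipset add $SET_NAME $ip -exist"
    done
    for proto in udp tcp; do
        # Anyone NOT in the resolver set has port 53 rewritten to the target.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -m set ! --match-set $SET_NAME src -p $proto --dport 53 -j DNAT --to-destination $target:53"
        if [ "$target" != "${ROUTER_IP:-}" ]; then
            # LAN-to-LAN hairpin: source-NAT so the reply comes back via the router.
            echo "iptables -t nat -A POSTROUTING -o $LAN_IF -d $target -p $proto --dport 53 -j MASQUERADE"
        fi
    done
}

# Number of iptables rules emitted (4 for a PiHole target, 2 for the router).
count_rules() { dns_redirect_rules "$@" | grep -c '^iptables'; }

# Example: redirect to PiHole 192.168.1.2, exempting both PiHoles (constructed).
dns_redirect_rules 192.168.1.2 192.168.1.2 192.168.1.3
```

Pipe the output to sh on the router to apply it, or paste it into Network >> Firewall >> Custom Rules; it covers plain port 53 only, so DoT (853) and DoH (443) clients are not caught, as noted further down the thread.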

If your DNS server uses the standard DNS protocol (port 53), yes.

If your DNS server uses DNS over HTTPS/TLS, then no, as that traffic goes through port 443 (https) / 853 (tls).

Given the advantages of DoH/DoT, you probably shouldn't do it the old way.

if your endpoints are setup to do DoH this won't redirect requests.

Of course. Can't do anything about that.
