Secondary pihole dns has 3 times more traffic

Installing and Using OpenWrt Network and Wireless Configuration
1

Greetings all,

I have two pihole dns servers setup. One is on a Rock64 Gigabit SOC board, and the other for redundency is on a Orange PI+ board w/ 10/100 ethernet. My intention is for 99% of the dns traffic to flow through the Rock64 SOC since it has gigibit, however, that is not what is happening. The Orange PI+ is getting three times more traffic, even though it is set up as the secondary dns server. I've tried troubleshooting this and cannot figure out why. Below are the openwrt network config, and custom firewall rules I have setup.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcd:1c00:bdad::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '78:a3:51:32:3f:c6'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        list dns '192.168.2.25'
        list dns '192.168.2.102'
        option peerdns '0'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '78:a3:51:32:3f:c7'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        list dns '192.168.2.25'
        list dns '192.168.2.102'
        option reqprefix 'auto'
        option reqaddress 'try'
        option peerdns '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'


#Force DNS
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.2.25:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.2.102:53

#forward unblocked requests
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.2.25 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.2.102 --dport 53 -j ACCEPT
2

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
grafik
Please edit your post accordingly. Thank you! :slight_smile:

Assign them under lan, not wan/wan6

The tcp rule to .25 will almost never be matched.
Also the "forward unblocked requests" will never be used, since they will be matched at "force DNS"
Are you advertising the piholes as dns to the hosts with option 6 in dhcp? Or just forwarding from dnsmasq?

1 Like