Set Pihole as DNS for all devices on the network that access the Internet

Hello,
I find many different statements about how to specify a local DNS server as the default for all devices that go to the Internet. I do not want to specify a DNS server on every device separately.

I have 200MBit/s cable from TeleColumbus. OpenWRT on a R7800 is connected directly behind the modem.

I check the DNS settings with this website: http://www.whatsmydnsserver.com/

PiHole is on 192.168.1.8.

  • I have unchecked the checkbox "Use DNS servers advertised by peer" at "Interfaces -> Wan -> Advanced Settings".
  • At "Use custom DNS servers" I have entered 192.168.1.8.

Now the DNS setting works fine. But if I deactivate Pihole (192.168.1.8 not reachable anymore), the DNS from the provider is used again. So I guess there is still a fallback somehow. ONLY 192.168.1.8 should be used.

What else do I have to set? Thank you very much.

  • disable DoH in the browsers or block it using banIP
  • disable DoT on Android devices (it's an OS setting, not browser)
  • in your firewall, catch and reroute/forward all outgoing DNS calls to your pi-hole

there are some useful links in URL-filter for OpenWrt Barrier Breaker

2 Likes

Out of curiosity: Why do you use PiHole, and not a solution integrated into OpenWrt, like adblock etc.?

1 Like

Not OP, but if you have a large DNS block list, and your device doesn't have plenty of RAM, dnsmasq might, in some rare scenarios, allocate all of the router's available RAM, causing it to freeze/crash.

reference: Opening Taxi App - Oom_reaper kills dnsmasq

My piholes block list is 1.1M entries, I wouldn't want that in my router.

The percentage blocked is misleading, since I'm currently being hammered by devices making RRSIG requests for the domain pizzaseo.com.
And yes, it's obviously public.

3 Likes

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
2 Likes

My blocklist is >8.000.000 items :slight_smile:

Here i go:

root@OpenWrt:~# ubus call system board; uci export network; uci export dhcp ; ls
 -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp
/resolv.* /tmp/resolv.*/*
{
        "kernel": "4.14.221",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "ipq806x/generic",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        list dns '192.168.1.8'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list server '192.168.1.8'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '1h'
        option dns '1'
        option name 'Hauptrechner'
        option ip '192.168.1.2'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '1h'
        option dns '1'
        option name 'ServerPi'
        option ip '192.168.1.3'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '1h'
        option dns '1'
        option name 'WerbeblockPi'
        option ip '192.168.1.8'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.12'
        option name 'Fairphone3'
        option dns '1'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '1h'
        option dns '1'
        option name 'Freifunk2'
        option ip '192.168.1.19'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '1h'
        option dns '1'
        option name 'Freifunk1'
        option ip '192.168.1.18'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '1h'
        option dns '1'
        option name 'X220'
        option ip '192.168.1.5'


ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Feb 15 15:22 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May 14 11:53 /tmp/resolv.conf
-rw-r--r--    1 root     root           123 May  9 18:28 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.1.8
# Interface wan6
nameserver 2a02:2457:30c:101::11
nameserver 2a02:2457:10c:101::126
head: /tmp/resolv.*/*: No such file or directory
root@OpenWrt:~#  

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration?s=noresolv=#dns_forwarding

2 Likes

You should also not use the DNS servers advertised by peer in wan6 interface.

1 Like

OK, then it is because of implementation details. In my simple basic Parental Control, I have about 1 million blocked domains, managed on an OpenWrt router with 128MB RAM.
At first glance, 8 million should fit into 512MB.

1 Like

Thank you very much. After executing it, the message "udhcpc: no lease, failing" appears. Is that not so bad? I have done some research and think that it is correct.

root@OpenWrt:~# uci -q delete dhcp.@dnsmasq[0].server
root@OpenWrt:~# uci add_list dhcp.@dnsmasq[0].server="192.168.1.8"
root@OpenWrt:~# uci add_list dhcp.@dnsmasq[0].server="192.168.1.8"
root@OpenWrt:~# uci commit dhcp
root@OpenWrt:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing

root@OpenWrt:~# /etc/init.d/dnsmasq stop
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].noresolv="1"
root@OpenWrt:~# uci commit dhcp
root@OpenWrt:~# /etc/init.d/dnsmasq start
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing

Hmm... I'm not sure I'm understanding you correctly, I haven't entered the addresses anywhere, are those from the provider?

Maybe it will be 16 million in half a year... Or maybe not. I like the web interface of Pihole very much. :slight_smile:

OK, for 16 million I would need external storage, like a USB stick. But I doubt it really will be worth it. Actually, using the shallalist adv and trackers lists, the result looks good enough for me.
The GUI is a completely different story. "Cosmetics" is not so interesting for a good old German engineer, although I am open to joint enhancements regarding the interface.
More interesting for me was to use the same solution from a mobile connection, too.
This is already done for Android, effectively using my OpenWrt device as the DNS server for my mobile phone (both cell connection and WiFi).

1 Like

Yup, that's the reason why my Pis are cloud hosted.

Hosting is free, and I don't have to punch a hole in my firewall.

1 Like

Ah, I did not think about this. So you are running the Pis in a VM?
Actually, my mobile device and the DNS server on the OpenWrt box at home behind the ISP router communicate via my public web server through a VPN tunnel. No need to mess around with the firewall or DDNS.

1 Like

Yes, two of them .... redundancy, and the free account included two VMs :slight_smile:
It also lets me tinker with different OSes and versions of Pi-hole, since I can switch off/reimage one,
and no one will ever notice.

1 Like
uci set network.wan6.peerdns='0'
uci commit network
ifup wan6
2 Likes
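Added example, not code from this thread or from the OpenWrt project: a small Python audit that parses a `uci export` dump in the format posted above and reports the fallback paths the thread identified (peerdns on wan and wan6, dnsmasq noresolv, the forwarder list). The embedded dump is constructed from the posted one, with the wan6 peerdns and noresolv fixes not yet applied.

```python
"""Audit an OpenWrt 'uci export' dump for DNS paths that bypass the Pi-hole."""
import re

# Constructed sample in 'uci export network; uci export dhcp' format,
# trimmed to the sections that matter; fixes from the thread not yet applied.
SAMPLE_DUMP = """package network

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        list dns '192.168.1.8'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

package dhcp

config dnsmasq
        option resolvfile '/tmp/resolv.conf.auto'
        list server '192.168.1.8'
"""

def parse_uci(text):
    """Return {package: [(type, name, {key: value-or-list})]} from uci export text."""
    pkgs, pkg, sec = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"package (\S+)", line):
            pkg = pkgs.setdefault(m.group(1), [])
        elif m := re.match(r"config (\S+)(?: '([^']*)')?", line):
            sec = {}
            pkg.append((m.group(1), m.group(2), sec))      # name is None for unnamed sections
        elif m := re.match(r"(option|list) (\S+) '([^']*)'", line):
            kind, key, val = m.groups()
            if kind == "option":
                sec[key] = val
            else:
                sec.setdefault(key, []).append(val)         # 'list' keys accumulate
    return pkgs

def find_fallbacks(text, pihole):
    """List every way resolution can still bypass the Pi-hole in this dump."""
    cfg = parse_uci(text)
    issues = []
    for typ, name, opts in cfg.get("network", []):
        if typ == "interface" and name in ("wan", "wan6") and opts.get("peerdns") != "0":
            issues.append(f"network.{name}.peerdns not '0': ISP nameservers land in resolv.conf.auto")
    for typ, _, opts in cfg.get("dhcp", []):
        if typ == "dnsmasq":
            if opts.get("noresolv") != "1":
                issues.append("dhcp.dnsmasq.noresolv not '1': dnsmasq still reads the resolvfile")
            if opts.get("server", []) != [pihole]:
                issues.append(f"dhcp.dnsmasq.server is not exactly [{pihole}]")
    return issues
```

Run it against a real `uci export network; uci export dhcp` capture; an empty list means the router has no configured fallback left, which does not cover clients that use DoH/DoT or a hard-coded resolver.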

Thank you all for your responses. It works wonderfully now.

I wish there was a way to reliably include Pihole via the web interface. A setting "use external DNS" that does everything in the background. I now don't know how to reset the settings via the console. If at some point Pihole breaks I would have a serious problem. (I have made a backup.) There are 100 different ways to do this in this forum and on the internet, and they are often not complete.

Thanks anyway.

uci delete network.wan6.peerdns
uci commit
ifup wan6

Pihole is better :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.