[SOLVED] Force all DNS queries to local DNS server

DD-WRT Forum Forum Index -> Advanced Networking
Page 1 of 2
Extarys (DD-WRT Novice, Joined: 08 Oct 2016, Posts: 17)
PostPosted: Sun Jun 09, 2019 3:48    Post subject: [SOLVED] Force all DNS queries to local DNS server
Edit: I changed the name as I can now redirect queries to the PiHole, but I want to also redirect DNS queries to the PiHole (192.168.1.2) if the request was for another DNS server. See last post on second page.

Hi there! I'm not used to playing with complicated rules and networking stuff, so please bear with me.
I have no idea which kind of logs are needed or which command to type to retrieve relevant information. Please let me know if needed. I'm not used to making threads like this.

Goal:
* Make DNS resolution available on br1
* (Try to) force all clients to use the PiHole as their DNS provider (192.168.1.2/br0).
* The only port that should be reached on the PiHole by br1 is the DNS port (53).
* I would also like to see who made the query on the PiHole (PiHole side/issue/irrelevant here)

Topography:
I have a main network (192.168.1.1, br0) with a NAS, my wired computers and Android devices, and a public network (wl1.1, br1, 192.168.10.1), which is an isolated network for guests.
The DNS server is connected to br0, and br1 is isolated in the GUI (see options below).

(I just noticed) I updated to r39960 kongac today and I cannot seem to make DNS resolution on br1 work (Edit: after 15 minutes without playing with it, DNS resolution on Android on br1 is working, but not using the PiHole), even with Static DNS 1 at 1.1.1.1.

I turned off QoS to make sure it wasn't interfering. I also disabled Shortcut Forwarding Engine.

Configuration:
Setup:
Local DNS: 0.0.0.0
Static DNS 1: 192.168.1.2
DHCP-Authoritative: Enabled

Setup > Networking:
Bridging:
br0 2C:30:00:00:00:72
br1 2C:30:00:00:00:72

Assign to Bridge:
br1 wl1.1 STP Off Prio 128 Path Cost 100

Port Setup:
WAN Port Assignment: VLAN 2 (Wan port from VLAN Tab)
Both br1 and wl1.1:
Masquerade / NAT: Enabled
Net Isolation: Enabled
IP 192.168.10.1
Mask 255.255.255.0

DHCPD
DHCP 0 br1 On

Wireless:
wl1.1:
AP Isolation: Enable
Network: Unbridged
Masquerade / NAT: Enable
Net Isolation: Enable
IP 192.168.10.1
Mask 255.255.255.0

Dnsmasq:
No DNS Rebind: Enabled
Additional Dnsmasq Options:
Code:
dhcp-option=6,192.168.1.2


Security: (Maybe it's relevant?)
The following are enabled:
SPI Firewall
Filter Java Applets
Filter ActiveX
Filter TOS/DSCP
ARP Spoofing Protection
Block Anonymous WAN Requests (ping)
Filter Multicast
Filter IDENT (Port 113)
Block WAN SNMP access

Firewall:

I found a bunch of rules online that I tried to glue together:

Code:

# SNAT everything leaving the WAN interface to the WAN address
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

# Keep network on pi-hole: rewrite every port-53 request from br0 and br1 to the Pi-hole
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 192.168.1.2:53

# Punch DNS hole for pi-hole: the Pi-hole's own queries must not be rewritten
# (-I inserts at the top, so these later rules are evaluated before the DNAT rules)
iptables -t nat -I PREROUTING -i br0 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br0 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT

# Guest bridge: allow new connections out of br1, block br1 <-> br0,
# and reject telnet/ssh to the router from br1
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset


I tried with only Static DNS, only the dnsmasq option, only the iptables rules... two of them, three of them. Rebooting every 2 or 3 changes... It's killing me.

I hope this was complete. I noticed how to attach images after writing all of this. If you prefer screenshots, let me know!


Last edited by Extarys on Mon Jul 01, 2019 23:04; edited 4 times in total
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 4226, Location: Netherlands)
PostPosted: Sun Jun 09, 2019 7:42
The problem, I think, is that you have made a br1 and unbridged wl1.1.

If you only have wl1.1 as your guest network then delete br1.
wl1.1 is its own interface (you have set it on 192.168.10.1)

Do not forget to set a dhcpd server on wl1.1 in setup/networking

Creating an extra bridge like br1 is only necessary if you have more interfaces for which you want to use the same subnet.

Delete all the firewall rules and the additional DNSMasq options you have made. Actually, after so much tinkering it is best to reset to defaults and start fresh.

Net isolation is done by enabling it in the GUI, and NAT is also done by enabling it in the GUI.

The only thing you have to do is to route DNS traffic from both br0 and wl1.1 to the Pi-hole (but not to redirect the traffic to the Pi-hole otherwise it will loop)

Just assuming your Pi-hole is on 192.168.1.2:
Code:
# the Pi-hole itself (! -s) is excluded so its own upstream queries are not looped back
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i wl1.1 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i wl1.1 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2:53


Test rules from the command line (putty/telnet) and if they are working: Administration/Commands Save Firewall

It really is not that complicated (LOL)

Attached my notes for setting up a Virtual Access Point the modern way

One more thing: Disable "No DNS Rebind" on Services/DNSMasq

Edit: was a bit too hasty, you have to allow access to the Pi-hole from wl1.1 as it is isolated from the main network where the Pi-hole is located:
iptables -I FORWARD -i wl1.1 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i wl1.1 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT


Have fun

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 4226, Location: Netherlands)
PostPosted: Sun Jun 09, 2019 8:39
One thing that crossed my mind about:
Quote:
Disable "No DNS Rebind" on Services/DNSMasq


This is necessary to allow local DNS servers to work, but you can leave it enabled and then add the following in Additional DNSMasq options:
rebind-domain-ok=/local_domain/

For local_domain you have to use the name you have given your local domain

Not 100% sure about this though, but others might confirm or correct.

Extarys (DD-WRT Novice, Joined: 08 Oct 2016, Posts: 17)
PostPosted: Sun Jun 09, 2019 20:23
Thank you very much for your reply!

- The router was reset
- I decided to also create wl2.1 and use br1
- In Wireless everything is bridged, I chose to configure them in Networking tab

I adjusted the firewall rules for br1 (instead of wl1.1).

Firewall:
Code:

# redirect port 53 from br0 and br1 to the Pi-hole, excluding the Pi-hole itself (! -s)
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
# let the isolated guest bridge reach the Pi-hole on port 53 only
iptables -I FORWARD -i br1 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT


Devices connected to br0 do use the PiHole, but devices connected to br1 don't. DNS resolution still works though; I suspect they are using the ISP's DNS servers.

"Use DNSMasq for DNS" is enabled by default.

I did try to use the following options with dnsmasq:
Code:
rebind-domain-ok=/local/
dhcp-option=6,192.168.1.2


With Local DNS and No DNS Rebind enabled. 'dhcp-option' doesn't seem to have any effect, so I removed it (anyway, you didn't talk about it in your post, so...).

Putting Local DNS or Static DNS 1 to 192.168.1.2 makes the br1 devices use the PiHole but all devices are listed as 192.168.1.1 (they are coming from the router not the devices themselves).

I guess it's "working" but I'd like a way to see which device made the request.

If nobody has an idea here I'll try to check on the PiHole side. I already made a post, but it's "off-topic" so I'm not sure I'll receive any reply.


Thanks again for your time, at least the isolation and dns queries work.
Extarys (DD-WRT Novice, Joined: 08 Oct 2016, Posts: 17)
PostPosted: Sun Jun 09, 2019 20:47
Okay, maybe I'm not waiting long enough after I apply settings and I test too soon. I removed Static DNS 1 and disabled Use DNSMasq for DNS... Now everything is working as it should.

For now.

<3 Thank you so much!
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 4226, Location: Netherlands)
PostPosted: Sun Jun 09, 2019 20:48
If you set it up like in your first post, it is not going to work.
If you put wl0.1 and wl1.1 on br1 you have to keep them bridged.
Search for instructions how to use br1

Extarys (DD-WRT Novice, Joined: 08 Oct 2016, Posts: 17)
PostPosted: Sun Jun 09, 2019 20:56
egc wrote:
If you set it up like your first post It is not going to work.
If you put wl0.1 and wl1.1 on br1 you have to keep them bridged.
Search for instructions how to use br1


Yes I set them bridged both in Wireless and in Networking. All wireless devices now use the PiHole it seems.

I just noticed though that my wired computer doesn't use it anymore... Oh my...

My computer's DNS is set to Auto, but I just noticed those are my ISP's DNS servers. (Manjaro Linux)

Is there a way to force all dns queries from the router?
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 4226, Location: Netherlands)
PostPosted: Mon Jun 10, 2019 6:56
The firewall rules force all DNS queries (port 53) coming from br0 and br1 to the Pi-hole (192.168.1.2)
Extarys (DD-WRT Novice, Joined: 08 Oct 2016, Posts: 17)
PostPosted: Sat Jun 29, 2019 16:49
I didn't touch it since I set up the guest network and it was working and the PiHole was receiving requests, but yesterday I got a VoIP ATA box and noticed that the PiHole didn't register any DNS queries from it.

I tried setting static DNS to 1.1.1.1 on my main computer and restart my network interface and the PiHole doesn't get the requests.

To confirm, here are my firewall rules:
Code:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2
iptables -I FORWARD -i br0 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT


I tried removing the port from the IP address for testing; it looked like this before:
Code:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53


I found this 2013 post suggesting:

Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


I also tried replacing nvram get lan_ipaddr with the PiHole address.
Code:

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2
iptables -I FORWARD -i br0 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT


With these new rules, the PiHole gets the request, but it seems like the result is not forwarded to the client.
I was also able to see the VoIP box requesting a DNS resolution for the VoIP provider.

Firefox gives me:
Quote:
Hmm. We’re having trouble finding that site.


This is with the client configured to use DNS server 1.1.1.1.
Since the VoIP box uses its own DNS provider, the box must also have got an error trying to access the URL. I do not have the password, and for liability reasons they do not want to give it to me.

I'm on br0.

Everything works fine on Automatic DNS.

Any idea how I can fix this?
grc (DD-WRT User, Joined: 11 Jul 2018, Posts: 67)
PostPosted: Sun Jun 30, 2019 7:20
If I understand you correctly, you want to use Pi-hole for both br0 and br1. You can try this in Additional Dnsmasq Options:

    no-resolv
    server=192.168.1.2
    dhcp-option=br1,6,192.168.1.2


without any iptables rules
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 4226, Location: Netherlands)
PostPosted: Sun Jun 30, 2019 11:43
If the ATA has to use its own DNS server, you have to exclude the IP address from the ATA (give it a static lease) from the PREROUTING to your PI-HOLE.

You are already excluding the PI-HOLE itself (otherwise it loops) and you can enter multiple IP addresses comma separated, but I think that will not work as that just makes multiple entries.

So you have to insert a rule in the PREROUTING chain to evaluate the ATA's IP address first.

Not sure if this will work (I am not the iptables expert) but try the following:
Code:
# DNS is mostly UDP, so exempt both protocols; -I puts these above the DNAT rules
iptables -t nat -I PREROUTING -i br0 -s <ip-address of ATA> -p udp --dport 53 -j RETURN
iptables -t nat -I PREROUTING -i br0 -s <ip-address of ATA> -p tcp --dport 53 -j RETURN

Per Yngve Berg (DD-WRT Guru, Joined: 13 Aug 2013, Posts: 5196, Location: Akershus, Norway)
PostPosted: Sun Jun 30, 2019 11:59
Maybe a rule allowing the return packet is needed.

iptables -I FORWARD -i br0 -s 192.168.1.2 -p udp --sport 53 -o br1 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.2 -p tcp --sport 53 -o br1 -j ACCEPT
Extarys (DD-WRT Novice, Joined: 08 Oct 2016, Posts: 17)
PostPosted: Sun Jun 30, 2019 20:57
Thanks for stopping by, I appreciate it. I think I wasn't clear enough and I apologize. I put a better explanation at the bottom of the post.

grc wrote:
If I understand you correctly, you want to use Pi-hole for both br0 and br1. You can try this in Additional Dnsmasq Options:

    no-resolv
    server=192.168.1.2
    dhcp-option=br1,6,192.168.1.2


without any iptables rules


Thanks, I had an error in my 'server' directive. The br1 already uses the PiHole.

Per Yngve Berg wrote:
Maybe a rule allowing the return packet is needed.

iptables -I FORWARD -i br0 -s 192.168.1.2 -p udp --sport 53 -o br1 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.2 -p tcp --sport 53 -o br1 -j ACCEPT


Huh, thanks, but I'm confused... Should I add those (with br0 and br1) with (current):

Code:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2


or with

Code:

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.2


(those make the requests go to the Pi, but the client never receives the result, so I guess it's those)

The first set of rules 'works', but static DNS servers bypass the PiHole. The second set is from a 2013 post, and with it the PiHole catches the requests but doesn't seem to forward them. So I guess I should add the rules you mentioned to the second set of rules?

The br1 is only for the guest network. Everything in my house runs on br0 with static DHCP leases. The PiHole is .1.2 and the ATA is .1.3. (NAS, Kodi, wired computer all have static IPs, I like predictability.)

I want to make sure every device, including the ATA, uses the PiHole regardless of the static DNS set in the configuration of any device. (I re-explained at the bottom too.)



egc wrote:
If the ATA has to use its own DNS server, you have to exclude the IP address from the ATA (give it a static lease) from the PREROUTING to your PI-HOLE.

You are already excluding the PI-HOLE itself (otherwise it loops) and you can enter multiple IP addresses comma separated, but I think that will not work as that just makes multiple entries.

So you have to insert a rule in the PREROUTING chain to evaluate the ATA's IP address first.

Not sure if this will work (I am not the iptables expert) but try the following:
Code:
# DNS is mostly UDP, so exempt both protocols; -I puts these above the DNAT rules
iptables -t nat -I PREROUTING -i br0 -s <ip-address of ATA> -p udp --dport 53 -j RETURN
iptables -t nat -I PREROUTING -i br0 -s <ip-address of ATA> -p tcp --dport 53 -j RETURN



Yes, using the rules from 2013, the PiHole receives the requests coming from br0 but doesn't seem to 'transmit' it to the client. Is there a rule to make all devices use the PiHole and not just the ATA? I'm no iptables expert either.



I'm sorry, I'm not very good at explaining technical stuff like that. It's a mess in my head, so trying to explain it is hard, and it must be hard for you too to interpret what I'm trying to say.

To be clear:
Dnsmasq options:
Code:
rebind-domain-ok=/local/
server=192.168.1.2
dhcp-option=6,192.168.1.2
bogus-priv
no-resolv


Firewall rules, currently:
Code:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.2
iptables -t nat -I PREROUTING -i br1 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.2
iptables -I FORWARD -i br0 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT


Both br0 and br1 use the PiHole, except when the client/device has a static DNS server set. For example, if I set the DNS server on my computer to 1.1.1.1, the DNS requests are not redirected to the PiHole. I would like all requests to be answered by the PiHole.
Per Yngve Berg (DD-WRT Guru, Joined: 13 Aug 2013, Posts: 5196, Location: Akershus, Norway)
PostPosted: Mon Jul 01, 2019 4:24
These rules do not make any sense:

iptables -I FORWARD -i br0 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT


The router will never see a packet coming in on br0 with a destination address located on br0.

I suppose you intended source address (-s).
grc (DD-WRT User, Joined: 11 Jul 2018, Posts: 67)
PostPosted: Mon Jul 01, 2019 6:38
Another combination:

in Additional Dnsmasq Options:

    no-resolv
    server=192.168.1.2


+ Firewall:

    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
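Pulling the thread together, here is an added example (mine, not a script posted in the thread and not anything shipped by DD-WRT or Pi-hole) of a complete Administration > Commands > Save Firewall script. It takes the addresses and bridge names from the thread (Pi-hole 192.168.1.2 on br0, guest bridge br1) and covers the points raised above: egc's PREROUTING DNAT with the Pi-hole excluded so its own upstream queries do not loop, the FORWARD opening from br1 to the Pi-hole through Net Isolation, egc's RETURN exemption for a device such as the ATA, and the br0 symptom where the Pi-hole sees the query but the client never gets the answer. That last one is the same-subnet case Per Yngve Berg pointed at: when a br0 client is redirected to a br0 Pi-hole, the reply goes straight from 192.168.1.2 to the client without passing the router, so nothing rewrites the source back to the 1.1.1.1 the client asked, and the client discards the answer. A MASQUERADE in POSTROUTING limited to DNAT'ed flows sends the reply back through the router, which then restores the original destination. The chain names, variable names, the empty DNS_EXEMPT list, the 192.168.1.0/24 prefix, and the availability of `iptables -C` and the conntrack match (`--ctstate DNAT`) on the build are my assumptions.

```shell
#!/bin/sh
# Added example, not a script from the thread, DD-WRT or Pi-hole. Forces all port-53
# traffic from the main LAN (br0) and the guest bridge (br1) to the Pi-hole at
# 192.168.1.2. Addresses and bridge names are the thread's; the chain names,
# variable names, the exempt-client list and the LAN prefix are assumptions.

PIHOLE=${PIHOLE:-192.168.1.2}
LAN_IF=${LAN_IF:-br0}                 # main LAN, same subnet as the Pi-hole
LAN_NET=${LAN_NET:-192.168.1.0/24}    # assumed /24 (the thread only shows 192.168.1.x)
GUEST_IF=${GUEST_IF:-br1}             # isolated guest bridge, 192.168.10.0/24
DNS_EXEMPT=${DNS_EXEMPT:-}            # clients that may keep their own DNS (e.g. the ATA), space separated

IPT=${IPT:-iptables}
# Without iptables or root (reviewing the script on a workstation) only print the commands.
if ! command -v "$IPT" >/dev/null 2>&1 || [ "$(id -u 2>/dev/null)" != "0" ]; then
    DRY_RUN=1
fi

ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else "$IPT" "$@"; fi
}

# Private chains keep the script idempotent: DD-WRT re-runs the firewall script (for
# instance when the WAN comes up), and repeating "iptables -I PREROUTING ..." would
# stack duplicate rules every time.
reset_chain() {   # reset_chain TABLE CHAIN
    ipt -t "$1" -N "$2" 2>/dev/null || true
    ipt -t "$1" -F "$2"
}
ensure_jump() {   # ensure_jump TABLE PARENT CHAIN: one jump at the top of PARENT
    if [ -n "${DRY_RUN:-}" ] || ! "$IPT" -t "$1" -C "$2" -j "$3" 2>/dev/null; then
        ipt -t "$1" -I "$2" -j "$3"
    fi
}

build_rules() {
    reset_chain nat    DNS_FORCE
    reset_chain nat    DNS_FORCE_POST
    reset_chain filter DNS_FORCE_FWD
    ensure_jump nat    PREROUTING  DNS_FORCE
    ensure_jump nat    POSTROUTING DNS_FORCE_POST
    ensure_jump filter FORWARD     DNS_FORCE_FWD

    # 1. Exemptions first: the first matching rule wins, so RETURN before DNAT.
    for ip in $DNS_EXEMPT; do
        for proto in udp tcp; do
            ipt -t nat -A DNS_FORCE -s "$ip" -p "$proto" --dport 53 -j RETURN
        done
    done
    # The Pi-hole's own upstream queries must never be bounced back to it (loop).
    ipt -t nat -A DNS_FORCE -s "$PIHOLE" -j RETURN

    for proto in udp tcp; do
        # 2. Rewrite every other port-53 request from br1 or br0 that is not already
        #    addressed to the Pi-hole.
        ipt -t nat -A DNS_FORCE -i "$GUEST_IF" ! -d "$PIHOLE" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$PIHOLE:53"
        ipt -t nat -A DNS_FORCE -i "$LAN_IF" ! -d "$PIHOLE" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$PIHOLE:53"

        # 3. Hairpin for br0: client and Pi-hole share a subnet, so the Pi-hole would
        #    answer the client directly from 192.168.1.2. The client asked 1.1.1.1 and
        #    drops that answer (the "Pi-hole sees the query, client gets nothing" case).
        #    Masquerading only flows that were DNAT'ed makes the reply return through
        #    the router, which restores the original destination. Clients that use the
        #    Pi-hole directly are untouched and keep their own IP in its query log.
        ipt -t nat -A DNS_FORCE_POST -o "$LAN_IF" -s "$LAN_NET" -d "$PIHOLE" -p "$proto" --dport 53 \
            -m conntrack --ctstate DNAT -j MASQUERADE

        # 4. Net isolation drops br1 -> br0. Open exactly port 53 to the Pi-hole and
        #    let the answers back (harmless if the stock chain already accepts ESTABLISHED).
        ipt -A DNS_FORCE_FWD -i "$GUEST_IF" -o "$LAN_IF" -d "$PIHOLE" -p "$proto" --dport 53 -j ACCEPT
        ipt -A DNS_FORCE_FWD -i "$LAN_IF" -o "$GUEST_IF" -s "$PIHOLE" -p "$proto" --sport 53 \
            -m state --state ESTABLISHED -j ACCEPT
    done
}

build_rules
```

On the router the script applies the rules; on a workstation (no iptables, or not root) it prints them so the order can be reviewed before pasting it into Save Firewall. Forced clients on br0 show up in the Pi-hole log as the router, because the masquerade hides them; clients that already use the Pi-hole keep their own address there, and br1 clients keep theirs in both cases because their reply has to cross the router anyway. grc's alternative of DNAT to $(nvram get lan_ipaddr) with server=192.168.1.2 in dnsmasq needs no hairpin rule at all, at the price of every query appearing to come from the router. To verify, run iptables -t nat -L DNS_FORCE -v -n while a br0 client queries 1.1.1.1 and watch the counters on the br0 DNAT rule increase.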