Posted: Sun Jun 09, 2019 3:48 Post subject: [SOLVED] Force all DNS queries to local DNS server
Edit: I changed the name as I can now redirect queries to the PiHole, but I also want to redirect DNS queries to the PiHole (192.168.1.2) when the request was meant for another DNS server. See the last post on the second page.
Hi there! I'm not used to playing with complicated rules and networking stuff, so please bear with me.
I have no idea which kind of logs are needed or which command to type to retrieve relevant information. Please let me know if needed. I'm not used to making such threads.
Goal:
* Make DNS resolution available on br1
* (Try to) force all clients to use the PiHole as its DNS provider (192.168.1.2/br0).
* The only port that should be reached on the PiHole by br1 is the DNS port (53).
* I would also like to see who made the query on the PiHole (PiHole side/issue/irrelevant here)
Topography:
I have a main network (192.168.1.1, br0) with a NAS, my computers wired and android devices and a public network (wl1.1, br1, 192.168.10.1) which is a public isolated network for guests.
The DNS server is connected to br0 and br1 is isolated in the GUI (see options below)
(I just noticed) I updated to r39960 kongac today and I cannot seem to make DNS resolution on br1 work (Edit: after 15 minutes without playing with it, DNS resolution on Android on br1 is working, but not using the PiHole), even with Static DNS 1 at 1.1.1.1.
I turned off QoS to make sure it wasn't interfering. I also disabled Shortcut Forwarding Engine.
Configuration:
Setup:
Local DNS: 0.0.0.0
Static DNS 1: 192.168.1.2
DHCP-Authoritative: Enabled
Assign to Bridge:
br1 wl1.1 STP Off Prio 128 Path Cost 100
Port Setup:
WAN Port Assignment: VLAN 2 (Wan port from VLAN Tab)
Both br1 and wl1.1:
Masquerade / NAT: Enabled
Net Isolation: Enabled
IP 192.168.10.1
Mask 255.255.255.0
DHCPD
DHCP 0 br1 On
Wireless:
wl1.1:
AP Isolation: Enable
Network: Unbridged
Masquerade / NAT: Enable
Net Isolation: Enable
IP 192.168.10.1
Mask 255.255.255.0
Dnsmasq:
No DNS Rebind: Enabled
Additional Dnsmasq Options:
Code:
dhcp-option=6,192.168.1.2
Security: (Maybe it's relevant?)
The following are enabled:
SPI Firewall
Filter Java Applets
Filter ActiveX
Filter TOS/DSCP
ARP Spoofing Protection
Block Anonymous WAN Requests (ping)
Filter Multicast
Filter IDENT (Port 113)
Block WAN SNMP access
Firewall:
I found a bunch of rules online that I tried to glue together:
Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
I tried with only Static DNS, only the dnsmasq option, only the iptables rules... two of them, three of them. Rebooting every 2 or 3 changes... It's killing me.
I hope it was complete. I noticed how to attach images after writing all of this; if you prefer screenshots, let me know!
Last edited by Extarys on Mon Jul 01, 2019 23:04; edited 4 times in total
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Sun Jun 09, 2019 7:42 Post subject:
The problem, I think, is that you have made a br1 and unbridged wl1.1
If you only have wl1.1 as your guest network then delete br1.
wl1.1 is its own interface (you have set it on 192.168.10.1)
Do not forget to set a dhcpd server on wl1.1 in setup/networking
Creating an extra bridge like br1 is only necessary if you have more interfaces for which you want to use the same subnet.
Delete all the firewall rules and the additional DNSMasq options you have made. Actually, after so much tinkering it is best to reset to defaults and start fresh.
NET isolation is done by enabling it in the GUI and also NAT is done by enabling it in the GUI
The only thing you have to do is to route DNS traffic from both br0 and wl1.1 to the Pi-hole (but not to redirect the traffic to the Pi-hole otherwise it will loop)
Test rules from the command line (putty/telnet) and if they are working: Administration/Commands Save Firewall
It really is not that complicated (LOL)
Attached my notes for setting up a Virtual Access Point the modern way
One more thing: Disable "No DNS Rebind" on Services/DNSMasq
Edit: was a bit too hasty, you have to allow access to the Pi-hole from wl1.1 as it is isolated from the main network where the Pi-hole is located:
Code:
iptables -I FORWARD -i wl1.1 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i wl1.1 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Sun Jun 09, 2019 8:39 Post subject:
One thing that crossed my mind about:
Quote:
Disable "No DNS Rebind" on Services/DNSMasq
This is necessary to allow local DNS servers to work, but you can leave it enabled and then add the following in Additional DNSMasq options:
rebind-domain-ok=/local_domain/
For local_domain you have to use the name you have given your local domain
Devices connected to br0 do use the PiHole, but devices connected to br1 don't. DNS resolution still works though; I suspect they are using the ISP DNS servers.
"Use DNSMasq for DNS" is enabled by default.
I did try to use the following options with dnsmasq:
With Local DNS and No DNS Rebind enabled, 'dhcp-option' doesn't seem to have any effect, so I removed it (anyway, you didn't mention it in your post so...)
Putting Local DNS or Static DNS 1 to 192.168.1.2 makes the br1 devices use the PiHole but all devices are listed as 192.168.1.1 (they are coming from the router not the devices themselves).
I guess it's "working" but I'd like a way to see which device made the request.
If nobody has an idea here, I'll try to check on the PiHole side. I already made a post but it's "off-topic" so I'm not sure I'll receive any reply.
Thanks again for your time; at least the isolation and DNS queries work.
Okay, maybe I'm not waiting long enough after I apply settings and test too soon. I removed Static DNS 1 and disabled Use DNSMasq for DNS... Now everything is working as it should.
If you set it up like in your first post it is not going to work.
If you put wl0.1 and wl1.1 on br1 you have to keep them bridged.
Search for instructions on how to use br1.
Yes I set them bridged both in Wireless and in Networking. All wireless devices now use the PiHole it seems.
I just noticed though that my wired computer doesn't use it anymore... Oh my...
My computer's DNS is set to Auto, but I just noticed those are my ISP's DNS servers. (Manjaro Linux)
Is there a way to force all DNS queries from the router?
I didn't touch it since I set up the guest network and it was working and the PiHole was receiving requests, but yesterday I got a VoIP ATA box and noticed that the PiHole didn't register any DNS queries from it.
I tried setting the static DNS to 1.1.1.1 on my main computer and restarting my network interface, and the PiHole doesn't get the requests.
With these new rules, the PiHole gets the request, but it seems like the result is not forwarded to the client.
I also was able to see the VoIP requesting a DNS resolution for the VoIP provider.
Firefox gives me:
Quote:
Hmm. We’re having trouble finding that site.
This is with the client configured to use DNS server 1.1.1.1.
Since the VoIP box uses its own DNS provider, the box must also have got an error trying to access the URL. I do not have the password and, for liability reasons, they do not want to give it to me.
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Sun Jun 30, 2019 11:43 Post subject:
If the ATA has to use its own DNS server, you have to exclude the IP address of the ATA (give it a static lease) from the PREROUTING to your PI-HOLE.
You are already excluding the PI-HOLE itself (otherwise it loops) and you can enter multiple IP addresses comma separated, but I think that will not work as that just makes multiple entries.
So you have to insert a rule in the PREROUTING chain to evaluate the ATA's IP address first.
Not sure if this will work (I am not the iptables expert) but try the following:
(those make the requests go to the Pi, but the client never receives the result, so I guess it's those)
The first set of rules 'works', but static DNS servers bypass the PiHole. The second set is from a 2013 post, and the PiHole catches the requests but doesn't seem to forward them. So I guess I should add the rules you mentioned to the second set of rules?
The br1 is only for the guest network. Everything in my house runs on br0 with static DHCP leases. The PiHole is .1.2 and the ATA is .1.3. (NAS, Kodi, wired computer all have static IPs; I like predictability)
I want to make sure every device, including the ATA, uses the PiHole regardless of the static DNS set in the configs on any device. (I re-explained at the bottom too)
egc wrote:
If the ATA has to use its own DNS server, you have to exclude the IP address of the ATA (give it a static lease) from the PREROUTING to your PI-HOLE.
You are already excluding the PI-HOLE itself (otherwise it loops) and you can enter multiple IP addresses comma separated, but I think that will not work as that just makes multiple entries.
So you have to insert a rule in the PREROUTING chain to evaluate the ATA's IP address first.
Not sure if this will work (I am not the iptables expert) but try the following:
Yes, using the rules from 2013, the PiHole receives the requests coming from br0 but doesn't seem to 'transmit' the answer to the client. Is there a rule to make all devices use the PiHole and not just the ATA? I'm no iptables expert either.
I'm sorry, I'm not very good at explaining technical stuff like that; it's a mess in my head, so trying to explain it is hard, and it must be hard for you too to interpret what I'm trying to say.
Both br0 and br1 use the PiHole, except when the client/device has a static DNS server set. For example, if I set the DNS server on my computer to 1.1.1.1, the DNS requests are not redirected to the PiHole. I would like all requests to be answered by the PiHole.
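Putting egc's advice (exclude the Pi-hole and the ATA in nat/PREROUTING before the redirect, and let the guest bridge reach only port 53 on the Pi-hole) together with the thread's closing question (make every client use the Pi-hole whatever resolver it has configured, and why the Pi-hole sees the redirected query but the client never gets the answer) into one script, as an added example that is not code from the thread or from egc. It assumes the addresses and interfaces stated in the thread (router 192.168.1.1 on br0, Pi-hole 192.168.1.2, ATA 192.168.1.3, guest bridge br1); the function names, the `show`/`apply` arguments and the use of the iptables `conntrack` match (present on current DD-WRT builds, but verify on yours) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: force every DNS query from the LAN (br0) and the
# guest bridge (br1) to the Pi-hole, regardless of the resolver configured on the client.
# Assumed values (taken from the thread): Pi-hole 192.168.1.2 and ATA 192.168.1.3 on br0.
LAN_IF=br0
GUEST_IF=br1
PIHOLE=192.168.1.2
# Hosts whose DNS is left alone: the Pi-hole itself (otherwise its upstream queries loop
# back to it) and the ATA, which must keep its provider's resolver.
BYPASS="192.168.1.2 192.168.1.3"

# Print the iptables commands instead of running them, so they can be reviewed or tested.
dns_redirect_rules() {
  pihole=$1; lan=$2; guest=$3; bypass=$4
  for proto in udp tcp; do
    # 1. Exclusions are inserted (-I) at the top of nat/PREROUTING, so they are evaluated
    #    before the DNAT rules appended (-A) below. ACCEPT in the nat table means "no NAT".
    for host in $bypass; do
      echo "iptables -t nat -I PREROUTING -i $lan -s $host -p $proto --dport 53 -j ACCEPT"
    done
    # 2. Any other port-53 packet not already addressed to the Pi-hole is rewritten to it.
    for ifc in $lan $guest; do
      echo "iptables -t nat -A PREROUTING -i $ifc ! -d $pihole -p $proto --dport 53 -j DNAT --to-destination $pihole:53"
    done
    # 3. Hairpin: a br0 client and the Pi-hole share a subnet, so the Pi-hole would answer the
    #    client directly from 192.168.1.2 while the client waits for a reply from 1.1.1.1 and
    #    drops it (the "Pi-hole sees the query, nothing comes back" symptom). Masquerading only
    #    DNATed flows sends the answer back through the router, where conntrack restores the
    #    original destination; direct queries keep the client's real address in the Pi-hole log.
    echo "iptables -t nat -A POSTROUTING -o $lan -d $pihole -p $proto --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE"
  done
}

# Guest side: the only thing br1 may reach on the Pi-hole is port 53; Net Isolation closes
# the rest of FORWARD, and -I puts these ACCEPTs above the isolation DROP rules.
guest_dns_allow_rules() {
  pihole=$1; guest=$2
  for proto in udp tcp; do
    echo "iptables -I FORWARD -i $guest -d $pihole -p $proto --dport 53 -j ACCEPT"
  done
}

# Run the generated commands as root on the router (sh -e stops at the first failing rule).
apply_rules() {
  { guest_dns_allow_rules "$PIHOLE" "$GUEST_IF"
    dns_redirect_rules "$PIHOLE" "$LAN_IF" "$GUEST_IF" "$BYPASS"; } | sh -e
}

case "${1:-}" in
  show)  guest_dns_allow_rules "$PIHOLE" "$GUEST_IF"
         dns_redirect_rules "$PIHOLE" "$LAN_IF" "$GUEST_IF" "$BYPASS" ;;
  apply) apply_rules ;;
esac
```

`sh dns-redirect.sh show` lists the rules for review; test them from the router's command line first, as egc suggests, then `apply` and put the same commands under Administration/Commands, Save Firewall. The cost of the hairpin MASQUERADE is that br0 clients whose queries were redirected show up in the Pi-hole log as 192.168.1.1 (the same effect seen earlier in the thread when the router's dnsmasq forwarded for them); guest clients are routed through the router anyway, so their own address stays visible.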