Posted: Sun Jun 09, 2019 3:48 Post subject: [SOLVED] Force all DNS queries to local DNS server
Edit: I changed the name as I can now redirect queries to the PiHole, but I want to also redirect DNS queries to the PiHole (192.168.1.2) if the request was for another DNS server. See last post on second page.
Hi there! I'm not used to play with complicated rules and networking stuff so please bear with me.
I have no idea which kind of logs are needed or which command to type to retrieve relevant information. Please let me know if needed. I'm not used to make such thread.
* Make DNS resolution available on br1
* (Try to) force all clients to use the PiHole as it's DNS provider (192.168.1.2/br0).
* The only port that should be reached on the PiHole by br1 is the DNS port (53).
* I would also like to see who made the query on the PïHole (PiHole side/issue/irrelevant here)
I have a main network (192.168.1.1, br0) with a NAS, my computers wired and android devices and a public network (wl1.1, br1, 192.168.10.1) which is a public isolated network for guests.
The DNS server is connected to br0 and br1 is isolated in the GUI (see options below)
(I just noticed) I updated to r39960 kongac today and I cannot seem to make the DNS resolution on br1 works (Edit: After 15 minutes without playing with it, DNS resolution on Android on br1 is working but not using the PiHole.), even with Static DNS 1 at 184.108.40.206.
I turned off QoS to make sure it wasn't interfering. I also disabled Shortcut Forwarding Engine.
Local DNS: 0.0.0.0
Static DNS 1: 192.168.1.2
Test rules from the command line (putty/telnet) and if they are working: Administration/Commands Save Firewall
It really is not that complicated (LOL)
Attached my notes for setting up a Virtual Access Point the modern way
One more thing: Disable "No DNS Rebind" on Services/DNSMasq
Edit: was a bit too hasty, you have to allow access to the Pi-hole from wl1.1 as it is isloated from the main network where the Pi-hole is located:
iptables -I FORWARD -i wl1.1 -d 192.168.1.2 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i wl1.1 -d 192.168.1.2 -p tcp --dport 53 -j ACCEPT
I didn't touch it since I set up the guest network and it was working and the PiHole was receiving requests, but yesterday I got a VoIP ATA box and noticed that the PiHole didn't register any DNS queries from it.
I tried setting static DNS to 220.127.116.11 on my main computer and restart my network interface and the PiHole doesn't get the requests.
With these new rules, the PiHole get the request, but it seems like the result is not forwarded to the client.
I also was able to see the VoIP requesting a DNS resolution for the VoIP provider.
Firefox gives me:
Hmm. We’re having trouble finding that site.
This is with the client configured to use DNS server 18.104.22.168.
Since the VoIP box uses their own DNS provider, the box must have also got an error trying to access the url. I do not have the password and for liability reasons they do not want to give it to me.
(those makes the requests goes to the Pi but the client never receive the result, so I guess it's those)
The first set of rules 'works' but static DNS servers bypass the PiHole. the second set is form a 2013 post and the PiHole catches the requests but doesn't seem to forward them. So I guess I should add the rules you said with the second set of rules?
the br1 is only for the guest network. Everything in my house runs on br0 with static dhcp leases. The PiHole is .1.2 and the ATA is .1.3. (NAS, Kodi, wired computer all have static IPs, I like predictability)
I want to make sure every devices, including the ATA uses the PiHole regardless of the static DNS set in the configs on any devices. (I re-explained at the bottom too)
If the ATA has to use its own DNS server, you have to exclude the IP address from the ATA (give it a static lease) from the PREROUTING to your PI-HOLE.
You are already excluding the PI-HOLE itself (otherwise it loops) and you can enter multiple IP addresses comma separated, but I think that will not work as that just makes multiple entries.
So you have to insert a rule in the PREROUTING chain to evaluate the ATA's IP address first.
Not sure if this will work (I am not the iptables expert) but try the following:
Yes, using the rules from 2013, the PiHole receives the requests coming from br0 but doesn't seem to 'transmit' it to the client. Is there a rule to make all devices use the PiHole and not just the ATA? I'm no iptable expert either
I'm sorry, I'm not very good at explaining technical stuff like that, it's a mess in my head so trying to explain it is hard, so it must be hard for you too to interpret what I'm trying to say.
Both br0 and br1 uses the PiHole, except when the client/device had static DNS server set. For example, if I set my DNS server in my computer to 22.214.171.124, the DNS requests are not redirected to the PiHole. I would like all requests to be answered by the PiHole.