Posted: Sun Sep 27, 2020 3:39 Post subject: Pi Hole & DD-WRT (DNS Traffic Escaping)
Can anyone give me a step-by-step on how to configure DD-WRT with PiHole?
I'm trying to follow along with older threads, but it's hard to understand the back-and-forth and people debugging what they posted along the way, and to follow what it should be.
I have it set up and running now. I've configured filter rules under Access Restrictions to not allow any port 53 traffic from any IP address on any interface except for the PiHole address.
The filter is showing lots and lots of counts, so I know it's working. I also can't ping domain names in the block list, indicating it's working, but the problem is that some DNS traffic is still escaping the router.
If I swap out the router with another one (won't mention the name) with the same rules/setup with this PiHole, no traffic escapes, so it has to be something in DD-WRT not configured that's allowing it.
Any help would be greatly appreciated. I thought I'd start by verifying I hadn't missed something.
Joined: 16 Nov 2015 Posts: 6445 Location: UK, London, just across the river..
Posted: Sun Sep 27, 2020 10:08 Post subject:
As egc noted above, you've made a vital error...
Have a search, either in the forum or on Google (adding DD-WRT to the Google search)... many threads on the Pi-Hole subject these days... same and same again and again... it's not that hard to find... if you spend some quality time with coffee and reading.
Step-by-step guides are somewhere there...
Good Luck _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
No offense, but the forums are a mess of information, and searching reveals way too many threads on the subject that are hard to follow, which is why I asked if someone could give me a step-by-step or at least point me to one.
As for posting in the right thread, I assume I have it right when I do so, but I guess I didn't, and for that I apologize.
Information on what I'm running this on: 2x Netgear R7000Ps running R-43718.
Joined: 18 Mar 2014 Posts: 12909 Location: Netherlands
Posted: Sun Sep 27, 2020 15:18 Post subject:
Well, I am far from an expert on this subject, so I can only share what I learned here in the forum regarding it.
What I learned is that you can use two different approaches to use an external DNS server.
1. Use DNSMasq to set that DNS server on the clients, so that the clients directly contact the PiHole as DNS server.
Set Local DNS on the router itself to the PiHole and block port 53 on the OUTPUT chain (so that the router cannot resolve DNS addresses), and block port 53 on the FORWARD chain so that clients cannot resolve DNS with their own DNS server.
Of course, on the blocked FORWARD chain make an exception for the IP address of the PiHole, which should be allowed.
2. Redirect all queries to port 53 on the server (you cannot use Forced DNS redirection, as that would also redirect the PiHole back to the server).
On the server set static DNS to the PiHole (make sure to enable "Ignore WAN DNS" so as to stop a leak).
Also on the server set Local DNS to the PiHole.
You can set a block rule for port 53 on the OUTPUT chain to be sure, and also the block rule on the FORWARD chain for port 53, but both should not be necessary.
Now there are other possibilities to get DNS, like DoH and DoT, and also some DNS servers listen on port 5353.
You can set block rules for port 5353 and 853 (DoT) on the FORWARD chain to stop this.
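To make approach 1 above concrete, here is an added example of a DD-WRT firewall script (not code from the thread or from the DD-WRT project) implementing the rules egc describes. It assumes the Pi-hole sits on the LAN at 192.168.1.2 (a constructed address), that the LAN bridge is br0, and that DD-WRT runs the script as root from Administration > Commands > Save Firewall.

```shell
#!/bin/sh
# Added example, not from the thread: DD-WRT firewall script for egc's approach 1.
# Assumptions: Pi-hole on the LAN at $PIHOLE (constructed address), LAN bridge br0,
# and DD-WRT runs this as root from Administration > Commands > "Save Firewall".
# Clients learn the Pi-hole as their resolver via DNSMasq's additional option:
#   dhcp-option=6,192.168.1.2   (Services > DNSMasq > Additional Options)
PIHOLE="${PIHOLE:-192.168.1.2}"   # assumed Pi-hole address
LAN_IF="${LAN_IF:-br0}"           # DD-WRT's default LAN bridge

# Print the iptables rules rather than running them directly, so the rule set can
# be reviewed and tested before being applied. Each rule is inserted with -I, so
# later lines land higher in the chain: the Pi-hole exception is emitted last.
dns_escape_rules() {
    pihole="$1"; lan="$2"
    cat <<EOF
# FORWARD: clients may not send plain DNS (port 53) past the router...
iptables -I FORWARD -i $lan -p udp --dport 53 -j REJECT
iptables -I FORWARD -i $lan -p tcp --dport 53 -j REJECT
# ...nor use port 5353 or DNS over TLS (853) to sidestep the Pi-hole
iptables -I FORWARD -i $lan -p udp --dport 5353 -j REJECT
iptables -I FORWARD -i $lan -p tcp --dport 5353 -j REJECT
iptables -I FORWARD -i $lan -p tcp --dport 853 -j REJECT
# Exception: the Pi-hole itself must reach its upstream resolvers
iptables -I FORWARD -i $lan -s $pihole -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i $lan -s $pihole -p tcp --dport 53 -j ACCEPT
# OUTPUT: the router's own lookups may go only to the Pi-hole (Local DNS setting)
iptables -I OUTPUT -p udp --dport 53 ! -d $pihole -j REJECT
iptables -I OUTPUT -p tcp --dport 53 ! -d $pihole -j REJECT
EOF
}

# Count the iptables rules in a rule set read from stdin (sanity check).
count_rules() { grep -c '^iptables '; }

if [ "$APPLY_RULES" = "1" ]; then
    dns_escape_rules "$PIHOLE" "$LAN_IF" | sh -e   # on the router: apply the rules
else
    dns_escape_rules "$PIHOLE" "$LAN_IF"           # elsewhere: just print for review
fi
```

To confirm nothing escapes, run `nslookup example.com 8.8.8.8` from a LAN client after applying: it should fail, while a plain `nslookup example.com` (answered by the Pi-hole) still works.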
This is supposed to be the DNSMasq way; egc gave you the directions for the iptables way. With a bit of searching you will find the rest; the wiki is also available, very close to the BOARD button.
I guess learning is all about trial and error here... as I don't have PI-Hassole and never tried it, probably never will... it's your duty to try and err / learn...
What I'm trying to accomplish is blocking the domain names for Windows Update / Telemetry. When I feed this into my PiHole attached to my pfSense box and redirect all my DNS traffic through the PiHole, it blocks perfectly on any of our PiHoles that I attach.
When I run the PiHole attached to a DD-WRT router, I can get it to block all the domains from the web browser, but Windows Updates / Telemetry is still getting through somehow.
We are trying to use it because these forced updates keep breaking stuff on a family member's household system. We can't take them off the internet but need to stop the updates until we choose to do them, so we had thought a PiHole would work because it's working for me on my setup.
(We just connect via VPN when we want to do updates, to tunnel through the rules in the firewall.)
It appears that for it to work properly, the domains to be blocked in PiHole need to be added to the Regex section of the Block List and not the Domain section, so that it blocks not only domain.com but also www.domain.com.
For whatever reason pfSense seems to handle its DNS requests differently than DD-WRT when pushing them through the PiHole, which is what led me to believe it was DD-WRT leaking DNS traffic.
When in fact it wasn't leaking traffic but handing the DNS traffic to the Pi-Hole in different ways, so Pi-Hole wasn't blocking it on some requests but was blocking it on others.
I should mention I'm using it with DD-WRT configured with Alozaros's mentioned information just above.