[LunchBoxSteve]

Can anyone give me a step by step on how to configure DD-WRT with PiHole?

I'm trying to follow along with older threads but it's hard to understand the back/forth and people debugging what they posted along the way and follow what it should be.

I have it setup and running now. I've configured filter rules under access restrictions to not allow any port 53 traffic from any IP address on any interface except for the PiHole address.

The filter is showing lots and lots of counts so I know it's working. I also can't ping domain names in the block list indicating it's working but the problem is that some DNS traffic is still escaping the router.

If I swap out the router with another one (won't mention the name) with the same rules /setup with this PiHole, no traffic escapes so it has to be something with DD-WRT not configured that's allowing it.

Any help would be greatly appreciated. I thought I'd start with verifying I hadn't missed something.

[egc]

You missed reading the forum guidelines:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

No mentioning of router model, no build number and posting in the wrong forum

I will transfer this thread to the right forum

[Alozaros]

as egc noted above, you've made a vital errors...
have a search, either in the forum or GGl with adding DDWRT at the ggl search...many threads on the Pi-Hole subject this days...same and same again and again...its, not that hard to find.... if you spend some quality time with coffee and reading
step by step guides are somewhere there...
Good Luck

[LunchBoxSteve]

No offense but the forums are a mess of information and searching reveals way too many threads on the subject that are hard to follow which is why I asked if someone could give me a step by step or at least point me to one.

As for posting in the right thread, I assume I have it right when I do so but guess I didn't and for that I apologize.

Information on what I'm running this on 2x
Netgear R7000P's running R-43718.

Thanks.

[egc]

Well I am far from an expert on this subject so can only share what I learned here in the forum regarding this subject.

What I learned is you can use two different approaches to use an external DNS server.
1. Use DNSMasq to set that DNS server on the clients so that the clients directly contact the PiHole as DNSserver.
Set Local DNS from the router itself to the PiHole and block port 53 on OUTPUT chain (so that the router cannot resolve DNS addresses and block port 53 on the FORWARD chain so that clients cannot resolve DNS with their own DNS server.

Of course on the blocked FORWARD chain make an exception for the IP address of the PiHole that should be allowed of course.

2. Redirect all queries to port 53 on the server (you canno tuse Forced DNS redirection as that would also redirect the pihole back to the server).
On the server set static DNS to the Pihole (make sure to enable "Ignore WAN DNS" as as to stop a leak.
Also on the server set local DNS to the Pihole
You can set a block rule for port 53 on the OUTPUT chain to be sure and also the block rule on the FORWARD chain for port 53 but both should not be necessary.

Now there are other possibilities to get DNS like DoH and DoT and also some DNS servers listen on port 5353

You can set block rules for port 5353 and 853 (DoT) on the FORWARD chain to stop this.

Stopping DoH is more difficult, you need a block list with DoH servers and use this to block on the FORWARD chain.
See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326658&postdays=0&postorder=asc&start=15

Like I said these are just my thoughts on the subject an probably not complete and/or possibly wrong on details
Regard this as a possible direction how to proceed

[LunchBoxSteve]

Thank you for this... How would I block output and input chains?

[Alozaros]

[LunchBoxSteve]

What I'm trying to accomplish is blocking the domain names for Windows Update / Telemetry. When I feed this into my PiHole attached to my PFSense box and redirect all my DNS traffic through the PiHole it blocks perfectly on any of our PiHoles that I attach.

When I run the PiHole attached to a DD-WRT router I can get it to block all the domains from the web browser but Windows Updates / Telemetry is still getting through somehow.

We are trying to use it because these forced updates keep breaking stuff on a family members household system and we can't take them off the internet but need to stop the updates until we choose to do them so we had thought a Pihole would work because it's working for me on my setup.

(We just connect via VPN when we want to do updates to tunnel through the rules in the Firewall).

[LunchBoxSteve]

Alozaros

So I tried this just now and it blocks microsoft.com but not www.microsoft.com in the web browser with these settings.

I have the microsoft.com in the block list as a test domain.

In my PFSense box with the same PiHole settings it blocks everything from microsoft.com with or without the WWW.

[LunchBoxSteve]

Ok so I have it figured out...

It appears for it to work properly that the domains to be blocked in PiHole need to be added to the Regex section of the Block List and not the Domain section for it to block not only the domain.com but also the www.domain.com

For whatever reason PFSense seems to handle it's DNS requests differently than DD-WRT when pushing them through the PiHole which is what lead me to believe it was DD-WRT leaking DNS traffic.

When in fact it wasn't leaking traffic but handing the DNS traffic to the Pi Hole in different ways and so Pi Hole wasn't blocking it on some requests but was blocking it on other requests.

I should mention I'm using it with DD-WRT configured with Alozaros's mentioned information just above.

Anyway, all resolved now...

Thanks for everyone's help.