use Pi-Hole as simple DNS-Server with DD-WRT

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2899
Location: Germany

PostPosted: Sun Jan 30, 2022 14:09    Post subject: use Pi-Hole as simple DNS-Server with DD-WRT

1. example

Client <--> Pi-Hole <--> Public DNS
(the clients get 192.168.1.110 (ip address of the Pi-Hole) as DNS server via DHCP)

Please do not add "Additional DNSMasq Options" on the Router.
The option "dhcp-option=6,192.168.1.110" is added automatically by setting "disable Use DNSMasq for DNS".


All required settings are shown in the picture.

Pro: shortest way (1 hop less)
Pro: Pi-Hole statistics can be sorted by individual clients

Con: Local hostnames are not resolved
Con: Does not work with unbridged / isolated VAPs


Last edited by ho1Aetoo on Tue May 24, 2022 13:53; edited 4 times in total
ho1Aetoo
PostPosted: Sun Jan 30, 2022 14:10
2. example

Client <--> DD-WRT <--> Pi-Hole <--> Public DNS
(the clients get 192.168.1.1 (IP address of the router) as DNS server via DHCP)

This variant has the advantage that a 2nd DNS server is stored in the router as a fallback.
Thus, Internet access still works if the Pi-Hole fails at times or is offline.
Furthermore, the variant works well with an unbridged and isolated guest VAP.

If you still want to use the DNS rebind protection, you should enable this option directly in the DNSMasq of the Pi-Hole.

Download the configuration to the Pi-Hole:
Code:
sudo wget https://forum.dd-wrt.com/phpBB2/files/99_stop_dns_rebind_184.txt -O /etc/dnsmasq.d/99-stop-dns-rebind.conf

Contents of the file "99-stop-dns-rebind.conf":

Quote:
stop-dns-rebind

Restarting the DNS resolver:

Code:
sudo service pihole-FTL restart

Delete the configuration (if no longer wanted):

Code:
sudo rm -rf /etc/dnsmasq.d/99-stop-dns-rebind.conf
sudo rm -rf /etc/dnsmasq.d/$USER.conf

If an error occurs, that is not a problem: it just means the files are not present.

Please do not add "Additional Dnsmasq Options" on the router.

All required settings are shown in the picture.

Pro: Local hostnames are resolved correctly
Pro: works without problems with unbridged and isolated VAPs
Pro: fallback DNS (only useful with a 2nd Pi-Hole to prevent DNS leaks)

Con: the Pi-Hole sees only the router (no sorting by individual clients)


Last edited by ho1Aetoo on Mon Jun 13, 2022 15:48; edited 5 times in total
ho1Aetoo
PostPosted: Sun Jan 30, 2022 14:10
3. example

Client <--> Pi-Hole <--> DD-WRT <--> Public DNS
(the clients get 192.168.1.110 (ip address of the Pi-Hole) as DNS server via DHCP)

Additional Dnsmasq Options:
Code:
dhcp-option=br0,6,192.168.1.110

DNS rebind protection must be disabled on the Pi-Hole (in case it was activated before).
Code:
sudo rm -rf /etc/dnsmasq.d/99-stop-dns-rebind.conf
sudo rm -rf /etc/dnsmasq.d/$USER.conf

If an error occurs, that is not a problem: it just means the files are not present.


Restarting the DNS resolver:
Code:
sudo service pihole-FTL restart

All required settings are shown in the picture.

Pro: Local hostnames are resolved correctly
Pro: Pi-Hole statistics can be sorted by individual clients

Con: does not work with unbridged / isolated VAPs


Last edited by ho1Aetoo on Tue May 24, 2022 18:52; edited 5 times in total
ho1Aetoo
PostPosted: Sun Jan 30, 2022 14:11
Unbound (recursive DNS) as Upstream DNS Server on Pi-Hole

applicable for example 1 and 2

The Raspberry Pi installation and configuration is quite simple.
There are actually also external sources for this.

https://docs.pi-hole.net/guides/dns/unbound/

This is exactly how I installed it:

Code:
raspberry4:~$ sudo apt install unbound

Download the configuration to the Pi-Hole:

Code:
sudo wget https://forum.dd-wrt.com/phpBB2/files/pi_hole_153.txt -O /etc/unbound/unbound.conf.d/pi-hole.conf

Contents of the file "pi-hole.conf":

Quote:
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0

interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"

# Trust glue only if it is within the server's authority
harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

Comment: On powerful machines like the Raspberry Pi 4 you can set the following "num-threads: 2"

Code:
sudo wget https://forum.dd-wrt.com/phpBB2/files/99_edns_188.txt -O /etc/dnsmasq.d/99-edns.conf

Contents of the file "99-edns.conf":

Quote:
edns-packet-max=1232

Restarting unbound:
Code:
sudo service unbound restart

Check unbound:
Code:
sudo service unbound status

Note:

If unbound starts with the following error

Quote:
unbound[119114:0] warning: so-rcvbuf 1048576 was not granted

then you have to increase the receive buffer of the kernel:

Code:
sudo wget https://forum.dd-wrt.com/phpBB2/files/zzz_unbound_200.txt -O /etc/sysctl.d/zzz-unbound.conf

Restart procps and unbound:

Code:
sudo service procps restart
sudo service unbound restart

Check if the error is gone:

Code:
sudo service unbound status

Restarting the DNS resolver:

Code:
sudo service pihole-FTL restart

Delete the configuration (if no longer wanted):
Code:
sudo rm -rf /etc/unbound/unbound.conf.d/pi-hole.conf
sudo rm -rf /etc/dnsmasq.d/99-edns.conf
sudo rm -rf /etc/sysctl.d/zzz-unbound.conf

If an error occurs, that is not a problem: it just means the files are not present.

Additional Dnsmasq Options on the Router (is only needed for example 2):

Code:
edns-packet-max=1232

Configure Unbound in the Pi-Hole (see picture)


Last edited by ho1Aetoo on Wed May 25, 2022 8:56; edited 8 times in total
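An added example that is not part of the post above: a small POSIX shell script for the Pi-Hole host that checks up front whether the `so-rcvbuf: 1m` setting from the unbound config can actually be granted, instead of finding out from the "so-rcvbuf 1048576 was not granted" warning after a restart. It assumes (labelled in the code) that the kernel ceiling for the socket receive buffer is `net.core.rmem_max`, read from `/proc/sys/net/core/rmem_max`, and that raising it to at least the requested size is sufficient; the contents of the `zzz-unbound.conf` file downloaded in the post are not reproduced here, the sysctl line printed by `suggest_sysctl` is this example's own proposal.

```shell
#!/bin/sh
# Added example, not code from the forum post. Pre-check whether unbound's
# so-rcvbuf request fits under the kernel's receive-buffer ceiling.
#
# Assumption: the ceiling is net.core.rmem_max (/proc/sys/net/core/rmem_max),
# and rmem_max >= requested size is treated as "granted" (conservative).

# Convert an unbound size value ("1m", "512k", "1048576") to bytes.
unbound_size_to_bytes() {
    v=$1
    case $v in
        *[Mm]) n=${v%?}; echo $((n * 1024 * 1024)) ;;
        *[Kk]) n=${v%?}; echo $((n * 1024)) ;;
        *)     echo "$v" ;;
    esac
}

# Returns 0 (true) when the ceiling ($2, bytes) allows the requested buffer ($1).
rcvbuf_granted() {
    wanted=$(unbound_size_to_bytes "$1")
    ceiling=$2
    [ "$ceiling" -ge "$wanted" ]
}

# Print the sysctl line that would raise the ceiling to the requested size
# (this is the example's suggestion, not the file from the post).
suggest_sysctl() {
    printf 'net.core.rmem_max=%s\n' "$(unbound_size_to_bytes "$1")"
}

# Live check on the host: read the current ceiling and report what to do.
check_host_rcvbuf() {
    wanted=${1:-1m}
    current=$(cat /proc/sys/net/core/rmem_max 2>/dev/null || echo 0)
    if rcvbuf_granted "$wanted" "$current"; then
        echo "ok: rmem_max=$current allows so-rcvbuf $wanted"
    else
        echo "too small: rmem_max=$current; add to /etc/sysctl.d/zzz-unbound.conf:"
        suggest_sysctl "$wanted"
    fi
}

# Run the check for the value used in the unbound config above.
check_host_rcvbuf 1m
```

Run it on the Pi-Hole before `sudo service unbound restart`; if it reports "too small", apply the sysctl change, restart procps as the post describes, and re-run the check until it reports "ok".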
ho1Aetoo
PostPosted: Sun Jan 30, 2022 14:12
Force DNS redirection (redirect all DNS queries to the Pi-Hole)

For this, iptables rules are required, which must be entered in the "Administration > Commands" tab (see screenshots).

Example 1+3

iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 -p tcp --dport 53 -j DNAT --to 192.168.1.110:53
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 -p udp --dport 53 -j DNAT --to 192.168.1.110:53

192.168.1.110 = IP address of the Pi-Hole

Example 2

## filter on br0 (usually includes LAN and WLAN)
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53

192.168.1.110 = IP address of the Pi-Hole

## filter unbridged VAP wlan0.1
iptables -t nat -I PREROUTING -i wlan0.1 ! -d $(nvram get wlan0.1_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get wlan0.1_ipaddr):53
iptables -t nat -I PREROUTING -i wlan0.1 ! -d $(nvram get wlan0.1_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get wlan0.1_ipaddr):53

## filter unbridged VAP wlan1.1
iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53
iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53


Last edited by ho1Aetoo on Sun Apr 03, 2022 17:01; edited 5 times in total
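An added example that is not part of the post above: a POSIX shell script that builds the same DNAT rules from parameters and inserts each one only if an identical rule is not already in the nat table, so the commands can be re-run from the Commands tab or a firewall script without stacking duplicate PREROUTING entries. The interface names and the 192.168.1.110 Pi-Hole address are the post's own; `$(nvram get lan_ipaddr)` or `$(nvram get wlan0.1_ipaddr)` can be passed as the target just as in the post. The `iptables -t nat -C` existence check and the `DNS_REDIRECT_DRY_RUN` variable are this script's assumptions; by default it only prints what it would run.

```shell
#!/bin/sh
# Added example, not code from the forum post. Idempotent "force DNS" rules.
#
# dns_redirect_rules IFACE TARGET EXEMPT_SRC EXEMPT_DST
#   IFACE      ingress interface (br0, wlan0.1, ...)
#   TARGET     IP the clients' port-53 traffic is redirected to
#   EXEMPT_SRC source IP to leave alone (the Pi-Hole, so its upstream lookups
#              are not looped back), or "" for none (example 1 and 3 style)
#   EXEMPT_DST "1" to also leave traffic already addressed to TARGET alone
#              (the "! -d" form used for example 2), anything else to skip it
# Prints one rule body per protocol (everything after `iptables -t nat`).
dns_redirect_rules() {
    iface=$1; target=$2; exempt_src=$3; exempt_dst=$4
    for proto in tcp udp; do
        rule="PREROUTING -i $iface"
        if [ -n "$exempt_src" ]; then
            rule="$rule ! -s $exempt_src"
        fi
        if [ "$exempt_dst" = "1" ]; then
            rule="$rule ! -d $target"
        fi
        rule="$rule -p $proto --dport 53 -j DNAT --to $target:53"
        printf '%s\n' "$rule"
    done
}

# Insert each rule unless an identical one already exists (iptables -C).
# Assumption: DNS_REDIRECT_DRY_RUN defaults to "1" and then nothing is applied.
apply_dns_redirect() {
    dns_redirect_rules "$@" | while IFS= read -r rule; do
        if [ "${DNS_REDIRECT_DRY_RUN:-1}" = "1" ]; then
            printf 'would run: iptables -t nat -I %s\n' "$rule"
        elif ! iptables -t nat -C $rule 2>/dev/null; then
            # word splitting of $rule is intended: it carries the arguments
            iptables -t nat -I $rule
        fi
    done
}

# Dry-run demo with the post's example 1+3 rules (br0, Pi-Hole exempted).
apply_dns_redirect br0 192.168.1.110 192.168.1.110 ""
# Example 2 style for an unbridged VAP; pass the VAP's own address as target.
apply_dns_redirect wlan0.1 192.168.2.1 "" 1
```

On the router, set `DNS_REDIRECT_DRY_RUN=0` and call `apply_dns_redirect br0 "$(nvram get lan_ipaddr)" 192.168.1.110 1` for the example 2 layout; the `-C` check keeps the rule count stable across firewall restarts, which also makes `iptables -t nat -L PREROUTING -n` easier to audit.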
ho1Aetoo
PostPosted: Sun Jan 30, 2022 14:13
Configuration files:

Last edited by ho1Aetoo on Tue May 24, 2022 13:55; edited 1 time in total
ho1Aetoo
PostPosted: Sun Apr 03, 2022 16:59
Configuration files:

Last edited by ho1Aetoo on Wed May 25, 2022 8:51; edited 3 times in total
ho1Aetoo
PostPosted: Tue May 24, 2022 18:56
unbridged isolated VAPs

applicable for example 2

I think the screenshots are self-explanatory


Last edited by ho1Aetoo on Tue Jul 26, 2022 8:15; edited 3 times in total
ho1Aetoo
PostPosted: Wed May 25, 2022 8:57
Discussion thread about the Pi-Hole sticky

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329571

You can ask your questions in the linked discussion thread.
This makes it a little easier for us to manage the sticky thread.