Forced DNS Redirection and Pihole on dhcp-option=6

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
skygunner
DD-WRT User


Joined: 28 Dec 2008
Posts: 146

PostPosted: Wed Jan 25, 2023 7:31    Post subject: Forced DNS Redirection and Pihole on dhcp-option=6
Hi,

My DD-WRT router's IP is 192.168.1.1; it is the DHCP server.
Pi-hole's upstream DNS server is 192.168.1.1.
In the DD-WRT DNSmasq options I put in

dhcp-option=6,IP-of-pihole

The above setting works fine.

But it seems some clients use DoT and do not go through Pi-hole.
If I enable Forced DNS Redirection and Forced DNS Redirection DoT on DD-WRT, would those DNS requests go to the DD-WRT router directly, or would they be forwarded to the Pi-hole set on dhcp-option=6?

_________________
[Broadcom]
DIR868L RevA -> r51506
DIR868L RevA -> r51440
Linksys EA6900-> r42819 STD
WL-500gP v2 --->

[Ralink]
DIR-600 Rev.B -> DD-WRT v3.0-r34886
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Wed Jan 25, 2023 7:36    Post subject:
Moved this thread to the Advanced Networking forum; the general Questions forum is not the best place to ask for router help.

For using a PiHole with DDWRT see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414
which is a sticky in this Advanced Networking forum.

Redirection will redirect DNS to the router.

To stop DoH traffic, see the IPSET guide, also a sticky in this forum.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2977
Location: Germany

PostPosted: Wed Jan 25, 2023 9:09    Post subject:
To block DoT I use the following rules:

    ## block DoT
    iptables -I FORWARD ! -s 192.168.1.110 -p tcp --dport 853 -j REJECT --reject-with tcp-reset
    iptables -I FORWARD ! -s 192.168.1.110 -p udp --dport 853 -j REJECT --reject-with icmp-port-unreachable

    192.168.1.110 = IP address of the Pi-Hole


This blocks all DoT queries that use the standard port, except from the Pi-hole itself.

A small test from my PC shows that the rules work:

Code:
:~$ echo -n "test" | nc -4u 1.1.1.1 853
:~$ echo -n "test" | nc -4 1.1.1.1 853

root@DD-WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    32 REJECT     udp  --  *      *      !192.168.1.110        0.0.0.0/0            udp dpt:853 reject-with icmp-port-unreachable
    1    60 REJECT     tcp  --  *      *      !192.168.1.110        0.0.0.0/0            tcp dpt:853 reject-with tcp-reset
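As an added example (not from the thread or from DD-WRT itself): the two REJECT rules above, wrapped in a small POSIX sh helper that inserts them only when they are not already present, so a DD-WRT firewall script that re-runs on every firewall restart does not stack duplicate copies. The Pi-hole address 192.168.1.110 is taken from the post; the function and variable names are my own.

```shell
# Added example, not part of the forum post. Builds and applies the DoT-blocking
# FORWARD rules from the thread idempotently. PIHOLE_IP = Pi-hole address.

# Print the iptables arguments for one protocol. Every source except the
# Pi-hole is rejected on tcp/853 (RST) and udp/853 (ICMP port unreachable).
dot_block_rule() {
    pihole="$1"; proto="$2"
    case "$proto" in
        tcp) reject="tcp-reset" ;;
        udp) reject="icmp-port-unreachable" ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    echo "FORWARD ! -s $pihole -p $proto --dport 853 -j REJECT --reject-with $reject"
}

# Insert each rule only if 'iptables -C' (check) says it is not there yet.
# Returns non-zero if iptables refuses a rule.
apply_dot_block() {
    pihole="$1"
    for proto in tcp udp; do
        rule=$(dot_block_rule "$pihole" "$proto") || return 1
        # word-splitting of $rule into separate arguments is intended
        if iptables -C $rule 2>/dev/null; then
            echo "already present: $rule"
        else
            iptables -I $rule || return 1
            echo "inserted: $rule"
        fi
    done
}

# Usage on the router (assumed Pi-hole address from the thread):
# apply_dot_block 192.168.1.110
```

If the LAN also routes IPv6, the same rules are needed in ip6tables or the block only covers IPv4 DoT. Clients that use DoT on a non-standard port are not affected by a port-853 rule.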