Posted: Sun Mar 24, 2024 15:29 Post subject: Different DHCP DNS options on Multiple DHCP Servers
I have build 47282 running on an R7800 (old, I know, but it's fast and reliable) and I'm struggling to achieve a certain configuration with regards to DHCP servers passing different DNS options to clients on different networks.
This is my current setup:
* Wired LAN, wlan0 and wlan1 make up my main home network
* wlan1.1 and wlan1.2 are virtual interfaces for segregated guest and IoT wifi networks
* The router provides DHCP as well as recursive DNS resolver for my main home network
* For this, all "Static DNS" options are disabled, "Use DNSMasq for DNS" is enabled, "Recursive DNS Resolving (Unbound)" is enabled
* Router also provides DHCP as well as recursive DNS resolver for the guest and IoT networks
* For this, "Multiple DHCP Server"s are configured on wlan1.1 and wlan1.2
* In "DHCP Server" I have a few fixed leases that I need
* No "Additional DHCPd Options"
* No "Additional Dnsmasq Options"
This has been working perfectly for a long time. Clients only receive one DNS server via DHCP on all networks, which is the router's respective IP address in that network.
Lately I've been trying to set up a Pi-hole as a dedicated DNS server for my main home network only. For the guest and IoT networks I'd like to keep using the router's recursive resolver as the only DNS server. I tried to set Pi-hole's IP address as "Static DNS 1" in the DHCP server's options. That worked for the main home network of course, but clients on the guest and IoT networks also received this DNS server which broke DNS resolution. I guess I could try to route their DNS traffic to the Pi-hole but I would much rather keep the networks completely separate.
Could anyone please give me advice on how I might achieve this setup? My careful guess is that some magic "Additional Dnsmasq Options" (or possibly "Additional DHCPd Options") is what I need, but I'm not experienced with Dnsmasq and since I don't have a spare router at the moment I'm wary of experimenting too much by myself.
Posted: Sun Mar 24, 2024 15:37 Post subject:
there is something wrong with your setup but I can't see the whole picture... atm too tired..
better update first, as your build is very old and lacks updated services... DNSmasq, Unbound, etc... last build 55416 and probably a new one is coming/expected soon, that has a DNSmasq fix too...
Thank you for your advice, Alozaros. You're of course completely right, I've been neglecting upgrading since it has been so stable. I might upgrade to build 53562 soon, but I'm very hesitant to go higher because I saw that apparently with builds after that on R7800 you have to make a choice of either the router crashing or destroying gigabit performance.
Posted: Sun Mar 24, 2024 16:14 Post subject:
derfraenk wrote:
Thank you for your advice, Alozaros. You're of course completely right, I've been neglecting upgrading since it has been so stable. I might upgrade to build 53562 soon, but I'm very hesitant to go higher because I saw that apparently with builds after that on R7800 you have to make a choice of either the router crashing or destroying gigabit performance.
The last 4.9 build is 53562, so you can safely upgrade to that build.
Pi-hole setup is a sticky in this forum, but it looks like you want to hand out different DNS servers for different interfaces (not sure if that is a good idea but here you go) e.g.:
Thank you very much, egc! Both for confirming about build 53562 and the DHCP options. I'll try to learn more about them and see if I can get it to work that way. For understanding, would these be dhcpd options or Dnsmasq options?
And yes, you're correct, I'm trying to hand out different DNS servers for different interfaces. If you don't mind, could you please elaborate on why you think this may not be a good idea? I'd be happy to learn more and I don't mind setting it up differently if that's better.
Edit: I may not have made that part clear enough. The guest and IoT networks are separate from my home network and use different IP networks with no routing between them. This is why the clients in them lost DNS resolution when they were given the Pi-hole's IP address as DNS server. I'd like to keep this separation if possible.
Thank you again! I had skimmed through the thread but it didn't seem to have what I wanted to achieve. But it could be just my lack of understanding. I will take more time this evening and read through the materials to try and understand better.
Our local DNS/Pi-hole guru will probably also chime in later (knowing him, he is drinking a beer at this time)
@derfraenk
Sorry, I have read through your posts and I don't understand the problem.
You have checked "Use dnsmasq for DNS".
This means that all clients get the address of the router as DNS server or rather the addresses of dnsmasq.
For example:
LAN 192.168.1.1:53
IOT 192.168.2.1:53
Guests 192.168.3.1:53
(depending on which subnets you have configured for DHCP)
You only need to enter the address of the Pi-Hole as Static DNS and everything is configured.
Therefore, I cannot understand and comprehend your statements:
Quote:
"Use DNSMasq for DNS" is enabled
Quote:
I tried to set Pi-hole's IP address as "Static DNS 1" in the DHCP server's options. That worked for the main home network of course, but clients on the guest and IoT networks also received this DNS server which broke DNS resolution.
what?
If "Use dnsmasq for DNS" is enabled then the clients still get the address of the router, nothing changes at all.
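As an added example (not from the thread or from DD-WRT's generated config), here is a dnsmasq fragment that spells out the arrangement ho1Aetoo describes, using the thread's interface names and subnets and an assumed Pi-hole address of 192.168.1.5. The commented-out block at the end is the per-interface variant the original poster first tried to reach, included only to make the difference between the two flows explicit.

```conf
# Constructed example: dnsmasq serving DHCP + DNS on three isolated networks.
# Interface names and subnets follow the thread; 192.168.1.5 is an ASSUMED
# placeholder for the Pi-hole, not an address from the original post.

# Listen only on the internal networks; nothing is offered on the WAN side.
interface=br0        # main home network (wired LAN + wlan0 + wlan1)
interface=wlan1.1    # guest network
interface=wlan1.2    # IoT network

# One DHCP pool per network. dnsmasq picks the pool whose subnet matches the
# address of the interface the request arrived on. Because DHCP option 6 is
# NOT overridden here, every client is told to use the router address of its
# own subnet as DNS (192.168.1.1, 192.168.3.1 or 192.168.2.1), so guest and
# IoT clients never need a route into the home network to resolve names.
dhcp-range=192.168.1.100,192.168.1.199,24h
dhcp-range=192.168.3.100,192.168.3.199,12h
dhcp-range=192.168.2.100,192.168.2.199,12h

# Upstream for all three networks: the Pi-hole ("Static DNS 1" in the GUI).
# Only the router talks to the Pi-hole, so blocking applies to guest and IoT
# clients too. This is the  Client <--> DD-WRT <--> Pi-Hole <--> Public DNS
# flow the thread settles on.
no-resolv
server=192.168.1.5

# The per-interface variant the original poster first wanted: dnsmasq tags
# each request with the name of the receiving interface, so option 6 can be
# set per network. Handing 192.168.1.5 to guest/IoT clients would break their
# resolution unless routing into the home network were allowed, which is
# exactly the separation the thread wants to keep. Left disabled.
#dhcp-option=tag:br0,option:dns-server,192.168.1.5
#dhcp-option=tag:wlan1.1,option:dns-server,192.168.3.1
#dhcp-option=tag:wlan1.2,option:dns-server,192.168.2.1
```

A quick check from a guest client is `nslookup example.com`: the answering server should be the router's address in that subnet, never the Pi-hole's, while the Pi-hole's query log still shows the router as the only client.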
ho1Aetoo, thank you as well. I have read through the sticky again and I think (read: "hope") that I understand now where I had the wrong idea. Perhaps this is also why I was too unclear and where the misunderstanding comes from.
I was trying to do something like in the first example:
* Home net: Client <--> Pi-Hole <--> Public DNS
* Guest net: Client <--> DD-WRT <--> Public DNS
* IoT net: Client <--> DD-WRT <--> Public DNS
My idea was that this would be preferable because it's fewer hops.
Now I understand that the second example would be better suited to my needs because this flow simply applies to all the networks:
Client <--> DD-WRT <--> Pi-Hole <--> Public DNS
Therefore I will forget about my misguided idea and try to set it up like this.
I appreciate everybody's contribution, it helped me a lot.
Just for documentation's sake: It works now with the suggested configuration. Turns out if you do it the correct way, it works. I like the idea that clients in the guest network also benefit from Pi-hole blocking this way. Thanks again to everyone for your help!
Yes, I use the configuration myself - because it works without any problems with virtual isolated interfaces etc.
I also don't need sorting by different clients - I've been using the Pi-Hole for several years and it runs in the background and I only look at the statistics every week/month.
when it works - it works and there is nothing exciting to see