DNS filter with fallback

@ColinTaylor definitely not working on my network. Tested on 2 devices (macOS and Windows) and 2 browsers.
  1. Disabled the DNS on 192.168.1.12
  2. Confirmed devices have DNS records set (both show 192.168.1.12 and 192.168.1.1)
  3. Browsing to dnsleaktest.com on primary browser fails
  4. Browsing to dnsleaktest.com on secondary browser (clean browser only used for testing) fails
  5. Dig google.com fails
  6. Dig @9.9.9.9 google.com fails
  7. Whitelist device in DNSFilter settings, browsing works fine
From this it seems like the DNSFiltering is blocking any queries that aren't from devices on the client list. I feel like I'm missing a setting somewhere as you've got it working.
Having DNSFilter enabled and set to Router will always send the requests it receives to 192.168.1.12. Only if LAN DHCP DNS1 is blank will the router’s dnsmasq receive the queries. So by disabling DNS on PiHole, the whole thing breaks.

I think you’d have better luck without DNS filter enabled, but results could be unpredictable.
 
Having DNSFilter enabled and set to Router will always send the requests it receives to 192.168.1.12.
Doh! Yes you are correct.

So I think he'll need to set Global Filter Mode to Custom #1. Where Custom #1 is configured with the router's IP address (e.g. 192.168.1.1).

Then the only thing in the Client List is an exception for the PiHole's address (192.168.1.2), assuming that you want it to go somewhere other than the router. OTOH you might want the PiHole to forward through the router so this entry wouldn't be needed at all.
 
Ok, that makes a bit more sense now. If I could get away with not using the DNSFilter I would, but hard coded DNS records are forcing the hand there.

Thank you both for the help, adding the router to the custom entry is working perfectly.
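
A small model of the redirect behaviour described in the posts above, added here as an illustration (not code from any poster or from the router firmware). The mode labels, function names and the test client address are assumptions of this sketch; it shows why the secondary DNS entry gave no fallback in Router mode and why pointing Custom #1 at the router did.

```python
# Added illustration: a model of the behaviour described in this thread,
# not router firmware code. Addresses are the thread's; the mode labels
# ("router", "custom1", "none") and function names are assumptions.
ROUTER = "192.168.1.1"
PIHOLE = "192.168.1.12"

def redirect_target(client, dest, cfg):
    """Server that actually receives a client's port-53 query sent to dest."""
    mode = cfg["client_list"].get(client, cfg["global_mode"])
    if mode == "none":       # whitelisted: query is left alone
        return dest
    if mode == "custom1":
        return cfg["custom1"]
    if mode == "router":     # DHCP DNS1 if set, else the router's dnsmasq
        return cfg["dhcp_dns1"] or ROUTER
    raise ValueError(f"unknown mode: {mode}")

def lookup(client, resolvers, cfg, servers_up):
    """Try each resolver the client has configured; return who answered, or None."""
    for dest in resolvers:
        target = redirect_target(client, dest, cfg)
        if target in servers_up:
            return target
    return None

CLIENT = "192.168.1.50"                 # constructed test client
DHCP_RESOLVERS = [PIHOLE, ROUTER]       # what the devices showed in step 2
UP = {ROUTER, "9.9.9.9"}                # Pi-hole DNS disabled (step 1)

BROKEN = {"global_mode": "router", "dhcp_dns1": PIHOLE, "custom1": None, "client_list": {}}
WHITELISTED = {**BROKEN, "client_list": {CLIENT: "none"}}
FIXED = {"global_mode": "custom1", "dhcp_dns1": PIHOLE, "custom1": ROUTER,
         "client_list": {PIHOLE: "none"}}

if __name__ == "__main__":
    for name, cfg in [("router mode", BROKEN), ("whitelisted", WHITELISTED), ("custom #1", FIXED)]:
        print(name, "| DHCP resolvers ->", lookup(CLIENT, DHCP_RESOLVERS, cfg, UP),
              "| dig @9.9.9.9 ->", lookup(CLIENT, ["9.9.9.9"], cfg, UP))
```

In the model, Router mode rewrites the destination of every query, so the client's second resolver entry is redirected to the stopped Pi-hole as well and never acts as a fallback.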
 
Have you tried an Open DNS filter?

We're about to implement one here on the advice of some external security group. We have around 40 staff and training on its own doesn't seem to be fostering good web using habits.
The DNSFilter being discussed in this thread is not the same as the OpenDNS filter.

DNSFilter is a router option that can be used to force clients to use a specific DNS server. That DNS server could be your company's, your ISP's, OpenDNS, 9.9.9.9, or any other server of your choosing.
 
I recently started testing "AdGuard Home" running on a local always-on macOS server as a backup to unbound with adblocking running on an AC-86U used as an access point. Not that I can tell much of a difference in real life, but it's actually so much faster than the Asus that I switched it to be the primary DNS and the Asus as backup.

You might consider a similar setup with AdGuard as a backup to your Pihole, if you have an always-on computer on your network.
 
