ASUS GT-AXE16000 Pihole+Unbound

[mustardquail]

Hi, I'm trying to get Pihole+Unbound working on my ASUS GT-AXE16000 running stock firmware.

I have the Pihole working fully and have been testing it with Unbound, everything seems to be working fine for about a month here with the devices I've tested being manually pointed to the Pihole.

I recently made the change to point all devices on the network to the Pihole from LAN settings (not WAN). I entered the Pihole IP in DNS Server 1, but left DNS Server 2 blank.

I had read that DNS Server 2 being blank might mean that the router inserts itself in DNS Server 2 silently, despite having Disabled the option for Advertise router's IP in addition to user-specified DNS. Can anyone confirm if this is true or not, with the ASUS GT-AXE16000?

For context, I'm hoping to force all client devices through the Pihole, as I've also heard that the Pihole can override even DNS requests for hardcoded DNS servers (8.8.8.8 & 8.8.4.4, and similar) such that these requests are still filtered.

 

[bennor]

See the following link, if you haven't already, for a general setup of Pi-Hole on Asus/Asus-Merlin firmware:
https://www.snbforums.com/threads/pihole-dns.74646/page-3#post-712319

Note: If running Asus-Merlin 3006.102.4_beta2 firmware one may have to change the DNS Director Global Redirection from Router to User Defined DNS 1 and input their Pi-Hole IP address into User Defined DNS 1.

And make sure to remove the Pi-Hole IP addresses from the WAN DNS fields if using the LAN DHCP DNS fields.

PS: One can block specific DNS servers like Google's 8.8.8.8 and 8.8.4.4 by using the LAN > Route page. Example for how to do so:

https://support.strongvpn.com/hc/en-us/articles/360043339733-Blocking-Public-DNS-on-an-Asus-Router

 

[ColinTaylor]

I had read that DNS Server 2 being blank might mean that the router inserts itself in DNS Server 2 silently, despite having Disabled the option for Advertise router's IP in addition to user-specified DNS. Can anyone confirm if this is true or not, with the ASUS GT-AXE16000?

No that's not true (or at least AFAIK). You can easily check this by seeing what DNS servers are being picked up by your clients.

For context, I'm hoping to force all client devices through the Pihole, as I've also heard that the Pihole can override even DNS requests for hardcoded DNS servers (8.8.8.8 & 8.8.4.4, and similar) such that these requests are still filtered.

The LAN DHCP settings do not force a client to use those DNS servers. It's down to the client whether it uses or ignores them. To force hardcoded DNS server requests to go elsewhere you would have to use something like DNS Filter in Merlin's firmware (I don't think stock firmware has an equivalent). And that's ignoring the whole issue of DoH.

 

[mustardquail]

Thank you both for these replies! I'll look into setting up that route as well.

I had to disable the Pihole setting in my router, as something went severely wrong randomly after a while of it working fine. For whatever reason, my router's CPU spiked to 90%+ multiple times, and full LAN connectivity would drop so I wouldn't be able to see the Pihole on the network or even reach the router. Had to reconnect to different access points just to undo the change; I'm still stumped on what caused this.

I ended up doing a full reboot of the Pihole and the router after undoing the change, though router reboots would not fix this during the worst parts of this issue. I kept seeing issues like below from pihole-FTL logs

2025-04-30 12:29:55.234 forwarded outlook.office.com to 127.0.0.1#5335
2025-04-30 12:29:55.235 reply outlook.office.com is NODATA-IPv4
2025-04-30 12:29:55.244 query[A] outlook.office.com from 10.10.1.116
2025-04-30 12:29:55.244 cached outlook.office.com is NODATA-IPv4
2025-04-30 12:29:55.254 forwarded outlook.office.com to 127.0.0.1#5335
2025-04-30 12:29:55.254 reply error is SERVFAIL

And from pihole logs

2025-04-30 10:56:09.232 WARNING Long-term load (15min avg) larger than number of processors: 5.1 > 4
2025-04-30 11:01:09.232 WARNING Long-term load (15min avg) larger than number of processors: 4.8 > 4
2025-04-30 11:04:26.231 WARNING Connection error (127.0.0.1#5335): TCP connection failed while receiving payload length from upstream (Connection prematurely closed by remote server)
2025-04-30 11:06:09.232 WARNING Long-term load (15min avg) larger than number of processors: 4.6 > 4
2025-04-30 11:06:30.279 WARNING Connection error (127.0.0.1#5335): TCP connection failed while receiving payload length from upstream (Connection prematurely closed by remote server)
2025-04-30 11:11:09.236 WARNING Long-term load (15min avg) larger than number of processors: 4.4 > 4
2025-04-30 11:16:09.240 WARNING Long-term load (15min avg) larger than number of processors: 4.3 > 4
2025-04-30 11:16:27.455 WARNING Connection error (127.0.0.1#5335): TCP connection failed while receiving payload length from upstream (Connection prematurely closed by remote server)
2025-04-30 11:21:09.244 WARNING Long-term load (15min avg) larger than number of processors: 4.3 > 4
2025-04-30 11:24:01.920 WARNING Connection error (127.0.0.1#5335): TCP connection failed while receiving payload length from upstream (Connection prematurely closed by remote server)

Really uncertain what could have caused this, as I was having no issues with manually assigned hosts on the Pihole+Unbound setup for over a month before implementing these changes from the router to point to the Pihole and stop advertising the router's IP as a DNS server. I'm running this on a Raspberry Pi 5 and my router is an ASUS GT-AXE16000, so I was really surprised that system resources on the router end were being taxed this heavily even though it's pretty beefy hardware from what I understand.

 

[ColinTaylor]

I don't know anything about PiHole or Unbound, but at the risk of stating the obvious it appears that the Unbound server is not running (on port 5335).

 

[bennor]

I had to disable the Pihole setting in my router, as something went severely wrong randomly after a while of it working fine. For whatever reason, my router's CPU spiked to 90%+ multiple times, and full LAN connectivity would drop so I wouldn't be able to see the Pihole on the network or even reach the router. Had to reconnect to different access points just to undo the change; I'm still stumped on what caused this.

What did the Pi-Hole Dashboard show for queries? Did it show a huge spike in queries? Like thousands all at once?

Its possible, depending on your configuration you had a feedback loop develop if you used the Pi-Hole in the WAN DNS field(s) and had Conditional Forwarding enabled on the Pi-Hole. Such a feedback loop floods the local network and crashes it. Check the WAN DNS and ensure the Pi-Hole IP address isn't listed there if you have Conditional Forwarding enabled on the Pi-Hole.

 

[mustardquail]

Interesting puzzle for sure! I had only set the Pihole as the DNS Server in LAN though, not WAN. I had set Quad9 as the WAN DNS. I did end up seeing much more queries, and while I had the Pihole IP address in DNS Server 1 & 2, I saw an error in Pihole diagnostics like "max 150 concurrent DNS queries reached" or something similar before I reverted my settings back to pre-Pihole working config. It's been back to normal working conditions for a few hours now, but this image is what it looked like (you can see a few spikes before returning back to normal)

The dip around 10:00-11:00 was me trying to troubleshoot it by disabling some of these changes I'd made the night before. I had not fully reverted the changes and the problem seemed to creep back again until I fully reverted these changes in the 13:00 hour.

I had not set up conditional forwarding, but I had added a few network service filter rules in Firewall settings like so (Deny list):
TCP & UDP: Source IP *, Source Port *, Dest IP 8.8.8.8, Dest Port 53
TCP & UDP: Source IP *, Source Port *, Dest IP 8.8.4.4, Dest Port 53

I have a suspicion that these firewall rules may have caused some issues that triggered the Unbound service to crash or otherwise become unresponsive on the Pihole server, which then cascaded into further instability on the router's end and contributed to significant CPU usage. The Unbound errors have not returned after I reverted settings and rebooted both devices.

 

[bennor]

I had not set up conditional forwarding, but I had added a few network service filter rules in Firewall settings like so (Deny list):
TCP & UDP: Source IP *, Source Port *, Dest IP 8.8.8.8, Dest Port 53
TCP & UDP: Source IP *, Source Port *, Dest IP 8.8.4.4, Dest Port 53

Yes, that may be a possible cause depending on your setup. As indicated previously (in a provided link) the easy way to block public DNS servers like Google's is to use the LAN > Route setting to route 8.8.8.8 and 8.8.4.4 to the router's IP in the Gateway field. The following example that I've been using for years without issue with Pi-Hole + Unbound.

 

[mustardquail]

This is great, thank you! I am planning to test this over the weekend so I'll definitely take a look. Admittedly, my attempts earlier this week were a bit impulsive and I should have done it over the weekend anyway -- but lesson learned!