Asus RT-AC68U Merlin DNSFilter + 2 PiHole's?


josh3003

Regular Contributor
I followed a thread on reddit and set up DNSFilter, forcing all requests, both normal and hardcoded/DNS over HTTPS queries, through my router. It works great. I do, however, have a few queries I am hoping some of you could address.


As mentioned, everything seems to go through primary pihole and any query that has hardcoded dns forces itself back to the router which comes up as a query under my router. Awesome.


I've been thinking about redundancy. I was trying to maintain a 2nd pihole using pihole-gemini? Doesn't seem to work with the new Pihole version 5. Nonetheless I also followed a guide and I also have a pihole running in the cloud. I was thinking of pointing my 2nd DNS server to that cloud-based server, in the event of a corrupt SD card or the primary Pi failing. However, with DNSFilter enabled I'd drop my connection, as when it went down, so too would my DNS queries. As a workaround I do have WAN access to my router, so I can access it at any time and disable DNSFilter to allow DNS queries to continue and point to my 2nd DNS server.

Is there any way to force all clients to the primary local pihole and, in the event that it goes offline, have DNS queries then go to the Pi in the cloud or a 2nd local pihole, with the same forced requests through the router, or is that a limitation of DNSFilter? I don't want to disable it altogether and run 2 piholes, as I want all the stats on one and save the other for redundancy if it is ever required. Hope this makes sense; if you need any clarification please let me know. Thanks.
 

ColinTaylor

Part of the Furniture
Have a look at this post and the four following it. It might be what you're after. It does require Merlin's firmware though, not stock.
 

josh3003

Regular Contributor
Or just run service restart_dnsmasq
Thanks. I'll do that later on as well. Might be best to go with PiHole as main DNS, and I might try my cloud-based pihole deployment as my router's WAN DNS; might give me a bit more visibility over what's going on as well as checking logs without it flooding my primary hardwired Pi :)
If it goes belly up, I'll use 9.9.9.9 as a fallback.
 

josh3003

Regular Contributor
Also, bit of an off-topic question, but what's best practice for getting WAN access to the router? Is it safe to have it sitting there open to the world? It's handy for me to access it when I am not at home. But wondering what might be the best way to access it apart from VPN. Any way to check what potentially hits my login page, to check for suspicious activity?
 

ColinTaylor

Part of the Furniture
VPN on a non-standard port is the only recommended way. "Worst practice" would be enabling the web interface to the WAN.

If you have a PC or server on your LAN that is available you have more options there.
 

josh3003

Regular Contributor
Cool, I'll get this fallback dns configured correctly later today and then I can switch off enabling web interface to WAN. Will continue using VPN and accessing it that way.
 

josh3003

Regular Contributor
/jffs/configs/dnsmasq.conf.add
Is there a way to test that this strict-order is working? That all the tries are going to first DNS? How did you do the test which shows the:

server 8.8.4.4#53: queries sent 1008, retried or failed 0
server 8.8.8.8#53: queries sent 0, retried or failed 0

Seems that, although I followed the guide, I am getting some hits on both piholes.
 

dave14305

Part of the Furniture
Is there a way to test that this strict-order is working? That all the tries are going to first DNS? How did you do the test which shows the:

server 8.8.4.4#53: queries sent 1008, retried or failed 0
server 8.8.8.8#53: queries sent 0, retried or failed 0
You can run this and then check the syslog or dnsmasq.log (if using a separate log file):
Bash:
kill -SIGUSR1 $(pidof dnsmasq)
 
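A way to read those per-server counters without eyeballing the syslog. This is an added example, not code from the thread or from the Merlin firmware; the log lines it parses are constructed sample data in the same format dave14305 quoted (the hostname, PID and 192.168.1.x addresses are made up). It flags the situation josh3003 hit later in the thread, where the backup server took queries that the first-listed server should have handled.

```sh
#!/bin/sh
# Added example: check the counters dnsmasq logs after
#   kill -SIGUSR1 $(pidof dnsmasq)
# and report whether the first-listed upstream (the one strict-order is
# supposed to favour) actually handled every forwarded query.
# The lines below are constructed sample syslog output, not a real capture.
SAMPLE_LOG='Jun  1 10:00:01 RT-AC68U dnsmasq[1234]: time 1591005601
Jun  1 10:00:01 RT-AC68U dnsmasq[1234]: queries forwarded 1008, queries answered locally 402
Jun  1 10:00:01 RT-AC68U dnsmasq[1234]: server 192.168.1.10#53: queries sent 1008, retried or failed 0
Jun  1 10:00:01 RT-AC68U dnsmasq[1234]: server 192.168.1.11#53: queries sent 0, retried or failed 0'

# check_strict_order PRIMARY LOGTEXT
#   PRIMARY is the upstream as dnsmasq names it, e.g. "192.168.1.10#53".
#   Prints one summary line. Exit status: 0 = only PRIMARY sent queries,
#   1 = some other server sent queries (order not honoured or primary down),
#   2 = PRIMARY does not appear in the stats at all.
check_strict_order() {
    primary="$1"
    log="$2"
    printf '%s\n' "$log" | awk -v primary="$primary" '
        # only the per-server counter lines; works with or without a syslog prefix
        /server [^ ]+: queries sent/ {
            for (i = 1; i <= NF; i++)
                if ($i == "server") { srv = $(i + 1); sub(/:$/, "", srv) }
            match($0, /queries sent [0-9]+/)
            sent = substr($0, RSTART + 13, RLENGTH - 13) + 0
            match($0, /retried or failed [0-9]+/)
            failed = substr($0, RSTART + 18, RLENGTH - 18) + 0
            if (srv == primary) { seen = 1; psent = sent; pfailed = failed }
            else if (sent > 0) { leak += sent; leakers = leakers " " srv }
        }
        END {
            if (!seen) { print "primary " primary " not in stats"; exit 2 }
            if (leak > 0) {
                print "leak:" leakers " handled " leak " queries; primary sent " psent
                exit 1
            }
            print "ok: " primary " sent " psent ", failed " pfailed
            exit 0
        }'
}

# On the router you would feed it the real log instead of SAMPLE_LOG, e.g.
#   check_strict_order "192.168.1.10#53" "$(grep 'dnsmasq\[' /tmp/syslog.log | tail -n 20)"
check_strict_order "192.168.1.10#53" "$SAMPLE_LOG"
```

Run it once after each SIGUSR1; the counters are cumulative since dnsmasq started, so if you reorder the servers and `service restart_dnsmasq`, the numbers start from zero and the next dump tells you whether the new order is being followed.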

josh3003

Regular Contributor
Ok, so after running that it looks like although I listed the servers sequentially it's using the reverse order as it sent 206 queries to my backup DNS and failed 1 query which was forwarded to my primary DNS.
 

josh3003

Regular Contributor
Update,

I've tried it again, and this time when I unplug the primary Raspberry Pi running pihole locally, my network drops connectivity altogether.
 

dave14305

Part of the Furniture
Why would it be the opposite effect? Should I be using DHCP on the primary pihole as well instead of my router also?
What’s in /etc/resolv.conf? Found this discussion of strict-order:
but note the definition of --strict-order

-o, --strict-order
By default, dnsmasq will send queries to any of the upstream
servers it knows about and tries to favour servers that are
known to be up. Setting this flag forces dnsmasq to try each
query with each server strictly in the order they appear in
/etc/resolv.conf
^^^^^^^^^^^^^^^

It makes no promises about anything not appearing in /etc/resolv.conf.
Maybe it should, but it doesn't. (Or maybe the whole, sorry option
should be removed.....)
 

ColinTaylor

Part of the Furniture
Why would it be the opposite effect? Should I be using DHCP on the primary pihole as well instead of my router also?
No. Never run two DHCP servers on the same subnet.
 
