AX86U New Pihole

Helios

New Around Here
Hello,
My friend gave me a Pi 4B and I decided to try Pihole.
After all the Pihole installation I've changed some settings on my AX86U (Merlin) to use the Pihole DNS, but at first I just changed the WAN DNS to the Pihole and found out that it's not the correct way and I need to change the LAN DHCP settings instead.
I would like some help figuring out if I changed the correct settings.
These are my current settings after the change:

WAN:
Screenshot 2025-11-25 150528.png


LAN:

Screenshot 2025-11-25 150756.png



Do I need to change anything else? I've also seen some people change settings on the DNS Director tab, which on mine is off, but I don't understand yet if that is recommended or not.
Also after changing to the settings above, some devices such as smart bulbs on my guest network stopped working. Weird thing is that most of the devices that were previously on the guest network do work but only some stopped working; even though I could see them connected in the Asus router app, I couldn't control them anymore and had to move them back to the normal wifi network. Any idea why it's happening, or is that something that's supposed to happen?
Thanks ahead for all the help :)
 
Any idea why it's happening, or is that something that's supposed to happen?
Your guest network (depending how it’s configured) might not allow access to other LAN (intranet) devices like the Pi-Hole IP, or the AP may be isolated (clients cannot see each other).
 
Correct Pihole setup was discussed in perhaps >50 threads. Just use Search.
I've seen some threads and some say need to enable the DNS Director and change the settings there and some say not so I'm confused a bit.

Your guest network (depending how it’s configured) might not allow access to other LAN (intranet) devices like the Pi-Hole IP, or the AP may be isolated (clients cannot see each other).
Right, the intranet option is disabled in the guest network, but that wasn't an issue before and some devices still work as before, just some stopped.
Should I just move all to the normal network so they can go through Pihole as well?
Mainly used the guest network for smart bulbs and wifi cameras, nothing else.
 
I've also seen some people change settings on the DNS Director tab, which on mine is off, but I don't understand yet if that is recommended or not.
One advantage of using DNS Director is catching those network clients who try to bypass the Pi-Hole by having their own fixed DNS server values.

Generally if you plan to use DNS Director, you would first enable DNS Director.
Next set Global Redirection to User Defined 1.
In the User Defined #1 field input the IP address for the Raspberry Pi Pi-hole device.
Next under Client List select (or input) the Raspberry Pi's MAC address into the Client MAC Address field and set Redirection to No Redirection, then click the "plus"/add icon on the right to add the entry to the Client List.
Then select the Apply button at the bottom to save the changes.

You may need to reboot both the router and all network clients to ensure the changes you performed are properly used by the router and clients. If one is using the 3006.102.x firmware they can go the next step of using the Guest Network Pro profiles section under DNS Director to further route Guest Network Pro clients to use the main LAN Pi-Hole. One would set each Guest Network Pro profile to User Defined 1 then select the Apply button.

For those using the YazFi addon script for Guest Networks they can input the Raspberry Pi Pi-Hole IP address into the YazFi DNS field(s). This will allow the YazFi clients to use the Pi-Hole. Note that YazFi is not supported under the 3006.102.x firmware. It is 3004.386.x and 3004.388.x firmware only.
 
Okay, thank you, I've enabled DNS Director and followed your steps to configure it.
Though now the rest of the smart bulbs that still worked on the guest network before enabling DNS Director are unavailable too, and I moved them to the normal WiFi network so they can function.
Unfortunately I don't have the Guest Network Pro option as I'm on the AX86U non-Pro and it seems this option is not available on the non-Pro models.

Screenshot 2025-11-26 120303.png


Another question: I'm trying to configure Conditional Forwarding so it can grab the connected clients' names, but no luck getting it to work.
Did I put the wrong IP?
Screenshot 2025-11-26 123550.png


Sorry for my English, and I appreciate all the help so far!
 
@Helios, for Pi-Hole's Conditional Forwarding you follow the example they provided in the Conditional Forwarding section:

"The following list contains all reverse servers you want to add. The expected format is one server per line in form of <enabled>,<ip-address>[/<prefix-len>],<server>[#<port>][,<domain>]. A valid config line could look like true,192.168.0.0/24,192.168.0.1,fritz.box"

So for example, in your case it would be something like the following: true,192.168.50.0/24,192.168.50.1,lan
One would obviously have to adjust the values to match their own network including changing the example "lan" domain name to match what one has entered in the router's LAN > LAN IP Domain Name field.

Further, if you are using YazFi on your RT-AX86U you would also include the YazFi guest network IP address(es) in the Pi-Hole Conditional Forwarding field so the Pi-Hole can resolve the YazFi clients.

IoT devices can sometimes, depending on the device make/model, be tricky to deal with. Particularly if they have a hard coded DNS server, or require a direct link to a local network Home Assistant server, or have the IoT device connected through an AiMesh node or AP node, or have some other configuration setting that is causing the problem. What some do, with the Asus-Merlin 3004.386.x and 3004.388.x firmware, is to use YazFi to isolate IoT devices on the Guest Network. YazFi doesn't work on AiMesh nodes, it only works on the main router. With YazFi one can add the Pi-Hole IP address into the YazFi DNS field(s) so YazFi clients can access the Pi-Hole.
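
The Conditional Forwarding line format quoted in this post, parsed and applied to client addresses to show which reverse (PTR) lookups a rule covers. This is an added example, not part of the original post and not Pi-hole's own code; the function names, the port 53 default and the 192.168.101.23 guest address are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class RevServer(NamedTuple):
    enabled: bool
    network: object          # ipaddress.IPv4Network or IPv6Network
    server: object           # ipaddress.IPv4Address or IPv6Address
    port: int
    domain: Optional[str]

def parse_rev_server(line):
    """Parse <enabled>,<ip-address>[/<prefix-len>],<server>[#<port>][,<domain>]."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 fields, got {len(fields)}")
    if fields[0] not in ("true", "false"):
        raise ValueError("first field must be 'true' or 'false'")
    # strict=False normalises an address with host bits set to its network
    network = ipaddress.ip_network(fields[1], strict=False)
    host, _, port_text = fields[2].partition("#")
    server = ipaddress.ip_address(host)          # raises ValueError if not an IP
    port = int(port_text) if port_text else 53   # assumed default: standard DNS port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    domain = fields[3] if len(fields) == 4 and fields[3] else None
    return RevServer(fields[0] == "true", network, server, port, domain)

def ptr_target(rules, client_ip):
    """Return (ptr_name, server, port) for the first enabled rule that covers
    client_ip, or None when no rule would forward that reverse lookup."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.enabled and ip.version == rule.network.version and ip in rule.network:
            return (ip.reverse_pointer, str(rule.server), rule.port)
    return None

# The line suggested in the thread
RULES = [parse_rev_server("true,192.168.50.0/24,192.168.50.1,lan")]

if __name__ == "__main__":
    # The second address is a constructed guest-subnet client outside the rule
    for client in ("192.168.50.23", "192.168.101.23"):
        print(client, "->", ptr_target(RULES, client))
```

A client whose address falls outside every listed network gets no name lookup forwarded to the router, which is why a separate guest subnet needs its own line.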
 
Thanks, I did put: true,192.168.50.0/24,192.168.50.1,ASUS in the setting. At the moment only 3 out of 15 devices received names and some are still showing only their IP.
Also I noticed after enabling Conditional Forwarding these 2 appeared, is it normal?
Screenshot_20251126_144558.jpg
 
Thanks, I did put: true,192.168.50.0/24,192.168.50.1,ASUS in the setting. At the moment only 3 out of 15 devices received names and some are still showing only their IP.
Give it some time. If after an hour or two the clients are still not being resolved, reboot the router and see if anything changes. Make sure to either manually reserve an IP address, or assign a static IP address, to your Raspberry Pi device if you don't already have one assigned.

Also I noticed after enabling Conditional Forwarding these 2 appeared, is it normal?
Generally yes, you should see the upstream devices (DNS servers and the Asus router) listed there.
 
You would be better off to use Diversion on your router since you are running Merlin firmware.
Diversion can use the same block lists as Pi-Hole. And, I feel it works better than Pi-Hole.
You will have one fewer device to keep up to date and a simpler configuration. The RPI OS will require constant monitoring as Debian 13 and 12 have been getting quite a few security updates recently.
Just my $0.02.
 
After router reboot, as of now 6 out of 18 devices are still missing names. Also the names are different than what I see on my router list; perhaps it doesn't see if the device name is changed in router settings?
I've noticed I have over 6k queries from www.google.com overnight; turns out each Nest device/Android phone (in my case Galaxy S23) sends 2 queries per minute.
1000178496.jpg

1000178498.jpg


What I find odd is that only the www.google.com domain shows as going through the router client as in the picture above, and all other Google domain queries show under the Nest devices client as they're supposed to, I assume.

Thank you for the suggestion, I might look into it in the future if I ever get tired of maintaining PiHole.
 
What I find odd is that only the www.google.com domain shows as going through the router client as in the picture above, and all other Google domain queries show under the Nest devices client as they're supposed to, I assume.
Queries intercepted by DNS Director will appear as if they come from the router in Pi-Hole. Some client must be ignoring the DHCP DNS config.
After router reboot, as of now 6 out of 18 devices are still missing names. Also the names are different than what I see on my router list; perhaps it doesn't see if the device name is changed in router settings?
Rebooting the router resets the DHCP lease table, so the router might not know all the client names until they renew their leases. Or they don’t provide a name when they request an IP. Custom client names in network map aren’t used in answering DNS queries from conditional forwarding.
 
Custom client names in network map aren’t used in answering DNS queries from conditional forwarding.
To add to this, if one uses manual reservations (LAN > DHCP Server > Manual Assignment) and sets a Hostname for the client, Pi-Hole's conditional forwarding should pick up that Hostname value when reporting the queries. It is possible that using YazDHCP may also help with device naming in this instance. Some examples attached.

Network Map client dialog:
Network Map.jpg

Client Status:
Client Status.jpg

Manual reservation using YazDHCP:
Manual reservation (YazDHCP).jpg

Pi-Hole Query entry.
Pi-hole.jpg

For others reading, some other notes to be aware of in general.
If one has a client that randomizes its MAC address that may present issues. One may have to disable that randomization on the client device when using manual reservations on the router. Certain devices may have their DNS hard coded, which is where DNS Director kicks in. When DNS Director intercepts and routes a DNS request it will typically show up in Pi-Hole under the router's IP address, not the client's IP address. That is a good thing since it shows DNS Director is working as intended. Bad in that the client device likely has a hard coded DNS entry and/or is trying to bypass the DHCP DNS servers assigned to the client.

Also one should remember to disable the "Advertise router's IP in addition to user-specified DNS" option on the router's LAN > DHCP Server page when using Pi-Hole.

One will be shocked at the amount of traffic some devices may generate, particularly if using a DNS sinkhole like Pi-Hole that blocks certain destination IP address requests. They may find certain devices don't react well to having certain DNS requests blocked and that device may generate a flood of requests because it expects a response from a specific DNS server or blocked IP address.
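
The pattern described in this post (queries redirected by DNS Director show up in Pi-Hole under the router's IP), turned into a log check. This is an added example, not part of the original post; it assumes the Pi-hole log uses dnsmasq's query-log line format, and the sample lines and ROUTER_IP value are constructed.

```python
import re
from collections import Counter

# dnsmasq query-log entry: "query[<type>] <name> from <source-ip>"
QUERY_RE = re.compile(r"query\[(?P<type>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$")

ROUTER_IP = "192.168.50.1"  # assumed router LAN address, as in the thread's example

# Constructed sample log lines
SAMPLE_LOG = """\
Nov 27 03:00:01 dnsmasq[812]: query[A] www.google.com from 192.168.50.1
Nov 27 03:00:01 dnsmasq[812]: forwarded www.google.com to 9.9.9.9
Nov 27 03:00:04 dnsmasq[812]: query[A] clients3.google.com from 192.168.50.41
Nov 27 03:00:31 dnsmasq[812]: query[AAAA] www.google.com from 192.168.50.1
Nov 27 03:01:01 dnsmasq[812]: query[A] www.google.com from 192.168.50.1
Nov 27 03:01:02 dnsmasq[812]: query[PTR] 41.50.168.192.in-addr.arpa from 127.0.0.1
Nov 27 03:01:10 dnsmasq[812]: query[A] time.example.net from 192.168.50.1
Nov 27 03:01:12 dnsmasq[812]: query[A] time.example.net from 192.168.50.52
""".splitlines()

def split_by_path(lines, router_ip):
    """Tally queries that arrived with the router as source (redirected by
    DNS Director, or the router's own lookups) separately from queries sent
    directly by clients that honour the DHCP-assigned DNS server."""
    via_router, direct = Counter(), Counter()
    for line in lines:
        match = QUERY_RE.search(line)
        if not match:
            continue  # forwarded/reply/cached lines are not client queries
        if match["src"] == router_ip:
            via_router[match["name"]] += 1
        else:
            direct[(match["src"], match["name"])] += 1
    return via_router, direct

def router_only_names(lines, router_ip):
    """Names that only ever arrive via the router: the lookups most likely to
    come from clients using a fixed DNS server instead of the DHCP one."""
    via_router, direct = split_by_path(lines, router_ip)
    direct_names = {name for _, name in direct}
    return sorted(name for name in via_router if name not in direct_names)

if __name__ == "__main__":
    via_router, _ = split_by_path(SAMPLE_LOG, ROUTER_IP)
    print("via router:", via_router.most_common())
    print("router-only names:", router_only_names(SAMPLE_LOG, ROUTER_IP))
```

Pi-Hole cannot attribute these queries to a device because the source address has been rewritten; finding the device means checking on the router side which clients are sending DNS to an outside server.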
 
So basically the flood in the logs now from "www.google.com" is how it's supposed to be if a device has hard coded DNS? I see.
Was worried because it clogs the logs, got around 11k just from www.google.com over 24 hours.
 
