AX92U: force all DNS requests to Pi-hole

priestman

New Around Here
Hi All,
I built my AiMesh system with Pi-hole and everything is working fine already, but I'd like to force all DNS traffic to the Pi-hole.
I'm using Pi-hole for parental control too, and I want to make sure there is no hardcoded or manually set DNS in our home network.

So, anyone know how to force traffic through the Pihole?
(I know, with Merlin it's just a few clicks, but it's not out for this router yet.)

I think Firewall - Network Services Filter would be my friend in this case, but I don't know how to set it up exactly.

[attached screenshot: Screenshot 2022-01-19 at 16.40.16.png]

A possible solution, as an "Allow list":
Destination IP: "Pihole IP"
Port Range: "53"
Protocol: "TCP" and "UDP"

Will this be OK, or will I kill our internet connection?
My family is at home all week, so I should be very careful with this. :p

Thanks in advance.
 

ColinTaylor

Part of the Furniture
That will kill your internet connection. The NSF only controls LAN to WAN traffic.
 

fbicknel

Occasional Visitor
I'm wingin' it here, so don't take this as the absolute truth:

I think you need to put your pihole DNS server on the WAN side of your router... so make yourself a little DMZ there between your home router and your ISP's router... and point the router's DNS server settings at that device. You should probably firewall off your pihole from the Internet inbound traffic and set up DoS protections for port 53. That would involve some tinkering with the firewall rules on the ISP's router.

Hopefully someone more skilled than me can check this and tell me where I've gone astray. Meantime; sounds like an interesting experiment. ;)
 

priestman

New Around Here
fbicknel wrote:
> I'm wingin' it here, so don't take this as the absolute truth:
>
> I think you need to put your pihole DNS server on the WAN side of your router... so make yourself a little DMZ there between your home router and your ISP's router... and point the router's DNS server settings at that device. You should probably firewall off your pihole from the Internet inbound traffic and set up DoS protections for port 53. That would involve some tinkering with the firewall rules on the ISP's router.
>
> Hopefully someone more skilled than me can check this and tell me where I've gone astray. Meantime; sounds like an interesting experiment. ;)
Thank you for participating in the brainstorming :)

I tried this earlier, but I had to revert back. There were two disadvantages of this method:
  • All queries came from the router's IP, so the Pi-hole couldn't tell which device sent them
  • The router couldn't reach the "outside world", so there were serious time synchronization issues
 

ColinTaylor

Part of the Furniture
priestman wrote:
> Thank you for participating in the brainstorming :)
>
> I tried this earlier, but I had to revert back. There were two disadvantages of this method:
>   • All queries came from the router's IP, so the Pi-hole couldn't tell which device sent them
>   • The router couldn't reach the "outside world", so there were serious time synchronization issues
I think this is a different subject. It's just about how to integrate PiHole into your network.

I interpreted your original question as "how do I intercept and redirect DNS queries that ignore my local DNS". This is what DNSFilter tries to do in Merlin's firmware. But as far as I know that feature is not available in stock firmware. Even with Merlin's firmware this technique is becoming ineffective as iOS, Android, etc. introduce DoH.
 
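As an added example (not code from any poster in this thread, nor from Asus or Merlin firmware), here is what the "intercept and redirect" approach looks like when done by hand with iptables on an Asuswrt-style router, plus a small report over the resulting log lines so you can see which clients are ignoring the DHCP-supplied DNS. Assumptions: the Pi-hole is at 192.168.50.2, the LAN bridge is br0, iptables with the nat table is available, and the DNS-BYPASS syslog lines embedded below are constructed samples. Because DNAT rewrites only the destination, the Pi-hole still sees each client's real source address, which avoids the "everything comes from the router" problem mentioned above. DNS-over-TLS on 853 can be rejected, but DoH on 443 is indistinguishable from ordinary HTTPS and is not caught here, which is the limitation the post describes.

```shell
#!/bin/sh
# Added example, not code from this thread or from any router firmware.
# Intercept-and-redirect of LAN DNS to a Pi-hole on an Asuswrt-style router,
# the technique DNSFilter in Merlin's firmware automates.  Assumptions:
# Pi-hole at 192.168.50.2, LAN bridge br0, iptables with the nat table.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.

PIHOLE="${PIHOLE:-192.168.50.2}"   # assumed Pi-hole address
LAN_IF="${LAN_IF:-br0}"            # assumed LAN bridge interface
CHAIN="DNSPIHOLE"                  # our own nat chain, so the rules are easy to flush

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the rules.  Order matters:
#   1. RETURN for the Pi-hole's own traffic, or its upstream queries loop back to it
#   2. LOG everything else on port 53: that is a client ignoring the DHCP-supplied DNS
#   3. DNAT the query to the Pi-hole; conntrack un-NATs the reply, so the client
#      still sees an answer "from" the server it asked
#   4. reject DNS-over-TLS (853) from the LAN, since it cannot be redirected
# Not covered: DNS-over-HTTPS on 443, which looks like ordinary HTTPS.
dns_redirect_rules() {
    ipt -t nat -N "$CHAIN" 2>/dev/null || true
    ipt -t nat -F "$CHAIN"
    ipt -t nat -A "$CHAIN" -s "$PIHOLE" -j RETURN
    ipt -t nat -A "$CHAIN" -d "$PIHOLE" -j RETURN
    ipt -t nat -A "$CHAIN" -j LOG --log-prefix "DNS-BYPASS: " --log-level 6
    ipt -t nat -A "$CHAIN" -j DNAT --to-destination "$PIHOLE"
    for proto in udp tcp; do
        # delete-then-add keeps the jump rule idempotent across reruns
        ipt -t nat -D PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j "$CHAIN" 2>/dev/null || true
        ipt -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j "$CHAIN"
    done
    ipt -D FORWARD -i "$LAN_IF" -p tcp --dport 853 -j REJECT --reject-with tcp-reset 2>/dev/null || true
    ipt -I FORWARD -i "$LAN_IF" -p tcp --dport 853 -j REJECT --reject-with tcp-reset
}

# Summarise the LOG lines as "count client -> dns_server_they_tried", most frequent first.
bypass_clients() {
    grep 'DNS-BYPASS:' \
        | sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\).*/\1 -> \2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{printf "%s %s -> %s\n", $1, $2, $4}'
}

# Constructed sample of what the kernel LOG target writes to syslog (not real data).
SAMPLE_LOG=$(cat <<'EOF'
Jan 19 16:40:16 router kernel: DNS-BYPASS: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Jan 19 16:40:17 router kernel: DNS-BYPASS: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51235 DPT=53 LEN=40
Jan 19 16:41:02 router kernel: DNS-BYPASS: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.40 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44100 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
)

case "${1:-}" in
    apply)   dns_redirect_rules ;;
    dry-run) (DRY_RUN=1; dns_redirect_rules) ;;
    report)  printf '%s\n' "$SAMPLE_LOG" | bypass_clients ;;   # real use: cat /tmp/syslog.log | bypass_clients
esac
```

Run it as `sh dns-redirect.sh dry-run` first to inspect the rules, `apply` (as root on the router) to install them, and `report` to see the summary of the embedded sample; on a real router feed the syslog into `bypass_clients` instead. Hand clients the Pi-hole address directly via the router's DHCP settings so the redirect only has to catch the stragglers.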

fbicknel

Occasional Visitor
priestman wrote:
> Thank you for participating in the brainstorming :)
>
> I tried this earlier, but I had to revert back. There were two disadvantages of this method:
>   • All queries came from the router's IP, so the Pi-hole couldn't tell which device sent them
>   • The router couldn't reach the "outside world", so there were serious time synchronization issues
Sounds like you put the pihole between your home router and the ISP router. I meant put a switch there, plug all three devices into that switch. That's the "DMZ". You're not technically "on the Internet", but it's outside your home network. The ISP router is your firewall to protect the pi that's sitting on its network otherwise unprotected. Your home router can use the pi as its DNS server.

This is different from putting the pi between your two routers. Yeah, then the home router can't get to the ISP router and it's all confused.

Your first disadvantage is going to stand, however. All DNS requests from your network will get funneled through the home router, so pi can't tell where they actually come from.

Personally, my pi is inside hanging off one of the LAN ports of my home router. I point every client's DNS server at that. That's the way they intended it to work, I think. You could set up your DHCP server on the router to point there. Maybe that is closer to what you're looking for?
 

bbunge

Part of the Furniture
Thank you for sending me down a rabbit hole researching DoH. :)
DNS based Parental Control just does not work once the kids learn bypass tricks from their friends. Best attempt is to dump the Pi-Hole and use Diversion on Merlin firmware.
Or set up an old PC as a router firewall with a product such as IP-Fire. It has an IP based filtering system that works.
 

fbicknel

Occasional Visitor
bbunge wrote:
> DNS based Parental Control just does not work once the kids learn bypass tricks from their friends. Best attempt is to dump the Pi-Hole and use Diversion on Merlin firmware.
> Or set up an old PC as a router firewall with a product such as IP-Fire. It has an IP based filtering system that works.
"The kids" will eventually learn to tether their phones and bypass the entire network. <grin>

Or use location-based bypass techniques such as... go to my friend's howse wit open netz.
 
