
Can't get DNSFilter to work... RT-AC3100

Discussion in 'Asuswrt-Merlin' started by Skruf, Apr 20, 2019.

  1. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    17
    I can't seem to get DNSFilter to work. I thought I'd just try a simple setup and see if I could have DNSFilter force a computer on the network to use Quad9.

    I turned on DNSFilter and set Global to No Filtering... Set the computer MAC in the Client MAC Address space and chose Quad9... No go... Still uses the local DNS (pi-hole) set in the static setup on the computer.

    I have tried it with local DNS servers setup in LAN-DHCP Server-DNS Server 1 & 2... tried it with them blank... Tried it setting Global to Router... Nothing seems to work for me.

    I do have the local DNS server (pi-hole) going through a VPN but I disabled that when I was doing the testing (removed it from the VPN).

    I've tried all the variations I can think of (except for the right one) but nothing seems to work. I've even reset the router and did a manual reconfigure with no difference... Any suggestions?

    Here's what iptables shows when the router is setup up as above (Global No Filtering)...

    Code:
    [email protected]:/tmp/home/root# iptables -t nat -L -v -n
    Chain PREROUTING (policy ACCEPT 335 packets, 28757 bytes)
     pkts bytes target     prot opt in     out     source               destination
       28  4067 VSERVER    all  --  *      *       0.0.0.0/0            84.123.134.64
      147 11506 DNSFILTER  udp  --  *      *       192.168.10.0/24      0.0.0.0/0            udp dpt:53
        0     0 DNSFILTER  tcp  --  *      *       192.168.10.0/24      0.0.0.0/0            tcp dpt:53
    
    Chain INPUT (policy ACCEPT 186 packets, 10107 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 4 packets, 236 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 4 packets, 236 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      tun12   192.168.10.0/24      0.0.0.0/0
        0     0 MASQUERADE  all  --  *      tun11   192.168.10.0/24      0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0            policy match dir out pol ipsec
      201 15399 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
      175 13691 MASQUERADE  all  --  *      eth0   !84.123.134.64        0.0.0.0/0
        0     0 MASQUERADE  all  --  *      br0     192.168.10.0/24      192.168.10.0/24
    
    Chain DNSFILTER (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 3C:W9:E5:54:26:42to:9.9.9.9
    
    Chain LOCALSRV (0 references)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain PCREDIRECT (0 references)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain PUPNP (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain VSERVER (1 references)
     pkts bytes target     prot opt in     out     source               destination
       28  4067 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain VUPNP (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    Thanks...
     
  2. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,334
    For DNS filter to work, the DNS traffic has to be routed through the router. If the computer is configured to use a pi-hole address on your LAN, DNSfilter will not see that traffic. Set the computer to get DNS automatically and then it will probably work.

    Edit: LAN DHCP dns is also set for which DNS servers? Internal pi-hole or external DNS?
     
  3. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    17
    Thanks... I did set the computer to get a DHCP address at one point... But, I think I did have the DHCP-DNS Servers set to the pi-hole... I've also left those blank and had the WAN DNS set to external...

    I thought that when I had Global set to Router that would capture ALL DNS (53) requests no matter what was hard set on a device.

    I'll give it a shot as you describe...
     
  4. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,334
    LAN-to-LAN traffic doesn’t get routed, it gets switched as I best understand it. If pi-hole is set in the LAN DHCP server page, at least manually configure the computer to use the router ip for DNS.
     
    Skruf likes this.
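    The two replies above come down to one condition: the DNSFILTER chain only sees a port-53 packet if that packet enters the router's nat PREROUTING hook, and a query addressed to another host on the LAN never does. The script below is an added example (not Asuswrt-Merlin code): it parses `iptables -t nat -L -v -n` output like the table Skruf posted and predicts, for a given client, whether its query bypasses the router, is redirected by a per-MAC DNAT rule, by a global rule, or passes unfiltered. The embedded table is constructed to mirror the posted one, with a placeholder MAC and a documentation-range WAN address; the "switched, not routed" rule is the model dave14305 describes, encoded as an assumption.

```python
"""Parse `iptables -t nat -L -v -n` output and predict whether a LAN client's
port-53 query is ever seen by the DNSFILTER chain.

Added example; not code from Asuswrt-Merlin. SAMPLE_NAT is constructed to
mirror the structure of the output posted in the thread, with a placeholder
MAC (AA:BB:CC:DD:EE:01) and a documentation-range WAN address (203.0.113.10).
"""
import ipaddress
import re

SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 335 packets, 28757 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  4067 VSERVER    all  --  *      *       0.0.0.0/0            203.0.113.10
  147 11506 DNSFILTER  udp  --  *      *       192.168.10.0/24      0.0.0.0/0            udp dpt:53
    0     0 DNSFILTER  tcp  --  *      *       192.168.10.0/24      0.0.0.0/0            tcp dpt:53

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:01 to:9.9.9.9
"""

# Columns: pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)(.*)$")
MAC_RE = re.compile(r"MAC\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
TO_RE = re.compile(r"to:(\S+)")          # no \b: forum copies sometimes fuse "...42to:9.9.9.9"
DPT_RE = re.compile(r"dpt:(\d+)")


def parse_nat_table(text):
    """Return {chain: [rule, ...]} with each rule reduced to the fields we need."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE_RE.match(line) if current else None
        if not m:
            continue  # header row, blank line, or text before the first chain
        target, proto, src, dst, extra = m.groups()
        mac, to, dpt = MAC_RE.search(extra), TO_RE.search(extra), DPT_RE.search(extra)
        chains[current].append({
            "target": target, "proto": proto, "src": src, "dst": dst,
            "mac": mac.group(1).upper() if mac else None,
            "to": to.group(1) if to else None,
            "dport": int(dpt.group(1)) if dpt else None,
        })
    return chains


def predict_dns_path(chains, client_ip, client_mac, dns_server, router_ip, lan_subnet):
    """Where does a query from (client_ip, client_mac) to dns_server:53 end up?

    Assumed model, as stated in the thread: a query addressed to another host
    on the LAN subnet is switched, not routed, so it never reaches the nat
    PREROUTING hook and DNSFilter cannot touch it. Queries addressed to the
    router itself or to any off-subnet address are routed and do pass through.
    """
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    dst, cip = ipaddress.ip_address(dns_server), ipaddress.ip_address(client_ip)
    if dst in lan and dst != ipaddress.ip_address(router_ip):
        return ("bypasses-router", dns_server)
    # Does PREROUTING hand this client's port-53 traffic to the DNSFILTER chain?
    hooked = any(
        r["target"] == "DNSFILTER" and r["dport"] == 53
        and cip in ipaddress.ip_network(r["src"], strict=False)
        for r in chains.get("PREROUTING", [])
    )
    if not hooked:
        return ("not-hooked", dns_server)
    per_mac = glob = None
    for r in chains.get("DNSFILTER", []):
        if r["target"] != "DNAT":
            continue
        if r["mac"] == client_mac.upper():
            per_mac = per_mac or r["to"]   # first matching rule wins, as in iptables
        elif r["mac"] is None:
            glob = glob or r["to"]         # a rule without a MAC match is the global mode
    if per_mac:
        return ("redirected-by-mac", per_mac)
    if glob:
        return ("redirected-global", glob)
    return ("unfiltered", dns_server)


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_NAT)
    for ip, mac, dns in [("192.168.10.50", "aa:bb:cc:dd:ee:01", "192.168.10.2"),
                         ("192.168.10.50", "aa:bb:cc:dd:ee:01", "192.168.10.1"),
                         ("192.168.10.60", "aa:bb:cc:dd:ee:02", "1.1.1.1")]:
        print(ip, mac, "->", dns, predict_dns_path(table, ip, mac, dns,
                                                   "192.168.10.1", "192.168.10.0/24"))
```

    Run against a live box by piping the real table in (`iptables -t nat -L -v -n | python3 script.py` with `SAMPLE_NAT` swapped for `sys.stdin.read()`); the useful check is the first case, where the client points at the pi-hole's LAN address and the result is "bypasses-router" even though a DNAT rule for its MAC exists.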
  5. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    17
    Well, tried it like you described and got better results. I mistakenly thought that the way I had it set up the router would grab any DNS traffic but like you mention it wasn't pointed that way and since it was local traffic it didn't need the router anyway.

    Thanks for the clarity!
     
  6. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,334
    You might consider this:
    1. Clear LAN DHCP DNS 1 and 2.
    2. Advertise router's IP in addition to user-specified DNS = yes.
    3. DNSFilter custom 1 = pi-hole ip
    4. DNSFilter global mode = Custom 1
    5. DNSFilter computer MAC = Quad9
    6. DNSFilter pi-hole MAC = No filtering
    Just be careful using DNSFilter so you don’t mistakenly block your pi-hole. Now I’ll shut my pie-hole.
     
    martinr likes this.
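    The six steps above can be checked before they are typed into the GUI. The script below is an added example, not Asuswrt-Merlin code: it models steps 3 to 6 as a small configuration object, computes the resolver each client actually ends up at, and audits for the pitfall dave14305 warns about, namely the pi-hole's own upstream queries being DNAT'd back to the pi-hole because its MAC was not set to "No filtering". Mode names follow the GUI labels used in the thread, and the MACs and addresses are constructed.

```python
"""Model of the DNSFilter layout recommended in the thread and a check for
the mistake it warns about.

Added example, not Asuswrt-Merlin code. Mode names ("No filtering", "Router",
"Custom 1", "Quad9") follow the GUI labels used in the thread; client MACs and
LAN addresses below are constructed.
"""

NO_FILTERING = "No filtering"
ROUTER = "Router"
PRESETS = {"Quad9": "9.9.9.9"}   # only the preset the thread uses


def recommended_config(router_ip, pihole_ip, pihole_mac, computer_mac):
    """Steps 3-6: global mode = Custom 1 = pi-hole, the computer forced to
    Quad9, and the pi-hole exempted so its upstream queries are left alone."""
    return {
        "router_ip": router_ip,
        "global": "Custom 1",
        "custom": {1: pihole_ip},
        "clients": {computer_mac.upper(): "Quad9", pihole_mac.upper(): NO_FILTERING},
    }


def effective_resolver(cfg, mac, requested_dns):
    """Address a port-53 query from `mac` is delivered to once DNSFilter has
    applied the per-client entry or, failing that, the global mode."""
    mode = cfg["clients"].get(mac.upper(), cfg["global"])
    if mode == NO_FILTERING:
        return requested_dns
    if mode == ROUTER:
        return cfg["router_ip"]
    if mode.startswith("Custom "):
        return cfg["custom"][int(mode.split()[1])]
    return PRESETS[mode]


def audit(cfg, pihole_mac, pihole_ip, pihole_upstream):
    """Return a list of problems that would take the pi-hole off the air.

    The one named in the post: with the global mode pointing at the pi-hole,
    a pi-hole entry that is anything other than 'No filtering' can send its
    upstream queries straight back to itself, so every uncached lookup fails.
    """
    problems = []
    if effective_resolver(cfg, pihole_mac, pihole_upstream) == pihole_ip:
        problems.append(
            f"pi-hole ({pihole_mac}) upstream queries to {pihole_upstream} are "
            f"redirected to itself ({pihole_ip}); set its entry to '{NO_FILTERING}'"
        )
    return problems


if __name__ == "__main__":
    cfg = recommended_config("192.168.10.1", "192.168.10.2",
                             "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01")
    for mac, asked in [("aa:bb:cc:dd:ee:01", "192.168.10.1"),   # the computer
                       ("aa:bb:cc:dd:ee:03", "192.168.10.1"),   # any other client
                       ("aa:bb:cc:dd:ee:02", "9.9.9.9")]:       # pi-hole upstream
        print(mac, "asks", asked, "-> answered by", effective_resolver(cfg, mac, asked))
    print("audit:", audit(cfg, "aa:bb:cc:dd:ee:02", "192.168.10.2", "9.9.9.9") or "ok")
```

    Steps 1 and 2 (clear the LAN DHCP DNS entries, advertise the router's IP) are what make the model hold: clients then send queries to the router rather than straight to the pi-hole, so DNSFilter sees them and the global Custom 1 entry is what hands them on to the pi-hole.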
  7. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    17
    LOL... Yeah, I'll give that a try... I've already killed internet access in playing with the DNSFilter so I know what that's like!

    I really don't have any purpose in mind for DNSFilter other than wanting to know what possibilities it provides... Then I can really break things!

    Thanks for your help.
     
  8. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,206
    Location:
    Manchester, United Kingdom
    Have you considered retiring pi-hole in favour of Diversion and Skynet via AMTM? If you do, you’d probably wish you’d done it ages ago. And, you’ll save on the amount of cables and stuff hanging off the back of the router.
     
  9. Vexira

    Vexira Very Senior Member

    Joined:
    Jan 20, 2017
    Messages:
    1,848
    Location:
    Australia
    Add the pi with no filter to the DNS list of devices, and global is Custom 1, which is the pi's IP address. That's how mine is set up.

    But I'm using a rock64 instead of a raspberry pi.
     
  10. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    17
    Yeah, actually I have and will probably give it a go in the near future... Especially considering the DNS changes and such I'm seeing in .11 Merlin alpha release...

    Pi-hole/Unbound/NSD is running on a VM on VirtualBox on an OMV server... I like a good challenge... And of course it keeps the brain active... I ain't getting any younger as they say...

    Thanks for the nudge.
     
    L&LD and martinr like this.
  11. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    17
    I'm running pi-hole on a VM with VirtualBox... Started out on a Raspberry Pi 3... Makes sense how you did it especially after @dave14305 enlightened me. I'll give it a try to see how it works.

    Thanks for the help.