What's new

Can't get DNSFilter to work... RT-AC3100

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Skruf

Occasional Visitor
I can't seem to get DNSFilter to work. I thought I'd just try a simple setup and see if I could have DNSFilter force a computer on the network to use Quad9.

I turned on DNSFilter and set Global to No Filtering... Set the computer MAC in the Client MAC Address space and chose Quad9... No go... Still uses the local DNS (pi-hole) set in the static setup on the computer.

I have tried it with local DNS servers setup in LAN-DHCP Server-DNS Server 1 & 2... tried it with them blank... Tried it setting Global to Router... Nothing seems to work for me.

I do have the local DNS server (pi-hole) going through a VPN but I disabled that when I was doing the testing (removed it from the VPN).

I've tried all the variations I can think of (except for the right one) but nothing seems to work. I've even reset the router and did a manual reconfigure with no difference... Any suggestions?

Here's what iptables shows when the router is setup up as above (Global No Filtering)...

Code:
admin@gateway:/tmp/home/root# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 335 packets, 28757 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  4067 VSERVER    all  --  *      *       0.0.0.0/0            84.123.134.64
  147 11506 DNSFILTER  udp  --  *      *       192.168.10.0/24      0.0.0.0/0            udp dpt:53
    0     0 DNSFILTER  tcp  --  *      *       192.168.10.0/24      0.0.0.0/0            tcp dpt:53

Chain INPUT (policy ACCEPT 186 packets, 10107 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun12   192.168.10.0/24      0.0.0.0/0
    0     0 MASQUERADE  all  --  *      tun11   192.168.10.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0            policy match dir out pol ipsec
  201 15399 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  175 13691 MASQUERADE  all  --  *      eth0   !84.123.134.64        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      br0     192.168.10.0/24      192.168.10.0/24

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 3C:W9:E5:54:26:42to:9.9.9.9

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   28  4067 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Thanks...
 
For DNS filter to work, the DNS traffic has to be routing through the router. If the computer is configured to use a pi-hole address on your LAN, DNSfilter will not see that traffic. Set the computer to get DNS automatically and then it will probably work.

Edit: LAN DHCP dns is also set for which DNS servers? Internal pi-hole or external DNS?
 
For DNS filter to work, the DNS traffic has to be routing through the router. If the computer is configured to use a pi-hole address on your LAN, DNSfilter will not see that traffic. Set the computer to get DNS automatically and then it will probably work.

Edit: LAN DHCP dns is also set for which DNS servers? Internal pi-hole or external DNS?

Thanks... I did set the computer to get a DHCP address at one point... But, I think I did have the DHCP-DNS Servers set to the pi-hole... I've also left those blank and had the WAN DNS set to external...

I thought that when I had Global set to Router that would capture ALL DNS (53) requests no matter what was hard set on a device.

I'll give it a shot as you describe...
 
Thanks... I did set the computer to get a DHCP address at one point... But, I think I did have the DHCP-DNS Servers set to the pi-hole... I've also left those blank and had the WAN DNS set to external...

I thought that when I had Global set to Router that would capture ALL DNS (53) requests no matter what was hard set on a device.

I'll give it a shot as you describe...
LAN-to-LAN traffic doesn’t get routed, it gets switched as I best understand it. If pi-hole is set in the LAN DHCP server page, at least manually configure the computer to use the router ip for DNS.
 
Well, tried it like you described and got better results. I mistakenly thought that the way I had it set up the router would grab any DNS traffic but like you mention it wasn't pointed that way and since it was local traffic it didn't need the router anyway.

Thanks for the clarity!
 
You might consider this:
  1. Clear LAN DHCP DNS 1 and 2.
  2. Advertise router's IP in addition to user-specified DNS = yes.
  3. DNSFilter custom 1 = pi-hole ip
  4. DNSFilter global mode = Custom 1
  5. DNSFilter computer MAC = Quad9
  6. DNSFilter pi-hole MAC = No filtering
Just be careful using DNSFilter so you don’t mistakenly block your pi-hole. Now I’ll shut my pie-hole.
 
LOL... Yeah, I'll give that a try... I've already killed internet access in playing with the DNSFilter so I know what that's like!

I really don't have any purpose in mind for DNSFilter other than wanting to know what possibilities it provides... Then I can really break things!

Thanks for your help.
 
LOL... Yeah, I'll give that a try... I've already killed internet access in playing with the DNSFilter so I know what that's like!

I really don't have any purpose in mind for DNSFilter other than wanting to know what possibilities it provides... Then I can really break things!

Thanks for your help.
Have you considered retiring pi-hole in favour of Diversion and Skynet via AMTM? If you do, you’d probably wish you’d done it ages ago. And, you’ll save on the amount of cables and stuff hanging off the back of the router.
 
I can't seem to get DNSFilter to work. I thought I'd just try a simple setup and see if I could have DNSFilter force a computer on the network to use Quad9.

I turned on DNSFilter and set Global to No Filtering... Set the computer MAC in the Client MAC Address space and chose Quad9... No go... Still uses the local DNS (pi-hole) set in the static setup on the computer.

I have tried it with local DNS servers setup in LAN-DHCP Server-DNS Server 1 & 2... tried it with them blank... Tried it setting Global to Router... Nothing seems to work for me.

I do have the local DNS server (pi-hole) going through a VPN but I disabled that when I was doing the testing (removed it from the VPN).

I've tried all the variations I can think of (except for the right one) but nothing seems to work. I've even reset the router and did a manual reconfigure with no difference... Any suggestions?

Here's what iptables shows when the router is setup up as above (Global No Filtering)...

Code:
admin@gateway:/tmp/home/root# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 335 packets, 28757 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  4067 VSERVER    all  --  *      *       0.0.0.0/0            84.123.134.64
  147 11506 DNSFILTER  udp  --  *      *       192.168.10.0/24      0.0.0.0/0            udp dpt:53
    0     0 DNSFILTER  tcp  --  *      *       192.168.10.0/24      0.0.0.0/0            tcp dpt:53

Chain INPUT (policy ACCEPT 186 packets, 10107 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun12   192.168.10.0/24      0.0.0.0/0
    0     0 MASQUERADE  all  --  *      tun11   192.168.10.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0            policy match dir out pol ipsec
  201 15399 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  175 13691 MASQUERADE  all  --  *      eth0   !84.123.134.64        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      br0     192.168.10.0/24      192.168.10.0/24

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 3C:W9:E5:54:26:42to:9.9.9.9

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   28  4067 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Thanks...
Add pi with no filter to the DNS list of devices and global is custom one is the pi's up address that's how mine is set up.

But I'm using a rock64 instead of a raspberry pi.
 
Have you considered retiring pi-hole in favour of Diversion and Skynet via AMTM? If you do, you’d probably wish you’d done it ages ago. And, you’ll save on the amount of cables and stuff hanging off the back of the router.

Yeah, actually I have and will probably give it a go in the near future... Especially considering the DNS changes and such I'm seeing in .11 Merlin alpha release...

Pi-hole/Unbound/NSD is running on a VM on VirtualBox on a OMV server... I like a good challenge... And of course it keeps the brain active... I ain't getting any younger as they say...

Thanks for the nudge.
 
Add pi with no filter to the DNS list of devices and global is custom one is the pi's up address that's how mine is set up.

But I'm using a rock64 instead of a raspberry pi.

I'm running pi-hole on a VM with VirtualBox... Started out on a Raspberry Pi 3... Makes sense how you did it especially after @dave14305 enlightened me. I'll give it a try to see how it works.

Thanks for help.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top