Custom DNS Filtering question/problem


Add the device to the DNS Filter list by MAC address, then set it to no filtering.
 
Well, I have done what you said. I have changed LAN DNS server 1 to 37.235.1.174 (FreeDNS).

Here is the before:
Code:
ASUSWRT-Merlin RT-AC68U 384.4-2 Sat Mar 24 17:01:45 UTC 2018
myusername@myrouter:/tmp/home/root# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 4406 packets, 705K bytes)
 pkts bytes target     prot opt in     out     source               destination
  236 14158 VSERVER    all  --  *      *       0.0.0.0/0            mypubip
 1672  118K DNSFILTER  udp  --  *      *       192.168.20.0/24      0.0.0.0/0            udp dpt:53
    0     0 DNSFILTER  tcp  --  *      *       192.168.20.0/24      0.0.0.0/0            tcp dpt:53

Chain INPUT (policy ACCEPT 680 packets, 73901 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2253 packets, 188K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2840 packets, 226K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2944  448K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0  
 2314  407K MASQUERADE  all  --  *      eth0   !mypubip         0.0.0.0/0
    7  2414 MASQUERADE  all  --  *      br0     192.168.20.0/24      192.168.20.0/24

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    59 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC nixieclock:96 to:208.67.222.222
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC mytestdevice to:192.168.30.5

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  236 14158 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Here is the after, 5 hours later, following a reboot of ALL devices: router, switch and AP.

Code:
myusername@mypubip:/tmp/home/root# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 11982 packets, 2182K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1068 56923 VSERVER    all  --  *      *       0.0.0.0/0            mypubip
 3964  258K DNSFILTER  udp  --  *      *       192.168.20.0/24      0.0.0.0/0            udp dpt:53
   17  1020 DNSFILTER  tcp  --  *      *       192.168.20.0/24      0.0.0.0/0            tcp dpt:53

Chain INPUT (policy ACCEPT 2120 packets, 224K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6804 packets, 578K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 6782 packets, 568K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9356 1519K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0  
 7552 1404K MASQUERADE  all  --  *      eth0   !mypubip         0.0.0.0/0
   29 10076 MASQUERADE  all  --  *      br0     192.168.20.0/24      192.168.20.0/24

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   177 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC mynixieclock to:208.67.222.222
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC mytestdevice to:192.168.30.5

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1068 56923 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
With this change to LAN DNS 1, I have checked a few phones and laptops. On my laptop, ipconfig /all proves it has taken effect:
" DNS Servers . . . . . . . . . . . : 37.235.1.174"

In addition, I checked Pi-hole (see attached photo). The graph shows that ALL clients have stopped sending DNS requests to Pi-hole 192.168.20.241, which would mean the LAN DNS server 37.* has taken effect.

It also shows that my nixie clock HAS actually stopped sending DNS requests to Pi-hole 20.241. DNS filtering is still on and still set to the settings shown in the screenshot above.

Add the device to the DNS Filter list by MAC address, then set it to no filtering.
I could potentially do this, but that is a ton of micromanaging to do, and once I get my home automation all set up it is going to have probably about 100 or so clients attached, so I don't want to be dealing with that. Global filter should work and has worked in the past. Colin is very helpful, so hopefully we can figure that out.
 

Attachment: graphs.PNG

OK @EdwardRutherfordthe5th, can you give me a sanity check on this please?

1) After the changes you made all DHCP clients are told to use 37.235.1.174 and 176.103.130.131 as their DNS servers.
2) This seems to be confirmed by the checks you've done and the fact that the PiHole isn't receiving anything.
3) After 5 hours of running we can see there have been over 3900 DNS packets that have been sent externally.
4) Of those 3900+ packets only 3 of them were from the clock and they were redirected to 208.67.222.222.

So, unless I'm missing something, this appears to be working as expected. Do you concur?
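The sanity check above reads the counters by eye. As an added example (not code from the thread or the firmware), the script below parses the `iptables -t nat -L -v -n` listing format shown in this thread and computes the same numbers: how many port-53 packets entered DNSFILTER, how many were rewritten by a per-MAC DNAT rule, and how many fell through unredirected because the global mode is "no filtering". The sample input is a trimmed copy of the "after" listing above, with the same anonymised placeholders (mypubip, mynixieclock, mytestdevice).

```python
"""Summarise what the DNSFILTER chain did from `iptables -t nat -L -v -n` output.

Added example, not code from the thread or the firmware. It parses the
listing format shown above and answers the sanity-check question: how many
DNS packets entered DNSFILTER, how many were rewritten by a per-MAC rule,
and how many fell through unredirected (global "no filtering").
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")

# Constructed sample: the PREROUTING and DNSFILTER chains from the "after"
# listing above, with the same anonymised placeholders the poster used.
AFTER = """\
Chain PREROUTING (policy ACCEPT 11982 packets, 2182K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1068 56923 VSERVER    all  --  *      *       0.0.0.0/0            mypubip
 3964  258K DNSFILTER  udp  --  *      *       192.168.20.0/24      0.0.0.0/0            udp dpt:53
   17  1020 DNSFILTER  tcp  --  *      *       192.168.20.0/24      0.0.0.0/0            tcp dpt:53

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   177 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC mynixieclock to:208.67.222.222
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC mytestdevice to:192.168.30.5
"""


def counter(tok):
    """iptables -v abbreviates counters with K/M/G (decimal multiples) unless -x is given."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    if tok[-1] in mult:
        return int(float(tok[:-1]) * mult[tok[-1]])
    return int(tok)


def parse_nat_table(text):
    """Return {chain: [rule, ...]}; each rule is a dict of the -v -n columns."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split(None, 9)   # pkts bytes target prot opt in out src dst [extra]
        if current is None or parts[0] == "pkts":
            continue                  # column header line
        chains[current].append({
            "pkts": counter(parts[0]),
            "bytes": counter(parts[1]),
            "target": parts[2],
            "prot": parts[3],
            "source": parts[7],
            "destination": parts[8],
            "extra": parts[9] if len(parts) > 9 else "",
        })
    return chains


def dnsfilter_summary(text):
    """Packets that entered DNSFILTER, per-rule DNAT hits, and how many fell through."""
    chains = parse_nat_table(text)
    entered = sum(r["pkts"] for r in chains.get("PREROUTING", [])
                  if r["target"] == "DNSFILTER")
    # Key each DNAT rule by its match/target text (e.g. "MAC ... to:..."); a
    # global rule with no MAC match would show up as just "to:<server>".
    redirected = {r["extra"] or "global": r["pkts"]
                  for r in chains.get("DNSFILTER", []) if r["target"] == "DNAT"}
    return {
        "entered": entered,
        "redirected": redirected,
        "unredirected": entered - sum(redirected.values()),
    }


if __name__ == "__main__":
    s = dnsfilter_summary(AFTER)
    print(f"{s['entered']} DNS packets entered DNSFILTER")
    for rule, hits in s["redirected"].items():
        print(f"  {hits:>5} rewritten by: {rule}")
    print(f"  {s['unredirected']:>5} passed through unredirected")
```

Run against the "after" capture it reports 3981 packets entering the chain, 3 rewritten by the clock's exception and 3978 passing through untouched, which is the conclusion drawn in points 3 and 4. Note that the "after" listing was taken following a reboot, so its counters start from zero; comparing before and after counters directly would not be meaningful.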
 
Yes, I would say you are correct: it is working with DNS Filtering on and the global option set to "no filtering".
Maybe you can answer this then, because clearly I am confused.

When I select no filtering, a client automatically bypasses the DNS filtering and then either uses the LAN DNS 1/2 provided by DHCP or, if it has a hard-coded DNS such as a Chromecast with 8.8.8.8, it uses that. Correct? So with no filtering on, I MAY not be getting all DNS requests to my Pi-hole if they have a hard-coded address?

In addition, does global filter "router" force all clients, no matter what, to use the LAN DNS that is specified in DHCP LAN 1/2?

The reason I ask for these clarifications is that when I select global filter "Router" with a DHCP LAN DNS of, say, Google 8.8.8.8, it works flawlessly: it forces EVERY DNS request to 8.8.8.8 like it should. However, when I change it to 192.168.20.241 (Pi-hole) it doesn't work. I'm not asking you to troubleshoot Pi-hole, as I believe you have sufficiently narrowed down the problem to Pi-hole.
The part I am confused about: after I change it to what I said above, global filter "router" with DHCP LAN DNS 192.168.20.241, I see a TON of requests going to Pi-hole, actually so many that it makes the Pi-hole interface super slow (beside the point), but when I check the logs, ALL the requests are coming from the router 192.168.20.1, NOT the devices. Why is that? See screenshot attached.

In the screenshot below, I went to DuckDuckGo and YouTube from MY laptop. The router intercepts it and forces it to LAN DNS 1, which is Pi-hole; however, in the log it shows those DNS requests that I made from my laptop as coming from 192.168.20.1. My laptop is 20.10 (DHCP).
 

Attachment: dns router setting.PNG
Yes, I would say you are correct: it is working with DNS Filtering on and the global option set to "no filtering".
Thanks for confirming that.
When I select no filtering, a client automatically bypasses the DNS filtering and then either uses the LAN DNS 1/2 provided by DHCP or, if it has a hard-coded DNS such as a Chromecast with 8.8.8.8, it uses that. Correct? So with no filtering on, I MAY not be getting all DNS requests to my Pi-hole if they have a hard-coded address?
Correct.
In addition, does global filter "router" force all clients, no matter what, to use the LAN DNS that is specified in DHCP LAN 1/2?
No. "Router" forces all DNS requests to go to the router's IP address and is therefore handled by dnsmasq on the router. dnsmasq will then forward the requests upstream to whatever servers are specified in the router's WAN DNS settings.
The reason I ask for these clarifications is that when I select global filter "Router" with a DHCP LAN DNS of, say, Google 8.8.8.8, it works flawlessly: it forces EVERY DNS request to 8.8.8.8 like it should. However, when I change it to 192.168.20.241 (Pi-hole) it doesn't work. I'm not asking you to troubleshoot Pi-hole, as I believe you have sufficiently narrowed down the problem to Pi-hole.
The part I am confused about: after I change it to what I said above, global filter "router" with DHCP LAN DNS 192.168.20.241, I see a TON of requests going to Pi-hole, actually so many that it makes the Pi-hole interface super slow (beside the point), but when I check the logs, ALL the requests are coming from the router 192.168.20.1, NOT the devices. Why is that? See screenshot attached.

In the screenshot below, I went to DuckDuckGo and YouTube from MY laptop. The router intercepts it and forces it to LAN DNS 1, which is Pi-hole; however, in the log it shows those DNS requests that I made from my laptop as coming from 192.168.20.1. My laptop is 20.10 (DHCP).
I think you need to recheck this behaviour in light of my description about how Global filter "Router" works, because whatever is set for LAN DNS1&2 is irrelevant. It's whatever is set as the router's WAN DNS servers that is ultimately used. Or to put it another way, "Global filter Router" means "Send DNS requests to the DNS server running on the router".
 
I could potentially do this, but that is a ton of micromanaging to do, and once I get my home automation all set up it is going to have probably about 100 or so clients attached, so I don't want to be dealing with that. Global filter should work and has worked in the past. Colin is very helpful, so hopefully we can figure that out.
I was referring only to the things you want as exceptions, devices that you don't want filtered.
 
Thanks for confirming that.
Correct.
No. "Router" forces all DNS requests to go to the router's IP address and is therefore handled by dnsmasq on the router. dnsmasq will then forward the requests upstream to whatever servers are specified in the router's WAN DNS settings.
Are you sure about this? Because when I set it to global filter router and reboot all devices, it appears to go to DHCP DNS LAN 1/2.
Here is the log from me changing it, via the command you gave me (very useful by the way, wish I would have known about this ages ago):

Code:
Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC nixie clock to:208.67.222.222
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC mytestdevice to:192.168.30.5
  498 38281 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.20.241

I think you need to recheck this behaviour in light of my description about how Global filter "Router" works, because whatever is set for LAN DNS1&2 is irrelevant. It's whatever is set as the router's WAN DNS servers that is ultimately used. Or to put it another way, "Global filter Router" means "Send DNS requests to the DNS server running on the router".

AH HA!!! This would explain it. Also, last night before I saw this reply I came to a revelation as to why it's not working. So for global filter router with a DNS of 8.8.8.8, as you said, the router grabs it all then forces it upstream. Google sees it and replies to my public IP; the router grabs it and returns it to the client.
The difference with Pi-hole is that it's an internal IP. The router grabs the DNS request and sends it upstream to Pi-hole even though it's internal. Pi-hole goes and grabs the DNS record and returns it back to the router, and it never gets back to the client (which would explain why I only see requests from 20.1). I THINK if I were to set up Pi-hole as an outside server then it would work, just as if I was sending it to Google. I am not going to do this because it raises a lot of security concerns, as it wouldn't be behind a firewall then. I will test my theory later, though. The other downside is I wouldn't see individual clients; it would all be from my public IP.

Thanks for the clarification and for taking the time out to help me. I guess I didn't understand what "router" actually did. I thought it just forwarded everything to whatever DNS server I set it to, but the router is actually using dnsmasq and processing it. I was going based on the description on that page.
 
Are you sure about this? Because when I set it to global filter router and reboot all devices, it appears to go to DHCP DNS LAN 1/2.
Here is the log from me changing it, via the command you gave me (very useful by the way, wish I would have known about this ages ago):

Code:
Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC nixie clock to:208.67.222.222
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC mytestdevice to:192.168.30.5
  498 38281 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.20.241
You've cracked it! And highlighted an incorrect assumption that I was making about how this works :oops:. (Note to self: Read the instructions idiot!)
I guess I didn't understand what "router" actually did... I was going based on the description on that page.
No, you were right and I was wrong. Doh!

So what happens is: When Global Filter Mode = Router,
1. If LAN>DHCP>DNS Server 1 is set to something this is the address the DNS requests will be forced to go to (unless there is a custom exception).
2. If LAN>DHCP>DNS Server 1 is not set to something it will force requests to go to the router's address (typically 192.168.1.1) and use the router's DNS server (dnsmasq). It will not use the DNS Server 2 address.

And just to add to my embarrassment it actually says this clearly on the DNSFilter page: '"Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined)'.:oops:

So what I think is happening in your setup above is;
1. A client makes a DNS request.
2. It is intercepted by DNSFilter and redirected to the PiHole. ***
3. The PiHole tries to forward the request to an external upstream DNS server.
4. DNSFilter intercepts the PiHole's request and sends it back to the PiHole.
5. Infinite Loop between 3 and 4.

The PiHole shows the client address as the router (192.168.20.1) because the source address is still being NATed in the NAT/POSTROUTING chain (with -j MASQUERADE).


*** I have a suspicion (that I can't prove) that in some circumstances the very first client DNS request might go straight to the PiHole, because the traffic is switched not routed, and therefore never gets to the router. But that's by the by.
 

YESSS!!! That makes total sense. DUH, we've both been saying it intercepts ALL DNS traffic. Of course it would still intercept the internal Pi-hole DNS traffic without exception. That explains my screenshot of Pi-hole, because when I make a single DNS request, for example YouTube, the log will show 3-6 (on average) DNS requests for the same thing. SO, as you said, it's an infinite loop until the request somewhere in there dies and doesn't get re-requested.
So there are 2 options I see to fix this. One: when I set DNS filter to Router, I make a custom rule to forward traffic from Pi-hole to an external DNS / set it to "no filtering" (no filtering might still put it in a loop), which lets the global filter go: client > router interception > Pi-hole > custom filter > outside DNS.

Two: would it be possible to put the Pi-hole in a DMZ? Or would the router still get that DNS traffic as well?
 
I think option 1 would work, assuming that LAN DNS 1 = PiHole address. But I'm not keen on it because it's a bit obtuse. You're saying "Use 'router'", but 'router' is really just redirecting to the PiHole.

Personally I would have Custom #1 set to the PiHole address. Then set Global Filter Mode to Custom #1. Then I'd have an exception for the PiHole's MAC address that is set to No Filtering. This setup seems more obvious to my mind. It also means that there's no reason to have anything at all set for LAN DNS 1 & 2 (whether that's more or less confusing I'll let you decide).

Putting the PiHole in the DMZ won't achieve anything useful.
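The five-step loop explained a few posts up, and the Custom #1 plus "No Filtering" exception suggested here, can both be checked with a small model of the DNSFILTER chain. The script below is an added example, not firmware code. It mirrors the rule order visible in the iptables listings in this thread (per-MAC DNAT exceptions first, then the global DNAT), the "Router" mode rule quoted from the DNSFilter page (DHCP DNS 1 if set, otherwise the router itself), and the br0 MASQUERADE in POSTROUTING that makes the Pi-hole log the router's address as the client. Assumptions that are not from the thread: a "No filtering" exception is modelled as a RETURN with no DNAT; every LAN DNS query is assumed to traverse the chain, as in step 2 of the explanation (its footnote notes that the very first switched request may not); the MAC addresses and the Pi-hole's upstream server 8.8.8.8 are constructed placeholders.

```python
"""Model of the DNSFilter redirect and the Pi-hole loop described above.

Added example, not firmware code. Assumptions (not from the thread): a
"No filtering" exception is a RETURN with no DNAT; every LAN DNS query
traverses the chain; all MACs and the Pi-hole's upstream are placeholders.
"""

ROUTER_IP = "192.168.20.1"
PIHOLE_IP = "192.168.20.241"
LAPTOP_MAC, CLOCK_MAC, PIHOLE_MAC = "aa:aa:aa:aa:aa:10", "aa:aa:aa:aa:aa:96", "aa:aa:aa:aa:aa:41"

# Constructed LAN inventory: MAC -> (name, IP).
HOSTS = {
    LAPTOP_MAC: ("laptop", "192.168.20.10"),
    CLOCK_MAC: ("nixie-clock", "192.168.20.96"),
    PIHOLE_MAC: ("pi-hole", PIHOLE_IP),
}
# LAN resolvers that forward upstream: IP -> (its MAC, its upstream server).
LAN_RESOLVERS = {PIHOLE_IP: (PIHOLE_MAC, "8.8.8.8")}

# The setup from the thread: Global Filter Mode = Router, LAN DHCP DNS 1 = Pi-hole,
# one per-MAC exception for the clock, none for the Pi-hole itself.
THREAD_CONFIG = {
    "global_mode": "router",
    "lan_dns1": PIHOLE_IP,
    "exceptions": [(CLOCK_MAC, "208.67.222.222")],
}
# The suggested setup: Custom #1 = Pi-hole, the Pi-hole's MAC set to No Filtering,
# nothing set for LAN DNS 1.
SUGGESTED_CONFIG = {
    "global_mode": PIHOLE_IP,
    "lan_dns1": None,
    "exceptions": [(CLOCK_MAC, "208.67.222.222"), (PIHOLE_MAC, "no_filtering")],
}


def dnsfilter_dst(cfg, src_mac, dst):
    """Destination of a port-53 packet after the DNSFILTER chain."""
    for mac, action in cfg["exceptions"]:          # per-MAC rules are evaluated first
        if mac == src_mac:
            return dst if action == "no_filtering" else action
    mode = cfg["global_mode"]
    if mode == "no_filtering":                     # no trailing global DNAT rule
        return dst
    if mode == "router":                           # DHCP DNS 1 if set, else the router itself
        return cfg["lan_dns1"] or ROUTER_IP
    return mode                                    # Custom #N holds a server address


def trace_query(cfg, src_mac, dst, max_hops=6):
    """Follow one query hop by hop. Returns (outcome, path).

    Each path entry is (sender, original dst, dst after DNSFILTER,
    source address the receiver sees).
    """
    path, seen = [], set()
    for _ in range(max_hops):
        name, src_ip = HOSTS[src_mac]
        new_dst = dnsfilter_dst(cfg, src_mac, dst)
        # MASQUERADE on br0: a packet DNATed to a LAN host appears to come from the router
        observed_src = ROUTER_IP if new_dst in LAN_RESOLVERS else src_ip
        path.append((name, dst, new_dst, observed_src))
        if new_dst == ROUTER_IP:
            # dnsmasq answers; its own upstream query is locally generated and
            # passes through nat OUTPUT, not PREROUTING, so DNSFILTER never sees it
            return "resolved_by_router", path
        if new_dst not in LAN_RESOLVERS:
            return "resolved_externally", path
        if (src_mac, new_dst) in seen:             # same sender bounced to the same place again
            return "loop", path
        seen.add((src_mac, new_dst))
        src_mac, dst = LAN_RESOLVERS[new_dst]      # the resolver forwards to its upstream
    return "loop", path


if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("suggested", SUGGESTED_CONFIG)):
        outcome, path = trace_query(cfg, LAPTOP_MAC, PIHOLE_IP)
        print(f"{label}: {outcome}")
        for hop in path:
            print("   ", hop)
```

With THREAD_CONFIG the laptop's query reaches the Pi-hole, the Pi-hole's forward to 8.8.8.8 is rewritten back to 192.168.20.241 with the router as apparent source, and the trace reports a loop on the third hop. With SUGGESTED_CONFIG the Pi-hole's forward hits its "No Filtering" exception and leaves the LAN, while every other client is still redirected to the Pi-hole. Option 1 from the post above (Router mode with LAN DNS 1 = Pi-hole plus an exception for the Pi-hole) traces the same way as the suggested setup in this model.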
 
That's great news.

As an aside, now that you're using the PiHole as your local DNS server, does local name resolution work? Say, if you had a Windows PC called "fred" that was a normal DHCP client. Would "nslookup fred" work?
 
Unfortunately no, the router is not able to do that now. However, Pi-hole is able to do that, but you have to turn on DHCP for that. I'd rather not turn that on in Pi-hole. When I get a proper microserver (instead of a Raspberry Pi), I will turn DHCP on for Pi-hole and turn the router's DHCP off.
 
