Solved DNS Director not forcing manual DNS... IPtables?

mustardquail

Occasional Visitor
Hello,
I am trying to use DNS Director to force all clients to use my DNS server on the network. I've enabled and tested DNS Director, and for most cases, it seems to work as intended and I see this traffic hitting my DNS server as it should. However, when I manually configure my Mac to use something like 9.9.9.9 and run a dig trace from this machine, I see that my queries/lookups are not being sent to my local DNS server; they go through to 9.9.9.9.

My understanding was that DNS Director is supposed to force this traffic to go to my local DNS server, but I might be misunderstanding how it handles clients who have set manual DNS servers. What I'm hoping to do is to force/redirect all DNS traffic regardless of manual DNS server; I feel like many tracking/ad services likely have their own hardcoded DNS settings like this that can easily bypass my local DNS server, so this is an attempt to halt this bypass. (Open to any recommendations for handling any sidestepping via DoH/DoT as well!)

On Asuswrt-Merlin, is there a recommended iptables script or similar that I can use to force all DNS (even manual like this) to my local DNS server?
 
For context, it may help if you post a screen shot of your DNS Director settings for others to review just in case they spot something that needs changing on it.

Edit to add: And based on your other post in another discussion, how is the Mac configured? Is the Mac using DoH or something similar?

And for context, what is your "local DNS server" (Pi-Hole + Unbound per your earlier postings or something else), and how is your router configured to use that "local DNS server"?
 
Totally fair, I don't think I included enough detail on my initial post. Here's what my DNS Director settings show:
[attached screenshot: DNS Director settings]

I set Global Redirection to point device DNS to User Defined 1 (my testing showed this seemed to be working even though I'd read others recommend using Global Redirection set to Router); User Defined 1 is my Pihole running Unbound as a local DNS server. This client's MAC address has been set to No Redirection in the next section. I also have a Guest network that has been set to have Redirection point to Router, and my Router is also pointing to the Pihole for DNS so the Guest network should have DNS forwarded to the Pihole from the Router this way.

The Mac hasn't been configured to use DoH or similar to my knowledge; I am not using a configuration profile, I had just set the DNS setting in my network configuration to point to 9.9.9.9 as a test to see whether my test queries would hit the Pihole. When I manually point to 9.9.9.9, I don't see any test queries showing up from the Pihole query log, and running a dig trace results in 9.9.9.9 showing as the DNS server. When I remove 9.9.9.9 from the custom DNS setting or change it to my Pihole IP address, it goes through the Pihole again.

My router is configured to point to the Pihole DNS server in both the LAN settings for clients, and also in the WAN DNS settings. I initially did not have it in WAN as that seemed a bit illogical, but my Guest network queries were not hitting the DNS server at all due to AP isolation/network segmentation (I don't want the entire Guest network to see all intranet devices, only port 53 of the Pihole), so the only way my tests worked without more tinkering was to set the Router WAN DNS to hit my Pihole and forward all Guest DNS queries to the Router.

Sorry for the long-winded explanation, but wanted to provide additional context; feel like my initial post was a bit vague. At this point I'm not sure if something in my configuration is not working properly, or if I'd need to run an iptables script from the router to force DNS queries through the Pihole (and also potentially block DoH endpoints).
 
@mustardquail, a full posting of the DNS Director section would probably be helpful.
Do not put the Pi-Hole into the router's WAN DNS fields. Pi-Hole does not recommend it.
For example, from a post explaining how to configure Pi-Hole for use with the 3006.102.x firmware. See the following link for general Pi-Hole setup on an Asus router including the DNS Director page.

[attached image: DNS Director page]


For the 388.x firmware a general explanation of how to setup Pi-Hole on an Asus router is explained in this post:

PS: Setting a client to No Redirection means DNS Director will not re-route that client's DNS requests to User Defined # or to the router depending on the setting.
 
On Asuswrt-Merlin, is there a recommended iptables script or similar that I can use to force all DNS (even manual like this) to my local DNS server?
That's what DNS Director does.

However, when I manually configure my Mac to use something like 9.9.9.9 and run a dig trace from this machine, I see that my queries/lookups are not being sent to my local DNS server; they go through to 9.9.9.9.
By "dig trace" I assume you mean "dig". DNS Director silently intercepts DNS traffic and redirects it. The client (your Mac) is unaware this is happening and therefore thinks the reply is coming from 9.9.9.9 when it actually isn't.
 
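As an added illustration of the two points made above (a per-client No Redirection entry exempts that client, and redirection is a transparent NAT rewrite the client never sees), here is a small Python audit, written for this thread and not taken from DNS Director or the Asuswrt-Merlin firmware. It reads iptables-save style NAT rules and reports where a given MAC's port-53 traffic actually ends up. The chain name DNSREDIR, the MAC addresses and the IP addresses are constructed for the example; the real firmware's chain names and rule layout may differ, so treat them as assumptions.

```python
"""Audit an iptables NAT ruleset for transparent DNS redirection.

Hypothetical example (not firmware code): given iptables-save style text,
determine whether LAN port-53 traffic is hooked into a redirection chain and
where a given client's queries go, honouring first-match-wins semantics so
that a per-MAC RETURN (the "No Redirection" case) is reported as an exemption.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample resembling `iptables-save -t nat` output. The chain name
# DNSREDIR, the MACs and the addresses are made up for this example.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:DNSREDIR - [0:0]
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNSREDIR
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNSREDIR
-A DNSREDIR -m mac --mac-source AA:BB:CC:DD:EE:01 -j RETURN
-A DNSREDIR -m mac --mac-source AA:BB:CC:DD:EE:02 -j DNAT --to-destination 192.168.50.1
-A DNSREDIR -j DNAT --to-destination 192.168.50.10
COMMIT
"""


@dataclass
class Rule:
    chain: str
    proto: Optional[str]
    dport: Optional[str]
    mac: Optional[str]
    target: Optional[str]
    to_dest: Optional[str]


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Return the value following `flag` in a token list, or None."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_rules(text: str) -> List[Rule]:
    """Parse the '-A' lines of iptables-save output into Rule records, in order."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        t = shlex.split(line)
        rules.append(Rule(chain=t[1], proto=_opt(t, "-p"), dport=_opt(t, "--dport"),
                          mac=_opt(t, "--mac-source"), target=_opt(t, "-j"),
                          to_dest=_opt(t, "--to-destination")))
    return rules


def dns_hook_chains(rules: List[Rule]) -> Dict[str, str]:
    """Map protocol -> chain that PREROUTING hands port-53 traffic to."""
    hooks = {}
    for r in rules:
        if r.chain == "PREROUTING" and r.dport == "53" and r.target:
            hooks[r.proto] = r.target
    return hooks


def effective_dns_target(rules: List[Rule], client_mac: str, proto: str = "udp") -> Optional[str]:
    """Where a client's port-53 queries are sent after NAT.

    Returns the DNAT destination, or None when the client is exempt (a RETURN
    matched before any DNAT) or no hook exists, i.e. the query goes to whatever
    resolver the client configured itself (9.9.9.9 in the thread's test).
    """
    chain = dns_hook_chains(rules).get(proto)
    if chain is None:
        return None
    mac = client_mac.upper()
    for r in rules:  # first matching rule wins, as iptables evaluates a chain
        if r.chain != chain or (r.mac is not None and r.mac.upper() != mac):
            continue
        if r.target == "RETURN":
            return None
        if r.target == "DNAT":
            return r.to_dest
    return None


def audit(rules: List[Rule]) -> dict:
    """Summarise hooked protocols, exempt MACs, per-MAC overrides and the default."""
    hooks = dns_hook_chains(rules)
    exempt, overrides, default = [], {}, None
    for chain in set(hooks.values()):
        for r in rules:
            if r.chain != chain:
                continue
            if r.mac and r.target == "RETURN":
                exempt.append(r.mac.upper())
            elif r.mac and r.target == "DNAT":
                overrides[r.mac.upper()] = r.to_dest
            elif r.mac is None and r.target == "DNAT" and default is None:
                default = r.to_dest
    return {"hooked_protocols": sorted(hooks), "exempt_macs": exempt,
            "overrides": overrides, "default_target": default}


if __name__ == "__main__":
    rs = parse_rules(SAMPLE_RULES)
    print(audit(rs))
    for mac in ("aa:bb:cc:dd:ee:01", "AA:BB:CC:DD:EE:02", "AA:BB:CC:DD:EE:99"):
        print(mac, "->", effective_dns_target(rs, mac) or "client's own resolver")
```

On a real router you would feed the script the output of `iptables-save -t nat` instead of the constructed sample; a client that shows up in `exempt_macs` is exactly the case in this thread, where queries to 9.9.9.9 leave the LAN untouched, while everyone else is rewritten to the default target without any change visible on the client side.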
Thank you so much! I took a look at the documentation links provided, and fixed an issue where I'd manually pointed the Guest Network Pro to my Pihole IP address. After setting it to Default, I confirmed I was able to see my queries (even on the Guest network) in the Pihole. I also pointed the Router WAN DNS away from the Pihole, filled in Conditional Forwarding, and set Never Forward Non-FQDN on the Pihole end. Confirmed my queries are all still showing up in the Pihole now.

A piece I hadn't even considered might have also contributed to this; I read the part where it's recommended to do a restart. I had not done that on the Pihole end until today, so there's a chance that something simply needed to be restarted in order to function properly.

I really appreciate the helpful direction provided for this!
 
FYI the hyperlink at the beginning of your Guest Network Pro Pi Hole post (an Oct post...) is broken.
 
Thanks, link fixed. Not sure what happened there. It was supposed to go to this Oct. post not a private conversation post that had the same information.
 