DNS filter with fallback

hambone

New Around Here
Hi all,

Does anyone have a recommended way to have a fallback DNS server setup?

For background, we have a pihole on our network that serves up all our DNS queries and does its ad blocking thing. Forcing all DNS to go there is great but, every now and then, the pihole fails or needs to be taken offline and this stops the entire network from functioning until it's back online.

What I'd like to do is have the pihole as the primary server then an external provider (e.g. 9.9.9.9) for cases where the pihole cannot resolve the query. Any tips on how to do this? I've searched through SNB and Google to no avail. I don't really want to list every device manually and give them an exception if I can help it.

Current config is:

Enable DNS-based Filtering: On
Global Filter Mode: Router
Client list: No filtering for pihole

DHCP issues 192.168.1.12 and 9.9.9.9 to clients.
 

dave14305

Part of the Furniture
The issue is if you put Pi-hole in the LAN DHCP DNS page, the router will never see the clients’ requests because they go direct (switched not routed). So intervention is difficult.
 

hambone

New Around Here
The issue is if you put Pi-hole in the LAN DHCP DNS page, the router will never see the clients’ requests because they go direct (switched not routed). So intervention is difficult.

I forgot to add my config, so edited the post. Right now we have filtering on and set to use the Router then the pihole has an exception in the client list. The Router has the local and external IP's set as primary and secondary as I had hoped the router would forward to one or the other as required.
 

coxhaus

Part of the Furniture
I think you can do this by using QUAD9 on pihole and have pihole forward to your router. Have your router set for QUAD9 and forward to QUAD9. Does pihole get its IP from the router or is it a DHCP server?

You can skip the router if pihole will forward to QUAD9 but I think that is your problem you are having.
 

hambone

New Around Here
I think you can do this by using QUAD9 on pihole and have pihole forward to your router. Have your router set for QUAD9 and forward to QUAD9. Does pihole get its IP from the router?

Yeah, the router is the DHCP server and the pihole is on a static address. I'm not quite clear how the pihole forwarding to the router helps here? If the pihole is dead then we're still unable to resolve queries?
 

coxhaus

Part of the Furniture
Yes, you are correct. If you try 2 DNS entries then the problem becomes that the router may win a DNS request. How do you slow down a DNS request to the router?

I could probably do it because I use a layer 3 switch and route to the router which picks up a ms of routing time. So layer 2 requests would be faster. But a layer 3 switch will not work with an all-in-one router.
 

K-2SO

Very Senior Member
Does anyone have a recommended way to have a fallback DNS server setup?

I had at some point Pi-hole with Unbound DNS resolver. Pi-hole IP in LAN DNS, Advertise Router IP and a slow response DNS in WAN. After Unbound builds up the cache it responds in 1ms and 99% of the queries go through Pi-hole. If the Pi-hole goes down, the slow DNS in WAN starts responding. I had a DNS server in WAN somewhere in Australia with 200+ ms response time. :)
 

--Manu--

Occasional Visitor
Redundancy is of course important. But a distinction should be made as to whether a failure is "annoying" or critical.
If it is critical, use 2 identical Pi-holes and set both as DNS.

Yes... probably not the answer you want to hear ^^
This is often done in appropriate environments.
 

hambone

New Around Here
Redundancy is of course important. But a distinction should be made as to whether a failure is "annoying" or critical.
If it is critical, use 2 identical Pi-holes and set both as DNS.

Yes... probably not the answer you want to hear ^^
This is often done in appropriate environments.

Yeah, I have the gear to do that and will go down that route if I have to. I was more asking the question because I wanted to know if there was a way around this issue that I missed during the configuration, rather than immediately jumping to adding more complexity to my network.
 

ColinTaylor

Part of the Furniture
If you specify 9.9.9.9 as your router's WAN DNS server it should work as best it can.

1. DHCP clients will go to the PiHole first. They will only go to 9.9.9.9*** if the PiHole doesn't respond within 1 second. This is normal Windows/Linux behaviour, I don't know about Apple devices.

2. LAN clients that ignore the DHCP server's DNS list (e.g. Android devices) will be intercepted by DNSFilter and redirected to the router's DNS and then forwarded to 9.9.9.9 instead.

*** Actually it doesn't matter what the second DNS server is set to because DNSFilter will redirect it to the router's DNS server regardless (and then forward it to 9.9.9.9). So setting a second LAN DNS server is pointless, so long as "Advertise router's IP in addition to user-specified DNS" is enabled.
 

dave14305

Part of the Furniture
I like the idea of sharing two DHCP DNS servers with DNS filter enabled. If you could reliably script a check for Pihole online/offline and then disable or reconfigure DNS Filter, it would be a poor man’s solution. When Pi-hole is up, any requests making it to the router would be forced back to Pihole. If Pi-hole is down, the reconfigured DNSFilter would still let traffic pass to Quad9.

The magic is in the yet-to-be-invented script I’m imagining. :(
 
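As an added example (not code from this thread, from Pi-hole, or from Asuswrt-Merlin), here is one shape the watchdog described in the post above could take: a cron job on the router that probes Pi-hole with a real DNS query, keeps DNSFilter on while Pi-hole answers, and switches DNSFilter off after several consecutive failures so the clients' fallback to the router (and from there to the WAN DNS, 9.9.9.9) actually gets through. The Pi-hole address 192.168.1.12 is the one in the thread; everything else is an assumption: that the busybox nslookup and timeout applets exist on the router, that the DNSFilter on/off switch is the nvram variable dnsfilter_enable_x, and that `service restart_dnsfilter` re-applies it. Verify those three on your firmware before relying on the script.

```shell
#!/bin/sh
# Pi-hole watchdog for an Asuswrt-Merlin router. Added example, not from the thread.
# Install as /jffs/scripts/pihole_watchdog.sh and schedule it every minute, e.g.
#   cru a pihole_wd "* * * * * /jffs/scripts/pihole_watchdog.sh run"
#
# ASSUMPTIONS (not stated in the thread): busybox nslookup/timeout are present,
# dnsfilter_enable_x is the DNSFilter on/off nvram switch, and
# "service restart_dnsfilter" re-applies it. Check all three on your firmware.

PIHOLE_IP="192.168.1.12"        # Pi-hole address from the thread
PROBE_NAME="example.com"        # assumption: a name Pi-hole should always resolve
PROBE_TIMEOUT=3                 # seconds to wait for Pi-hole's answer (assumption)
FAIL_THRESHOLD=3                # consecutive failures before falling back (assumption)
STATE_FILE="/tmp/pihole_watchdog.state"   # holds "<consecutive_failures> <mode>"

# Probe with a real DNS query, not ping: a Pi-hole host that pings but whose
# resolver is stopped (step 1 of the test later in the thread) must count as down.
# Returns 0 when Pi-hole answered within PROBE_TIMEOUT, non-zero otherwise.
probe_pihole() {
    timeout "$PROBE_TIMEOUT" nslookup "$PROBE_NAME" "$PIHOLE_IP" >/dev/null 2>&1
}

# Pure decision step, kept free of router calls so it can be tested anywhere.
# Usage: next_state PREV_FAILS PROBE_RC   -> prints "<fails> <mode>"
# mode is "pihole" (DNSFilter on) or "fallback" (DNSFilter off).
# A single good answer clears the count, so recovery is immediate; entering
# fallback needs FAIL_THRESHOLD consecutive failures so one slow reply does not
# flap the filter on and off.
next_state() {
    prev_fails=$1
    probe_rc=$2
    if [ "$probe_rc" -eq 0 ]; then
        fails=0
    else
        fails=$((prev_fails + 1))
    fi
    if [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
        echo "$fails fallback"
    else
        echo "$fails pihole"
    fi
}

# Map a mode onto the DNSFilter switch. nvram is deliberately set but not
# committed: the change lives in RAM and a reboot returns to the saved config.
apply_mode() {
    case "$1" in
        pihole)   nvram set dnsfilter_enable_x=1 ;;
        fallback) nvram set dnsfilter_enable_x=0 ;;
        *) echo "apply_mode: unknown mode $1" >&2; return 1 ;;
    esac
    service restart_dnsfilter >/dev/null 2>&1
    logger -t pihole_watchdog "Pi-hole mode is now $1 (DNSFilter re-applied)"
}

main() {
    prev_fails=0
    prev_mode=pihole
    if [ -r "$STATE_FILE" ]; then
        read -r prev_fails prev_mode < "$STATE_FILE"
    fi
    if probe_pihole; then rc=0; else rc=1; fi
    set -- $(next_state "$prev_fails" "$rc")
    fails=$1
    mode=$2
    echo "$fails $mode" > "$STATE_FILE"
    # Touch nvram and the firewall only on a transition; the usual run is cheap.
    if [ "$mode" != "$prev_mode" ]; then
        apply_mode "$mode"
    fi
}

# Only act when invoked with "run", so the functions can be sourced or tested alone.
case "${1-}" in
    run) main ;;
esac
```

Two caveats follow from the design. While the watchdog sits in fallback, DNSFilter is off, so clients that ignore the DHCP DNS list are no longer forced back to Pi-hole and bypass its blocking; availability is being traded for filtering for the duration of the outage. And a Pi-hole that is up but answers slower than PROBE_TIMEOUT for FAIL_THRESHOLD probes in a row is treated as down, which is usually what you want but is worth knowing when tuning the two values.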

jsbeddow

Senior Member
I like the idea of sharing two DHCP DNS servers with DNS filter enabled. If you could reliably script a check for Pihole online/offline and then disable or reconfigure DNS Filter, it would be a poor man’s solution. When Pi-hole is up, any requests making it to the router would be forced back to Pihole. If Pi-hole is down, the reconfigured DNSFilter would still let traffic pass to Quad9.

The magic is in the yet-to-be-invented script I’m imagining. :(

Calling @Jack Yaz , right? :)
 

hambone

New Around Here
If you specify 9.9.9.9 as your router's WAN DNS server it should work as best it can.

1. DHCP clients will go to the PiHole first. They will only go to 9.9.9.9*** if the PiHole doesn't respond within 1 second. This is normal Windows/Linux behaviour, I don't know about Apple devices.

2. LAN clients that ignore the DHCP server's DNS list (e.g. Android devices) will be intercepted by DNSFilter and redirected to the router's DNS and then forwarded to 9.9.9.9 instead.

*** Actually it doesn't matter what the second DNS server is set to because DNSFilter will redirect it to the router's DNS server regardless (and then forward it to 9.9.9.9). So setting a second LAN DNS server is pointless, so long as "Advertise router's IP in addition to user-specified DNS" is enabled.

Thanks for that. I'll give it a try and see if that solves the problem for me.
 

hambone

New Around Here
So I tried your suggestion @ColinTaylor and it doesn't seem to be working.

WAN:
Connect to DNS Server automatically: No
DNS Server1: 9.9.9.9
DNS Server2: blank

LAN - DHCP Server:
DNS Server1: 192.168.1.12
DNS Server 2: blank

LAN - DNSFilter:
Enable DNS-based Filtering: On
Global filter mode: Router
Client list: 192.168.1.12

Can anyone see if there's anything I'm missing in this config?
 

ColinTaylor

Part of the Furniture
How are you testing this? What makes you think it's not working?

Do you have (LAN - DHCP Server) "Advertise router's IP in addition to user-specified DNS" set to Yes?
 

hambone

New Around Here
How are you testing this? What makes you think it's not working?

Do you have "Advertise router's IP in addition to user-specified DNS" set to Yes?

Yup, advertise router's IP is selected. Clients are showing 192.168.1.12 and 192.168.1.1 in the DNS list.

For testing, I take the primary DNS server (192.168.1.12) offline and the clients fail to resolve. Dig times out but I can still ping a server directly.
 

ColinTaylor

Part of the Furniture
dig and nslookup are not valid tests because they query the primary DNS server. They're not meant to fail-over. Close and reopen your browser and try going to a web site. Try going to https://dnsleaktest.com/.

Correction: dig and nslookup may fail-over but it depends on how exactly you have configured the client.

EDIT: I've just tried this on Windows and Ubuntu and it's working as expected.
 

john9527

Part of the Furniture
This should work on my fork... not sure if it still works on the latest Merlin builds.

Make a dnsmasq.conf.add with the line
strict-order
in /jffs/configs

Enter your desired servers in order on the WAN page,
Leave the LAN DNS servers blank. Check the advertise router's IP to yes.

Note if you use a VPN some of the DNS options can break this scheme.

strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf
 

hambone

New Around Here
@ColinTaylor definitely not working on my network. Tested on 2 devices (macOS and Windows) and 2 browsers.
  1. Disabled the DNS on 192.168.1.12
  2. Confirmed devices have DNS records set (both show 192.168.1.12 and 192.168.1.1)
  3. Browsing to dnsleaktest.com on primary browser fails
  4. Browsing to dnsleaktest.com on secondary browser (clean browser only used for testing) fails
  5. Dig google.com fails
  6. Dig @9.9.9.9 google.com fails
  7. Whitelist device in DNSFilter settings, browsing works fine
Interestingly, if everything is up and running fine I can run dig @192.168.1.1 and it resolves fine.

I'm not sure if that's DNSFilter redirecting the queries to point to the primary DNS, or whether the devices aren't recognizing the primary DNS is down.

I'm leaning towards the redirection being the issue at the moment as the DNS fails when the server is completely unplugged too.
 
