GT-BE98 Pro 3006.102.5 DNSDirector

The two Pi-holes you have are both wired and local, but there is no fail-safe in this setup. The one used by your clients is User defined 1. The other one is just connected to the network and does nothing. What is your use case for two Pi-holes?
If one fails so I can switch everything over with the click of a button or two.
 
Possible, but you also have to be local. A few clicks will restore Internet even without second device at least until you fix whatever got broken on your Pi-hole (worn out SD card most of the time or failed power supply).
 
As I see it if the Pi-hole on x.124 IP is out - no Internet.
Nope. With x.124 offline (powered off), Internet still accessible through the second Pi - x.58 IP address.

The way things work, as I understand it (which may be wrong or incomplete): because the LAN DHCP Server fields are configured for both Pi's, and because both Pi's are configured for No Redirection in the DNS Director's Client List, requests from both Pi's are not intercepted by DNS Director; they go straight to the Internet.

If a client (non Guest Network Pro clients) tries to use a DNS server other than the two LAN DNS servers (the two Pi-Holes), then DNS Director intercepts the client DNS request and routes it to User Defined DNS #1 per the Global Redirection being set to User Defined #1. However, if User Defined DNS #1 is unreachable, then those client requests that are trying to bypass the Pi-Holes will not reach the internet because there is no fallback DNS server (i.e. for example User Defined DNS #2) reachable.
 
Possible, but you also have to be local. A few clicks will restore Internet even without second device at least until you fix whatever got broken on your Pi-hole (worn out SD card most of the time or failed power supply).
Yes, possibly. One is a Pi 5 with NVMe and the other is a QNAP NAS, all E1.S NVMe. It's just because, lol.
 
Nope. With x.124 offline (powered off), Internet still accessible through the second Pi - x.58 IP address.

What tells the clients redirected to DNS1 to start using DNS2? If there is such fail-safe mechanism it has to be built into DNS Director.
 
What tells the clients redirected to DNS1 to start using DNS2? If there is such fail-safe mechanism it has to be built into DNS Director.
Primary LAN clients will talk to either Pi-Hole LAN-to-LAN without going through the router or firewall. I don’t know how SDN clients would fare if the primary Pi-Hole goes down.
 
What tells the clients redirected to DNS1 to start using DNS2? If there is such fail-safe mechanism it has to be built into DNS Director.
Normally main LAN client DNS requests would go to the local network Pi-Holes due to the LAN DHCP DNS Server #1 and #2 being set to Pi-Hole IPs. Because DNS Director is configured for No Redirection on the Pi-Hole clients, the main LAN clients' requests to the Pi-Holes are not intercepted and redirected to User Defined DNS #1. As I understand it (with my setup), only when a main LAN client DNS request goes to some DNS server other than the Pi-Hole (like for example a client being hard coded to use Google 8.8.8.8/8.8.4.4 DNS servers), does DNS Director intercept that main LAN client DNS request and route it to User defined DNS #1 (Pi-Hole #1). (PS: Because of the No Redirection Pi-Hole client rule(s), the Pi-Hole clients' own DNS requests are not intercepted by DNS Director.)

DNS Director, unless I missed it, does not have the capability currently, when it intercepts a main LAN client DNS request that it would route to User defined DNS #1, to route that request to User defined DNS #2 if User defined DNS #1 is unreachable. I'm probably explaining this poorly.
 
Primary LAN clients will talk to either Pi-Hole LAN-to-LAN without going through the router or firewall.

Okay, this explains what is happening.

Because DNS Director is configured for No Redirection on the Pi-Hole clients, the main LAN clients' requests to the Pi-Holes are not intercepted and redirected to User Defined DNS #1.

Actually, the Pi-hole devices themselves are configured for No Redirection. It's them being not redirected and not clients not redirected when trying to access Pi-holes. The fail-safe comes from what @dave14305 explained above, but for the main network only.
 
Actually, the Pi-hole devices themselves are configured for No Redirection. It's them being not redirected and not clients not redirected when trying to access Pi-holes. The fail-safe comes from what @dave14305 explained above, but for the main network only.
Like I said, I explained things poorly and may have misunderstood how things work. :D May have gotten the specific details wrong but overall general concept is roughly the same. Yes, the fail-safe (if I understand things correctly) isn't there for the Guest Network Pro clients if User defined DNS #1 isn't reachable.

Haven't personally dug into it too much. But with Guest Network Pro and how one configures the Use same subnet as main network option along with the "Access Intranet" Guest Network Pro option possibly not working properly; it apparently may present some tradeoffs with using local network Pi-Holes and the DNS Director Guest Network Pro client list redirections to User defined DNS and no fail-safe backup DNS.
 
Yes, the fail-safe (if I understand things correctly) isn't there for the Guest Network Pro clients if User defined DNS #1 isn't reachable.

This setup will also fail for the main network if the Pi-hole on x.124 is down and a client insists on something else hard coded as DNS and not the DHCP suggested DNS servers. It has some fail-safe capabilities, but conditional. Some IoTs, smart TVs, Android TV boxes, etc. may consistently fail. Better than nothing though, agree.
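
The behaviour the posts above describe, as a small model (an added example, not part of the thread and not Asuswrt-Merlin code). Client names, client addresses and the 9.9.9.9 upstream are constructed; treating Guest Network Pro clients as always redirected follows the posters' understanding and is an assumption.

```python
from dataclasses import dataclass

PIHOLE_1, PIHOLE_2 = "x.124", "x.58"   # the two Pi-holes named in the thread
DHCP_DNS = [PIHOLE_1, PIHOLE_2]        # LAN DHCP DNS Server #1 and #2
GLOBAL_REDIRECT = PIHOLE_1             # Global Redirection -> User Defined DNS #1
NO_REDIRECT = {PIHOLE_1, PIHOLE_2}     # Pi-holes set to No Redirection

@dataclass
class Client:
    name: str
    ip: str
    dns_servers: list          # servers the client actually queries, in order
    on_main_lan: bool = True   # False: Guest Network Pro client (assumed always redirected)

def answering_server(client, down):
    """Return the server that ends up answering the client, or None if all attempts fail."""
    for target in client.dns_servers:
        if client.ip in NO_REDIRECT:
            effective = target              # Pi-hole's own upstream queries pass untouched
        elif client.on_main_lan and target in DHCP_DNS:
            effective = target              # switched LAN-to-LAN, never crosses the router
        else:
            effective = GLOBAL_REDIRECT     # intercepted and rewritten to User Defined DNS #1
        if effective not in down:
            return effective
    return None

# Constructed sample clients
CLIENTS = [
    Client("laptop (uses DHCP DNS)", "x.20", list(DHCP_DNS)),
    Client("smart TV (hard-coded 8.8.8.8)", "x.30", ["8.8.8.8", "8.8.4.4"]),
    Client("guest phone (Guest Network Pro)", "guest.10", list(DHCP_DNS), on_main_lan=False),
    Client("Pi-hole #2 (upstream lookups)", PIHOLE_2, ["9.9.9.9"]),
]

def outage_report(down):
    """Map each sample client to the server that answers it while `down` servers are offline."""
    return {c.name: answering_server(c, set(down)) for c in CLIENTS}

if __name__ == "__main__":
    for scenario in ([], [PIHOLE_1], [PIHOLE_2]):
        print("down:", scenario or "nothing")
        for name, server in outage_report(scenario).items():
            print(f"  {name:34} -> {server or 'NO DNS'}")
```

Only the x.124 outage leaves any client without DNS, because x.124 is both a DHCP-advertised server and the sole redirection target.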
 
This setup will also fail for the main network if the Pi-Hole on x.124 is down and a client insists on something else hard coded as DNS and not the DHCP suggested DNS servers. It has some fail-safe capabilities, but conditional. Some IoTs, smart TVs, Android TV boxes, etc. may consistently fail. Better than nothing though, agree.
Yes. While we've gone down a bit of a side track from the OP's issue, it just highlights some potential issues when using the User defined DNS routing in DNS Director.
 
The information is still useful for future readers. What I missed is the fact LAN-to-LAN traffic is switched and your LAN DNS servers are on the same LAN. In this case whatever is set in DNS Director for redirection doesn't matter. If the client obeys DHCP rules - all good.

About GN Pro on different VLAN - not sure where you guys are at with Asuswrt-Merlin, but I have read some threads in Ubiquiti Community forums and the situation for folks using separate AGH/Pi-hole instead of built-in ad-blocking is messy. Different VLANs with own DHCP servers, inter-VLAN rules for accessing some local DHCP server on main VLAN (or somewhere else)... and it doesn't see where the requests are coming from... some people like to overcomplicate things. Others just use it as global WAN DNS and call it a day.
 
What tells the clients redirected to DNS1 to start using DNS2? If there is such fail-safe mechanism it has to be built into DNS Director.
You could just build the list out of 64 clients that you know will use the DNS from the router (PCs and laptops), then just have other stuff keep using the Director?
 
Not sure I understand your question. The router can only suggest DNS servers via DHCP. The client doesn't have to use the servers suggested. What we discuss here is how to make sure clients don't go around the filtering DNS and have some fail-safe mechanism at the same time in case of failure of external device. @bennor's setup will work okay for you as well with the same conditions.
 
Not sure I understand your question. The router can only suggest DNS servers via DHCP. The client doesn't have to use the servers suggested. What we discuss here is how to make sure clients don't go around the filtering DNS and have some fail-safe mechanism at the same time in case of failure of external device. @bennor's setup will work okay for you as well with the same conditions.
Was not a question. Was also mentioning another way, but more convoluted vs. what @bennor said.
 
Anyways, thanks @bennor. Your suggestion of no redirection for the Pi-holes seemed to fix the DNS Director issue. Can't believe it was so simple. What threw me off was the router basically locking up. I had to unplug everything from the network and then plug in one at a time to see what was causing the issue.
 
Last thing, it seems since DNS Director is working properly now within this new firmware, I don't have to point the WAN DNS to the Pi-holes to get the router to use it as the DNS.

Unless something else is at play?

 
it seems since DNS Director is working properly now within this new firmware

It was working properly before. From what I see the change is in what redirect to Router does.
 
