GT-BE98 Pro 3006.102.5 DNSDirector

It was working properly before. From what I see the change is in what redirect to Router does.
I was going off the changelog here

- FIXED: DNSDirector "Router" mode would not always work properly
with IPv6 (now uses REDIRECT instead of DNAT, which was
backported from iptables 1.4.19).
- FIXED: DNSDirector would try to create iptables rules even
when that SDN should not allow DNSDirector if it shares
the main LAN interface. This could break DNSDirector
on the main network.

and this thread

 
I see. What you potentially need to change in your setup is to stop redirections through the router's LAN IP (redirect to User Defined instead of Router) and probably select unfiltered upstream DNS servers for your Pi-hole(s). You have Quad9 filtered + Cloudflare unfiltered. This will stop the router appearing as a client in the Pi-hole(s) logs and allow you to see better what's filtered. If Quad9 filters something upstream you'll never know what it was. Or if you want an extra layer of protection, make the second upstream DNS also filtered.
 
That's what I had before and probably will go back. I switched due to the firmware update today for testing. My network is wild and controlling what goes out is ideal lol

 
With 10M+ domains blocklist you perhaps don't need a Pi-hole. Just unplug the WAN cable for similar results.
 
Lol. For some reason this container shows both piholes for the amount of blocked domains. It's only 5 million. It's really mostly malware, trackers, ads, and pron.

I was more showing the queries and blocked.
 
Last thing, it seems since DNS Director is working properly now within this new firmware, I don't have to point the WAN DNS to the piholes to get the router to use it as the DNS.

Unless something else is at play?
One comment about putting the Pi-Hole IPs in the Asus router's WAN DNS fields. This isn't a configuration that the Pi-Hole documentation recommends for Asus routers. Instead they recommend using the LAN DHCP Server DNS fields. As their documentation (link follows) indicates, when using the Pi-Hole IP addresses in the WAN fields and having Conditional Forwarding enabled on the Pi-Hole, you can set up a potential feedback loop of requests that can flood/cripple the local network. Been there, accidentally done that (a long time ago when first using Pi-Hole).

When Conditional Forwarding is enabled on the Pi-Hole and properly resolving client names, generally when looking at the Pi-Hole Query Logs, any Client entry with the router's name tends to be an indication of DNS Director performing a Redirection.

A note on the Conditional Forwarding option in Pi-Hole. If using a Guest Network Pro Profile with "Use same subnet as main network" disabled (or on non-3006.102.x firmware, if using YazFi), be sure to input (if you haven't done so already) the Guest Network IP address subnet class into the Conditional Forwarding field to allow the router to process the Pi-Hole Conditional Forwarding name lookup requests for the Guest Network clients. For example, in my use case on the 3006.102.x firmware with two Guest Network Pro Profiles with "Use same subnet as main network" disabled for both profiles, I have the following in the Pi-Hole's DNS settings Conditional Forwarding field. It allows for correct name lookup and correct client name reporting in the Pi-Hole Query Log/reporting.
Code:
true,192.168.2.0/24,192.168.2.1,lan
true,192.168.52.0/24,192.168.2.1,lan
true,192.168.53.0/24,192.168.2.1,lan
In the above example, 192.168.2.0/24 is the main LAN, 192.168.52.0/24 is the first Guest Network Pro Profile, 192.168.53.0/24 is the second Guest Network Pro Profile. 192.168.2.1 is the router IP address. And "lan" is the local domain name (set on the router's LAN > RT-AX86U Pro's Domain Name field).
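
A way to sanity-check Conditional Forwarding lines like the ones in the post above (an added example, not part of the original post and not Pi-hole's own code). It parses the `enabled,CIDR,target,domain` lines, lists clients that no enabled entry covers, and flags the feedback-loop condition described in the post, where entries forward to a router whose WAN DNS points back at a Pi-hole. The function names, the Pi-hole address 192.168.2.5, the client IPs and the WAN DNS values are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# The three lines from the post (main LAN plus two guest subnets).
POST_CONFIG = """\
true,192.168.2.0/24,192.168.2.1,lan
true,192.168.52.0/24,192.168.2.1,lan
true,192.168.53.0/24,192.168.2.1,lan
"""

class RevServer(NamedTuple):
    enabled: bool
    subnet: ipaddress.IPv4Network
    target: ipaddress.IPv4Address
    domain: str

def parse_rev_servers(text):
    """Parse 'enabled,CIDR,target,domain' lines; reject malformed ones."""
    entries = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[0] not in ("true", "false"):
            raise ValueError(f"line {n}: expected enabled,CIDR,target,domain")
        # strict=True rejects a host address typed where a network belongs
        subnet = ipaddress.ip_network(parts[1], strict=True)
        entries.append(RevServer(parts[0] == "true", subnet,
                                 ipaddress.ip_address(parts[2]), parts[3]))
    return entries

def uncovered_clients(entries, client_ips):
    """Clients no enabled entry covers; their names will not resolve in the log."""
    active = [e.subnet for e in entries if e.enabled]
    return [ip for ip in client_ips
            if not any(ipaddress.ip_address(ip) in net for net in active)]

def looping_entries(entries, router_ip, router_wan_dns, pihole_ips):
    """Enabled entries forwarding to a router whose WAN DNS is a Pi-hole."""
    router = ipaddress.ip_address(router_ip)
    back_to_pihole = set(router_wan_dns) & set(pihole_ips)
    return [e for e in entries
            if e.enabled and e.target == router and back_to_pihole]

if __name__ == "__main__":
    cfg = parse_rev_servers(POST_CONFIG)
    # Constructed inputs: 192.168.54.9 sits in an unlisted guest subnet,
    # 192.168.2.5 is a made-up Pi-hole address.
    print(uncovered_clients(cfg, ["192.168.2.40", "192.168.52.17", "192.168.54.9"]))
    print(len(looping_entries(cfg, "192.168.2.1", ["192.168.2.5"], ["192.168.2.5"])))
    print(len(looping_entries(cfg, "192.168.2.1", ["9.9.9.9"], ["192.168.2.5"])))
```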
 