GT-BE98 pro DNS Director issue with my pihole?

VeloxNEx

New Around Here
Hi everybody... First post. I'm running the Asuswrt-merlin firmware. It's pretty great!

There's a larger story but I think my DNS Director hates me. I pointed it at User Defined 1 at my pihole and it seemed to put the iptables entry last, which means it'll basically never get hit.

Code:
#iptables -t nat -L DNSFILTER -v
Chain DNSFILTER (4 references)
 pkts bytes target     prot opt in     out     source               destination                              
    0     0 DNAT       all  --  any    any     anywhere             anywhere                                           MAC DC:46:28:D3:9C:A3 to:1.1.1.3
    0     0 DNAT       all  --  any    any     anywhere             anywhere                                           MAC D0:AB:D5:38:A3:51 to:1.1.1.3
    0     0 DNAT       all  --  any    any     anywhere             anywhere                                           MAC 62:20:63:FA:DA:B1 to:94.140.14.15
    6   495 RETURN     all  --  any    any     anywhere             anywhere                                           MAC 02:42:C0:A8:32:2A
   87  6296 RETURN     all  --  br52   any     anywhere             anywhere                                
 1002 70167 RETURN     all  --  br0    any     anywhere             anywhere                                
    0     0 RETURN     all  --  br0    any     anywhere             anywhere                                
    0     0 DNAT       all  --  any    any     anywhere             anywhere                                           to:192.168.50.42
#@GT-BE98_Pro-C528:/tmp/home/root#

If I remove the automatically generated "RETURN" entries the pihole gets the traffic and everything seems to be functional. But if for any reason I have to save the DNS Director again, those entries get re-entered and the pihole is back down at the bottom.

Outside of not using the DNS director, is this expected/normal? Have I done something to break the DNS director? Does it just hate me?
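As an added illustration (my code, not from the post), the following replays the DNSFILTER chain above the way netfilter evaluates it: first match wins, and a `RETURN` on `br0` ends the chain before the catch-all DNAT to the Pi-hole is ever reached. The rule list is the poster's `-L -v` listing rewritten in `iptables -S` form; `resolve` and `global_rule_reachable` are helper names of the example, not firmware functions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    target: str            # "DNAT" or "RETURN"
    in_if: Optional[str]   # "-i <iface>" match; None means any interface
    mac: Optional[str]     # "--mac-source" match; None means any client
    to: Optional[str]      # DNAT destination; None for RETURN

# Constructed from the `-L -v` listing in the post, rewritten in `iptables -S` form.
CHAIN = """\
-A DNSFILTER -m mac --mac-source DC:46:28:D3:9C:A3 -j DNAT --to-destination 1.1.1.3
-A DNSFILTER -m mac --mac-source D0:AB:D5:38:A3:51 -j DNAT --to-destination 1.1.1.3
-A DNSFILTER -m mac --mac-source 62:20:63:FA:DA:B1 -j DNAT --to-destination 94.140.14.15
-A DNSFILTER -m mac --mac-source 02:42:C0:A8:32:2A -j RETURN
-A DNSFILTER -i br52 -j RETURN
-A DNSFILTER -i br0 -j RETURN
-A DNSFILTER -i br0 -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.50.42
"""

def _opt(pattern: str, line: str) -> Optional[str]:
    m = re.search(pattern, line)
    return m.group(1) if m else None

def parse_chain(listing: str) -> List[Rule]:
    """Turn `iptables -S DNSFILTER` append lines into Rule objects, in chain order."""
    rules = []
    for line in listing.splitlines():
        if not line.startswith("-A DNSFILTER"):
            continue
        mac = _opt(r"--mac-source (\S+)", line)
        rules.append(Rule(_opt(r" -j (\S+)", line), _opt(r" -i (\S+)", line),
                          mac.upper() if mac else None,
                          _opt(r"--to-destination (\S+)", line)))
    return rules

def resolve(rules: List[Rule], in_if: str, mac: str) -> Tuple[int, Optional[str]]:
    """Walk the chain top to bottom as netfilter does; return (index of the first
    matching rule, DNAT destination or None). None = query leaves unredirected."""
    for i, r in enumerate(rules):
        if r.in_if is not None and r.in_if != in_if:
            continue
        if r.mac is not None and r.mac != mac.upper():
            continue
        return i, (r.to if r.target == "DNAT" else None)
    return len(rules), None

def global_rule_reachable(rules: List[Rule], in_if: str) -> bool:
    """True if a client on `in_if` with no per-client rule reaches the final DNAT."""
    unlisted = "FF:FF:FF:FF:FF:FF"  # constructed MAC that no per-client rule names
    idx, to = resolve(rules, in_if, unlisted)
    return idx == len(rules) - 1 and to is not None
```

Deleting the two `-i br0 -j RETURN` rules from the list is exactly the manual fix described in the post, and with them gone `global_rule_reachable(rules, "br0")` flips to true.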
 
@VeloxNEx, how exactly is the full DNS page configured? It may help if you post a readable screen shot of the DNS Director.

I made a post a while back on how to setup DNS Director to use Pi-Hole. See the following post.
In my case I have configured the User Defined 1 with the Pi-Hole IP address. The Pi-Hole(s) are set in the Client List and configured for No Redirection. I have further configured the LAN DHCP DNS server fields for the Pi-Hole IP addresses. Everything seems to be working correctly on a RT-AX86U Pro running 301.102.4.
 
Then it’s a conflict with a guest network or front haul/back haul network.
Check this thread for some ideas:
Thanks! I wasn't sure if I should script those out or not. I do have 1 aimesh unit, unlike that person. Not sure if that made any difference or not.

> @VeloxNEx, how exactly is the full DNS page configured? It may help if you post a readable screen shot of the DNS Director.
>
> I made a post a while back on how to setup DNS Director to use Pi-Hole. See the following post.
> In my case I have configured the User Defined 1 with the Pi-Hole IP address. The Pi-Hole(s) are set in the Client List and configured for No Redirection. I have further configured the LAN DHCP DNS server fields for the Pi-Hole IP addresses. Everything seems to be working correctly on a RT-AX86U Pro running 301.102.4.

I've seen your posts around when I've googled this issue the past few days! Attached are my screenshots. I'd be more than happy to have overlooked something silly. As soon as I logged into the router and saw the iptables, I'm worried it's a bigger issue or something else is going on.

I know you didn't mention any specific pihole settings, is there anything I need to set up on that side?
But small list:
Upstream DNS Servers - Cloudflare
Advanced DNS Settings - Never forward reverse lookups for private IP ranges
Conditional forwarding - mine is a string - attached
 

Attachments: msedge_hvr6skrIlJ.png, msedge_Ddr973RldK.png, msedge_VxFaPy2dbf.png
> I know you didn't mention any specific pihole settings, is there anything I need to set up on that side?
The specific Pi-Hole side settings may depend on your use case/needs. For my needs/use case I have the Permit all origins option selected on the Pi-Hole DNS settings page. If one has their Pi-Hole exposed to the internet that setting can be potentially dangerous. I also have Use Conditional Forwarding enabled as well on the Pi-Hole.
 
Can you share the get_mtlan output?

get_mtlan
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[DEFAULT]
|-createby:[]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.50]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[0]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[0]
|-apg_idx:[0]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[1]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[52]
|-port_isolation:[0]
|-name:[LEGACY]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[1]
|-ifname:[br52]
|-br_ifname:[br52]
|-addr:[192.168.52.1]
|-subnet:[192.168.52.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.52.2]
|-dhcp_max:[192.168.52.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[0]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[1]
|-dhcp6_min:[1000]
|-dhcp6_max:[2000]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[1]
|-apg_idx:[1]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[1]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[MAINFH]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.50]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[0]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[2]
|-apg_idx:[1]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[1]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[MAINBH]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.50]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[0]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[3]
|-apg_idx:[2]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[1]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
 
@RMerlin It seems like DNS Director should ignore pmtl[i].name equals “MAINFH” or “MAINBH”, or when pmtl[i].nw_t.ifname is the same as lan_ifname.

I'll have to take a closer look at the code, but it would probably make sense - I already do that on the webui to skip offering these two networks as options in the SDN list.
 
> I'll have to take a closer look at the code, but it would probably make sense - I already do that on the webui to skip offering these two networks as options in the SDN list.
O. M. Goodness. It is "The" Merlin :D. Love your firmware! I'm not blaming you for it not liking me. :) Nothing to add other than that. Thanks for looking at it. iptables generally hate me regardless of the medium I'm using them on.
 
> Conditional forwarding - mine is a string - attached
Your conditional forwarding specifies the domain “local.lan” but it looks like you have not specified any local domain on the router’s DHCP page.

Also, why not put 192.168.50.42 in the LAN DHCP DNS1 field so devices query Pi-Hole directly, instead of needing to be redirected.
 
> Your conditional forwarding specifies the domain “local.lan” but it looks like you have not specified any local domain on the router’s DHCP page.
>
> Also, why not put 192.168.50.42 in the LAN DHCP DNS1 field so devices query Pi-Hole directly, instead of needing to be redirected.
Thanks for pointing that out! I'm not sure that matters, but I can fix that local domain part pretty easily.

The reason I haven't really done that is because the DNS Director is active because I have kiddos. They vary in ages and I use the built-in router family filtering for different ages. So the DNS Director remains active because of that. I need it to play nice and work correctly. When I google adding the pihole to the network with the latest years (2023 - 2025) I find posts like

> I made a post a while back on how to setup DNS Director to use Pi-Hole. See the following post.

I "can" add the LAN DNS server, yes. But it was "funny". I guess I can play around with the DNS Director settings to get this to work. I suppose the global settings would be no redirection by default instead of Router? Then not to advertise the router's info with the DNS.
 
> I'll have to take a closer look at the code, but it would probably make sense - I already do that on the webui to skip offering these two networks as options in the SDN list.
Another breaking scenario is to create an IoT guest network using the same subnet as the main network. Since it will also be br0, if you set a DNS Director option for this IoT network, it will apply to the main network also. If you keep IoT as “No redirection”, it puts a RETURN rule before the final Global rule.

So I think the better option is going to be ignoring SDNs that use br0.
Code:
# iptables -t nat -S DNSFILTER
-N DNSFILTER
-A DNSFILTER -m mac --mac-source 4C:03:ff:ff:D7:A8 -j RETURN
-A DNSFILTER -i br0 -j DNAT --to-destination 9.9.9.9
-A DNSFILTER -j REDIRECT
# get_mtlan
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[DEFAULT]
|-createby:[WEB]
|-*Network:
  |--IPv4:
        |-idx:[0]
        |-ifname:[br0]
        |-br_ifname:[br0]
        |-addr:[192.168.50.1]
        |-subnet:[192.168.50.0]
        |-netmask:[255.255.255.0]
        |-prefixlen:[24]
        |-dhcp_enable:[1]
        |-dhcp_min:[192.168.50.2]
        |-dhcp_max:[192.168.50.254]
        |-dhcp_lease:[86400]
        |-domain_name:[]
        |-dns:[][]
        |-wins:[]
        |-dhcp_res:[1]
        |-dhscp_res_idx:[0]
        |-dot_enable:[0]
        |-dot_tls:[1]
  |--IPv6:
        |-v6_enable:[1]
        |-v6_autoconf:[0]
        |-addr6:[]
        |-dhcp6_min:[]
        |-dhcp6_max:[]
        |-dns6:[][][]
|-*SDN Feature Index/Switch:
        |-sdn_idx:[0]
        |-apg_idx:[0]
        |-vpnc_idx:[0]
        |-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
        |-dnsf_idx:[0]
        |-urlf_idx:[0]
        |-nwf_idx:[0]
        |-cp_idx:[0]
        |-gre_idx:[0][0][0][0][0][0][0][0]
        |-fw_idx:[0]
        |-killsw_sw:[0]
        |-ahs_sw:[0]
        |-wan_idx:[0]
        |-ppprelay_sw:[0]
        |-wan6_idx:[0]
        |-mtwan_idx:[0]
        |-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[IoT]
|-createby:[WEB]
|-*Network:
  |--IPv4:
        |-idx:[0]
        |-ifname:[br0]
        |-br_ifname:[br0]
        |-addr:[192.168.50.1]
        |-subnet:[192.168.50.0]
        |-netmask:[255.255.255.0]
        |-prefixlen:[24]
        |-dhcp_enable:[1]
        |-dhcp_min:[192.168.50.2]
        |-dhcp_max:[192.168.50.254]
        |-dhcp_lease:[86400]
        |-domain_name:[]
        |-dns:[][]
        |-wins:[]
        |-dhcp_res:[1]
        |-dhscp_res_idx:[0]
        |-dot_enable:[0]
        |-dot_tls:[1]
  |--IPv6:
        |-v6_enable:[0]
        |-v6_autoconf:[0]
        |-addr6:[]
        |-dhcp6_min:[]
        |-dhcp6_max:[]
        |-dns6:[][][]
|-*SDN Feature Index/Switch:
        |-sdn_idx:[1]
        |-apg_idx:[1]
        |-vpnc_idx:[0]
        |-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
        |-dnsf_idx:[13]
        |-urlf_idx:[0]
        |-nwf_idx:[0]
        |-cp_idx:[0]
        |-gre_idx:[0][0][0][0][0][0][0][0]
        |-fw_idx:[0]
        |-killsw_sw:[0]
        |-ahs_sw:[0]
        |-wan_idx:[0]
        |-ppprelay_sw:[0]
        |-wan6_idx:[0]
        |-mtwan_idx:[0]
        |-mswan_idx:[0]
---------------------------------------
 
> Another breaking scenario is to create an IoT guest network using the same subnet as the main network. Since it will also be br0, if you set a DNS Director option for this IoT network, it will apply to the main network also. If you keep IoT as “No redirection”, it puts a RETURN rule before the final Global rule.
>
> So I think the better option is going to be ignoring SDNs that use br0.
Looking for the interface feels kludgy to me. What the firmware does to determine if it should set up a dnsmasq instance is check that both the SDN index and the network index are not zero:

Code:
if (pmtl->sdn_t.sdn_idx && pmtl->nw_t.idx) // ignore main LAN or IoT SDN

I'm more inclined to test that first. At first glance that should work, both the test networks I configured (one Guest that shared the same subnet, and an IoT) had a network index of 0.
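To make the index test concrete, here is an added example (mine, not firmware code) that parses a constructed excerpt of the get_mtlan dumps posted in this thread and applies both candidate filters: the `sdn_idx && nw_t.idx` test quoted above, and the earlier suggestion to skip any SDN that sits on the br0 bridge. The helper names (`parse_get_mtlan`, `index_test`, `bridge_test`, `networks_to_redirect`) are assumptions of the example.

```python
import re

# Constructed excerpt of the get_mtlan dumps posted in this thread: only the
# fields the filters read are kept; the real output has many more per entry.
GET_MTLAN = """\
|-name:[DEFAULT]
|-*Network:
  |--IPv4:
        |-idx:[0]
        |-ifname:[br0]
|-*SDN Feature Index/Switch:
        |-sdn_idx:[0]
---------------------------------------
|-name:[LEGACY]
        |-idx:[1]
        |-ifname:[br52]
        |-sdn_idx:[1]
---------------------------------------
|-name:[MAINFH]
        |-idx:[0]
        |-ifname:[br0]
        |-sdn_idx:[2]
---------------------------------------
|-name:[IoT]
        |-idx:[0]
        |-ifname:[br0]
        |-sdn_idx:[1]
        |-dnsf_idx:[13]
---------------------------------------
"""

def parse_get_mtlan(text):
    """One dict per dashed-separated entry; the first `|-key:[value]` seen wins
    per key, so the IPv4 `idx` is not clobbered by a later section."""
    entries = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        cur = {}
        for m in re.finditer(r"^\s*\|-+\*?(\w+):\[([^\]]*)\]", chunk, flags=re.M):
            cur.setdefault(m.group(1), m.group(2))
        if cur:
            entries.append(cur)
    return entries

def index_test(e):
    """The firmware test quoted above: both sdn_idx and the network idx non-zero."""
    return int(e["sdn_idx"]) != 0 and int(e["idx"]) != 0

def bridge_test(e, lan_ifname="br0"):
    """The alternative raised earlier in the thread: skip SDNs on the LAN bridge."""
    return e["ifname"] != lan_ifname

def networks_to_redirect(text, test=index_test):
    """Names of the SDNs DNS Director would still generate rules for."""
    return [e["name"] for e in parse_get_mtlan(text) if test(e)]
```

On this input both tests keep only LEGACY: DEFAULT, MAINFH and the IoT network (despite its non-zero dnsf_idx) all have a network index of 0 and all live on br0.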
 
> I'm more inclined to test that first. At first glance that should work, both the test networks I configured (one Guest that shared the same subnet, and an IoT) had a network index of 0.
That would seem to cover the MAINFH/MAINBH cases also.
 
> That would seem to cover the MAINFH/MAINBH cases also.
Yep.

I just finished testing on the RT-BE88U and it seemed to work properly (I also applied the same fix to the network enumeration on the DNSDirector web page as it was incorrectly listing the default IoT network which shares the default LAN).

RT-AX86U_Pro firmware is still compiling, I need to test on it as well since SDNs on Wifi 6 are still using the older architecture, so it might behave differently.
 
