Merlin, dnsmasq, Pi-hole Accurate Device Names How-To?


GHammer

Senior Member
I have an RT-AX86U running 386.1 beta 2 and while it is working well, I find that many ads are being served to devices, especially mobile phones.
I have tried various suggestions for solving this and the DNSFilter option to force all DNS traffic to my Pi-hole works the best.
Unfortunately, it has a side effect of causing the Pi-hole to show all queries as coming from the router.
I use the individual device names as a troubleshooting tool. Recently, I have had a single device make ~45,000 queries for the same site per day.

So, my ask. How to set my router running Merlin's load to force all DNS queries to the Pi-hole while keeping the individual device names on the Pi-hole?

Kindly be detailed.

@dave14305 @ColinTaylor
 

sturmstar

Regular Contributor
You have to advertise your Pi-hole as DNS server directly to your devices, so that the devices talk directly to the Pi-hole. You can do that by advertising the IP of your Pi-hole as DNS server in your DHCP settings.

So all devices talk directly to your Pi-hole, and devices which ignore the advertised DHCP DNS settings get redirected by Asuswrt-Merlin DNSFilter (and these are the only ones which are "shown as coming from the router").
 

dave14305

Part of the Furniture
I would go ahead and put the Pi-Hole IP in LAN DHCP DNS 1 and WAN DNS 2. Put a reliable public DNS Server in WAN DNS 1 (e.g. Cloudflare, Quad9, etc.). In DNSFilter, set Custom 1 to the router's IP address and set the Global mode to Custom 1, after adding an exception for the Pi-Hole IP. On the LAN DHCP Server page, check the box to advertise the router IP in addition to the custom choice.

In /jffs/configs/dnsmasq.conf.add, put the following lines:
Code:
strict-order
add-mac
add-subnet=32
local=/0.1.168.192.in-addr.arpa/
The local line is optional unless you've set up Conditional Forwarding on the Pi-Hole to forward your LAN domain and subnet back to the router IP. And if you have a different LAN subnet, replace the 1 with that subnet (e.g. 50).

This should tell your LAN clients to use the Pi-Hole as their DNS server (via DHCP) with the router IP as a backup (in case of Pi-Hole failure). Any clients trying to bypass the DHCP-provided DNS will get caught by the DNSFilter and sent to the router's DNSmasq which is now configured to use strict order, which means to use WAN DNS 2 first (Pi-Hole), then if Pi-Hole fails, it will switch to the WAN DNS 1 server. Queries sent from the router to Pi-Hole will now contain the client IP and MAC due to the configuration we added above to dnsmasq.conf.add.

Haven't tested this at all since November in this other thread, but in my head it should work just fine. Just make sure you're running the latest Pi-Hole software.
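To make concrete what add-mac and add-subnet=32 change in the query the router forwards, here is an added example (my own illustration, not code from this thread, from dnsmasq or from Pi-hole) that builds a DNS query carrying the two EDNS0 options and then parses it the way an upstream such as Pi-hole would. Assumptions: EDNS Client Subnet is option code 8 (RFC 7871); the MAC rides in private option code 65001, which I understand to be dnsmasq's default add-mac encoding; the client address, MAC and query name are constructed sample values.

```python
import struct

OPT_ECS = 8        # EDNS Client Subnet, RFC 7871
OPT_MAC = 65001    # assumption: dnsmasq's default add-mac private option code
TYPE_OPT = 41


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Read an uncompressed name at buf[off]; return (name, next offset)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def ecs_option(client_ip, prefix):
    """EDNS Client Subnet option: family, source prefix, scope 0, then only
    as many address bytes as the prefix covers (RFC 7871 section 6)."""
    octets = bytes(int(o) for o in client_ip.split("."))
    nbytes = (prefix + 7) // 8
    addr = bytearray(octets[:nbytes])
    if prefix % 8:  # clear host bits in the last partial byte
        addr[-1] &= (0xFF << (8 - prefix % 8)) & 0xFF
    body = struct.pack("!HBB", 1, prefix, 0) + bytes(addr)
    return struct.pack("!HH", OPT_ECS, len(body)) + body


def mac_option(mac):
    """Six raw MAC bytes in the (assumed) dnsmasq add-mac option."""
    body = bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!HH", OPT_MAC, len(body)) + body


def build_query(qname, client_ip, client_mac, prefix=32, txid=0x1234):
    """A-record query with one OPT RR carrying ECS and MAC options, i.e. what
    a forwarder running add-subnet=<prefix> and add-mac sends upstream."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = ecs_option(client_ip, prefix) + mac_option(client_mac)
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version/flags 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def parse_client_info(packet):
    """What the upstream resolver can learn about the real client from the
    query: the ECS address/prefix and the MAC, if present."""
    _, _, qdcount, _, _, arcount = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    qname = None
    for _ in range(qdcount):
        qname, off = decode_name(packet, off)
        off += 4  # QTYPE + QCLASS
    info = {"qname": qname, "client_ip": None, "prefix": None, "client_mac": None}
    # A query carries no answer/authority records, so the additional section follows.
    for _ in range(arcount):
        _, off = decode_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            p += 4
            body = rdata[p:p + olen]
            p += olen
            if code == OPT_ECS and len(body) >= 4:
                family, src_prefix, _ = struct.unpack("!HBB", body[:4])
                if family == 1:  # IPv4; pad the truncated address back to 4 bytes
                    addr = body[4:8].ljust(4, b"\x00")
                    info["client_ip"] = ".".join(str(b) for b in addr)
                    info["prefix"] = src_prefix
            elif code == OPT_MAC and olen == 6:
                info["client_mac"] = ":".join(f"{b:02x}" for b in body)
    return info


if __name__ == "__main__":
    # Constructed sample client; compare what /32 and /24 reveal upstream.
    for prefix in (32, 24):
        pkt = build_query("example.com", "192.168.1.50", "aa:bb:cc:dd:ee:ff", prefix=prefix)
        print(prefix, parse_client_info(pkt))
```

Running it with a /24 prefix shows why the thread uses add-subnet=32 rather than a shorter prefix: with /24 the forwarder sends only the network part, so every LAN client looks like 192.168.1.0 and per-device attribution on the Pi-hole is lost. The flip side is that these options are only appropriate on the hop from the router to a Pi-hole you control; if the Pi-hole is down and strict-order falls back to WAN DNS 1, the same LAN address and MAC travel to the public resolver, so treat that fallback as a privacy trade-off rather than a free backup.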
 

GHammer

Senior Member
@dave14305

Thank you ever so much! This seems to work, the Pi-hole is logging devices individually now.
I do have a question though.
After restarting dnsmasq on the router, the add file was appended. However, the logs show that only the public DNS server is being used as the other DNS server entry is on the local interface. When I do an nslookup from ssh to router, I see that the public DNS is the one being used.

I'm attaching a snip of the router log showing this.

Since the devices are being directed to the Pi-hole, not certain this makes any difference.

Thanks again.

I'm going to post a summary of what I did in the sequence I did it.

Code:
Put Pi-Hole IP in LAN DHCP DNS 1 and WAN DNS 2.
Put a reliable public DNS Server in WAN DNS 1
In LAN DHCP, enable Advertise router's IP in addition to user-specified DNS
In DNSFilter, add an exception for the Pi-Hole IP
In DNSFilter, set Custom 1 to the router's IP address and set the Global mode to Custom 1.
 In /jffs/configs/dnsmasq.conf.add, put the following lines:
strict-order
add-mac
add-subnet=32
local=/0.100.10.10.in-addr.arpa/
When file is in place, ssh to the router and issue service restart_dnsmasq command

All DNS queries should now be sent to the Pi-hole, which in my case is using unbound as primary DNS.
 

dave14305

Part of the Furniture
The router itself will use the WAN DNS servers in the expected order (1, 2) from /etc/resolv.conf, but if you really wanted you can set the router to use dnsmasq on the Tools / Other Settings page. dnsmasq is a little funky about how it prioritizes multiple server entries, hence the "preference" for WAN DNS 2 when using strict-order.
 

GHammer

Senior Member
The router itself will use the WAN DNS servers in the expected order (1, 2) from /etc/resolv.conf, but if you really wanted you can set the router to use dnsmasq on the Tools / Other Settings page. dnsmasq is a little funky about how it prioritizes multiple server entries, hence the "preference" for WAN DNS 2 when using strict-order.

Nope, that answered my question. Thanks again!
 

GHammer

Senior Member
There seems to be a problem attaching a log file (as txt) or inserting code with the log entries. No problem, my question is answered.
 

bbunge

Part of the Furniture
If you want to add a bit more security to the Pi-Hole, add Stubby DoT to the Pi. There is a how-to for that on the Pi-Hole forum.
About the only thing I do to add the Pi-Hole to my network is to put the Pi IP address in LAN/DHCP Server/DNS Server 1, then under LAN/DNS Filter set Global Filter Mode to Router and set the Pi to unfiltered. That way if the Pi fails the router will be the backup DNS, and I have that set to DoT at 1.1.1.2 and 1.0.0.2.
 

dave14305

Part of the Furniture
About the only thing I do to add the Pi-Hole to my network is to put the Pi IP address in LAN/DHCP Server/DNS Server 1, then under LAN/DNS Filter set Global Filter Mode to Router and set the Pi to unfiltered. That way if the Pi fails the router will be the backup DNS, and I have that set to DoT at 1.1.1.2 and 1.0.0.2.
I'm trying to understand how the router will be the backup if the DNSFilter rule will direct everything the router receives to the Pi-Hole IP. If the Pi-Hole goes down, you should be dead in the water theoretically.
 

bbunge

Part of the Furniture
I'm trying to understand how the router will be the backup if the DNSFilter rule will direct everything the router receives to the Pi-Hole IP. If the Pi-Hole goes down, you should be dead in the water theoretically.
You are not reading my setup but assuming I am modifying yours. My setup uses conventional router dns settings to remote resolvers not internal.
 

dave14305

Part of the Furniture
You are not reading my setup but assuming I am modifying yours. My setup uses conventional router dns settings to remote resolvers not internal.
True enough. I think it’s probably worth documenting several Merlin-based setups for Pi-Hole since the topic comes up frequently.
 

GHammer

Senior Member
@dave14305

I set all this up yesterday, tested the phones (Android and iOS), ads were gone.
So was some outgoing connectivity on a couple of servers I have here. I couldn't even ping the sites they send to.
Then, I remembered www.isitdownrightnow.com, and sure enough, the services I connect to were down. Hosted on the recently unstable AWS. Geesh!

I still do not have names in Pi-hole though.
For statically reserved (on router) IPs, yes there are names.
For devices that I have not set a static IP, no name, just the IP. I can cross-reference to the router's client list or wireless log if I need to know what device it is.
My desire was not to need to do that.

@bbunge I may well look into adding Stubby.
 

dave14305

Part of the Furniture
I still do not have names in Pi-hole though.
For statically reserved (on router) IPs, yes there are names.
For devices that I have not set a static IP, no name, just the IP. I can cross-reference to the router's client list or wireless log if I need to know what device it is.
My desire was not to need to do that.
Do you have Conditional Forwarding enabled on the Pi-Hole?
 

bbunge

Part of the Furniture
Interesting. My client names show up in the Pi-Hole Top Clients Total and Blocked.

My DNS settings:
Router
WAN
DNS Server 1 - 1.1.1.2
DNS Server 2 - 1.0.0.2
DNS Privacy Protocol- DoT
DNS-over-TLS Server List - Manually set to 1.1.1.2 and 1.0.0.2

LAN/DHCP Server
DNS Server 1 - set to IP of Pi-Hole
DNS Server 2 - blank

LAN/DNSFilter - Enabled
Global Filter Mode - Router
Client List - Raspberry Pi Foundation - No Filtering

Pi-Hole
Settings/DNS
Use Conditional Forwarding - Checked
Local network - 192.168.50.0/24
IP address of your DHCP server (router) - 192.168.50.1
Local domain name (optional) - blank

I also have the Pi set to use DoT - See https://discourse.pi-hole.net/t/implementing-dns-over-tls/27538/8 but you can use any of the preconfigured DNS servers or manually assigned DNS Servers.

With the above setup each client gets two DNS servers: the Pi-Hole and the router. Using Cloudflare (or Quad9) upstream resolvers to block malware domains, the Pi-Hole only has to block ads. IoT devices with hard-coded DNS get filtered by the router, and they do not care about ads.

Now, if you want to have a client to only have the Pi-Hole as a DNS server:
LAN/DHCP Server
Manually Assigned IP around the DHCP list (Max Limit : 64) - set a "reserved" IP Address and DNS Server set to IP address of the Pi-Hole

The client will then only get the IP address of the Pi-Hole or other assigned DNS resolver

Edit: If you have the two blocklists enabled that came with Pi-Hole you may want to remove the one for malware domains as it has been discontinued and will not get updates.
 

dave14305

Part of the Furniture
IoT devices with hard-coded DNS get filtered by the router, and they do not care about ads.
Based on your described setup, the IoT devices will get filtered to the Pi-Hole. Do you see their queries on the Pi-Hole?

It’s an obscure nuance of DNSFilter that the mode “Router” will use the LAN DHCP DNS 1 server, but if it’s blank then it defaults to the router IP.

I know I keep nagging about this point, but I just want to make sure everyone understands the behavior of DNS Filter in this scenario (including me).

Thanks for sharing your setup!
 

GHammer

Senior Member
Well, thanks to both of you.
I took the optional Local domain name out of my Pi-hole and flushed the logs, network table, then restarted the Pi-hole.
Upon its return, I do not see any unidentified devices.

@dave14305 I'm leaving all the DNS settings in the router as is. It is working at blocking ads on all devices now, even if I go hunting for them using Chrome as my browser.
I will look at the router DHCP to see if it has a name if any unidentified devices show up again.

@bbunge I'm configured differently than you as I am running unbound on the Pi. Since it's my DNS server, I don't need to obscure DNS requests. If someone is that interested to follow the call to the root servers then down the path to an authoritative answer, they are welcome to the knowledge. I (knock wood) haven't seen malware in literally years.
 

GHammer

Senior Member
Do the IPs in question show up with a hostname on the router’s DHCP leases log page?

Just got one. No, the device does not show in the DHCP tab, but is shown named in Wireless log and Network map->Client list.
 

dave14305

Part of the Furniture
Just got one. No, the device does not show in the DHCP tab, but is shown named in Wireless log and Network map->Client list.
Doesn’t show up at all, or doesn’t show up with a hostname? How does it get its IP? Names that only exist in the Client List aren’t known to dnsmasq, so the Pi-Hole can’t retrieve them via a reverse lookup of the IP. You could add a reserved IP on the DHCP tab with a hostname to let dnsmasq respond with your preferred hostname. Or you can just set up the name on the Pi-Hole (I seem to remember there was some kind of configurable client list available).
 
