Entware Pi-hole directly on the router? Yes!

[heslo]

Please go to Settings -> DNS and set upstream servers, you have none selected.

The instructions were made based on 388 firmware, the options might be called differently or be somewhere else in the older firmware.

Can you execute:

opkg search /opt/bin/tput

tput is usually not an available command and I put a polyfill in the package, but it looks like you have it, though it isn't working.
It shouldn't affect anything, it's used for detection of available colors in your terminal, without it you will probably not see any colors when executing Pi-hole related commands.
Nevermind, it seems like Entware have ncurses-bin package containing that command now.

Your log indicates that something killed the process:

   Sep  2 19:03:43 dnsmasq[2022]: exiting on receipt of SIGTERM

Is it possible that router was running low on memory at that time?
You will have to restart the service manually.

I did a full restart of the router and still was the same behaviour so it shouldn't have been running low on memory. I'll try again tonight and report back

 

[capitantrueno]

Hi there!

Please go to Settings -> DNS and set upstream servers, you have none selected.

I have set them in the corresponding PiHole section:

Your log indicates that something killed the process:

   Sep  2 19:03:43 dnsmasq[2022]: exiting on receipt of SIGTERM

Is it possible that router was running low on memory at that time?
You will have to restart the service manually.

I have your script for swap, but it doesn't seem to be running:

SWAP_FILE="/tmp/mnt/ENTWARE/swap.img" # swap file path, like /tmp/mnt/USBDEVICE/swap.img, leave empty to search for it in /tmp/mnt/*/swap.img
SWAP_SIZE=2097152 # swap file size, changing after swap is created requires it to be manually removed, 1048576 = 1GB

This is the new debug link.

Thanks!

 

[jacklul]

Hi there!


I have set them in the corresponding PiHole section:
View attachment 67732

I have your script for swap, but it doesn't seem to be running:

SWAP_FILE="/tmp/mnt/ENTWARE/swap.img" # swap file path, like /tmp/mnt/USBDEVICE/swap.img, leave empty to search for it in /tmp/mnt/*/swap.img
SWAP_SIZE=2097152 # swap file size, changing after swap is created requires it to be manually removed, 1048576 = 1GB

View attachment 67733

This is the new debug link.

Thanks!

That swap script will not mount a new swap file if one is already mounted.
It will not resize the file if you change the size on config after it has been created.

Debug log is fine, except no devices query Pi-hole.

 

[capitantrueno]

Hi there!

That swap script will not mount a new swap file if one is already mounted.
It will not resize the file if you change the size on config after it has been created.

Debug log is fine, except no devices query Pi-hole.

I created the swap file manually with these commands:

#--------------------------------------------
# Create a swap file
#--------------------------------------------
dd if=/dev/zero of=/tmp/mnt/ENTWARE/myswap.swp bs=1k count=2097152
mkswap /tmp/mnt/ENTWAREl/myswap.swp

I then modified the swap configuration file to match my path and size (I assumed it was necessary to specify the actual swap file values for your script to work correctly).
Are you suggesting I delete the file and let your path recreate it from scratch?

Here is the LAN IP tab of my 4G-AC86U:

And my DHCP Server tab:

Here is the pihole.tml configuration:

# Pi-hole configuration file (v6.2.3)


[dns]
  # Array of upstream DNS servers used by Pi-hole
  # Example: [ "8.8.8.8", "127.0.0.1#5335", "docker-resolver" ]
  #
  # Possible values are:
  #     array of IP addresses and/or hostnames, optionally with a port (#...)
  upstreams = [
    "1.1.1.1",
    "1.0.0.1"
  ] ### CHANGED, default = []



  # The DNS domain used by your Pi-hole.
  #
  # This DNS domain is purely local. FTL may answer queries from its local cache and
  # configuration but *never* forwards any requests upstream *unless* you have
  # configured a dns.revServer exactly for this domain. In the latter case, all queries
  # for this domain are sent exclusively to this server (including reverse lookups).
  #
  # For DHCP, this has two effects; firstly it causes the DHCP server to return the
  # domain to any hosts which request it, and secondly it sets the domain which it is
  # legal for DHCP-configured hosts to claim. The intention is to constrain hostnames so
  # that an untrusted host on the LAN cannot advertise its name via DHCP as e.g.
  # "google.com" and capture traffic not meant for it. If no domain suffix is specified,
  # then any DHCP hostname with a domain part (ie with a period) will be disallowed and
  # logged. If a domain is specified, then hostnames with a domain part are allowed,
  # provided the domain part matches the suffix. In addition, when a suffix is set then
  # hostnames without a domain part have the suffix added as an optional domain part.
  # For instance, we can set domain=mylab.com and have a machine whose DHCP hostname is
  # "laptop". The IP address for that machine is available both as "laptop" and
  # "laptop.mylab.com".
  #
  # You can disable setting a domain by setting this option to an empty string.
  #
  # Possible values are:
  #     <any valid domain>
  domain = "lan"


  # Interface to use for DNS (see also dnsmasq.listening.mode) and DHCP (if enabled)
  #
  # Possible values are:
  #     a valid interface name
  interface = "lo" ### CHANGED, default = "eth0"


  # Pi-hole interface listening modes
  #
 
  listeningMode = "BIND" ### CHANGED, default = "LOCAL"

  # Log DNS queries and replies to pihole.log
  queryLogging = true

  # List of CNAME records which indicate that <cname> is really <target>. If the <TTL> is
  # given, it overwrites the value of local-ttl
  #
  # Possible values are:
  #     Array of CNAMEs each on in one of the following forms: "<cname>,<target>[,<TTL>]"
  cnameRecords = []

  # Port used by the DNS server
  port = 5053 ### CHANGED, default = 53


  revServers = [
    "true,192.168.50.0/24,127.0.0.1#53,4G-AC86U.lan"
  ] ### CHANGED, default = []

  [dns.cache]
    # Cache size of the DNS server. Note that expiring cache entries naturally make room
    # for new insertions over time. Setting this number too high will have an adverse
    # effect as not only more space is needed, but also lookup speed gets degraded in the
    # 10,000+ range. dnsmasq may issue a warning when you go beyond 10,000+ cache entries.
    size = 10000

  [dns.blocking]
    # Should FTL block queries?
    active = true



  [dns.specialDomains]
    # Should Pi-hole always reply with NXDOMAIN to A and AAAA queries of
    # use-application-dns.net to disable Firefox automatic DNS-over-HTTP? This is
    # following the recommendation on
    # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
    mozillaCanary = true

    # Should Pi-hole always reply with NXDOMAIN to A and AAAA queries of mask.icloud.com
    # and mask-h2.icloud.com to disable Apple's iCloud Private Relay to prevent Apple
    # devices from bypassing Pi-hole? This is following the recommendation on
    # https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
    iCloudPrivateRelay = true

    # Should Pi-hole always reply with NODATA to all queries to zone resolver.arpa to
    # prevent devices from bypassing Pi-hole using Discovery of Designated Resolvers? This
    # is based on recommendations at the end of RFC 9462, section 4.
    designatedResolver = true

    [dns.reply.host]
      # Use a specific IPv4 address for the Pi-hole host? By default, FTL determines the
      # address of the interface a query arrived on and uses this address for replying to A
      # queries with the most suitable address for the requesting client. This setting can
      # be used to use a fixed, rather than the dynamically obtained, address when Pi-hole
      # responds to the following names: [ "pi.hole", "<the device's hostname>",
      # "pi.hole.<local domain>", "<the device's hostname>.<local domain>" ]
      force4 = false

[dhcp]
  # Is the embedded DHCP server enabled?
  active = false

  [ntp.ipv4]
    # Should FTL act as network time protocol (NTP) server (IPv4)?
    active = false ### CHANGED, default = true

    # IPv4 address to listen on for NTP requests
    #
    # Possible values are:
    #     <valid IPv4 address> or empty string ("") for wildcard (0.0.0.0)
    address = ""

  [ntp.ipv6]
    # Should FTL act as network time protocol (NTP) server (IPv6)?
    active = false ### CHANGED, default = true

    # IPv6 address to listen on for NTP requests
    #
    # Possible values are:
    #     <valid IPv6 address> or empty string ("") for wildcard (::)
    address = ""

  [ntp.sync]
    # Should FTL try to synchronize the system time with an upstream NTP server?
    active = false ### CHANGED, default = true

    # NTP upstream server to sync with, e.g., "pool.ntp.org". Note that the NTP server
    # should be located as close as possible to you in order to minimize the time offset
    # possibly introduced by different routing paths.
    #
    # Possible values are:
    #     valid NTP upstream server
    server = "pool.ntp.org"

    # Interval in seconds between successive synchronization attempts with the NTP server
    interval = 3600

    # Number of NTP syncs to perform and average before updating the system time
    count = 8

    [ntp.sync.rtc]
      # Should FTL update a real-time clock (RTC) if available?
      set = false

[resolver]
  # Should FTL try to resolve IPv4 addresses to hostnames?
  resolveIPv4 = true

  # Should FTL try to resolve IPv6 addresses to hostnames?
  resolveIPv6 = true

[database]
  # Should FTL load information from the database on startup to be aware of the most
  # recent history?
  DBimport = true

  # How long should queries be stored in the database [days]?
  # Setting this value to 0 will disable the database.
  maxDBdays = 31 ### CHANGED, default = 91

[webserver]
  # On which domain is the web interface served?
  #
  # Possible values are:
  #     <valid domain>
  domain = "pi.hole"

  # Ports to be used by the webserver.
  port = "5080,5443s" ### CHANGED, default = "80o,443os,[::]:80o,[::]:443os"

  # Maximum number of worker threads allowed.
  # The Pi-hole web server handles each incoming connection in a separate thread.
  # Therefore, the value of this option is effectively the number of concurrent HTTP
  # connections that can be handled. Any other connections are queued until they can be
  # processed by a unoccupied thread.
  # The total number of threads you see may be lower than the configured value as
  # threads are only created when needed due to incoming connections.
  # The value 0 means the number of threads is 50 (as per default settings of CivetWeb)
  # for backwards-compatible behavior.
  threads = 10 ### CHANGED, default = 50

[misc]
  # Set niceness of pihole-FTL. Defaults to -10 and can be disabled altogether by setting
  # a value of -999. The nice value is an attribute that can be used to influence the
  # CPU scheduler to favor or disfavor a process in scheduling decisions. The range of
  # the nice value varies across UNIX systems. On modern Linux, the range is -20 (high
  # priority = not very nice to other processes) to +19 (low priority).
  nice = -999 ### CHANGED, default = -10

  # Additional lines to inject into the generated dnsmasq configuration.
  # Warning: This is an advanced setting and should only be used with care. Incorrectly
  # formatted or duplicated lines as well as lines conflicting with the automatic
  # configuration of Pi-hole can break the embedded dnsmasq and will stop DNS resolution
  # from working.
  # Use this option with extra care.
  #
  # Possible values are:
  #     array of valid dnsmasq config line options
  dnsmasq_lines = [
    "strip-subnet",
    "strip-mac"
  ] ### CHANGED, default = []


# Configuration statistics:
# 155 total entries out of which 142 entries are default
# --> 13 entries are modified

And here is the new debug log
Thanks

 

[heslo]

Ok, I just erased my USB storage to eliminate anything left over from other installs. New install only has Entware and pihole but issues still persist

If I have dnsmasq.postconf and port set to 53 I get this

Port 53 (GUI says DNS server failure but shows no traffic or queries in GUI, internet works) https://lurking-cat.appspot.com/upload/EXC4JmNJ

If I have dnsmasq.postconf and port set to 5053 I get this

Port 5053 (GUI says DNS active but shows no traffic or queries in GUI, internet works) https://lurking-cat.appspot.com/upload/u7hWDXNr

Curiously now internet traffic works on both ports while dnsmasq.postconf is there where as before it did not but definitely no traffic is being routed through pihole and I have absolutely no idea why. I don't know why it was "working" the other day besides the disconnect/connect issue and then turned into this. I thought starting with a clean USB might help but it's exactly the same. Perhaps those logs can tell you something. I'm very much at my wits end with this and I'm sure you're sick of reading my logs

 

[jacklul]

Are you suggesting I delete the file and let your path recreate it from scratch?

Run 'swap.sh stop', delete /tmp/mnt/ENTWARE/swap.img, run 'swap.sh start', it will create it automatically.
You can also 'swap.sh create'.

And here is the new debug log

Seems like pihole-FTL.db got corrupted:

2025-09-03 06:47:14.994 UTC [27372M] ERROR: SQLite3: database corruption at line 102669 of [17144570b0] (11)
2025-09-03 06:47:14.994 UTC [27372M] ERROR: export_queries_to_disk(): Failed to export queries: database disk image is malformed

Try renaming pihole-FTL.db to something else while Pi-hole is not running then restart it.

And my DHCP Server tab:

I can only assume that entering no DNS servers means that the router becomes the DNS server, I have no idea how it works on older firmware.
On Windows you can verify this by executing 'ipconfig /all' and checking if router's IP is listed there as DNS server.

 

[jacklul]

If I have dnsmasq.postconf and port set to 53 I get this

2025-09-03 19:09:54.741 ACST [12950M] CRIT: Error in dnsmasq configuration: failed to create listening socket for port 53: Address in use

Remember that after changing dnsmasq.postconf you gotta run `service restart_dnsmasq` to apply it.
In this case you've set Pi-hole back to listen on port 53, but since changes from dnsmasq.postconf didn't apply firmware's dnsmasq is still listening on port 53.

 

[capitantrueno]

Run 'swap.sh stop', delete /tmp/mnt/ENTWARE/swap.img, run 'swap.sh start', it will create it automatically.
You can also 'swap.sh create'.

Done! But if I use the 'free' command:

admin@4G-AC86U:/tmp/home/root# free
             total       used       free     shared    buffers     cached
Mem:        498132     232176     265956       5464      16408      87480
-/+ buffers/cache:     128288     369844
Swap:       135160          0     135160

Seems like pihole-FTL.db got corrupted:

2025-09-03 06:47:14.994 UTC [27372M] ERROR: SQLite3: database corruption at line 102669 of [17144570b0] (11)
2025-09-03 06:47:14.994 UTC [27372M] ERROR: export_queries_to_disk(): Failed to export queries: database disk image is malformed

Try renaming pihole-FTL.db to something else while Pi-hole is not running then restart it.

Done:

admin@4G-AC86U:/tmp/home/root# mv /opt/etc/pihole/pihole-FTL.db /opt/etc/pihole/
pihole-FTL.db.bak
admin@4G-AC86U:/tmp/home/root# service restart_dnsmasq ; /opt/etc/init.d/S65piho
le-FTL start

Done.
Failed to set capabilities on file '/opt/bin/pihole-FTL': Operation not supported
Warning: Starting in an unsupported way - expect issues to happen!
Warning: Starting pihole-FTL as 'admin' (then changing to 'pihole') because setting capabilities is not supported on this system
 Starting pihole-FTL...              done.

That 'Failed to set capabilities...' message is important?

I can only assume that entering no DNS servers means that the router becomes the DNS server, I have no idea how it works on older firmware.
On Windows you can verify this by executing 'ipconfig /all' and checking if router's IP is listed there as DNS server.

I think you are right. On MacOS I can use:

➜  ~ scutil --dns | grep 'nameserver\[[0-9]*\]'
  nameserver[0] : 192.168.50.1
  nameserver[0] : 192.168.50.1

And that is my router IP.

 

[jacklul]

Done! But if I use the 'free' command:
Code:

Didn't your script you had in script_usbmount enabled swap ?
Did you see something like 'Enabled swap file XXXX' after running 'swap.sh start'? If you did not then it did not enable /tmp/mnt/ENTWARE/swap.img because another swap file is already enabled.
Run 'cat /proc/swaps' to see what file.

That 'Failed to set capabilities...' message is important?

This message means 'setcap' command doesn't work on your device or your storage drive is not formatted in a Linux compatible format (I recommended ext4).
It is important because running with setcap is how Pi-hole developers intended the daemon to run.
I did some fixes in the scripts so you can start it in such unsupported cases but as the message says - some issues might happen.

And that is my router IP.

So it should be working.
Please check if /tmp/etc/dnsmasq.conf contains changes made by /jffs/scripts/dnsmasq.postconf:
You should see bunch of lines being commented (starting with # sign) and server=127.0.0.1#5053 somewhere at the top and "# Modified by custom-configs" at the bottom.
Without changes to /tmp/etc/dnsmasq.conf firmware's dnsmasq will not forward queries to Pi-hole, it will use router's settings instead.

 

[bibikalka]

@heslo - you probably would already be running if you used my guide for the additional PiHole on its own virtual IP instead of trying to replace the main DNS on 127.0.0.1:53

​

 

[heslo]

2025-09-03 19:09:54.741 ACST [12950M] CRIT: Error in dnsmasq configuration: failed to create listening socket for port 53: Address in use

Remember that after changing dnsmasq.postconf you gotta run `service restart_dnsmasq` to apply it.
In this case you've set Pi-hole back to listen on port 53, but since changes from dnsmasq.postconf didn't apply firmware's dnsmasq is still listening on port 53.

This was after running the `service restart_dnsmasq` command. Even tried a full router reset, same thing

 

[heslo]

@heslo - you probably would already be running if you used my guide for the additional PiHole on its own virtual IP instead of trying to replace the main DNS on 127.0.0.1:53

​

That's my next port of call if I can't get this to work but if the simple setup isn't working that the author of this came up with I don't see how introducing complexity will make it any different. I just want to understand why it isn't working for me when it's seemingly working for others no issue

 

[dave14305]

This was after running the `service restart_dnsmasq` command. Even tried a full router reset, same thing

Put the router’s LAN IP on the LAN DHCP Server DNS 1 field. When the dnsmasq port is not 53, dnsmasq won’t advertise the router’s IP as the DNS server over DHCP. The “Advertise router IP…” option has no effect if the DNS servers are blank.

 

[heslo]

Put the router’s LAN IP on the LAN DHCP Server DNS 1 field. When the dnsmasq port is not 53, dnsmasq won’t advertise the router’s IP as the DNS server over DHCP. The “Advertise router IP…” option has no effect if the DNS servers are blank.

Tried that, same behaviour. But I did not need to do that before when it was "working"

 

[bibikalka]

That's my next port of call if I can't get this to work but if the simple setup isn't working that the author of this came up with I don't see how introducing complexity will make it any different. I just want to understand why it isn't working for me when it's seemingly working for others no issue

Complexity is relative I guess. My changes are localized to pihole.toml , and creating a virtual IP is needed anyway for PiHole webserver to be accessible. At least I don't have to touch dnsmasq.conf myself and can go with the stock Unbound manager script.

 

[dave14305]

Tried that, same behaviour. But I did not need to do that before when it was "working"

It wouldn’t have been noticeable until clients tried to renew their dhcp lease and suddenly no dns server was offered to them. Next time it isn’t working, capture this info:

netstat -nltup | grep -E ":53 |:8053 "
cat /jffs/scripts/dnsmasq.postconf
grep -E "^port=|^dhcp-option=" /etc/dnsmasq.conf

 

[heslo]

It wouldn’t have been noticeable until clients tried to renew their dhcp lease and suddenly no dns server was offered to them. Next time it isn’t working, capture this info:

netstat -nltup | grep -E ":53 |:8053 "
[/QUOTE]

[CODE]netstat -nltup | grep -E ":53 |:8053 "
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      14715/dnsmasq
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      14715/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           15953/pihole-FTL
udp        0      0 127.0.0.1:53            0.0.0.0:*                           14715/dnsmasq
udp        0      0 192.168.50.1:53         0.0.0.0:*                           14715/dnsmasq

cat /jffs/scripts/dnsmasq.postconf

#!/bin/sh

[ -z "$1" ] && exit 1

# Make firmware Dnsmasq listen for DNS on non-default port (we need it for the reverse lookups)
if ! grep -q "^port=8053" "$1"; then
    sed '/^port=/ s/^/#/' -i "$1"
    sed "/^user=/a port=8053" -i "$1"
fi

# Make sure system uses Pi-hole for DNS requests
# This is optional, you can skip it if you don't want software
# and addons installed on the router to query Pi-hole
resolvconf="$(readlink -f /etc/resolv.conf)"
if ! head -n 1 "$resolvconf" | grep -q "^nameserver 127.0.0.1"; then
    sed '/127.0.0.1/d' -i "$resolvconf"
    sed '1i nameserver 127.0.0.1' -i "$resolvconf"
fi

grep -E "^port=|^dhcp-option=" /etc/dnsmasq.conf[/CODE]

dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,15,AX88U
dhcp-option=lan,44,192.168.50.1
dhcp-option=lan,252,"\n"
dhcp-option=lan,42,0.0.0.0
dhcp-option=br1,3,192.168.101.1
dhcp-option=br2,3,192.168.102.1

That's what I get back

 

[dave14305]

Is the postconf script actually running? What is in the syslog after running service restart_dnsmasq

 

[heslo]

Is the postconf script actually running? What is in the syslog after running service restart_dnsmasq

Seems not!

Getting this in the syslog

Sep  4 12:36:06 rc_service: service 21050:notify_rc restart_dnsmasq
Sep  4 13:36:06 custom_script: Found dnsmasq.postconf, but script is not set executable

How do I make it executable? Didn't need to do anything to it before and yes "Enable JFFS custom scripts and configs" is set to Yes in the GUI

 

[dave14305]

How do I make it executable? Didn't need to do anything to it before and yes "Enable JFFS custom scripts and configs" is set to Yes in the GUI

chmod u+x /jffs/scripts/dnsmasq.postconf