Pi-hole DNS Filtering?

Protos

Regular Contributor
Hello fellas,

I have been playing around with Pi-hole and an old AC5300.
According to the documentation at https://docs.pi-hole.net/routers/asus/
I have set the ip of the Pi-hole in the Lan-DHCP configuration area.

My question is: will this keep clients on the LAN from bypassing this field, or do I need to use DNS Filtering to prevent that?
Do I need both options populated, or will one suffice?
 
Setting the LAN DHCP DNS server is a “suggestion” that a client can override if manually configured to do so. Therefore a firewall-based approach like DNS Filter set to “Router” mode will enforce the LAN DHCP DNS 1 server entry, if populated. If no LAN DHCP DNS 1 server is populated, “Router” mode will direct all DNS requests to the router and its dnsmasq resolver.

Is this on stock firmware or Merlin?
 
Thank you dave.
I will populate the suggestion ... and the firewall. I am on Merlin firmware.
 
If you're not running Merlin, I believe the router will auto-add its IP to the DNS servers (Merlin makes it configurable).
Probably best to double check that on the client to ensure consistent filtering.
 
What do you suggest for the folks who can’t run Merlin ?
 

See if you can put Pi-hole in the WAN DNS settings. At one point Asus stock firmware worked that way, then it didn't (they made a change), but I _believe_ they may have reverted it recently. Since I don't run the stock firmware, I'm not 100% on that of course; you'll have to try it.

If it doesn't work, make the DHCP scope = 1 IP address only on the router, reserve that address for the Pi-hole, and use Pi-hole's DHCP service, which can then properly hand out the Pi-hole address for DNS.
 
To reply to this, they recommend that if you run the latest version of stock, to put Pi-hole in the WAN. However, doing this will have all devices run through the router and then be sent to Pi-hole. This will work, but you can also put the IP in your LAN and then all of your devices will get your Pi-hole IP. I am not sure how this would work with Pi-hole in your LAN and Quad9 in your WAN, for instance, as far as DNS sometimes not going through your Pi-hole.
 
What do you suggest for the folks who can’t run Merlin ?
Turn off DHCP on the router and set up the Pi-Hole to do DHCP. In the router WAN use valid upstream resolvers so the router can set its time on boot. I do not recommend the use of Unbound with a Pi-Hole. You can set up the Pi-Hole to use DoT.

However, this is not a surefire solution if you are trying to prevent someone from visiting inappropriate web sites. They can still set the DNS server in their client to bypass your efforts. Asus did have DNS Filter in a couple of their releases, but it was removed as someone did not like them using that name. It should be back in time under a different name. Asus firmware with DNS set to Quad9 and DoT set to Quad9 and AiProtect enabled gives pretty good protection for most.
 
Why would you say no Unbound with Pi-hole? I am using that and it sets up a true recursive DNS server to use at home with minimal setup.
 
With Unbound I had AiProtect get more blocks even with the default Pi-Hole block list and a couple of others. Had the PC antivirus also make some blocks. With Quad9 I have had no AiProtect blocks or antivirus/antimalware blocks in over a year (maybe longer).
I just did not want to spend the time making sure the Pi-Hole blocklists were up to date and covering the malware site blocks. Also tried Diversion for a while. Am now on DoT to Quad9 with DNSSEC handled by Stubby. Works very well!
 
Asus firmware with DNS set to Quad9 and DoT set to Quad9 and AiProtect enabled gives pretty good protection for most.

What I do.

With Quad9 I have had no AiProtect blocks or antivirus/antimalware blocks in over a year (maybe longer).

I have few hits. It's amazing what URLs my devices are attempting, sometimes when they are sitting alone, streaming media (and ads!).

OE
 
If you have DNS set to Quad9 and DoT set to Quad9, I would think some of your traffic would be encrypted and some wouldn't, right? I have DoT Quad9 for my WAN and the DNS portion is blank. Just making sure I am not missing something.
 

Good question. I've not seen otherwise here yet despite trolling for an answer (like above), but I still have the same concern as you. However, I've been assuming the firmware should just handle it... use DoT period, if it is usable.

Edit: Indirect supporting comment/clue by a reputable source: https://www.snbforums.com/threads/d...-downloading-at-high-speeds.77873/post-751075

OE
 
If you have dns set to quad9 and dot set to quad9, I would think some of your traffic would be encrypted and some wouldn’t right?

Must be set this way (in WAN):

DNS Server1: 9.9.9.9
DNS Server2: 149.112.112.112

DNS Privacy Protocol: DNS-over-TLS
DNS-over-TLS Profile: Strict

DoT Server1: 9.9.9.9 dns.quad9.net
DoT Server2: 149.112.112.112 dns.quad9.net

On boot (before Stubby) the router will use Quad9 on port 53, after Stubby - Quad9 on port 853 (DoT).
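Added example, not code from this thread, from Pi-hole or from Asuswrt: a small pure-Python DNS client that covers two points raised above. First, the "double check on the client" that the DHCP suggestion is actually being enforced: a LAN client sends a query for a domain the Pi-hole blocks straight to an outside resolver on port 53, and if a real address comes back the client can bypass the Pi-hole, so only a firewall rule (DNS Filter "Router" mode or an equivalent redirect) closes that path. Second, a DoT query that does what the "Strict" profile asks for: TLS certificate chain and hostname (dns.quad9.net) both validated before any DNS data is trusted. The Pi-hole address 192.168.1.2, the domain ads.example.com and the outside resolver 9.9.9.9 are assumed values; the sample responses are constructed in the code, not captured traffic, so the parsing and classification run offline. The network functions are only called from the `__main__` block.

```python
"""Added example: minimal DNS client for (1) a LAN bypass check and (2) strict DoT.
Not code from the thread, Pi-hole or Asuswrt. IPs/domains are assumptions."""
import random
import socket
import ssl
import struct
from typing import List, Optional

A_RECORD = 1
RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = A_RECORD, txid: Optional[int] = None) -> bytes:
    """Standard recursion-desired DNS query in RFC 1035 wire format."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def rcode(msg: bytes) -> int:
    return struct.unpack_from("!H", msg, 2)[0] & 0x0F


def parse_a_records(msg: bytes) -> List[str]:
    """IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def classify(msg: bytes, pihole_ip: str) -> str:
    """Pi-hole block modes: NXDOMAIN, 0.0.0.0 (NULL) or its own IP -> 'blocked'.
    No A record (NODATA mode or genuinely empty) -> 'empty'; anything else 'resolved'."""
    if rcode(msg) == RCODE_NXDOMAIN:
        return "blocked"
    addrs = parse_a_records(msg)
    if not addrs:
        return "empty"
    return "blocked" if all(a in ("0.0.0.0", pihole_ip) for a in addrs) else "resolved"


def strict_dot_context() -> ssl.SSLContext:
    """TLS settings matching the 'Strict' DoT profile: chain and hostname must verify."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DoT server")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 2.0) -> bytes:
    """Plain UDP/53 query: the path a client uses to bypass a DHCP-advertised resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)


def query_dot(server: str, hostname: str, name: str, timeout: float = 5.0) -> bytes:
    """DNS-over-TLS on 853 with the 2-byte length prefix (RFC 7858), strict validation."""
    query = build_query(name)
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with strict_dot_context().wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def _make_response(query: bytes, addrs: List[str], rc: int = 0) -> bytes:
    """Constructed response (not captured traffic) answering the given query."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rc, 1, len(addrs), 0, 0)
    body = query[12:]  # echo the question section
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 300, 4) + socket.inet_aton(a)
    return header + body


# Constructed samples: Pi-hole NULL block, NXDOMAIN block, and an outside resolver's answer.
SAMPLE_QUERY = build_query("ads.example.com", txid=0x1234)
SAMPLE_BLOCKED = _make_response(SAMPLE_QUERY, ["0.0.0.0"])
SAMPLE_NXDOMAIN = _make_response(SAMPLE_QUERY, [], rc=RCODE_NXDOMAIN)
SAMPLE_RESOLVED = _make_response(SAMPLE_QUERY, ["203.0.113.10"])


def bypass_check(pihole_ip: str, blocked_name: str, outside: str = "9.9.9.9") -> dict:
    """Live check from a LAN client; 'via_outside' == 'resolved' means bypass is possible."""
    return {"via_pihole": classify(query_udp(pihole_ip, blocked_name), pihole_ip),
            "via_outside": classify(query_udp(outside, blocked_name), pihole_ip)}


if __name__ == "__main__":
    print(bypass_check("192.168.1.2", "ads.example.com"))  # assumed Pi-hole IP / domain
    print(parse_a_records(query_dot("9.9.9.9", "dns.quad9.net", "example.com")))
```

With DNS Filter in "Router" mode the second query never reaches 9.9.9.9: the router's NAT rule redirects it to the LAN DNS 1 server, so `via_outside` comes back `blocked` as well. Without such a rule the DHCP setting is only advice, and `via_outside` reads `resolved`. The DoT function fails closed on a certificate or hostname mismatch, which is the difference between the Strict and Opportunistic profiles.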
 
To reply to this, they recommend that if you run the latest version of stock, to put pihole in the WAN. However doing this will have all devices run through the router and then be sent to pihole. This will work, but you can also put the IP in your LAN and then all of your devices will get your PiHole IP. I am not sure how this would work with pihole in your LAN and quad9 in your wan for instance, as far as DNS sometimes not going through your pihole.

No.

If you put pihole in your lan settings, the router will advertise itself along with the pihole. That's the whole point of what we're trying to avoid here.
 
Thanks for that, just fixed mine. Do you recommend turning on DNSSEC and rebind protection?
 
Do you recommend turning on dnssec and rebind protection?

Asuswrt-Merlin specific settings, not available in stock Asuswrt. This thread is in Asus Wireless forum section and I'm assuming we are talking about stock Asuswrt. In Asuswrt-Merlin I would leave the four settings below DNS Server 2 to default No.
 
