Pihole DNS

macster2075

Very Senior Member
Hi,
I have set an Ubuntu machine to run pihole and it's been working great. But, I see that if I set the pihole IP address under LAN DHCP section, it bypasses some rules I have in order to force SafeSearch on Google and Bing.
The way I have pihole IP address now is under the DNSFilter section and it works great, but I have to point every device individually to Pihole.

Is there a way I can set Pihole under the LAN DHCP section without it affecting my configuration scripts in Dnsmasq?
 

dave14305

Part of the Furniture
Is there anything specific in your dnsmasq modifications that would prevent you from implementing the same custom settings under PiHole’s dnsmasq?
 

macster2075

Very Senior Member
Is there anything specific in your dnsmasq modifications that would prevent you from implementing the same custom settings under PiHole’s dnsmasq?
It's a simple script...
address=/www.bing.com/204.79.197.220
address=/duckduckgo.com/52.149.247.1
address=/www.google.com/216.239.38.120

Once I add the Pihole address to the LAN DHCP, those scripts are bypassed.. pihole works how it's supposed to, but the scripts stop being implemented.
I tried re-adding them again, but they won't take.

Are you saying they are supposed to even if I set a specific DNS server under LAN?
 

dave14305

Part of the Furniture
Once I add the Pihole address to the LAN DHCP, those scripts are bypassed.. pihole works how it's supposed to, but the scripts stop being implemented.
I tried re-adding them again, but they won't take.
It is true that the router’s dnsmasq will be bypassed when a LAN DHCP DNS server is defined. The script or custom config is still active, but no one uses it in that scenario.
Are you saying they are supposed to even if I set a specific DNS server under LAN?
No, I was suggesting to duplicate your safesearch settings in PiHole if that’s what you are trying to accomplish. If you’re trying to do something else, please elaborate with screenshots of your LAN DNS and DNSFilter pages to clarify.
 

macster2075

Very Senior Member
Oh wow.. that's what I was told in this forum to use in order to force SafeSearch using the router. What other way is there to do that if it's not under dnsmasq?
I didn't know I could also force SafeSearch using Pihole.

That's all I am trying to accomplish.. just to be able to set Pihole for entire network without having to point each device manually and also keep SafeSearch enabled and enforced.
 

macster2075

Very Senior Member
I think I got it! - set it in pihole
1631065467756.png
 

macster2075

Very Senior Member
So it's now working how I wanted. Thanks Dave, I didn't know I could do that in Pihole. I only started using it not too long ago.
But if I may ask... putting pihole aside.. what's another way to force SafeSearch using the router if not through Dnsmasq?
 

macster2075

Very Senior Member
I don’t think there is another way.
So in the event that the pihole machine goes down, will it auto fall back to using the router settings, meaning I shouldn't lose internet correct?
I have it like this...which is using OpenDns.

1631066966873.png
 

dave14305

Part of the Furniture
oh.. I thought I wouldn't because of this...
View attachment 36179
That option has nothing to do with resiliency.

When you configure LAN DHCP to tell your LAN clients to use a specific DNS server (e.g. Pihole), you take the router’s local DNS server (dnsmasq) out of the equation, unless you’ve kept the option to Advertise the router’s IP in addition to your user-specified DNS, but that would also undercut pihole adblocking (some requests would go to pihole, some would go to the router).

Somewhere in the forum I have a convoluted post on how to make Pihole somewhat resilient with Merlin firmware using DNSFilter and some custom dnsmasq configurations.
 

macster2075

Very Senior Member
yup, I had the "Advertise router's IP..." enabled as well. - Thank you Dave, I will do some reading.
 

macster2075

Very Senior Member
You could set up a second PiHole instance using an actual RPi, using the settings you have, as DNS2. Both would then have to go down.
I guess I thought things were so much simpler..haha "oh, if the pihole goes down, the router will kick in"... wish it was that simple.
 

macster2075

Very Senior Member
That option has nothing to do with resiliency.

When you configure LAN DHCP to tell your LAN clients to use a specific DNS server (e.g. Pihole), you take the router’s local DNS server (dnsmasq) out of the equation, unless you’ve kept the option to Advertise the router’s IP in addition to your user-specified DNS, but that would also undercut pihole adblocking (some requests would go to pihole, some would go to the router).

Somewhere in the forum I have a convoluted post on how to make Pihole somewhat resilient with Merlin firmware using DNSFilter and some custom dnsmasq configurations.
Dave, the user asking about the issue with pihole not showing the device's names.. I wonder why he didn't just enable "Use Conditional Forwarding" in Pihole?
That did the trick for me and all my devices' names started showing instead of the IPs after I enabled that.
 

BreakingDad

Very Senior Member
Adguard has a simple tick box to enforce safe search, personally I had pi hole and find adguard a lot easier and configurable.
 

SomeWhereOverTheRainBow

Part of the Furniture
Hi,
I have set an Ubuntu machine to run pihole and it's been working great. But, I see that if I set the pihole IP address under LAN DHCP section, it bypasses some rules I have in order to force SafeSearch on Google and Bing.
The way I have pihole IP address now is under the DNSFilter section and it works great, but I have to point every device individually to Pihole.

Is there a way I can set Pihole under the LAN DHCP section without it affecting my configuration scripts in Dnsmasq?
Tell pihole to use the router's dns server.
i.e.
On router:
Set dns filter global to router
Add pihole to lan dns 1 and add pihole to dnsfilter list via Mac address and set it to no filter.
Make sure to unselect advertise router under lan dns options.
Make sure wan dns1 and wan dns2 are set to any usable dns server such as 1.1.1.1 or DoT or isp dns.

On pihole:
Add router's address as dns server to pihole custom dns. Make sure it is the only dns that pihole forwards look ups to.

Undesired effects:

Any devices that have to be forced by dnsfilter to use pihole will appear as coming from the router.

Desired effects:

Any device names that use pihole properly will be readable by pihole.
 

bennor

Very Senior Member
The way I have pihole IP address now is under the DNSFilter section and it works great, but I have to point every device individually to Pihole.
Generally the basic way to set up Pi-Hole when using the router's DHCP server is as follows.

In the LAN > DHCP Server > DNS and WINS Server Setting section:
Input the Pi-Hole device's IP address into the LAN DHCP DNS Server 1 and if needed into DNS Server 2.
Set "Advertise router's IP in addition to user-specified DNS" to No.
Click Apply when finished.

In the LAN > DNSFilter section:
Set "Enable DNS-based Filtering" to On.
Set "Global Filter Mode" to Router.
Leave "Custom (user-defined) DNS 1" (and DNS 2/DNS 3) fields blank.
Input or select the Pi-Hole device MAC address in the "Client MAC address" and select "No Filtering" as the Filter Mode.
Then click the Plus icon to add the entry.
Click Apply when finished.

One may need to reboot all LAN/WiFi devices so they pull the updated DHCP information.

Failure to set "Advertise router's IP in addition to user-specified DNS" to No can result in DNS requests bypassing the Pi-Hole. If one has a second Pi-Hole they can input that device's IP address into the DHCP DNS Server 2 field. Some will want to put the Pi-Hole device IP address into the WAN DNS fields. If one does so, make sure to uncheck "Use Conditional Forwarding" in the Pi-Hole Settings > DNS > Advanced DNS Settings. Otherwise one could set up a feedback loop that will potentially flood the local network with requests.

To block hard coded DNS servers in IoT and other devices that may bypass the Pi-Hole, one can try to do so with the following steps.
On the LAN > Route > Basic Config set "Enable static routes" to Yes.
Input the hard coded DNS server into the "Network Host/IP" field.
Input "255.255.255.255" into the "Netmask" field.
Input or select the router's IP address in the "Gateway" drop down box.
Set "Metric" field to "2".
Select "LAN" from the "Interface" dropdown box.
Click the Plus icon to add the entry.
Repeat as needed to add other hard coded DNS servers you want to block.
Click the Apply button when finished.
 

SomeWhereOverTheRainBow

Part of the Furniture
Generally the basic way to set up Pi-Hole when using the router's DHCP server is as follows.

In the LAN > DHCP Server > DNS and WINS Server Setting section:
Input the Pi-Hole device's IP address into the LAN DHCP DNS Server 1 and if needed into DNS Server 2.
Set "Advertise router's IP in addition to user-specified DNS" to No.
Click Apply when finished.

In the LAN > DNSFilter section:
Set "Enable DNS-based Filtering" to On.
Set "Global Filter Mode" to Router.
Leave "Custom (user-defined) DNS 1" (and DNS 2/DNS 3) fields blank.
Input or select the Pi-Hole device MAC address in the "Client MAC address" and select "No Filtering" as the Filter Mode.
Then click the Plus icon to add the entry.
Click Apply when finished.

One may need to reboot all LAN/WiFi devices so they pull the updated DHCP information.

Failure to set "Advertise router's IP in addition to user-specified DNS" to No can result in DNS requests bypassing the Pi-Hole. If one has a second Pi-Hole they can input that device's IP address into the DHCP DNS Server 2 field. Some will want to put the Pi-Hole device IP address into the WAN DNS fields. If one does so, make sure to uncheck "Use Conditional Forwarding" in the Pi-Hole Settings > DNS > Advanced DNS Settings. Otherwise one could set up a feedback loop that will potentially flood the local network with requests.

To block hard coded DNS servers in IoT and other devices that may bypass the Pi-Hole, one can try to do so with the following steps.
On the LAN > Route > Basic Config set "Enable static routes" to Yes.
Input the hard coded DNS server into the "Network Host/IP" field.
Input "255.255.255.255" into the "Netmask" field.
Input or select the router's IP address in the "Gateway" drop down box.
Set "Metric" field to "2".
Select "LAN" from the "Interface" dropdown box.
Click the Plus icon to add the entry.
Repeat as needed to add other hard coded DNS servers you want to block.
Click the Apply button when finished.
While you could set pihole in wan dns 1 and wan dns 2, for this use case you wouldn't want to since we are expecting pihole to use the router for custom dns traffic, since safesearch is set up via custom scripts on the router itself.
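
Added example, not part of any post in this thread: a small check for the two failure modes discussed above, namely a SafeSearch `address=` line that dnsmasq cannot use, and a resolver in the client path that does not return the pinned IP. The function names, both resolver IPs and the 203.0.113.10 answer are assumptions made up for the sample; real answers would be collected per resolver with `dig +short @<resolver> <domain>`.

```python
import ipaddress

# Constructed sample in the thread's dnsmasq style. Lines 2 and 3 carry
# deliberate typos (stray space, trailing dot) for the linter to reject.
SAMPLE_CONF = """\
address=/www.bing.com/204.79.197.220
address=/duckduckgo.com/ 52.149.247.1
address=/www.google.com/216.239.38.120.
"""

# Constructed answers per resolver, as one would collect them with
# `dig +short @<resolver> <domain>`. Both resolver IPs are assumptions.
SAMPLE_ANSWERS = {
    "192.168.1.1": {"www.bing.com": {"204.79.197.220"}},  # router dnsmasq
    "192.168.1.2": {"www.bing.com": {"203.0.113.10"}},    # Pi-hole, no pin
}

def parse_address_lines(conf):
    """Return ({domain: ip}, [errors]) for address=/domain[/domain...]/ip lines."""
    pins, errors = {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("address="):
            continue  # other dnsmasq options and comments are out of scope
        fields = line[len("address="):].split("/")
        if len(fields) < 3 or fields[0] != "" or "" in fields[1:-1]:
            errors.append(f"line {n}: malformed entry {raw!r}")
            continue
        *domains, ip = fields[1:]
        try:
            ipaddress.ip_address(ip)  # rejects spaces and trailing dots
        except ValueError:
            errors.append(f"line {n}: invalid IP {ip!r}")
            continue
        pins.update({d.lower(): ip for d in domains})
    return pins, errors

def audit(pins, answers):
    """List (resolver, domain, got) where a resolver does not return the pin."""
    gaps = []
    for resolver, seen in answers.items():
        for domain, want in pins.items():
            got = seen.get(domain, set())
            if got != {want}:
                gaps.append((resolver, domain, sorted(got)))
    return sorted(gaps)

if __name__ == "__main__":
    pins, errors = parse_address_lines(SAMPLE_CONF)
    print("\n".join(errors))
    print(audit(pins, SAMPLE_ANSWERS))
```

Any resolver that DHCP hands to clients and that shows up in the `audit` output is a path around SafeSearch.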
 
