RT-AC86U DNS issue


alxnt

Occasional Visitor
Hi
I have an RT-AC86U with official fw 3.0.0.4.386_44470.
I set my Pi-hole as the DNS server in DHCP, but the devices get 2 DNS servers on their network adapter. The first one is indeed the Pi-hole and the second is the router's IP address.
When I test each device's DNS from this link I see 3 DNS entries: my public IP address, as I have installed unbound in recursive mode, and the Cloudflare DNS (IPv4/IPv6) which is set as the router's WAN DNS (1.1.1.1 and 1.0.0.1). I also have IPv6 disabled on the router.
The only way devices get only the Pi-hole as DNS is to manually assign an IP and add the Pi-hole's IP address in the DNS field, or to manually set the Pi-hole as DNS on each device's network adapter, something that I don't want to do for each device. That is what DHCP is intended to do.

I also found this link with no luck.

So is there any solution to this issue?
 

Attachment: Screenshot 2021-12-02 165257.png (10 KB)
Well, it is working as intended. And it should be a comfort that if the Pi-Hole crashes your router will provide a backup DNS.
You also need to upgrade your firmware. With the new version you can set the router to use DoT which will give you an extra layer of protection.

Edit: if it is any comfort, the clients will use the Pi-Hole first as it is the first DNS resolver in the list. I have run Pi-Hole like this on my network with good results. Except, with the Pi-Hole/Unbound setup I was getting a significant number of blocks on AiProtect as compared to using a filtering DNS resolver such as Quad9 or Cloudflare Secure. So I dropped the Pi-Hole and am using just Quad9 on DoT. The family is much happier and I have the Pi to use for something else.
 
I'm not sure that clients use primary and secondary dns that way.
Have a look here:
https://discourse.pi-hole.net/t/primary-vs-secondary-dns/1536
So if the Pi-hole isn't the only DNS server, some queries will be answered directly by the public DNS provider (in my case Cloudflare). This means that filtering may not function as it should, and unbound in recursive mode, too.

I have not upgraded the fw yet because I got the router some days ago and I want to observe the current fw's performance to compare with the newer fw.
 
I'm not sure that clients use primary and secondary dns that way.
This is true. Which servers the client chooses to use (from the DHCP-supplied list) from one request to another is down to its own behaviour. Microsoft for example has published the methods that it uses in different versions of Windows.

As stock firmware always appends the router's own IP address to the list of DNS servers this creates the problem you're describing. The solution therefore is in that link you provided (assuming a recent firmware version). Leave the DHCP-DNS servers blank so that the client is only using the router for DNS. Then set the WAN-DNS to your pi-hole address. Unfortunately this has the effect of the pi-hole seeing all DNS requests as coming from the router rather than the client.
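To make the "DHCP-supplied list" concrete, here is an added example (not from this thread, the router firmware or Pi-hole) that parses DHCP option 6 from a constructed OFFER option area and reports every advertised resolver other than the Pi-hole; the addresses 192.168.1.10 (Pi-hole) and 192.168.1.1 (router) are assumptions.

```python
import ipaddress
from typing import Dict, List

# DHCP option codes used below (RFC 2132): pad, Domain Name Server, end
OPT_PAD, OPT_DNS_SERVERS, OPT_END = 0, 6, 255


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message into {code: raw value}."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end-of-options marker
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def advertised_dns_servers(options: bytes) -> List[str]:
    """Return the DNS servers (option 6) in the order the client receives them."""
    raw = parse_dhcp_options(options).get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def unfiltered_resolvers(options: bytes, filtering_resolvers: List[str]) -> List[str]:
    """Servers in the DHCP list that are not the filtering resolver; a client may send queries to any of them."""
    allowed = set(filtering_resolvers)
    return [s for s in advertised_dns_servers(options) if s not in allowed]


# Constructed DHCP OFFER option area (not captured from a real router):
# option 53 = OFFER, option 6 = Pi-hole then router (as stock firmware appends it), END.
SAMPLE_OPTIONS = (
    bytes([53, 1, 2])
    + bytes([6, 8]) + bytes([192, 168, 1, 10]) + bytes([192, 168, 1, 1])
    + bytes([255])
)

if __name__ == "__main__":
    print("advertised:", advertised_dns_servers(SAMPLE_OPTIONS))
    print("bypassing Pi-hole:", unfiltered_resolvers(SAMPLE_OPTIONS, ["192.168.1.10"]))
```

An empty result from unfiltered_resolvers means the lease hands out only the filtering resolver, which is the state the thread is trying to reach.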
 

I'm still scratching my head over this one with my RT-AC86U (latest firmware).

If I leave LAN DNS blank and have the WAN DNS fields with my 2 Pi-hole servers, then all I see is the router information on the Pi-hole dashboard. Not ideal but it works.

If I have the Pi-hole address in the LAN DNS and nothing in WAN then lookups fail. If I put the Pi-hole IP in WAN DNS it works again.

If I have pihole ip in both lan and wan and conditional forwarding off - this works but at what expense?

How would the DNS lookup work if I have my main Pi-hole in LAN DNS and Cloudflare 1.1.1.1 in DNS for example?
Will some traffic bypass my lan dns pihole?

Been searching for a definitive answer for days on this.
 
Just playing captain obvious here. So long as this is not being caused by:
dns.png

Not having the "Advertise router's IP" set to yes!
 
That's a Merlin-only option. This thread was discussing stock firmware so I'm assuming that's what @jd24 is using.
 
