What's new

Set up router to use Pi-Hole with selected clients

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Johno

Regular Contributor
I'm trying to configure my RT-AC68U to use Pi-Hole on my RaspPi3 as the DNS server for certain devices on the home LAN, in particular my smart TVs and media streamers which track my viewing habits and usage.

So far I have the DNS settings in the WAN config set to automatically get DNS servers (i.e. my ISP DNS servers):
1613147412381.png

In the LAN DHCP config I've left the DNS Server addresses blank so that the router handles DNS:
1613147503606.png

I have DNS filtering enabled with the TVs and media streamer configured to use Pi-Hole (the RaspPi3 is at 192.168.1.81):
1613147616495.png

I'm assuming that the Global Filter Mode setting of No Filtering will mean that filtering will only occur on the defined clients? What's the difference between No Filtering and Router for Global Filter Mode ?

This setup appears to work in that only the devices I've specified seem to hit Pi-Hole. but when looking at the query log I see either localhost or the router hostname appearing as the client rather than the name or IP address of the device which should be hitting Pi-Hole with it's DNS queries:
1613148190265.png

I've looked through various posts which describe how to set up Pi-Hole with an Asus router but they're focussed on blocking ads for all devices rather than just selected ones, as I'm doing.
Does anyone have any idea what I need to do in order to get the correct source hostnames displayed in the Pi-Hole query log?
 
Edit; I might have missunderstood your question. However, the below way ensures that all clients go through Pi-Hole.

Basically you are telling all the clients to use the router IP as DNS when the clients request DNS settings.
This means that when you put the Pi-Hole IP in WAN section, the ASUS router will sent all the requests there instead of the clients doing it themselves. This method has benefits, you can just change DNS easily without restarting each client but how often do you do this?
Downside is, all DNS requests are done by the router to the Pi-Hole and all of them come in this case from the router.

My advise is:

ASUS router:
On WAN > WAN DNS Setting, see below.
1613150246148.png

This makes sure that the heartbeat pings aren't shown in Pi-Hole and the router does this through a different DNS.

On LAN > DHCP Server > DNS and WINS Server Setting, fill in the Pi-Hole IP on DNS Server 1 and DNS Server 2.
Make sure you choose No in the section below the DNS Server 2.
1613150324729.png


To ensure the correct client hostname is shown in Pi-Hole instead of IP address go into Pi-Hole > Settings > Conditional forwarding (at the bottom)
This is what I have but if you use a different IP
1613150499926.png


Let me know if it worked.
 
I would try belts and suspenders. On the LAN DHCP Server page, assign a static IP to the 3 devices AND assign the Pi-Hole as the DNS Server at the same time. This will let those devices communicate directly with the Pi-Hole, and avoid the router name showing up instead. If those devices try to use a hard-coded DNS server, the DNS Filter rule will kick in, but device names won't be accurate.

Or you can use Pi-Hole as the LAN DHCP DNS server for all devices and control the filtering using Pi-Hole group management.
 
May I recommend you use 1.1.1.2 and 1.0.0.2 in WAN/DNS Server 1 and 2
Also use DoT with the Cloudflare resolvers manually set to 1.1.1.2 and 1.0.0.2
LAN/DNS Filter/Global Filter mode set to router, Client Filter List for the Pi set to unfiltered.
As dave14305 mentioned set a manually assigned IP Address in LAN/DHCP Server and put the Pi-Hole IP address in DNS Server (Optional).
May I also recommend you set up the Pi-Hole to use Stubby DoT. See: https://discourse.pi-hole.net/t/implementing-dns-over-tls/27538/7 my instructions down the page a bit.
 
I'm assuming that the Global Filter Mode setting of No Filtering will mean that filtering will only occur on the defined clients? What's the difference between No Filtering and Router for Global Filter Mode ?

Does anyone have any idea what I need to do in order to get the correct source hostnames displayed in the Pi-Hole query log?
If you haven't done so already you may want to see the Asus-Merlin Wiki which has general information about DNS Filter.

https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Filter

Edit to add: If I understand the way DNS Filter works (and I could be wrong). I think you would need to set the Global Filter Mode to Router. Then have the Client List entries use the Custom user defined 1, 2 or 3 fields.
 
Last edited:
If you haven't done so already you may want to see the Asus-Merlin Wiki which has general information about DNS Filter.

https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Filter

Edit to add: If I understand the way DNS Filter works (and I could be wrong). I think you would need to set the Global Filter Mode to Router. Then have the Client List entries use the Custom user defined 1, 2 or 3 fields.
Thanks, that's what I understand from that helpful page too, though I would've thought that Global Filter of no filtering and router amounted to the same thing, I.e. the router DNS being used?
 
Thanks, that's what I understand from that helpful page too, though I would've thought that Global Filter of no filtering and router amounted to the same thing, I.e. the router DNS being used?
No filtering lets clients use whatever DNS server they may be configured to use. There is no enforcement. The Router filter enforces the LAN DHCP DNS 1 server (if set), otherwise it will enforce the router's LAN IP as the DNS server. The difference is how heavy-handed you want to be with your clients.
 
Another option is to point all clients to the pihole as DNS, and use groups on the pihole to control which clients get blocked and which don't.

Multiple fairly straightforward ways to solve this :)
 
Hey I do this and it works perfect for me.
I have Pihole and ensure all devices including Alexa, Smart TV and other stuff just go through pihole for DNS

This is how I did it
Pihole is my DHCP and DNS server

In the LAN page on the router
Disable DHCP server
I point DNS server 1 and 2 within Asus router to my pihole address in the
I don't advertise my routers IP in addition to my user specified DNS
In the DNS filter page
Enable DNS based filtering to On
Global filter mode is set to router
I add in my Pihole as a client with no filtering

On my WAN page
Connect to DNS automatically is set to no
I have manually set DNS server addresses for cloudflare

That's pretty much it I think.
To test you can do a tcpdump on the router via SSH and see what is hitting port 53 and see it bounce back to the pihole for resolution

Hope it helps
 
Thanks to everyone for your help, I decided to avoid using the Pi-Hole for DHCP.

I've managed to get hostname reporting working with the following settings on the router:

WAN
DNS is set to connect automatically (so that'll be my ISP's DNS servers)

LAN
DHCP page - DNS and WINS Server setting has both DNS Server 1 and DNS Server 2 blank, with Advertise Router's IP to to No and WINS Server is blank
DNS Filter page - Global Filter Mode is router and Custom DNS 1 points to the Pi-Hole, to where a number of clients are directed for their DNS queries:
1613414781015.png


The Pi-Hole query log is showing lots of these type of requests, which I'm guessing are the reverse DNS lookups? Is there any way to filter those out?
1613414927621.png


Also I'm seeing requests from clients which I haven't specified as using Pi-Hole for DNS queries (for example the below is my Windows laptop) so I'm also at a loss to see why that's happening, unless it's because conditional forwarding is enabled in the Pi-Hole's DNS setting? If so then I still don't understand as the host JOC-SP4 isn't set to use the Pi-Hole as a DNS server and wouldn't know anything about the Pi-Hole.
1613415777790.png
 
This setup appears to work in that only the devices I've specified seem to hit Pi-Hole. but when looking at the query log I see either localhost or the router hostname appearing as the client rather than the name or IP address of the device which should be hitting Pi-Hole with it's DNS queries:
View attachment 30674
I've looked through various posts which describe how to set up Pi-Hole with an Asus router but they're focussed on blocking ads for all devices rather than just selected ones, as I'm doing.
Does anyone have any idea what I need to do in order to get the correct source hostnames displayed in the Pi-Hole query log?

Hi,

By the way, could you please name the application used for this log in sceenshot?

Thank you in advance,
amplatfus
 
Hi,

By the way, could you please name the application used for this log in sceenshot?

Thank you in advance,
amplatfus
It's just the Windows 10 built-in snipping tool that's invoked using shift-Windows-S on the keyboard, then copied/pasted the screenshot into my forum post.
But if you were asking which application displayed the screenshot of the log, then that's just Pi-Hole's Query Log screen/page
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top