What's new

Where to put iptables script to execute on boot?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

@dave14305 Is this by design for DNAT'ed traffic for it to reappear as having come from the router (192.168.1.1) as a client on pihole as opposed to the offending device that is trying to reach outside to a hardcoded dns server?

I assume there is no workaround for this?


Edit:
Just a thought, could you run DNSFilter set to custom and set a bogus local dns entry say (192.168.1.2) that is attached to no device to route the request no where and drop it?

Pointed DNSFilter to custom - set it to 192.168.2.2 (different subnet entirely) and seems to not be showing any redirections from router and I guess just sinks any request trying to go outside so far devices have been doing well.
 
Last edited:
Still got some requests coming blocked from other devices from the router. Do you get the same result or do you have strictly coming from the devices only?
I don’t run a Pi-Hole anymore. You probably need to re-post your configuration again to get a sanity check.
  • WAN DNS settings
  • LAN DHCP DNS settings
  • DNS Filter settings
  • dnsmasq.conf.add / dnsmasq.postconf
  • firewall-start
  • nat-start
  • Pi-Hole conditional forwarding setup
Is this by design for DNAT'ed traffic for it to reappear as having come from the router (192.168.1.1) as a client on pihole as opposed to the offending device that is trying to reach outside to a hardcoded dns server?
Yes, the answer is to not redirect it at all to the Pi-Hole, but force them to the router (and dnsmasq) and let dnsmasq forward to Pi-Hole. This also technically reaches the Pi-Hole from the router IP, but those extra dnsmasq config options also pass the client IP and MAC address in the query, letting Pi-Hole use that info for client identification.
Just a thought, could you run DNSFilter set to custom and set a bogus local dns entry say (192.168.1.2) that is attached to no device to route the request no where and drop it?

Pointed DNSFilter to custom - set it to 192.168.2.2 (different subnet entirely) and seems to not be showing any redirections from router and I guess just sinks any request trying to go outside so far devices have been doing well.
That will eventually break something.
 
  • WAN DNS settings
1626604711734.png


  • LAN DHCP DNS settings
1626604730985.png


  • DNS Filter settings
1626604776844.png

  • dnsmasq.conf.add
1626604907657.png


Could you let me know the commands for the other info? :) I'll get it to you.
 
DNSFilter Custom 1 should be changed to 192.168.1.1 and WAN DNS 2 should be 192.168.1.20. At least for my suggested setup.
Does the custom matter in DNSFilter? the 192.168.1.20 is a shared virtual IP so I can make the changes in WAN settings. I've made a load of changes over the past couple of days. Do you need the other info you asked for earlier??
 
Does the custom matter in DNSFilter? the 192.168.1.20 is a shared virtual IP so I can make the changes in WAN settings. I've made a load of changes over the past couple of days. Do you need the other info you asked for earlier??
Yes it matters if you want to see the actual client IPs for intercepted DNS queries. But it does no good if you don’t change the WAN DNS 2 also, because we need dnsmasq to forward the request to Pi-Hole instead of an iptables rule doing it.
 
Last edited:
Yes it matters if you want to see the actual client IPs for intercepted DNS queries. But it does no good if you don’t change the WAN DNS 2 also, because we need dnsmasq to forward the request to Pi-Hole instead of a iptables rule doing it.
I've made the changes. Never thought to set DNSFilter to custom so dnsmasq to forward it. Thank you I think this may do the trick!! :D
 
Just a follow up. Want to thank you again for your help Dave looks like we have achieved the result we were looking for. :) One question I have is a few ptr records every hour popping up. Is there a file anywhere I can put the details so it stops querying every hour or is that just going to be how it is? No biggie I can deal with it if thats how it will be but very happy we resolved the issue at hand of redirected queries are now being as coming from themselves rather than all bundled as coming from the router itself.

Code:
198.1.168.192.in-addr.arpa
207.1.168.192.in-addr.arpa
177.1.168.192.in-addr.arpa
 
One question I have is a few ptr records every hour popping up. Is there a file anywhere I can put the details so it stops querying every hour or is that just going to be how it is?
I think that's how pi-hole updates its client list.
 
Cool, and do you keep your edit your /etc/ hosts file on the pi or leave at default with conditional forwarding enabled?
I would just use Conditional Forwarding.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top