Asus RT-AC68U Merlin DNSFilter + 2 PiHole's?

[josh3003]

I followed a thread on reddit and set up DNSFilter and forcing all requests both normal and hardcoded/DNS over HTTPS queries through my router. It works great. I do however have a few queries I am hoping some of you could address.


As mentioned, everything seems to go through primary pihole and any query that has hardcoded dns forces itself back to the router which comes up as a query under my router. Awesome.


I've been thinking about redundancy, I was trying to maintain a 2nd pihole using pihole-gemini? Doesn't seem to work with the new Pihole version 5. Nonetheless I also followed a guide and I also have a pihole running in the cloud. I was thinking of pointing my 2nd DNS server to that cloud based server, in the event of a corrupt sd card or the primary pi failing. However, with the DNSfilter enabled I'd drop my connection as when it would go down, so would too my DNS queries. As a workaround I do have WAN access to my router so I can access it at anytime and disable the DNSFilter to enable DNS queries to continue and point to my 2nd DNS server.

There isn't anyway to force all clients to primary local pihole and in the event if it goes offline, dns queries would then go to the pi in the cloud or a 2nd local pihole with the same forced requests through the router or is that a limitation of DNS filter? I don't want to disable it all together and run 2 piholes as I want all the stats on one and save the other for reduncany if it is ever required. Hope this makes sense, if you need any clarification please let me know. Thanks.

 

[ColinTaylor]

Have a look at this post and the four following it. It might be what you're after. It does require Merlin's firmware though, not stock.

 

[josh3003]

Have a look at this post and the four following it. It might be what you're after. It does require Merlin's firmware though, not stock.

Interesting, looks like a bit of a trick using the router IP. Thanks I'll give it a go later today.

 

[josh3003]

Have a look at this post and the four following it. It might be what you're after. It does require Merlin's firmware though, not stock.

Where would I add this strict-order field you mentioned also?

 

[ColinTaylor]

Where would I add this strict-order field you mentioned also?

/jffs/configs/dnsmasq.conf.add

 

[josh3003]

/jffs/configs/dnsmasq.conf.add

Literally just put in only 'strict-order' to that file and reboot router?

 

[dave14305]

Or just run service restart_dnsmasq

 

[josh3003]

Or just run service restart_dnsmasq

Thanks. I'll do that later on as well. Might be best to go with PiHole as main dns and I might try my cloud-based pihole deployment as my routers wan, might give me a bit more visibility over what's going on as well as checking logs without it flooding my primary hardwired pi
If it goes belly up, I'll use 9.9.9.9 as a fallback.

 

[josh3003]

Also, bit of an off topic question but whats best practice for getting WAN access to the router? Is it safe to have it sitting there open to the world? It's handy for me to access it when I am not at home. But wondering what might be the best way to access it apart from VPN. Anyway to check what potentially hits my login page to check for suspicious activity?

 

[ColinTaylor]

VPN on a non-standard port is the only recommended way. "Worst practice" would be enabling the web interface to the WAN.

If you have a PC or server on your LAN that is available you have more options there.

 

[josh3003]

Cool, I'll get this fallback dns configured correctly later today and then I can switch off enabling web interface to WAN. Will continue using VPN and accessing it that way.

 

[josh3003]

/jffs/configs/dnsmasq.conf.add

Is there a way to test that this strict-order is working? That all the tries are going to first DNS? How did you do the test which shows the:

server 8.8.4.4#53: queries sent 1008, retried or failed 0
server 8.8.8.8#53: queries sent 0, retried or failed 0

Seems that I followed the guide and I am getting some hits on both piholes and I have followed the guide.

 

[dave14305]

Is there a way to test that this strict-order is working? That all the tries are going to first DNS? How did you do the test which shows the:

server 8.8.4.4#53: queries sent 1008, retried or failed 0
server 8.8.8.8#53: queries sent 0, retried or failed 0

You can run this and then check the syslog or dnsmasq.log (if using a separate log file):

kill -SIGUSR1 $(pidof dnsmasq)

 

[josh3003]

Ok, so after running that it looks like although I listed the servers sequentially it's using the reverse order as it sent 206 queries to my backup DNS and failed 1 query which was forwarded to my primary DNS.

 

[josh3003]

You can run this and then check the syslog or dnsmasq.log (if using a separate log file):

Why would it be the opposite effect? Should I be using DHCP on the primary pihole as well instead of my router also?

 

[josh3003]

Update,

I've tried it again and this time when I unplug primary raspberrypi running pihole locally, my network drops connectivity alltgoether.

 

[dave14305]

Why would it be the opposite effect? Should I be using DHCP on the primary pihole as well instead of my router also?

What’s in /etc/resolv.conf? Found this discussion of strict-order:

[Dnsmasq-discuss] conf-dir load order and strict-order directive

but note the definition of --strict-order

-o, --strict-order
By default, dnsmasq will send queries to any of the upstream
servers it knows about and tries to favour servers that are
known to be up. Setting this flag forces dnsmasq to try each
query with each server strictly in the order they appear in
/etc/resolv.conf
^^^^^^^^^^^^^^^

It makes no promises about anything not appearing in /etc/resolv.conf.
Maybe it should, but it doesn't. (Or maybe the whole, sorry option
should be removed.....)

 

[dave14305]

my network drops connectivity alltgoether

Explain what you mean? DNS fails? Router stops pinging? Wireless drops?

 

[ColinTaylor]

Why would it be the opposite effect? Should I be using DHCP on the primary pihole as well instead of my router also?

No. Never run two DHCP servers on the same subnet.

 

[josh3003]

Explain what you mean? DNS fails? Router stops pinging? Wireless drops?

DNS fails and although I have a fresh 8 day dhcp lease straight from the rpi my desktop seens to lose dhcp as well. Just seems to be my PC I think.