Asus RT-AC68U Merlin DNSFilter + 2 PiHole's?

[ColinTaylor]

Thanks Dave. It will be interesting to see if the order of priority is the opposite way around as per your other post.

 

[josh3003]

Thanks Dave. It will be interesting to see if the order of priority is the opposite way around as per your other post.

# cat /tmp/resolv.dnsmasq
server=192.168.1.146
server=35.213.232.21

Looks to be how it should be in theory.

 

[ColinTaylor]

# cat /tmp/resolv.dnsmasq
server=192.168.1.146
server=35.213.232.21

Looks to be how it should be in theory.

The question mark was whether it applies the entries from the top down or bottom up.

P.S. Make sure that you reboot the Pihole before the router so that the router doesn't immediately fail over to the external server. I'm assuming the network interface on the Pihole is statically configured.

 

[josh3003]

P.S. Make sure that you reboot the Pihole before the router so that the router doesn't immediately fail over to the external server. I'm assuming the network interface on the Pihole is statically configured.

Will do that now. Cheers won't be able to test fully for another few hours until I am home.

 

[josh3003]

P.S. Make sure that you reboot the Pihole before the router so that the router doesn't immediately fail over to the external server.

Does that mean if pihole came back up, by looking at 'strict-order' queries should start redirecting back there correct?

 

[josh3003]

Thanks Dave. It will be interesting to see if the order of priority is the opposite way around as per your other post.

Seems to be still in the reverse. Do I simply flip the server list and try that?

EDIT: I THINK flipping the server list appears to work, maybe Merlin is backwards Sent 3 to PiHole after restarting dnsmasq and none sent to the secondary pihole

 

[josh3003]

I think that's working, however, I think some clients are now using 192.168.1.1 as DNS so a heap of queries are getting logged under as my router in PiHole. To clarify, yes I understand and previously any DNS over HTTPS would be logged through as my router but a lot of standard queries are going through there now as well and clients arent using the pihole instead of the router. Can that also be fixed in an order in DNSFilter? Perhaps use 192.168.1.146 (pihole IP) as custom 1 and 192.168.1.1 as custom 2?

 

[dave14305]

Can that also be fixed in an order in DNSFilter? Perhaps use 192.168.1.146 (pihole IP) as custom 1 and 192.168.1.1 as custom 2?

There is no concept of a secondary in DNS Filter, since it’s creating iptables rules that can only redirect to a single destination. Custom 1 and 2 relate only to the dropdown menu choices and have no relation to each other.

 

[josh3003]

There is no concept of a secondary in DNS Filter, since it’s creating iptables rules that can only redirect to a single destination. Custom 1 and 2 relate only to the dropdown menu choices and have no relation to each other.

Am I out of luck that way then? Because I have devices configured through PiHole and the wife likes a lot of things unblocked so I tend to leave her devices alone and use the lists and block ads against my devices. If traffic is being passed through partly through the device IP and router IP I am not able to easily manage that.

 

[dave14305]

Am I out of luck that way then? Because I have devices configured through PiHole and the wife likes a lot of things unblocked so I tend to leave her devices alone and use the lists and block ads against my devices. If traffic is being passed through partly through the device IP and router IP I am not able to easily manage that.

See this thread for potential hope for the future, or now if you want to test it and add add-subnet=32 to the router’s dnsmasq.conf.add. But there could be privacy concerns sending this out to the real external DNS server.

Support for add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet)

I must say I like this idea and see a lot of potential value in it (given routers can be made to send ECS data). Over the past two hours, I went back and forth between RFC 6891 and RFC 7871 and finished a first implementation of the Extension Mechanisms for DNS ("EDNS(0)"). FTL should now be...

discourse.pi-hole.net

 

[josh3003]

See this thread for potential hope for the future, or now if you want to test it and add add-subnet=32 to the router’s dnsmasq.conf.add. But there could be privacy concerns sending this out to the real external DNS server.

We're looking pretty good, had to follow the steps and also added the add-macto the dnsmasq.conf.add file too as well as enabling that PiHole ftl EDNS setting

 

[josh3003]

Yep, just did some testing. Although the 2nd pihole is running off gcp free tier it's notably a bit slower than my local pi I might consider switching it to 9.9.9.9 but it is nice to view for logging. However, for the redundancy purposes and reasoning for opening this thread, we are looking good to go!

Thanks for all your help guys.

 

[josh3003]

I have increased the DNS limit to 1024 in dnsmasq but was getting smashed with queries below. So much so was getting flooded in my sys log with below message:
dnsmasq[21040]: Maximum number of concurrent DNS queries reached (max: 150)

Query that was being hammered was below.
lb._dns-sd._udp.0.1.168.192.in-addr.arpa

Is that all I need to do?

 

[dave14305]

I’ve created a similar setup on my own network and it seems to also be working as designed. I just unplugged the LAN cable from my Pi and the queries were sent to Quad9 as expected. This is pretty sweet now, since I also have the need to exclude certain family devices from ad-blocking (laptops used to take school exams with lockdown browsers that must love tracking domains). strict-order also seems to be working as long as the WAN DNS 1 and 2 are reversed in terms of preference.

The minor exception on Merlin is the router’s own lookups will go to the WAN DNS 1 server from resolv.conf, but I don’t want to mess with that. If you really wanted, you could enable Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”.

 

[dave14305]

I have increased the DNS limit to 1024 in dnsmasq but was getting smashed with queries below. So much so was getting flooded in my sys log with below message:
dnsmasq[21040]: Maximum number of concurrent DNS queries reached (max: 150)

Query that was being hammered was below.
lb._dns-sd._udp.0.1.168.192.in-addr.arpa

Is that all I need to do?

Ok I’m seeing this now too. Not sure why yet. But disabling DNSFilter seems to help for now.

EDIT: I’ve updated the AdminLTE to devel branch in case it wasn’t handling the new MAC address identification properly.

 

[ColinTaylor]

From Google it seems to be a known issue with Pihole's conditional forwarding conflicting with DNSFilter-like functions.

 

[dave14305]

From Google it seems to be a known issue with Pihole's conditional forwarding conflicting with DNSFilter-like functions.

Yes, I was just reading that and wondering if there's a way to handle PTR queries for lb._dns-sd._udp.0.1.168.192.in-addr.arpa in dnsmasq.conf.add on the router?

 

[ColinTaylor]

What about just turning off conditional forwarding?

 

[dave14305]

What about just turning off conditional forwarding?

That's the easy way out. I do want the pihole query log to still show the client hostnames, and for clients to be able to resolve local LAN (home.lan) hostnames when pointing to pihole.

 

[ColinTaylor]

That's the easy way out. I do want the pihole query log to still show the client hostnames, and for clients to be able to resolve local LAN (home.lan) hostnames when pointing to pihole.

I always regarded this as a limitation of this method. You can't on one hand say "I want Pihole to be my authoritative DNS server" and then say "oh but now I want it to be the router". Maybe there's a way to botch it. (I've never used Pihole.)