Asus RT-AC68U Merlin DNSFilter + 2 PiHole's?

[josh3003]

This could be a good use case for the "free tier" of NextDNS to be the fallback public server (WAN DNS 1)

Hey Dave, I had to actually disable caching in PiHole under /etc/dnsmasq.d/01-pihole.conf
Turned out when I fellback to other provider I think it was trying to cache some queries and it wasn't getting anywhere. I had IOT thing devices screaming saying they can't connect lol. At least that's what I think was happening anyway, seems to of fixed it.

 

[dave14305]

Hey Dave, I had to actually disable caching in PiHole under /etc/dnsmasq.d/01-pihole.conf
Turned out when I fellback to other provider I think it was trying to cache some queries and it wasn't getting anywhere. I had IOT thing devices screaming saying they can't connect lol. At least that's what I think was happening anyway, seems to of fixed it.

I suggested NextDNS as an alternate for the router’s WAN DNS. Pi-Hole upstream could still be Quad9 or other favorite DNS. I wouldn’t combine Pi-Hole and NextDNS (not sure if you did that or not), so I’m not sure how caching on Pi-Hole would matter. Having no local caching almost negates any benefit to run a local DNS server, unless the Pi-Hole‘s upstream is Unbound with its own local cache.

 

[josh3003]

Yeah I switched to quad 9 and re-enabled caching shortly after. I figured caching was too important to give up.

 

[SomeWhereOverTheRainBow]

I followed a thread on reddit and set up DNSFilter and forcing all requests both normal and hardcoded/DNS over HTTPS queries through my router. It works great. I do however have a few queries I am hoping some of you could address.


As mentioned, everything seems to go through primary pihole and any query that has hardcoded dns forces itself back to the router which comes up as a query under my router. Awesome.


I've been thinking about redundancy, I was trying to maintain a 2nd pihole using pihole-gemini? Doesn't seem to work with the new Pihole version 5. Nonetheless I also followed a guide and I also have a pihole running in the cloud. I was thinking of pointing my 2nd DNS server to that cloud based server, in the event of a corrupt sd card or the primary pi failing. However, with the DNSfilter enabled I'd drop my connection as when it would go down, so would too my DNS queries. As a workaround I do have WAN access to my router so I can access it at anytime and disable the DNSFilter to enable DNS queries to continue and point to my 2nd DNS server.

There isn't anyway to force all clients to primary local pihole and in the event if it goes offline, dns queries would then go to the pi in the cloud or a 2nd local pihole with the same forced requests through the router or is that a limitation of DNS filter? I don't want to disable it all together and run 2 piholes as I want all the stats on one and save the other for reduncany if it is ever required. Hope this makes sense, if you need any clarification please let me know. Thanks.

I made a setup where i load balance mine using nginx stream. I assigned the streaming listen address to an address that resides outside my DHCP pool and I pass that address to my clients using LAN DNS DHCP.

 

[josh3003]

Quick update. I am running 386.2_2 now and it seems I dont get the DNS requests, or very many logs like I used to that the router makes being forwarded through Pi-Hole. Is this just a funny config being that the WAN DNS #2 is actually forced and perhaps the router uses WAN DNS #1 with the strict-order in my dnsmasq.conf.add file? Thanks.

 

[SomeWhereOverTheRainBow]

I know this has fallen off topic for a bit now @dave14305, In case anybody ever ask, it is doable with ipv6 as well the concept is alittle more involved as it requires modifying dnsmasq.postconf to make sure it knows to share both primary piholes ipv6 dns address as well as router lan ipv6 dns address. The concept for the wan ipv6 dns still applies like it does with ipv4, secondary pihole goes in the first spot while primary pihole goes in the second (reverse order for johns fork). The only nuance is the needing to modify dnsmasq.postconf. Your add add-subnet can include 128 as =32,128. the local option would look something like local=/Some annoying ipv6 arpa that matches your Lan.0.6.2.ip6.arpa/

 

[dave14305]

I know this has fallen off topic for a bit now @dave14305, In case anybody ever ask, it is doable with ipv6 as well the concept is alittle more involved as it requires modifying dnsmasq.postconf to make sure it knows to share both primary piholes ipv6 dns address as well as router lan ipv6 dns address. The concept for the wan ipv6 dns still applies like it does with ipv4, secondary pihole goes in the first spot while primary pihole goes in the second (reverse order for johns fork). The only nuance is the needing to modify dnsmasq.postconf. Your add add-subnet can include 128 as =32,128. the local option would look something like local=/Some annoying ipv6 arpa that matches your Lan.0.6.2.ip6.arpa/

Do you have a written out example of the changes necessary to make it happen? My Raspberry Pi is currently running as my router with OpenWRT, so I can’t test it out at the moment. I’m wondering aloud why we couldn’t just turn a Raspberry Pi 4 with Pi-Hole (dns+dhcp) into a router and relegate the Asus as an AP. Been researching this for a while on the side.

 

[josh3003]

I have kind of changed my config since this thread. While it was working I ended up running a secondary pihole which acts as a slave pi. Both PiHole devices are running keepalived which both share a virtual dns ip in which I followed the instructions here.

As now I have a master and slave pihole when the master dies or goes offline my slave pihole kicks over to handle any dns queries. As I no longer have an issue of needing to worry about multiple dns servers I run the custom option on DNSFilter in Merlin. I actually only changed it over from Router to Custom today and noticing less traffic being force redirected through the router and now coming explicitly from the offending device/s. It's a pretty great setup to have going now.

Also I am running DOH using cloudflared on each of the PiHole's and to this thread I am also now using NextDNS as they give me excellent CDN routing. I am about to find out however if I lose the performance benefits such as the anonymised CDN queries and cname flattening etc as I am nearing their free 300k query per month quota. However, I understand that to only affect the black/whitelisting of domains which doesn't bother me as PiHole handles that stuff for me.

 

[SomeWhereOverTheRainBow]

Do you have a written out example of the changes necessary to make it happen? My Raspberry Pi is currently running as my router with OpenWRT, so I can’t test it out at the moment. I’m wondering aloud why we couldn’t just turn a Raspberry Pi 4 with Pi-Hole (dns+dhcp) into a router and relegate the Asus as an AP. Been researching this for a while on the side.

It is possible to turn RP4 into a router and run Asus router as an AP, but it requires some slight modifications using the usb3.0 port with a gigabit adapter and some clever linux modifications. there are several guides across google search to do such. I prefer to keep asus as my router because of the slew of already available scripts and this great community.

 

[SomeWhereOverTheRainBow]

@dave14305
This is a continuation of earlier guides

Current Assumptions
DNSFIL- Custom 1 defines ROUTERS IP
LAN DHCP DNS1 = PRIMARY PIHOLES IP
LAN DHCP DNS2 = ROUTERS IP
WAN DNS1 = SECONDARY PIHOLES IP
WAN DNS2 = PRIMARY PIHOLES IP
Required strict-order in dnsmasq.conf.add


Modify dnsmasq.postconf with the addition of the following line using the helper script

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "dhcp-option=dnsf11,option6:23,[::]" "dhcp-option=dnsf11,option6:23,[Primary Piholes IPV6DNS],[::]" $CONFIG

optional commands for dnsmasq.conf.add

add-mac
local=/0.1.168.192.in-addr.arpa/ #this should reflect of your networks ARP for ipv4
local=/SOME.IPV6.ARPA.ip6.arpa/  #this should reflect of your networks ARP for ipv6
add-subnet=32,128

 

[gspannu]

See this thread for potential hope for the future, or now if you want to test it and add add-subnet=32 to the router’s dnsmasq.conf.add. But there could be privacy concerns sending this out to the real external DNS server.

Support for add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet)

I must say I like this idea and see a lot of potential value in it (given routers can be made to send ECS data). Over the past two hours, I went back and forth between RFC 6891 and RFC 7871 and finished a first implementation of the Extension Mechanisms for DNS ("EDNS(0)"). FTL should now be...

discourse.pi-hole.net

Hi @dave14305 @josh3003 @ColinTaylor others...

Hoping that you can help me find a solution...

• I am running my own VPS server (on DigitalOcean, Debian 10 instance) and this hosts an OpenVPN server and PiHole.
• I connect to the OpenVPN server from my Asus-AX88U router (Client1)
• All my devices (except 3 of them) go through the OpenVPN. I have managed this through VPN director. This ensures that all devices (except 3) get ad-blocking and the traffic is via VPN.

On the PiHole, I see all traffic coming from the router (10.8.0.2 address) - as expected !

I then read about the ECS/EDNS0 feature in PiHole... and this would allow me to identify my individual clients on the PiHole.

I have added the lines add-mac add-subnet=32 to dnsmasq.conf.add on the Asus Router, so that I can identify my router clients at the PiHole.

However, all traffic at the PiHole is still showing as from 10.8.0.2 (OpenVPN Client 1) ...

I have separately tested that the router is definitely sending out a ECS DNS request by pointing the Router Primary WAN DNS to such a server; and it resolves the various IP addresses/MAC addresses behind the router. This test was done outside the VPN tunnel by just using WAN DNS; and it all works great - so proving that the PiHole does work as expected and that the router can/ does send ECS DNS requests outside the VPN.​

How do I ensure that the add-mac add-subnet=32 parameters as defined in dnsmasq are used by the OVPN tunnel?
Is there any way to force that the dnsmasq configuration on the VPN tunnel?

References:

OpenVPN server.config file on VPN server in the Cloud
......
.....
push "redirect-gateway def1 bypass-dhcp"
.....
.....

VPN Client1 on Asus Router
Accept DNS Configuration: Exclusive
Redirect Internet Traffic Through Tunnel: VPN Director (policy rules)

VPN Director Settings on Asus Router
Bypass-Laptop1; 192.168.1.20; Blank; WAN
Bypass-AppleTV; 192.168.1.21; Blank; WAN
All-through-VPN; 192.168.1.0/24; Blank; OVPN1

 

[SomeWhereOverTheRainBow]

Hi @dave14305 @josh3003 @ColinTaylor others...

Hoping that you can help me find a solution...

• I am running my own VPS server (on DigitalOcean, Debian 10 instance) and this hosts an OpenVPN server and PiHole.
• I connect to the OpenVPN server from my Asus-AX88U router (Client1)
• All my devices (except 3 of them) go through the OpenVPN. I have managed this through VPN director. This ensures that all devices (except 3) get ad-blocking and the traffic is via VPN.

On the PiHole, I see all traffic coming from the router (10.8.0.2 address) - as expected !

I then read about the ECS/EDNS0 feature in PiHole... and this would allow me to identify my individual clients on the PiHole.

I have added the lines add-mac add-subnet=32 to dnsmasq.conf.add on the Asus Router, so that I can identify my router clients at the PiHole.

However, all traffic at the PiHole is still showing as from 10.8.0.2 (OpenVPN Client 1) ...

I have separately tested that the router is definitely sending out a ECS DNS request by pointing the Router Primary WAN DNS to such a server; and it resolves the various IP addresses/MAC addresses behind the router. This test was done outside the VPN tunnel by just using WAN DNS; and it all works great - so proving that the PiHole does work as expected and that the router can/ does send ECS DNS requests outside the VPN.​

How do I ensure that the add-mac add-subnet=32 parameters as defined in dnsmasq are used by the OVPN tunnel?
Is there any way to force that the dnsmasq configuration on the VPN tunnel?

References:

OpenVPN server.config file on VPN server in the Cloud
......
.....
push "redirect-gateway def1 bypass-dhcp"
.....
.....

VPN Client1 on Asus Router
Accept DNS Configuration: Exclusive
Redirect Internet Traffic Through Tunnel: VPN Director (policy rules)

VPN Director Settings on Asus Router
Bypass-Laptop1; 192.168.1.20; Blank; WAN
Bypass-AppleTV; 192.168.1.21; Blank; WAN
All-through-VPN; 192.168.1.0/24; Blank; OVPN1

you need to make sure EDNS0_ECS=true is added to your /etc/pihole/pihole-ftl.conf this tells pihole to look for this additional information provided by add-mac and add-subnet options. you also need to make sure your pihole is using the latest up-to-date pihole version. The add-mac and add-subnet need to be present in your dnsmasq.conf.add or dnsmasq.postconf options on your router(dnsmasq.conf.add is the easiest option). Openvpn dns settings must be properly configured to use options present in dnsmasq.conf

 

[gspannu]

you need to make sure EDNS0_ECS=true is added to your /etc/pihole/pihole-ftl.conf this tells pihole to look for this additional information provided by add-mac and add-subnet options. you also need to make sure you pihole is using the latest up-to-date pihole version.

Both are already done.
pihole-FTL.conf file contains EDNS0_ECS=true
and running latest versions Pi-hole v5.3.1; Web Interface v5.5.1; FTL v5.8.1

On a side note; EDNS0_ECS=true should not be needed as it is by default=true (as per PiHole documentation), but I have still put it in the file...

 

[ColinTaylor]

I think the issue is because you have set Accept DNS Configuration to Exclusive which means you are not using dnsmasq at all for those devices. I don't know of a way around this. The only VPN DNS option that might work is Strict but I don't know exactly how that works.

 

[SomeWhereOverTheRainBow]

I think the issue is because you have set Accept DNS Configuration to Exclusive which means you are not using dnsmasq at all for those devices. I don't know of a way around this. The only VPN DNS option that might work is Strict but I don't know exactly how that works.

As @ColinTaylor has alluded to and I also mention Openvpn dns settings must be properly configured to use options present in dnsmasq.conf. Open VPN must be using the correct dns parameter @ColinTaylor suggest trying out Strict. I concur with this line of thought as well.

 

[gspannu]

I think the issue is because you have set Accept DNS Configuration to Exclusive which means you are not using dnsmasq at all for those devices. I don't know of a way around this. The only VPN DNS option that might work is Strict but I don't know exactly how that works.

As @ColinTaylor has alluded to and I also mention Openvpn dns settings must be properly configured to use options present in dnsmasq.conf. Open VPN must be using the correct dns parameter @ColinTaylor suggest trying out Strict. I concur with this line of thought as well.

If I do not use Exclusive, the query does not even go to the VPN server. I have tried strict, but the query is then resolved by the Wan DNS setting, rather than being sent over the VPN to the PiHole.

There must be some way for the VPN connection to respect the dnsmasq flags or some means to achieve this...

 

[SomeWhereOverTheRainBow]

If I do not use Exclusive, the query does not even go to the VPN server. I have tried strict, but the query is then resolved by the Wan DNS setting, rather than being sent over the VPN to the PiHole.

There must be some way for the VPN connection to respect the dnsmasq flags or some means to achieve this...

Set pihole as the dns servered through WAN. It will still see your device's since you have used the add-mac and add-subnet options

 

[gspannu]

Set pihole as the dns servered through WAN. It will still see your device's since you have used the add-mac and add-subnet options

2 reasons cannot do that.

1) The DNS server (is a private address) and is only accessible once the OVPN is connected.
2) Even if I made PiHole accessible as a public resolver [which I do not want to do] and put up the address as the WAN server; this means that other devices that are not supposed to go through the VPN tunnel will also be using this DNS address.

 

[bennor]

There is another reason why using Pi-Hole in the WAN DNS fields is not necessarily a good idea. If one has Conditional Forwarding enabled on the Pi-Hole and inputs Pi-Hole into the router's WAN DNS field(s); it can setup a situation where a loop is created between the Pi-Hole and the router that floods the local network. (See here, and here for some discussion on this loop issue.)

 

[gspannu]

Set pihole as the dns servered through WAN. It will still see your device's since you have used the add-mac and add-subnet options

Update:
2 reasons cannot do that.

1) The DNS server (is a private address) and is only accessible once the OVPN is connected.
2) Even if I made PiHole accessible as a public resolver [which I do not want to do] and put up the address as the WAN server; this means that other devices that are not supposed to go through the VPN tunnel will also be using this DNS address and will also then use PiHole blocking. <These are the very clients that I do not want to be blocked, hence they are not routed through the VPN>

I can confirm though that by setting the WAN DNS to public PiHole server address; I am able to see the clients IP addresses & MAC addresses. So it does prove that my setup (at the router and PiHole end) is working.​

Now it is a matter of finding how to get OVPN traffic to also send add-mac and add-subnet and respect the dnsmasq flags.