Custom DNS Filtering question /problem

[EdwardRutherfordthe5th]

Hey guys decided to finally signup as this forum has been a great source of info for my Asus Merlin router.
Here is my current predicament and I need feedback on it
I have Asus RT-AC68U with Merlin 384.4.2
In the LAN/DHCP Server /DNS and WINS Server Setting - I have setup custom DNS to a local DNS of 192.168.20.241
This IP is a Pi-hole which is a network ad blocker. This works great sends all the requests through there and can see everything.
My problem is I have a wifi connected clock and since Pi-hole caches DNS when the clock requests the time from "" It sometimes returns the DNS info that is cache. Causing the time to mess up. It will eventually resync in two hours but it is annoying none the less.
For this clock I can not set an IP on it. I have set a Static IP via the Asus router but will not let me setup individual DNS servers on it.
In Pi-hole there is no option for me to stop caching certain domains and I have asked the devs and they dont even know a manual way of doing it through DNSmasq

What I am currently trying to do is setup DNS Filtering and it is not going so well.
In AiProtection/DNSFilter - I have switched this to "ON"
Global Filter mode - No filtering
C1 192.168.20.241
C2 1.1.1.1
C3 208.67.222.222

I have added the clocks MAC set it to filter Mode "Custom 3" which should be the 208 address above. Clicked + and saved everything.

Things should take effect. However I reboot the clock and it still goes through the pi-hole (192.168.20.241)
I have also tried setting the Global Fitler to "Router" but then internet stops working completely and I have no clue why as shouldn't it be 192.168.20.241 because that is what I setup in LAN DNS? I have also tried Custom 1 which does the same thing. When I have the DNS filter set to those. I check pi-hole and I see a giant spike of DNS requests coming in from 192.168.20.1 (router). I am not sure whats going on there, its almost like it is going around and around in circles but I have no way to confirm that. Also why is the router sending the requests? It should be the clients that are requesting it....
From my understanding if I set global to router it should send to the LAN DNS if specified (currently set to 192.168.20.1) right?

About a year ago I had this working with pihole and everything. I dont know what changed I have reconfirmed all the settings. I would gladly give you any setting (within reason) to help me troubleshoot it.

Here is a thread I mainly used
https://www.snbforums.com/threads/d...c-hosts-on-lan-rt-ac68u-asuswrt-merlin.23694/
Edit: Side note there is no VPN client or Server involved I have turned those off for now to overcomplicate the issues

 

[daviworld]

Hi, and welcome offcially to the forum's

While I have some theories, I am still a bit confused on what's going on in your network, so gonna ask some clarifying question's. From my understanding so far, it sound's as though the router is trying to request lookup information from pi-hole but not getting any responses, which = no internet/ DNS Failure

1. For WAN DNS are you using ISP or are using your pi-hole or some other custom DNS for your router lookups?

2. Have you tried clearing your LAN DNS(blank), and just setting up your just your DNS Filters & WAN DNS?

3. What happen's with the clock and router when you remove pi-hole from the equation?

4. I see for C2 & C3 you are using Cloudflare & OpenDNS. Have you tried setting the C3 DNS for another device and confirming DNS works on that device?

5. Lastly, you mentioned you had this all working before, but there has been a lot of change's in the firmware over the last year. So, it is possible something older, may no longer work or may work differently. However, you didn't mention this in your post. But, have you also made any change's to the router yourself recently?

 

[ColinTaylor]

I think you are misunderstanding how DNS Filtering works. Answering @daviworld's questions should help to clarify things somewhat.

That said, your original problem is your clock not obtaining the correct time. I can't imagine why you think this problem has anything to do with DNS or its cache. It doesn't matter whether a DNS record is in the cache or not, the IP address returned will be the same. Or am I missing something here? Can you elaborate on how the clock obtains its time.

 

[EdwardRutherfordthe5th]

Hi, and welcome offcially to the forum's

While I have some theories, I am still a bit confused on what's going on in your network, so gonna ask some clarifying question's. From my understanding so far, it sound's as though the router is trying to request lookup information from pi-hole but not getting any responses, which = no internet/ DNS Failure

Thanks and yes it would go device DNS requst to pi hole (20.251) and pi hole would reach out if it did not have anything cached on the domain. the DNS for the pi hole is Ad Guard DNS. This is working fine for all devices. I can see requests coming in to pi hole every few seconds.

1. For WAN DNS are you using ISP or are using your pi-hole or some other custom DNS for your router lookups?

I am currently leaving it "blank" which means the ips are automatically assigned from the ISP
I will get screenshots for everyone tomorrow, was about to head to bed then saw responses.

2. Have you tried clearing your LAN DNS(blank), and just setting up your just your DNS Filters & WAN DNS?

I can try this again. I am partially confused by this. So if I am to set my DNS and have my OWN DNS. wouldn't I set my LAN DNS? or should I leave those blank and set the WAN DNS? WAN trumps LAN wouldn't it?

3. What happen's with the clock and router when you remove pi-hole from the equation?

The problem goes away. It does it randomly as well. My clock gets the time every 2 hours and it an get the correct time for a day but then can get the incorrect time.

4. I see for C2 & C3 you are using Cloudflare & OpenDNS. Have you tried setting the C3 DNS for another device and confirming DNS works on that device?
C2 and C3 are currently not used by anything. I can remove them if you'd like. They were mainly place holders.

5. Lastly, you mentioned you had this all working before, but there has been a lot of change's in the firmware over the last year. So, it is possible something older, may no longer work or may work differently. However, you didn't mention this in your post. But, have you also made any change's to the router yourself recently?

[/QUOTE]
see below - only major change is introducing pi-hole which has caused the issue

@ColinTaylor I agree however it is. Some background for everyone. I just moved a month ago so i took it upon myself to do a refresh of my ENTIRE network. I reset every single device updated all firmwares of all devices could find and I have slowly reintroduced them to the network. About 5 days ago I reimplemented Pi-hole in installed beautifully and everything is working dandy, within that same day the clock got the wrong time. I thought it was a one off, Reset the clock did it again eventually, and again and again. I have removed pi-hole and it is fine. The only thing I can think of is the DNS cache as about 50-70% of the response the clock gets are cached responsed. Because I can not see the responses I can not verify this 100% of the time
In addition I had the clock at my work originally but brought it home. It was there for 6 months with zero glitches at all
When I said I had "this" working before. What I truely meant by that was. I originally had DNS filtering setup for a different device. However about 3 months ago I removed the device from the network so I turned of DNS filtering. I set it up for that device as I had pi hole installed and the device would call out to baidu website every second which I did not like as that is chinese owned. So I setup that device to redirect to a non existent DNS server of a random internal IP

 

[daviworld]

Thanks and yes it would go device DNS requst to pi hole (20.251) and pi hole would reach out if it did not have anything cached on the domain. the DNS for the pi hole is Ad Guard DNS. This is working fine for all devices. I can see requests coming in to pi hole every few seconds.


I am currently leaving it "blank" which means the ips are automatically assigned from the ISP
I will get screenshots for everyone tomorrow, was about to head to bed then saw responses.


I can try this again. I am partially confused by this. So if I am to set my DNS and have my OWN DNS. wouldn't I set my LAN DNS? or should I leave those blank and set the WAN DNS? WAN trumps LAN wouldn't it?


The problem goes away. It does it randomly as well. My clock gets the time every 2 hours and it an get the correct time for a day but then can get the incorrect time.

see below - only major change is introducing pi-hole which has caused the issue

@ColinTaylor I agree however it is. Some background for everyone. I just moved a month ago so i took it upon myself to do a refresh of my ENTIRE network. I reset every single device updated all firmwares of all devices could find and I have slowly reintroduced them to the network. About 5 days ago I reimplemented Pi-hole in installed beautifully and everything is working dandy, within that same day the clock got the wrong time. I thought it was a one off, Reset the clock did it again eventually, and again and again. I have removed pi-hole and it is fine. The only thing I can think of is the DNS cache as about 50-70% of the response the clock gets are cached responsed. Because I can not see the responses I can not verify this 100% of the time
In addition I had the clock at my work originally but brought it home. It was there for 6 months with zero glitches at all
When I said I had "this" working before. What I truely meant by that was. I originally had DNS filtering setup for a different device. However about 3 months ago I removed the device from the network so I turned of DNS filtering. I set it up for that device as I had pi hole installed and the device would call out to baidu website every second which I did not like as that is chinese owned. So I setup that device to redirect to a non existent DNS server of a random internal IP[/QUOTE]


2. WAN DNS would be what the router uses to get its lookup information(ISP/custom). LAN would be what the devices get, however if you're going to use DNS filtering. I would leave LAN DNS blank & configure your DNS for your devices in the DNS filtering section.

Sound's like the clock itself might need a fresh response, rather than a cache one, while pi-hole is good for caching, they may be at odd's with each other.

Since it was working at your job. Do you know if while the clock was at your place of employment, it was also behind a pi-hole type of set-up or was it allowed to reach out via VPN or direct to the internet to get its time?

However, see if this will work for you in the meantime. In DNS filtering, remove the clock from going through pi-hole and allow it to go through the router, Cloudflare, or OpenDNS and see if the time syncing issue will correct itself. You can leave pi-hole as is, since no other device's are being affected.

Oh, I also forgot to ask but does your router and pi-hole time also match?

 

[EdwardRutherfordthe5th]

Ok here are some things from my testing
I have removed all settings of WAN DNS , LAN DNS and turned off DNS Filtering.
With this I have internet and my DNS server is my router. I veified that Pi-hole is not getting any DNS requests
From there I turn on DNS Filtering with Global Filter set to Router
I have internet my DNS is still the router as no LAN DNS was specified
PI-hole still not recieving DNS requests like it should
I then proceed to edit LAN DNS and change it to 20.241 (pi hole)
Save and then I have no internet, I check pi-hole and DNS requests Sky rocket
from about 50 a min to over 6000 in a course of 10 min. I have no internet but it appears that
its forwarding requests like it should be. I have tested 3 devices to make sure its not my device


Today I also did a drastic measure I setup a brand new instance of pi hole. From scratch brand new raspberry pi image as well.
I also backed up my current asus router settings and then reset everything to factory.
Once factory was complete I tested internet, it worked.
I then turned on DNS Filtering with "router" enabled as the global filter and the defaults for customer 1-3 which are just google. Saved and tested internet, worked perfectly fine this is working with the standard router 192.168.1.1 as "router"
I then setup LAN DNS to the new IP of pihole 192.168.1.173, selected no for"advertise router IP in addition to specified DNS" Saved everything and internet did not work. I could see DNS requests coming in and being resolved though.
I proceeded and removed pihole from LAN DNS and saved everything, internet back up and running. After saying yes to advert router IP
I put the pihole in the WAN DNS - internet not working, could see tons of requests all coming from router and not clients because clients are going to router then router is going out.

Router system time is correct
new instance of pi hole time is 1 hour behind. I have corrected this. no change

So from basic troubleshooting/narrowing it down. I know DNS filter works with router enabled, if it has nothing specified in LAN DNS

I also know Pi hole works but it appears however the router or pihole is handing the requests either on the outgoing or incoming it is getting messed up. I am guessing its on the incoming because I can see requests going out via pi hole. just cant see incoming
Can you guys suggest any DNS tools/diagnostics/ troubleshooting techniques. DNS has always been my weak spot in terms of troubleshooting

I am going to revert to my standard asus backup and pihole config as reset instances proved that it was not a setting i had on some page. will continue to troubleshoot

For the clock I am not sure if they had something similar to pi hole. I would image so as they are a high security place i know they do have proxies setup and they make you install a SSL cert which gives them acess to ALL HTTPS traffic to inspect it essentially a giant corperate man in the middle attack.

I have removed it previously and it does correct itself. Every 2 hours it reaches out for the correct time if it does not recieve a cached response then it corrects itself. If it recieves a cached response, only sometimes it messes up on the time (i have found no correlation on it) and if it does mess up it is off by 2 hours slow. Meaning the DNS response that was given to it was cached from the DNS request 2 hours ago producing the wrong time. Hence why I want to setup DNS filtering to set it to a different DNS other than my pi hole.

haha very sorry for all the information

 

[EdwardRutherfordthe5th]

Small little update.
I fired up wireshark. Did a wifi capture just on my local PC as suspected for some reason the return traffic is not coming in see attached
The first one is without DNS Filtering on and working pihole
https://s7.postimg.org/8jq4kz1gb/working.png
The second one is with it on you can see there is no response returning from pihole
https://s7.postimg.org/x1i88g3wb/no_working.png

Do you guys have any suggestions for troubleshooting this?

 

[ColinTaylor]

I haven't got time to plow through your reply at the moment but I'll make a couple of general points.

If you set the Global Filter to something it will effect all DNS request that aren't otherwise set in the Custom entries. This applies equally to the DNS requests sent upstream by the PiHole. So it's quite easy to setup a situation where the DNS requests are just looping endlessly back to the PiHole.

The router's WAN DNS settings should be set to "automatic" or manually to some external DNS server (like 8.8.8.8). Don't try and be clever and set it to an internal server, there's no point.

Any DNS servers set on the LAN > DHCP page will only be picked up by DHCP clients, and if you make changes here the clients need to be rebooted or their NIC's refreshed to pick up the changes.

I'd speculate that the effect of the DNS Filter might be bypassed if the local DNS server and local client are both physically attached to the same network (i.e. LAN & LAN, or 2.4GHz & 2.4GHz, or 5GHz & 5GHz). The reason I think that is because the DNS filter works in the prerouting chain.

 

[daviworld]

Small little update.
I fired up wireshark. Did a wifi capture just on my local PC as suspected for some reason the return traffic is not coming in see attached
The first one is without DNS Filtering on and working pihole
https://s7.postimg.org/8jq4kz1gb/working.png
The second one is with it on you can see there is no response returning from pihole
https://s7.postimg.org/x1i88g3wb/no_working.png

Do you guys have any suggestions for troubleshooting this?

As @ColinTaylor said, WAN should either be ISP or some external DNS like 8.8.8.8 or Ad Guard since you are using them for your pi-hole

since your router works fine, we can assume pi-hole is interfering with the DNS process somehow. Try this, point pi-hole to your router as a DNS forwarder

If you already have a local DNS server you can point pi-hole to it as it's DNS forwarder.

For instance Clients -> Pi-Hole -> local DNS server -> 8.8.8.8(Ad Guard)

It's 2 separate things. You're setting the dns servers your clients use via dhcp scope options. However pi-hole can point to anything as its dns server.

 

[EdwardRutherfordthe5th]

oh man i thought i replied to this like 2 days ago... haha but i wrote it in a text file on my computer and never copied it over
see below

I haven't got time to plow through your reply at the moment but I'll make a couple of general points.
If you set the Global Filter to something it will effect all DNS request that aren't otherwise set in the Custom entries. This applies equally to the DNS requests sent upstream by the PiHole. So it's quite easy to setup a situation where the DNS requests are just looping endlessly back to the PiHole.

Correct that is what I understood it to be it affects ALL DNS. Currently there is nothing in custom

The router's WAN DNS settings should be set to "automatic" or manually to some external DNS server (like 8.8.8.8). Don't try and be clever and set it to an internal server, there's no point.

Understood. This is currently automatic

Any DNS servers set on the LAN > DHCP page will only be picked up by DHCP clients, and if you make changes here the clients need to be rebooted or their NIC's refreshed to pick up the changes.

Does this include reserved ip that is set by the router? I would imagine so. Currently my laptop is on DHCP not reseved ip. Yes you are correct, everytime I make a change i do , ipconfig - release , renew , flushdns

I'd speculate that the effect of the DNS Filter might be bypassed if the local DNS server and local client are both physically attached to the same network (i.e. LAN & LAN, or 2.4GHz & 2.4GHz, or 5GHz & 5GHz). The reason I think that is because the DNS filter works in the prerouting chain.

Pi is on cable LAN and my laptop is on 5g

As @ColinTaylor
If you already have a local DNS server you can point pi-hole to it as it's DNS forwarder.
For instance Clients -> Pi-Hole -> local DNS server -> 8.8.8.8(Ad Guard)
It's 2 separate things. You're setting the dns servers your clients use via dhcp scope options. However pi-hole can point to anything as its dns server.

right now as I understand it, it goes clients > router giving DHCP out telling clients to go to Pihole DNS (pihole is a DNS server) >pihole > out to ad guard 176.103.130.130
Performing a NSlookup with no DNS filter on returns
C:\Windows\System32>nslookup www.dogpile.com
Server: rpi3
Address: 192.168.20.241

if DNSfilter on
C:\Windows\System32>nslookup www.dogpile.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.20.241
DNS request timed out.
timeout was 2 seconds.

 

[ColinTaylor]

if DNSfilter on
C:\Windows\System32>nslookup www.dogpile.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.20.241
DNS request timed out.
timeout was 2 seconds.

What do you have set for DNS Filter's Global Filter mode and any Custom settings?

 

[EdwardRutherfordthe5th]

Settings are as follows
DNS Setting - On
Global Filter - Router
Custom 1 - 192.168.20.241
Custom 2 - 1.1.1.1
Custom 3 - 208.67.222.222

LAN DNS 1 192.168.20.241
LAN DNS 2 208.67.222.222
I partially give up on this to be honest. So a few more things I have tried. I am 99% sure DNS filtering is working like it should with zero bugs. I have removed the pihole all together and if I set the LAN DNS to something like OpenDNS and put Global Filter to router. It works 100% it takes all DNS requests and shoves them through the global filter router to OpenDNS. As soon as I add pihole back again it stops working.
I originally thought I was just being stupid or there was a bug or something but that does not appear to be the case at least when it concerns Asus Merlin firmware.
I think I will have to head over to pi hole forum and see if they can help because pi hole is not returning DNS requests like it should when DNS filtering is on and set to router.
Is it possible that it would be a combination of pi hole and DNS filtering not working? How does DNS filtering force everything through the specified DNS does it modify the packets and the come in?

 

[ColinTaylor]

Settings are as follows
DNS Setting - On
Global Filter - Router
Custom 1 - 192.168.20.241
Custom 2 - 1.1.1.1
Custom 3 - 208.67.222.222

LAN DNS 1 192.168.20.241
LAN DNS 2 208.67.222.222

Are these settings the ones I asked for above where you were getting the errors? If so, did you have any entries in the Client List?

As soon as I add pihole back again it stops working.

Where are you adding the PiHole address. We can't debug the problem unless you provide specific information about your configuration when it's not working.

How does DNS filtering force everything through the specified DNS does it modify the packets and the come in?

Yes. It intercepts the DNS request packets and rewrites the destination IP address.

 

[EdwardRutherfordthe5th]

Are these settings the ones I asked for above where you were getting the errors? If so, did you have any entries in the Client List?

sorry im being as detailed as possible and i thought thats what you asked for when you said "
What do you have set for DNS Filter's Global Filter mode and any Custom settings?"
which i provided all the customs that I had including the LAN DNS which when DNS Filtering is on and "router" is selected by description on the page "
No Filtering" will disable/bypass the filter, and "Router" will force clients to use the DNS provided
by the router's DHCP server (or, the router itself if it's not defined)
"

Where are you adding the PiHole address. We can't debug the problem unless you provide specific information about your configuration when it's not working.

pretty sure ive written pages above of exactly what ive tried. I am not sure what else to give to be honest. I have given all custom DNS settings, LAN DNS settings, All details of my troubleshooting, wireshark traces, nslookups etc
the pihole is LAN DNS 1 192.168.20.241 which was above a few times.
As for errors, there is no errors. The pages just time out because no replies from the DNS,

Yes. It intercepts the DNS request packets and rewrites the destination IP address.

[/QUOTE]
I believe by this answer, it "solves" my problem(solves it by explaining/sheding light on the problem not actually a solution). So since DNS filtering is on and it rewrites the part of the packet it sends it to the pihole, pihole goes and reaches out to the domain requested, it then sends the reply back to the router, the router recieves it and doesn't know what to do with it and probably just drops it because it never makes it back to the original PC. Why? I have no clue as I have asked for troubleshooting tools but none have been suggested. so I have resorted to wireshark and basic windows tools. I could go more invasive and setup a proxy between my router and WAN but that is a little overkill for just something as simple as a clock....that I was just trying to set a DNS. I might as well reflash the clock with a hard codeded IP as this stage,

In Pihole I see all the requests come from the router 192.168.20.1 which makes sense why pihole replies back to it then nothing ever happens to it.

Please see attached PNG. I know this is not technically accurate of how everything works, i can't be bothered to write every single detail of exactly how DNS/a lan/wan works but this gives you a graphical representation of details that I have already stated above a few times and what i think the problem may be

 

[EdwardRutherfordthe5th]

maybe these will also help. Also 192.168.30.5 does not exist on my network, that is ok and i want it like that. I am forwarding a dodgy devices DNS to a DNS server that does not exist so it will just time out and not go anywhere

 

[ColinTaylor]

Sorry for asking the same questions over again, but this should work and be quite straight forward. The fact that it doesn't makes me think I'm missing something. And because you've tried a few different combinations I want to be absolutely sure we're talking about the same thing.

The pictures are good and it should work as far as I can tell. Can you double check that your WAN DNS setting (WAN > Internet Connection > Connect to DNS Server automatically) is still set to Yes. Also, what is device #2 in the Client List pointing to Custom 2?

 

[EdwardRutherfordthe5th]

no worries. It should work as you said, i've had it working 6 or so months ago with another device.
Device 2 is my laptop which I was using for testing to go through the pihole and it works fine. the Nixie clock as you see is set to OpenDNS which in theory should work but I know its not working on that either. Because 2 times the time change on it and it automatically corrected itself 2 hours later. Also if it was truley putting all DNS requests to OpenDNS and bypassing Custom 1. It should NOT show up in my list in pi hole. The main dashboard shows a 24 hour rolling log of clients.
When I set this up last time the clients that I moved to a different DNS eventually dropped off the pihole list like it should because the DNS is not going to it anymore. I'm willing to give as many logs as you want

 

[ColinTaylor]

Well I can't see any reason why it doesn't work, so maybe it's simply a bug in the firmware. What was the previous hardware/firmware that worked?

If you could log onto the router (SSH) and post the output of the following command we might be able to spot something:

iptables-save -t nat

Obviously this is done when the router is in the non-working configuration.

 

[EdwardRutherfordthe5th]

It was the same hardware RT-AC68U. I do upgrade the firmware everytime a new one comes out. Just to give you a general time frame. I bought this router maybe 9 months ago. Set it up within about a month had DNS filtering on. Worked great. However I stopped using DNS filtering after about 2-3 months, as I took the dodgy chinese wifi device offline. Since then I haven't used it until now.

Interesting command as normally i have SSH disabled/don't use it. It does show the two device I have currently setup. The clock and a test device going to a non existant ip. I can also confirm the nixieclock is still going through pihole. (it has been rebooted) see attached screenshot from pihole the lastest request from the nixie clock
Maybe it is a bug. i remeber reading about 2 months ago the dev rewrote a lot of the code and optimised it and once you upgrade to a certain firmware there is no downgrading and it was highly recommended to perform a full factory reset (which i did)

myusername@myrouter:/tmp/home/root# iptables-save -t nat
# Generated by iptables-save v1.4.15 on Wed Apr 18 01:36:35 2018
*nat
:PREROUTING ACCEPT [146:16518]
:INPUT ACCEPT [60:4045]
:OUTPUT ACCEPT [53:4935]
:POSTROUTING ACCEPT [53:4935]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d mypublicip/32 -j VSERVER
-A PREROUTING -s 192.168.20.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.20.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s mypublicip/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.20.0/24 -d 192.168.20.0/24 -o br0 -j MASQUERADE
-A DNSFILTER -m mac --mac-source mynixieclockmac -j DNAT --to-destination 208.67.222.222
-A DNSFILTER -m mac --mac-source atestdevicemac -j DNAT --to-destination 192.168.30.5
-A VSERVER -j VUPNP
COMMIT
# Completed on Wed Apr 18 01:36:35 2018
myusername@myrouter:/tmp/home/root#

 

[ColinTaylor]

OK those rules looks correct.

Can you try something for me. On the LAN - DHCP Server page, can you change DNS Server 1 to an external address, like 8.8.8.8. Then reboot your clients. I suspect it might work then, although I'm not sure how you would know for sure which DNS server the clock was going to.

If you let it run for a while and then issue the following command we should be able to see the packet counts.

iptables -t nat -L -v -n