DNS Director (Global redirection = router, User defined 1 = pihole) not sending anything to user defined 1

palo857

Hi,

I recently decided to try DNS Director after I found an astonishing number of IoT things circumventing my piholes (plural). I think I have it configured correctly, but my devices that are configured to use the second pihole in DNS director are still using the main pihole advertised in the LAN settings.

My setup:
  • ASUS AX5400 as main router running 3004.388.8_2-gnuton1
  • ASUS AC68U as AiMesh node (wired)
  • Pihole at 192.168.1.9 defined in the DNS field of LAN DHCP. Router is not advertised. This is the default locked down pihole for kids and IoT devices.
  • DNS Director configured with global redirection to router, then select devices configured to use User Defined 1, which is the pihole for grownups at 192.168.1.10.
  • The kid/IoT pihole at 192.168.1.9 blocks YouTube, Netflix, social media, and redirects to safe search for search engines
These settings are saved. Router was rebooted. But the grownup devices that should be given 192.168.1.10 as dns server (according to DNS director client list) still get the default 192.168.1.9. I find social media blocked and search engine requests are rerouted to safe search URLs.

Am I doing something wrong?

Is this gnuton? I've been using merlin for years, but recently upgraded to an AX router that requires gnuton, so I'm not very familiar yet with the quirks and nuances.

Thanks

ETA: I also populate /jffs/configs/dnsmasq.conf.add to assign hostnames and IP addresses by MAC ID. Before I used DNS Director, I used dnsmasq to define dns servers for each device as well, but I removed all that so it didn't collide with DNS Director. Now entries look like this:

Code:
dhcp-host=20:A1:71:BB:3F:EA,id:*,echo-flex,192.168.1.100
dhcp-host=5C:41:5A:72:71:63,id:*,amzn-plug1,192.168.1.110
dhcp-host=74:A7:EA:D3:C8:8C,id:*,amzn-plug2,192.168.1.111
dhcp-host=08:C2:24:5A:15:CC,id:*,amzn-plug3,192.168.1.112
dhcp-host=08:C2:24:21:37:25,id:*,amzn-plug4,192.168.1.113

And these are commented out

Code:
# dhcp-option=tag:infra,option:dns-server,1.1.1.2,1.0.0.2          # cloudflare malware blocking
# dhcp-option=tag:kid,option:dns-server,192.168.1.9                # pihole on raspi 5
# dhcp-option=tag:iot,option:dns-server,192.168.1.9                # pihole on raspi 5
# dhcp-option=tag:adult,option:dns-server,192.168.1.10             # pihole on raspi 4b1

ETA also: I use Apple devices, and all of my devices have MAC ID randomization turned fully off on my home network so they can be handled correctly by the router. I have triple-checked MAC IDs were entered correctly in DNS Director. So it's not that.
 

Thanks, yes, I've done all that already.

DNS queries from devices that are supposed to use the default pihole at 192.168.1.9 are being routed just as expected. That's the pihole defined in the LAN DNS field of the DHCP screen in Asus Merlin/gnuton.

The global redirection by DNS Director seems to be working as expected. I see queries that *appear* to be coming from the router that clearly come from multiple devices looking up multiple known destinations. So the Global Redirection=Router setting of DNS director seems to be working fine.

But nothing is going to User defined DNS 1, even from clients with MAC IDs configured to do that. And when I look at their network settings, the DNS server they're getting from the router's DHCP is 192.168.1.9, the default, and not 192.168.1.10, which they should be getting because their MAC IDs match client entries assigned to User defined DNS 1 in DNS Director.
 
But nothing is going to User defined DNS 1, even from clients with MAC IDs configured to do that. And when I look at their network settings, the DNS server they're getting from the router's DHCP is 192.168.1.9, the default, and not 192.168.1.10, which they should be getting because their MAC IDs match client entries assigned to User defined DNS 1 in DNS Director.
Leave User Defined fields blank in DNS Director when Global Redirection is set to Router. When set to Router, DNS requests that try to bypass the Pi-Holes are routed to the LAN DHCP DNS Server #1 (and possibly #2), which should contain the Pi-Hole IP addresses. Make sure to put the Pi-Holes into the DNS Director's Client List like the example above shows.
 
@palo857 I don't see anywhere in your post where you're specifying which hosts should be using 192.168.1.10. Can you provide screenshots for that along with all corresponding entries in /etc/dnsmasq.conf?
 
@palo857 I don't see anywhere in your post where you're specifying which hosts should be using 192.168.1.10. Can you provide screenshots for that along with all corresponding entries in /etc/dnsmasq.conf?
Hi Colin, here are the screenshots. The top part of the DNS director that shows the definition of User Defined DNS 1 and the other settings is in the original post. Thanks for your help.
 

Hi Colin, here are the screenshots. The top part of the DNS director that shows the definition of User Defined DNS 1 and the other settings is in the original post. Thanks for your help.
The entries shown in dnsmasq.conf - did you put them there or were they created by the router itself?

Do you have any other dhcp-host lines in that file for the same MAC address?

P.S. Your DNS Director screenshot is too small to clearly read.
 
Leave User Defined fields blank in DNS Director when Global Redirection is set to Router. When set to Router, DNS requests that try to bypass the Pi-Holes are routed to the LAN DHCP DNS Server #1 (and possibly #2), which should contain the Pi-Hole IP addresses. Make sure to put the Pi-Holes into the DNS Director's Client List like the example above shows.
I have two piholes. They're not a cascading main and backup like usual. It's two distinct DNS servers for two mutually exclusive sets of devices.

One is the default, so it's defined in the LAN DHCP screen on the router. The second pihole is used by a few specific clients. I used to use dnsmasq to configure this, and it worked great. Every device used the pihole it was supposed to. Except for the IoT devices that circumvented. So I'm trying to switch to using DNS Director instead of dnsmasq to define this.

Yes, I know pihole allows each device to be a part of any number of groups to customize blocking per device. However, I use the Local DNS Records section on the pihole to force the kids' devices to use safe search at big search engines, and I don't want adult devices to have to do that. That's not configurable using pihole's groups feature, so I have two piholes.

Maybe this is an off-label use of DNS director?
 
The entries shown in dnsmasq.conf - did you put them there or were they created by the router itself?

Do you have any other dhcp-host lines in that file for the same MAC address?

P.S. Your DNS Director screenshot is too small to clearly read.
I created them by putting them in a file called dnsmasq.conf.add in /jffs/configs on the router.

I have no other dhcp-host lines in that file for the same MAC addresses. One line per MAC address.

Pasting dnsmasq lines here for clarity:

Code:
# dhcp-option=tag:infra,option:dns-server,1.1.1.2,1.0.0.2          # cloudflare malware blocking
# dhcp-option=tag:kid,option:dns-server,192.168.1.9                # pihole on raspi 5
# dhcp-option=tag:iot,option:dns-server,192.168.1.9                # pihole on raspi 5
# dhcp-option=tag:adult,option:dns-server,192.168.1.10             # pihole on raspi 4b1

# 192.168.1.0/24:
#
# 01  - 10:  Raspberry Pi
# 11  - 50:  All Computers
# 51  - 84:  Mobile
# 85  - 90:  Frequent guests
# 91  - 130: IOT
# 170 - 199: APs, Apple TVs, and AirPlay
# 200 - 229: Reserved for future need
# 230 - 254: DHCP assignable


# desktop
dhcp-host=F8:4D:89:69:16:0A,id:*,bernhard,192.168.1.20
dhcp-host=D0:11:E5:88:7D:9A,id:*,pminiz-wifi,192.168.1.22
dhcp-host=E4:A4:71:B0:0D:B5,id:*,tpad-palo-wifi,192.168.1.26
dhcp-host=98:90:96:BD:DF:E2,id:*,home-assistant,192.168.1.29

# mobile
dhcp-host=F4:39:A6:99:99:45,id:*,iphone15pm-palo,192.168.1.52
dhcp-host=94:0B:CD:05:13:50,id:*,pwatchx,192.168.1.53
dhcp-host=60:8C:4A:F2:2F:7C,id:*,ipad-adult,192.168.1.59

# routers and APs
dhcp-host=90:72:40:00:B0:6A,id:*,tallboy-ramada,192.168.1.170
dhcp-host=64:A5:C3:62:0C:1E,id:*,tallboy-garage,192.168.1.171
dhcp-host=48:A1:95:E5:6E:F0,id:*,tunes-garage,192.168.1.180
dhcp-host=20:C9:D0:9D:D5:9B,id:*,tunes-ramada,192.168.1.181
dhcp-host=54:E4:3A:E7:D6:E4,id:*,tunes-mbr,192.168.1.182
dhcp-host=78:CA:39:47:16:B8,id:*,xprs1-corral,192.168.1.183

dhcp-host=C8:69:CD:7A:A9:80,id:*,atv4-lvg-wifi,192.168.1.186
dhcp-host=6C:4A:85:0A:8C:5D,id:*,atv4-mbr-wifi,192.168.1.188

The commented-out lines at the top show how I used dnsmasq tags to define dns servers. Each dhcp-host line then had an additional item that associated each MAC address with a tag, which defined its dns server. Worked great.
 
Then I'd say that this is working as designed.

These settings are saved. Router was rebooted. But the grownup devices that should be given 192.168.1.10 as dns server (according to DNS director client list) still get the default 192.168.1.9. I find social media blocked and search engine requests are rerouted to safe search URLs.
DNS Director doesn't change the DNS server address(es) given to the clients by DHCP.

DNS Director intercepts DNS requests as they leave your LAN and redirects them elsewhere. In your case your "adult" clients have been given an address of 192.168.1.9 by DHCP. As this IP address is on the local LAN, the client sends its requests directly to that server. Local traffic is not routed, so the request never goes to the router, and therefore DNS Director has no role to play.

EDIT: The solution is to use LAN - DHCP Server to manually assign IP addresses and DNS server addresses to the "adult" clients.
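As an added example (not from the thread, and not the firmware's own documentation), a /jffs/configs/dnsmasq.conf.add fragment that combines the tag-based per-device DNS assignment described a few posts up with the router-level catch that DNS Director provides; the MAC addresses and hostnames are constructed placeholders, and the Pi-hole addresses are the ones used in this thread.

```conf
# Added example: /jffs/configs/dnsmasq.conf.add fragment.
# MAC addresses and hostnames below are constructed placeholders.

# Per-group DNS servers handed out by DHCP. This is the part DNS Director
# cannot do: it only redirects DNS packets that actually pass through the
# router, i.e. packets sent to a resolver outside the LAN.
dhcp-option=tag:kid,option:dns-server,192.168.1.9
dhcp-option=tag:adult,option:dns-server,192.168.1.10

# "set:<tag>" on a dhcp-host line attaches the tag to that lease, so the
# matching dhcp-option above is served to that client. "id:*" makes
# dnsmasq ignore the client identifier and match on the MAC alone.
dhcp-host=00:11:22:33:44:01,id:*,set:kid,kid-ipad,192.168.1.60
dhcp-host=00:11:22:33:44:02,id:*,set:adult,adult-phone,192.168.1.52

# Untagged reservations keep the DNS server from the LAN DHCP page
# (192.168.1.9 in this thread's setup).
dhcp-host=00:11:22:33:44:03,id:*,smart-plug,192.168.1.110

# Nothing here changes what happens to a client that ignores DHCP and
# sends queries to a public resolver: that traffic leaves the LAN via the
# router, so DNS Director's Global Redirection=Router rule still catches
# it. Keep both Pi-holes in DNS Director's client list as No Redirect so
# their own upstream lookups are not looped back to the router.
```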
 
Ah, ok, thanks, that makes sense. It was the "as they leave the LAN" part that I wasn't understanding. I'll try to reintroduce the dnsmasq definitions, and maybe I can achieve both the dns assignment I want AND catching the dns circumventers.

Thanks for your help!
 
Maybe this is an off-label use of DNS director?
From what you describe you probably have to reconfigure DNS Director entirely. Put the kids' Pi-Hole into User Defined #1, configure Global Redirect to Router, put the non-kids Pi-Hole as LAN DHCP DNS #1, then put both the Pi-Holes in the DNS Director's Client list set to No Redirect along with all the kids' devices' MAC addresses, and configure the kids' MAC addresses to use User Defined DNS #1. Or some variation of this.

If you haven't seen it already there is some explanation for DNS Director on the Asus-Merlin website's wiki.
https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Director
 
