DNSFilter issue

[timonoj]

Hi guys!

First I'll explain my current setup...I have an Asus AC68U with Merlin v384.13 at the moment.
IP: 192.168.1.1
Router DNS1: 192.168.1.50 (it's a pihole container)
Router DNS2: 192.168.1.55 (another pihole on a different machine, for redundancy)
So far, these work if manually set on any computer, both resolve adequately and seem to work. They have the same DNS and blocklists. This setup works. Any device getting DHCP also works.

Today I found the switch for DNSFilter (LAN - DNSFilter). I found it interesting...I believe I'd be able to assign custom DNS servers per MAC, in effect allowing me to set up more restricted DNS filtering based on which device (as in, I could block the smart TV from fetching ads, or certain untrusted devices from resolving their call home server, by setting them to another super restricted DNS resolver, not affecting the rest of the devices that could run from their default DNS).
So...I set myself to try this. I created a third pihole, first with basic lists, on 192.168.1.56. And enabled the DNSFilter. Global Filter mode: Router (I reckon that's the default any undefined MAC should get right?)
Custom DNS 1: My restricted (still unrestricted during testing) DNS, 192.168.1.56 .
Custom DNS 2&3: empty at the moment.

So...The moment I apply this...all DNS resolution goes to the crapper. Nothing resolves, everything times out. Even for the computers that have manually set the DNS to 192.168.1.50. What am I doing wrong? The moment I turn it off, DNS resolution gets back to work again.

Thanks!

 

[Vexira]

Set global filter to custom one, that's what I'm using for my pihole.

 

[timonoj]

Hmmm thanks! Seems that doesn't work. If I set the Global Filter Mode to Custom 1 (Custom DNS 1 being 192.168.1.50), the DNS resolution immediately stalls. Is there any other setting outside of this page that could affect how the DNSFilter behaves?

EDIT: I might have found it. I changed the WAN DNS settings to disable the auto DNS provided by my ISP and set to my own servers. Seems now resolution continues to work while DNSFilter is enabled. I'll continue setting it up and see if it stays online.

 

[Vexira]

It's probably because you didn't set the pi to no filter, that creates a loop

 

[timonoj]

Thanks for the help! I'm actually not sure how that setting on the pihole would be. I made the opposite, setting the DNSfilter global rule to no filter. The default DHCP setting is going to grant them the pihole DNS address anyway, filtering will happen there regardless. Then any specific addresses I want extra filtered, those get rules aiming at custom servers.

Thanks!

 

[Vexira]

DNS filter, set the piholes Mac to no filter, then it should work

 

[Jack Yaz]

Thanks for the help! I'm actually not sure how that setting on the pihole would be. I made the opposite, setting the DNSfilter global rule to no filter. The default DHCP setting is going to grant them the pihole DNS address anyway, filtering will happen there regardless. Then any specific addresses I want extra filtered, those get rules aiming at custom servers.

Thanks!

DNS Filter enforces the DNS choice - DHCP just tells a client which DNS address they should use. Some clients/apps (e.g. Google apps) are hardcoded to use a specific DNS, e.g. 8.8.8.8. DNS Filter intercepts these and forces them to your chosen destination.

 

[SomeWhereOverTheRainBow]

DNS Filter enforces the DNS choice - DHCP just tells a client which DNS address they should use. Some clients/apps (e.g. Google apps) are hardcoded to use a specific DNS, e.g. 8.8.8.8. DNS Filter intercepts these and forces them to your chosen destination.

I like how it can be used to separate which device uses what, the only thing I don't like is it is limited to 65 devices, it would be nice if the list could be expanded with a custom script and list storage location for people wanting to do this for more than 65 devices.

 

[dave14305]

I like how it can be used to separate which device uses what, the only thing I don't like is it is limited to 65 devices, it would be nice if the list could be expanded with a custom script and list storage location for people wanting to do this for more than 65 devices.

There’s only 14 filter choices. How many of your devices would need unique settings (not the Global mode)? You could use a nat-start script (I believe) to add additional iptables rules with a little research.

Of course, nvram is the constraint of the firmware feature.

 

[SomeWhereOverTheRainBow]

There’s only 14 filter choices. How many of your devices would need unique settings (not the Global mode)? You could use a nat-start script (I believe) to add additional iptables rules with a little research.

Of course, nvram is the constraint of the firmware feature.

Yep I figured.