DNSFilter "No Filtering" not working

On the "DNS filter" tab it is written that "No Filtering" will disable/bypass the filter, and "Router" will force clients to use the DNS provided by the router's DHCP server (or the router itself if it's not defined).
But if I specify any server in "DNS Server 1" on the DHCP tab and set the client to "No Filtering" in "DNS filter", DNS requests still pass through the server specified in "DNS Server 1", as if I had chosen "Router" in "DNS filter".
It seems to me that if any DNS server (AGH, Pi-hole etc.) is specified as the DNS server in DHCP, DNS filter does not work at all. Is it always like that, or am I doing something wrong?
 
But if I specify any server in "DNS Server 1" on the DHCP tab and set the client to "No Filtering" in "DNS filter", DNS requests still pass through the server specified in "DNS Server 1", as if I had chosen "Router" in "DNS filter".
That looks like it is behaving as expected.

The only difference is that with "No Filtering" the client can choose to use a different DNS server, whereas with "Router" it is forced to use the DNS server specified as "DNS Server 1".
 
And if, for example, I specify CleanBrowsing for a client in the DNSFilter tab, and in DHCP configure DNS Server 1 as the Pi-hole IP (with the Pi-hole using Google), then in the DNS leak test or the Cloudflare test I see Google again. Is this how it's supposed to work? I.e. when using a DNS server in DHCP, DNSFilter is disabled?
 
No, the client should be going to CleanBrowsing. Can you post screenshots of your DNS Filter page and the LAN/DHCP page?
 
[attached screenshots: 2019-09-25 (2).png, 2019-09-25 (4).png, 2019-09-25 (5).png]
 
Ok, so with this setup everything is being forced to go to the PiHole apart from pi-hole, pc-1 and pc-2.

CleanBrowsing is setup as the router's default WAN DNS server but you're not using that anywhere in this setup.
 
Ok, so with this setup everything is being forced to go to the PiHole apart from pi-hole, pc-1 and pc-2.

CleanBrowsing is setup as the router's default WAN DNS server but you're not using that anywhere in this setup.
I tried with settings like this too:
[attached screenshots: 2019-09-25 (6).png, 2019-09-25 (7).png]
In the Pi-hole, Google and Cloudflare DNS with DoH are used.
 
Are PC-1 and PC-2 connected directly to the router and not via another access point which might obscure the real MAC address?
 
PC-1 is connected directly. PC-2 is connected via a switch, which doesn't hide the real MAC address. And they both show Google in the DNS leak and Cloudflare tests.
 
Other random possibilities to consider:
  • PC-1 or PC-2 are using a browser such as Firefox which you may have configured at one time for DNS-over-HTTPS pointing to Google (not likely).
  • PC-1 or PC-2 are caching previous DNS responses to the test (not likely due to the random hostnames the leak tests query).
  • Your iptables rules are out of sync with the DNSFilter GUI (check with "iptables -t nat -S DNSFILTER" via SSH command line).
  • The PCs are using IPv6
  • The PCs local DNS settings are actually pointing to the Pi-Hole IP, which would bypass the DNSFilter
Just something to ponder until Colin comes back.

EDIT: Yes, I think the last bullet explains it, due to the PI-Hole being in the DHCP DNS 1.
 
OK I think I understand what's happening here.

pc-1 and pc-2 are getting their DNS server addresses via DHCP from LAN/DNS Server1, i.e. 192.168.2.201.

Because 192.168.2.201 is a local IP address, DNS requests from the clients go directly to the Pi-Hole; they are not routed, which is how DNSFilter works.

So if you were to put an external DNS server address in LAN/DNS Server1 (e.g. 8.8.8.8) it should work. EDIT: Or better still, leave LAN/DNS Server1 empty.
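To make the routed-versus-switched point above concrete, here is an added example (not code from this thread or from the Asuswrt-Merlin firmware). It takes a DNSFILTER nat chain in the format `iptables -t nat -S DNSFILTER` prints, the resolver a client was handed by DHCP, and the router's LAN address, and reports which server actually receives the query. The chain is constructed from the rules posted later in this thread with placeholder MACs; the router address 192.168.2.1/24 and the function names (`effective_dns`, `dnsfilter_target`, `same_subnet`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread or from Asuswrt-Merlin): evaluate a
# DNSFILTER nat chain, as printed by `iptables -t nat -S DNSFILTER`, for one
# client and report which resolver really answers its query.
#
# Assumptions (hypothetical): the chain below reproduces the posted rules with
# placeholder MACs; the router's LAN address is 192.168.2.1/24; bridged
# LAN-to-LAN traffic never enters the router's nat PREROUTING hook, so the
# chain can only act on queries routed through the router or sent to it.

DNSFILTER_RULES='-N DNSFILTER
-A DNSFILTER -m mac --mac-source AA:AA:AA:AA:AA:01 -j RETURN
-A DNSFILTER -m mac --mac-source AA:AA:AA:AA:AA:02 -j DNAT --to-destination 185.228.168.9
-A DNSFILTER -m mac --mac-source AA:AA:AA:AA:AA:03 -j DNAT --to-destination 185.228.168.168
-A DNSFILTER -j DNAT --to-destination 192.168.2.201'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIXLEN -> true if both addresses share the prefix
same_subnet() {
    _mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$2") & _mask )) ]
}

# dnsfilter_target MAC RULES -> verdict of the first rule matching this client:
# the DNAT address, "RETURN" for an exempt (No Filtering) client, or nothing.
dnsfilter_target() {
    printf '%s\n' "$2" | awk -v mac="$1" '
        $1 != "-A" { next }                      # skip the -N chain declaration
        {
            rule_mac = ""; target = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--mac-source")     rule_mac = toupper($(i + 1))
                if ($i == "-j")               target   = $(i + 1)
                if ($i == "--to-destination") dest     = $(i + 1)
            }
            if (rule_mac != "" && rule_mac != toupper(mac)) next   # rule is for another client
            if (target == "RETURN") { print "RETURN"; exit }
            if (target == "DNAT")   { print dest;     exit }
        }'
}

# effective_dns CLIENT_MAC CLIENT_DNS ROUTER_LAN_IP PREFIXLEN
# CLIENT_DNS is the resolver the client was given (by DHCP or by hand).
# Prints the server that actually receives the query.
effective_dns() {
    if [ "$2" != "$3" ] && same_subnet "$2" "$3" "$4"; then
        # Destination is another LAN host (e.g. the Pi-hole): the frame is
        # switched/bridged straight to it and DNSFilter never sees it.
        echo "$2"
        return
    fi
    _t=$(dnsfilter_target "$1" "$DNSFILTER_RULES")
    case "$_t" in
        RETURN|"") echo "$2" ;;   # exempt or unmatched: the client's choice stands
        *)         echo "$_t" ;;  # redirected by DNSFilter
    esac
}

# Walk through the thread's setup for pc-1 (MAC ...:02) with three DHCP choices
for _dns in 192.168.2.201 8.8.8.8 192.168.2.1; do
    printf 'pc-1 told to use %-15s -> answered by %s\n' \
        "$_dns" "$(effective_dns AA:AA:AA:AA:AA:02 "$_dns" 192.168.2.1 24)"
done
```

With the Pi-hole advertised via DHCP the first line shows pc-1 landing on 192.168.2.201 despite its CleanBrowsing rule; with 8.8.8.8 or the router's own address advertised, the query passes through PREROUTING and is redirected to 185.228.168.9. To check a live router, replace DNSFILTER_RULES with the real output of `iptables -t nat -S DNSFILTER` over SSH.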
 
Using Chrome; before every test I do ipconfig /flushdns, restart the PC and the Pi-hole and wait; no IPv6; DNS on the PC network card set to 'auto' o_O
If I leave LAN/DNS Server1 empty or put 8.8.8.8, the Pi-hole sees each DNS request as coming from the router's IP and can't use different filters for clients.
Probably I need to wait for a revision; maybe the developer will fix it :(
-N DNSFILTER
-A DNSFILTER -m mac --mac-source pi-hole MAC -j RETURN
-A DNSFILTER -m mac --mac-source pc-1 mac -j DNAT --to-destination 185.228.168.9
-A DNSFILTER -m mac --mac-source pc-2 mac -j DNAT --to-destination 185.228.168.168
-A DNSFILTER -j DNAT --to-destination 192.168.2.201
 
Maybe you should start from the beginning with what you want to accomplish with Pi-Hole, Cleanbrowsing, Quad9 and DNSFilter on the router.
  • All LAN clients get Pi-Hole adblock by default.
  • PC1 and PC2 do not need Pi-Hole ad-block filtering.
  • Cleanbrowsing is for ...?
  • No clients should be able to subvert router/Pi-Hole DNS settings
There's not really a flaw to be fixed, just a redesign of what you want to achieve within the constraints of routing versus switching as Colin alluded to.
 
Cleanbrowsing is for ...?
Cleanbrowsing for Xbox because there is the smallest response time for me.

Guests in LAN (WiFi) get Pi-Hole adblock by default.
PCs do not need Pi-Hole ad-block filtering, but need DoT or DoH.
Xbox & PS - CleanBrowsing DNS (fastest for me).
Smartphones need AdGuard DNS for ad-block filtering.
 
Cleanbrowsing for Xbox because there is the smallest response time for me.

Guests in LAN (WiFi) get Pi-Hole adblock by default
PCs do not need Pi-Hole ad-block filtering, but need DoT or DoH.
Xbox & PS - CleanBrowsing DNS (fastest for me).
Smartphones need AdGuard DNS for ad-block filtering.
Does it matter which service the PCs use (Cleanbrowsing, Cloudflare, Google, Quad9, etc.)? Do you care if encryption is done by PIHole or router’s Stubby?
Is Cleanbrowsing faster responding than your ISP DNS? Or do you want to avoid your ISP DNS 100%?
Are your WiFi guests on a guest network SSID? Have you looked at @Jack Yaz YazFi script for guest networks?
How do you assign AdGuard to smartphones? Via Pi-Hole (I don’t use one, so I don’t know all the features)? Or as a DNSFilter custom dns?
 
AdGuard for smartphones as the default DNSFilter.
ISP DNS does not support DoH/DoT/DNSSEC.
For PCs I only need DoH or DoT with DNSSEC (the DNS resolver does not matter).
WiFi guests are on the default SSID (not a guest network).
 
The new firmware for the AC88U has a choice of DNS for clients.
[attached screenshot: 2019-09-26 (2).png]

I only had to abandon WiFi channel 157, because I cannot use scripts or change the CFE or nvram in stock firmware.
 
The new firmware for the AC88U has a choice of DNS for clients.

I only had to abandon WiFi channel 157, because I cannot use scripts or change the CFE or nvram in stock firmware.
That will be a nice feature. It just won't be enforceable if a client or guest tries to override the DNS server setting on their device. I wonder if DNSFilter could be adapted in the future to enforce those individual client DNS assignments when in "Router" mode?
 
That will be a nice feature. It just won't be enforceable if a client or guest tries to override the DNS server setting on their device. I wonder if DNSFilter could be adapted in the future to enforce those individual client DNS assignments when in "Router" mode?

DNSFilter cannot enforce DHCP parameters. It sits at the firewall level.
 
DNSFilter cannot enforce DHCP parameters. It sits at the firewall level.
Sure, I was imagining you parsing the dhcp_staticlist nvram variable and adding iptables rules for those clients if DNSFilter mode is set to Router and no other client-specific DNSFilter rules are defined. Just an idea, but I haven't even seen the new feature yet.

Edit: spelling
 