
Guest networks and DNS director

dmolavi

Occasional Visitor
I'd like to use DNS director to force everyone on my main network to use my pihole, but I don't want that setting applied to my guest networks (using YazFi I have them set to use Google dns). Anyone know if this will work or do I have to specify the force dns option in YazFi to the upstream dns servers?
 
What router and what firmware version are you running on the router?
How is the router configured to use Pi-Hole? Do you have the Pi-Hole device IP address in the router's WAN DNS fields or in the LAN DHCP DNS fields?

There may be easy ways to accomplish what you ask but it depends on your router's firmware version and settings.

PS: If you are using YazFi then your YazFi WiFi clients will use whatever is configured in the YazFi DNS fields. Your main LAN clients will use whatever is configured in the LAN DHCP DNS fields (if anything) and if nothing is configured in the LAN DHCP DNS fields then the main LAN clients will use the router and its WAN DNS setting.

All the YazFi Force DNS Option does is force YazFi clients to use DNS #1.

wl01_FORCEDNS

Should Guest Network DNS requests be forced/redirected to DNS1? (true/false) N.B. This setting is ignored if sending to VPN, and VPN Client's DNS configuration is Exclusive
 
AX88U with 3004.388.8_4. My current DHCP settings use the pihole as the DNS resolver for everyone on the primary network.

I think the first sentence of your PS answers it. As long as the guest network DNS is independent of the DNS director forcing all requests to my pihole, I'm good.
 
I was actually about to make my own post about this exact topic as I am facing an issue, but saw this post first. Hopefully someone can help me. If I'm derailing the discussion I'm happy to make my own post, but it might also impact your plans if you experience the same as me.

Note, I am not currently using YazFi (I tried it to see if it would make a difference but it hasn't).

My setup:
RT-AX56U running 3004.388.8_4
2x Pi-hole on LAN (10.1.1.5, 10.1.1.6)
A guest network for IoT devices with access intranet set to disable
If I DO NOT assign DNS servers in the DHCP Server tab of my LAN settings, my internet + DNS Director config works:
[screenshot]

I connect my mobile device to the "IoT" guest network and using DNS Director pass on DNS 1.1.1.1:
[screenshots]

My mobile device can access the internet and is also confirmed to use cloudflare's DNS:
[screenshot]

While other devices on my LAN use my ISP's DNS:
[screenshot]

The problem is, as soon as I configure the DNS servers in the DHCP Server tab to be my pi-hole servers, devices on the IoT network lose internet. If I configure them to 1.1.1.1 or 8.8.8.8, internet is restored.

I would have thought since I am using DNS Director these DNS servers would be ignored for my mobile device, but it seems that isn't the case. Is anyone able to explain why and how I can resolve this issue? I'm still learning so please be kind!
 
2x Pi-hole on LAN

Where is your No Redirection for the Pi-hole devices on your LAN? You have to review basic Pi-hole setup with Asuswrt-Merlin.
 
I see. I would still start with correct Pi-hole setup first and go from there.
 
The problem is, as soon as I configure the DNS servers in the DHCP Server tab to be my pi-hole servers, devices on the IoT network lose internet. If I configure them to 1.1.1.1 or 8.8.8.8, internet is restored.
This is expected behaviour. You have setup your guest network with Access Intranet = Disabled. So clients on the guest network are blocked from accessing your pi-hole servers.
 
The problem is, as soon as I configure the DNS servers in the DHCP Server tab to be my pi-hole servers, devices on the IoT network lose internet. If I configure them to 1.1.1.1 or 8.8.8.8, internet is restored.

I would have thought since I am using DNS Director these DNS servers would be ignored for my mobile device, but it seems that isn't the case. Is anyone able to explain why and how I can resolve this issue?
When the DNS servers provided by the DHCP server point to an internal LAN IP (pi-holes), the guest network clients also receive this internal IP via DHCP, but cannot access the intranet to send the queries when Access Intranet is disabled. DNS Director never gets a chance to send the guest’s queries to 1.1.1.1 because LAN to LAN traffic does not go through the firewall.
 
I see. I would still start with correct Pi-hole setup first and go from there.
I think my setup (aside from the guest network aspect, which isn't working as I intend) is correct for my purpose. I am not trying to **force** all clients to use the Pi-hole servers for DNS resolution, which is why I am choosing a global no redirection. My understanding is that if I wanted that, I would choose global mode to be router and set Pi-holes to no redirection. This would then still have the same result for devices on the guest network with access intranet disabled, right? So are there other aspects I can correct that would resolve this issue for me?
This is expected behaviour. You have setup your guest network with Access Intranet = Disabled. So clients on the guest network are blocked from accessing your pi-hole servers.
Yes, but the point is I am intending to sidestep that issue by using DNS Director. It seems perhaps I misunderstand the actual capabilities/functionality of DNS Director? Is there more I need to read about how it functions aside from here: https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Director
DNS Director never gets a chance to send the guest’s queries to 1.1.1.1 because LAN to LAN traffic does not go through the firewall.
Thanks, this sounds like the explanation. As I said I'm a beginner, are you able to explain or give me a push in the right direction to understand the flow of data in this scenario? My (naive) understanding was: if you enable DNS Director for a device, when it connects to the network instead of the router providing the standard DNS servers defined in DHCP settings (or ISP servers if blank), it would provide the server defined in DNS Director. But are you implying the device is still provided the DHCP DNS servers, but the router intercepts any DNS queries by the device?
It is a shame that traffic is blocked by the firewall when it was to be redirected anyway, I guess that is just "how it works"? :)

With all that said, is there then a suggested approach for how to achieve what I want within my router config? That is: devices on my network use my local Pi-holes by default for DNS, but devices with access intranet disabled are still able to reach the internet, with whichever DNS makes this possible (Pi-holes, CloudFlare, device-preferred, whatever).
Ideally this is supported by the GUI.
 
My (naive) understanding was: if you enable DNS Director for a device, when it connects to the network instead of the router providing the standard DNS servers defined in DHCP settings (or ISP servers if blank), it would provide the server defined in DNS Director.
This is possible through the LAN DHCP Server tab, where you can manually assign IP addresses to devices. There is a DNS Server field available per-device when you make such an assignment. Then the client would receive that DNS server to use.

DNS Director is a feature implemented in the router's firewall, not the DHCP server (well, DNS Director for IPv6 uses both the DHCP server and the firewall; IPv4 uses only the firewall).
 
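The two explanations above (DHCP still hands the client the configured DNS address; DNS Director is a firewall redirect that only sees traffic leaving the bridge, so a guest client with Access Intranet disabled never reaches a LAN Pi-hole) can be written as a small model. This is an added illustration, not firmware code or anything from the Asuswrt-Merlin project; the 10.1.1.0/24 LAN, router address 10.1.1.1 and the Pi-hole at 10.1.1.5 are constructed to match the poster's setup, and the per-device DNS field of a manual DHCP assignment is modelled as `static_dns`.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("10.1.1.0/24")      # constructed: poster's LAN
ROUTER_IP = ip_address("10.1.1.1")   # assumed router address
PIHOLE = "10.1.1.5"                  # one of the poster's Pi-holes


@dataclass
class Client:
    guest: bool                       # connected to a guest network?
    access_intranet: bool             # guest "Access Intranet" setting
    director_target: Optional[str]    # DNS Director target, None = No Redirection
    static_dns: Optional[str] = None  # DNS Server field of a manual DHCP assignment


def effective_resolver(client: Client, dhcp_dns: Optional[str]) -> str:
    """Return where a client's port-53 query actually ends up."""
    # 1. DHCP always hands out an address: per-device field first, then the
    #    LAN DHCP DNS field, then the router itself when that field is blank.
    if client.static_dns:
        dst = ip_address(client.static_dns)
    elif dhcp_dns:
        dst = ip_address(dhcp_dns)
    else:
        dst = ROUTER_IP
    # 2. A query to another LAN host is bridged LAN-to-LAN traffic: it never
    #    passes the firewall, so DNS Director cannot rewrite it, and guest
    #    isolation drops it outright when Access Intranet is disabled.
    if dst in LAN and dst != ROUTER_IP:
        if client.guest and not client.access_intranet:
            return "blocked"
        return str(dst)
    # 3. Queries to the router or to the internet traverse the firewall,
    #    where an IPv4 DNS Director rule DNATs them to its target.
    if client.director_target:
        return client.director_target
    return "router" if dst == ROUTER_IP else str(dst)


if __name__ == "__main__":
    iot = Client(guest=True, access_intranet=False, director_target="1.1.1.1")
    print(effective_resolver(iot, None))      # blank DHCP field: works, via 1.1.1.1
    print(effective_resolver(iot, PIHOLE))    # Pi-hole in DHCP field: blocked
    print(effective_resolver(iot, "8.8.8.8")) # public DNS in DHCP field: works again
```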
This is possible through the LAN DHCP Server tab, where you can manually assign IP addresses to devices. There is a DNS Server field available per-device when you make such an assignment. Then the client would receive that DNS server to use.

DNS Director is a feature implemented in the router's firewall, not the DHCP server (well, DNS Director for IPv6 uses both the DHCP server and the firewall; IPv4 uses only the firewall).
Of course! Thanks so much, resolved my issue. As I said still learning so thanks for taking the time to explain!