Setup for two Pi-Holes, IPv4 and IPv6, no DNS leaks

[Lightning]

First, let me say that I have searched SNB and other fora, and gotten too much conflicting and out-of-date information. I am tired or running around in circles. So I am posting my needs here, in the hope of getting consolidated latest and greatest guidance.

I have a home network, based on an Asus RT-AC68U router, running Asuswrt Merlin 386.7_2. There are two pi-holes on the local network, which both include Unbound resolvers. Here is my wishlist:

1. Devices connecting to the LAN, including guests, should be issued the addresses of both pi-holes for DNS. If one pi-hole is unavailable, the other will provide redundancy.
2. The pi-holes should see queries as originating from the requesting devices, and not from the router.
3. Any DNS requests attempting to bypass the pi-holes (hard-coded, DoT, DoH, Google, etc.) should be intercepted, except,
4. The pi-holes' Unbound resolvers should naturally have WAN access to work.
5. All the above for both IPv4 and IPv6.
6. Router DDNS, NTP should work. Personally, I do not need AiProtection, VPN or other services that may(?) depend on router DNS control.

I think a concise guide to achieving each of the above would be a boon to the community! Ideally, all configuration should be possible with the GUI. I hope I am not asking too much!

 

[bennor]

There are past discussions/posts that answer some if not most of your questions. With respect to setting up Asus-Merlin to use two Pi-Hole's, here are two posts I made on setting up two Pi-Holes.
https://www.snbforums.com/threads/pihole-dns.74646/#post-712118
https://www.snbforums.com/threads/pihole-dns.74646/page-3#post-712319

In my case the Raspberry Pi's that run Pi-Hole also run Unbound. Plenty of DIY guides out there on how to setup Unbound on a Raspberry Pi. I use DNSFilter to try and deal with clients that try to bypass the Pi-Hole servers. There are various methods to deal with getting the Pi-Holes to pull the correct network client name rather than listing just the router. In my case I use the Conditional Forwarding option in Pi-Hole. Been running a two Pi-Hole setup for several years now. Works well for my basic needs. I do not put the IP addresses of the Pi-Hole's in the router's WAN DNS fields like some do and which Asus suggests. Pi-Hole suggests not inputting the Pi-Hole IP address in the WAN DNS fields. I also use JackLul's Pi-Hole update script to pull the Firebog lists into Pi-Hole. I also run YazFi with static client IP addresses assigned for both the main LAN/WiFi clients and for the YazFi Guest WiFi clients. I don't currently run AiMesh.

 

[Lightning]

There are past discussions/posts that answer some...[snipped]

Thank you for your reply, much to digest. Give me a day and I'll get back with my progress.

 

[N/A]

1. Devices connecting to the LAN, including guests, should be issued the addresses of both pi-holes for DNS. If one pi-hole is unavailable, the other will provide redundancy.

Unfortunately this is not available in GUI for AC68U. I posted a feature request for a GUI option to set IPv6 DNS pushed by DHCP and after some time it did made into an update but only for HND platform. Check scripts from this thread to do the same on your AC68U. https://www.snbforums.com/threads/a...stead-of-ipv6-dns-server-ip-f-w-384-19.67225/

I'm not sure on this one but I think DNS intercept for IPv6 is also on HND platform only.

 

[Lightning]

Unfortunately this is not available in GUI for AC68U. I posted a feature request for a GUI option to set IPv6 DNS pushed by DHCP and after some time it did made into an update but only for HND platform. Check scripts from this thread to do the same on your AC68U. https://www.snbforums.com/threads/a...stead-of-ipv6-dns-server-ip-f-w-384-19.67225/

I'm not sure on this one but I think DNS intercept for IPv6 is also on HND platform only.

Thank you, this jibes with the problems I have experienced as new to Asuswrt. I'm really hoping not to have to jump through all these hoops to achieve my aim. But I'll keep looking at it, although my fiddling is constrained by SWMBO needing internet for work.

FYI, I come from FreshTomato, which can mostly do what I need, but has other problems.

 

[Clark Griswald]

@bennor
Has provided helpful links in Post #2.
The easy to follow steps for setting up an Asus router and Pi-Hole (etc) are Griswald Easy!