What's the best way to force all traffic through the pihole for any devices that may have hardcoded DNS on an ASUS router (rt-ax86u) with Merlin?

[imsoconfused]

What's the best way to force all traffic through the pihole for any devices that may have hardcoded DNS on an ASUS router with Merlin? Additionally, will I still be able to see which devices is blocking what in pihole if I do this?

 

[bartj12]

I'm having the same in my network and don't have the answer unfortenately. Hopefully someone else has.

EDIT: did some digging, maybe this will do the trick: LAN -> DNSFilter (192.168.1.110 is my pi-hole). I'm testing right now.

 

[scapetical]

Yes DNSFilter will work if you want to force every single device on your network to the pihole but it will appear as if all the traffic is from your router.

For a more proper approach, go to LAN->DHCP Server tab and fill in your pihole IP there and turn off Advertise Router's IP. Do note that you will have to wait for your devices to renew DHCP lease before the dns request goes through the pihole when using this method. But this way, the individual devices will be correctly mapped in your pihole.


This is my setup for AdguardHome:

 

[bartj12]

I've changed my settings to this with my pihole as DNS server in the DHCP server tab.
Devices are shown individual in Pi-hole, not all as router.

 

[bartj12]

Yes DNSFilter will work if you want to force every single device on your network to the pihole but it will appear as if all the traffic is from your router.

For a more proper approach, go to LAN->DHCP Server tab and fill in your pihole IP there and turn off Advertise Router's IP. Do note that you will have to wait for your devices to renew DHCP lease before the dns request goes through the pihole when using this method. But this way, the individual devices will be correctly mapped in your pihole.


This is my setup for AdguardHome:

You are right, now everything is shown as traffic is from my router instead of the clients...

 

[Crimliar]

Using LAN> DHCP Server : DNS Server 1 & DNS Server 2 supplies the DNS server addresses to clients when they are provided with settings by the DHCP server. It doesn't force them to use the DNS servers, it's more of a blunt suggestion.
If you want to see what devices are ignoring the DHCP supplied DNS then you can find them by looking at System Log > Connections: and then sort by the destination port.
When you find out which devices are ignoring the suggested DNS, you can add corresponding entries for those devices to DNSFilter. By not using the "Global Filter Mode" you'll still get log info on the Pi-Hole for all the other clients.

*Personal preference is to use DNSFilter as little as possible!

 

[alan6854321]

I think another problem with using DNSFilter is that you can only specify a single DNS server.

I have two PiHoles for redundancy and can specify them both on the LAN tab, but if you use DNSFilter, there's no way to provide a backup.

 

[bennor]

I think another problem with using DNSFilter is that you can only specify a single DNS server.

I have two PiHoles for redundancy and can specify them both on the LAN tab, but if you use DNSFilter, there's no way to provide a backup.

I run two Pi-Holes as well. Don't seem to have any issues using DNSFilter. When one Pi-Hole goes down, the DNS request traffic flows through the other. I don't use the Pi-Hole IP addresses in the WAN DNS fields (per Pi-Hole's recommendation), have them listed in the LAN DNS fields. Current DNSFilter setting with both Pi-Hole's in the Client List:

As always YMMV.

 

[Crimliar]

I run two Pi-Holes as well. Don't seem to have any issues using DNSFilter. When one Pi-Hole goes down, the DNS request traffic flows through the other. I don't use the Pi-Hole IP addresses in the WAN DNS fields (per Pi-Hole's recommendation), have them listed in the LAN DNS fields. Current DNSFilter setting with both Pi-Hole's in the Client List:

Err....
@bennor Based on your description: Are you sure you have that the right way around? You appear to be forcing through DNSFilter, your client DNS requests TO the Raspberry Pi to be forcibly rerouted to the router instead and hence to the WAN > Internet Connection : DNS Server - that would bypass the Pi-Holes for all but their own device queries!

FIN - for now!

 

[bennor]

Err....
@bennor Based on your description: Are you sure you have that the right way around? You appear to be forcing through DNSFilter, your client DNS requests TO the Raspberry Pi to be forcibly rerouted to the router instead and hence to the WAN > Internet Connection : DNS Server - that would bypass the Pi-Holes for all but their own device queries!

https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Filter

If using a global filter, then specific devices can be told to bypass the global filter, by creating a client rule for these, and setting it to "No Filtering".
...
You can configure a filter rule to force your clients to use whichever DNS is provided by the router's DHCP server (if you changed it from the default value, otherwise it will be the router's IP). Set the filtering rule to "Router" for this.

There are a number of reddit posts about using DNSFilter in this way, for example this post:
h t t p s://www.reddit.com/r/pihole/comments/dfm5j4/guide_for_asuswrtmerlin_users_with_screenshots/

There are also several past posts on using Pi-Hole and DNSFilter here on SNB Forums as well one can search for and read.

Again this is a YMMV. For me the setup works. Network clients use the Pi-Holes and the Pi-Holes shows those requests correctly with the client names in the Query Log, and the ads are blocked.

 

[Crimliar]

Freds PC makes a DNS request
Freds PC is not listed in the individual "client list" in DNSFilter
The DNS request is though intercepted and rerouted through the DNSFilter "Global Filter" which in your example points to the router.
At this point the DNS request is either handled from router DNS cache or is forwarded on to the WAN > DNS servers.
In this example, unless the WAN > DNS servers are also pointed at the Pi-Holes, the query from Fred's PC never goes near either of the Pi-Holes.

*With some minor tweaks the above can be made to work in a number of different ways, but as it stands as far as I can see, on the info provided, it doesn't!

*If I'm wrong I'm wrong, but I'm struggling to see where at the moment!

 

[bennor]

Freds PC makes a DNS request
Freds PC is not listed in the individual "client list" in DNSFilter

You are leaving out the Pi-Hole.

As I understand things, it works (very simplistically) like this with the DNSFilter settings I'm using:

• Fred's PC makes a DNS request to the Pi-Hole.
• The Pi-Hole (or Pi-Hole+Unbound) makes the DNS request upstream.
• The Pi-Hole's DNS requests are not filtered by the router's DNSFilter because the Pi-Holes are listed in the Client List and the Filter Mode is set to No Filter; so the DNS request continues upstream to the Internet.
• Other PC's who's DNS requests try to bypass Pi-Hole however are stopped by the router's DNSFilter Global Filtering Mode being set to Router and the PC not being in the Client List; so their DNS requests "use the DNS provided by the router's DHCP server" and are sent to the Pi-Hole where the DNS request process starts again. The Pi-Hole Query Log shows these requests as coming from the router.

In other words the only DNS requests that should be let through upstream by the DNSFilter are those of the Pi-Hole. Network clients with (static) DNS servers other than the Pi-Hole(s) hit the DNSFilter and are sent to the Pi-Hole, the Pi-Hole then sends that request back to the DNSFilter which then sends that request upstream.

Someone can likely better explain it in "geek" for those who need a technical explanation. The point of using the DNSFilter this way is to prevent network clients from bypassing the Pi-Hole's through the use of alternate static DNS servers or other methods.

 

[Crimliar]

Because of the way you have this set up the DNS request from Freds PC is intercepted by DNSFilter It never even gets to the PiHole. Instead it is rerouted to the router which then uses the DNS Servers it has set up in WAN Internet connection and not those in LAN > DHCP.

If you want the redundant Pi-Holes to work together the two main techniques are:

Just set the Pi-Holes up in LAN > DHCP Server: DNS 1 & 2. In DNS filter, leave the global filtering as "no filtering" and just add line items for any devices that you catch misbehaving.

Or you can point to the Pi-Holes in WAN > Internet Connection: DNS servers. Now all your clients are given the IP address of the router when they receive their DHCP settings, such that their DNS queries should be forwarded first to router which then forwards them on to the Pi-Holes. The ideal is again that you only forcefully redirect the DNS queries from devices that ignore DHCP through DNSFilter. You can though set the global to "router" and add the pi-holes as "no filtering" line items, and this will work - why I asked if you'd got this the wrong way around. It's easy to misconfigure this too and end up with DNS queries just getting dropped!

 

[Crimliar]

Setting DNS addresses in WAN > Internet Connection : DNS servers
Those servers are the servers that the router will use for itself, and by default for any devices that have been issued the router IP as a DNS server (ie not set in LAN > DHCP).

Setting LAN > DHCP > DNS 1 & 2(optional)
During DHCP the addresses for DNS 1 & 2 are supplied directly telling clients to query DNS servers (local or remote) directly.

DNSFilter
As soon as you have a "Global Filter" EVERY DNS query that does not have its own line item redirection is caught by the global filter BEFORE it goes anywhere else! This OVERWRITES EVERYTHING from WAN > Internet Connection & LAN DHCP!

 

[bennor]

Because of the way you have this set up the DNS request from Freds PC is intercepted by DNSFilter It never even gets to the PiHole. Instead it is rerouted to the router which then uses the DNS Servers it has set up in WAN Internet connection and not those in LAN > DHCP.
<snip for readability>

Except that's not what happening. As previously indicated in my post above (#8) I already have the Pi-Holes input into the LAN DHCP DNS fields. Both of my Pi-Holes also run Unbound.
Per the previously posted link from the Asus-Merlin:

You can configure a filter rule to force your clients to use whichever DNS is provided by the router's DHCP server (if you changed it from the default value, otherwise it will be the router's IP). Set the filtering rule to "Router" for this.

When the DNSFilter Global Filter Mode is set to router, it doesn't appear to use the WAN DNS fields, rather it appears to use the LAN DHCP DNS fields; i.e. the Pi-Hole IP addresses that are input there for LAN clients. At least, that's how its working for me.
My WAN DNS fields are set to 1.1.1.1/1.0.0.1. The Pi-Hole documentation recommends not using Pi-Hole's IP address(s) in the WAN DNS fields anyway on Asus routers:

On newer firmware they recommend setting Pi-hole as DNS server for the WAN connection and on older versions for LAN connections. However, we recommend to setup Pi-hole always as DNS server for your LAN!

All I can say is this setup is working for me and has been for several years. The Pi-Holes indicates they are blocking queries. Pi-Hole's Query Log shows the correct information/requests for local network clients that are using the Pi-Hole for their DNS entries. And the Pi-Hole Query Log shows entries coming from the router from clients that have hard coded alternate DNS addresses which indicates the DNSFilter is using the LAN DHCP DNS (Pi-Hole) servers not the WAN DNS (1.1.1.1/1.0.0.1) servers.

 

[dave14305]

Because of the way you have this set up the DNS request from Freds PC is intercepted by DNSFilter It never even gets to the PiHole. Instead it is rerouted to the router which then uses the DNS Servers it has set up in WAN Internet connection and not those in LAN > DHCP.

This is not how it works. The router and DNSFilter won’t see the traffic from a LAN client to the LAN PiHole, because it doesn’t pass through the router.

 

[bartj12]

Except that's not what happening. As previously indicated in my post above (#8) I already have the Pi-Holes input into the LAN DHCP DNS fields. Both of my Pi-Holes also run Unbound.
Per the previously posted link from the Asus-Merlin:

When the DNSFilter Global Filter Mode is set to router, it doesn't appear to use the WAN DNS fields, rather it appears to use the LAN DHCP DNS fields; i.e. the Pi-Hole IP addresses that are input there for LAN clients. At least, that's how its working for me.
My WAN DNS fields are set to 1.1.1.1/1.0.0.1. The Pi-Hole documentation recommends not using Pi-Hole's IP address(s) in the WAN DNS fields anyway on Asus routers:

All I can say is this setup is working for me and has been for several years. The Pi-Holes indicates they are blocking queries. Pi-Hole's Query Log shows the correct information/requests for local network clients that are using the Pi-Hole for their DNS entries. And the Pi-Hole Query Log shows entries coming from the router from clients that have hard coded alternate DNS addresses which indicates the DNSFilter is using the LAN DHCP DNS (Pi-Hole) servers not the WAN DNS (1.1.1.1/1.0.0.1) servers.

I have my pi hole address as DHCP DNS server. In Dnsfilter "router" as global filter setting and the pihole Mac address in the client list with no filtering.

System log -> connection shows that all traffic on port 53 goes to my pi hole OR from my pi hole to the upstream DNS server.

I've set 8.8.8.8 as fixed dns on my phone to test and somehow the DNS request is not forwarded to my pi hole. Any idea what I am doing wrong? Or more info needed?

It drives me crazy...

 

[bennor]

I've set 8.8.8.8 as fixed dns on my phone to test and somehow the DNS request is not forwarded to my pi hole. Any idea what I am doing wrong? Or more info needed?

You may need to reconfigure the phone WiFi connection for a static IP (if you haven't done so already), then use 8.8.8.8 and 8.8.4.4 as the static DNS fields. Then force the phone to disconnect from the WiFi network and then reconnect. That may reset the phone's network connection including its DNS servers. Then surf some websites on the phone. Check the System log to see where requests are going, and or check the Pi-Hole Query Log to see if it shows a request coming from the router going to those websites you surfed too.

 

[bennor]

This is not how it works. The router and DNSFilter won’t see the traffic from a LAN client to the LAN PiHole, because it doesn’t pass through the router.

Exactly. That's what I tried to indicate above as well. When network clients use Pi-Hole, as I understand it, DNS requests don't hit the router's DNSFilter, rather those requests go straight to the Pi-Hole and it is the Pi-hole that then sends the DNS request upstream to the router where it hits the router's DNSfilter. And since the Pi-Hole is listed as a no filtered client the DNS request passes through the DNSFilter and continues upstream to the internet.

 

[bbunge]

What's the best way to force all traffic through the pihole for any devices that may have hardcoded DNS on an ASUS router with Merlin? Additionally, will I still be able to see which devices is blocking what in pihole if I do this?

Since you are using Merlin firmware ditch the Pi-Hole and install Diversion via AMTM. Uses the same block lists and can be controlled easier than a Pi-Hole/DNS Filter and any other config someone else may recommend. Using Diversion you can use the routers DoT or set up Unbound.

To put your RPI to good use set it up to run BOINC.