Where to put iptables script to execute on boot?

[josh3003]

@dave14305 Is this by design for DNAT'ed traffic for it to reappear as having come from the router (192.168.1.1) as a client on pihole as opposed to the offending device that is trying to reach outside to a hardcoded dns server?

I assume there is no workaround for this?


Edit:
Just a thought, could you run DNSFilter set to custom and set a bogus local dns entry say (192.168.1.2) that is attached to no device to route the request no where and drop it?

Pointed DNSFilter to custom - set it to 192.168.2.2 (different subnet entirely) and seems to not be showing any redirections from router and I guess just sinks any request trying to go outside so far devices have been doing well.

 

[dave14305]

Still got some requests coming blocked from other devices from the router. Do you get the same result or do you have strictly coming from the devices only?

I don’t run a Pi-Hole anymore. You probably need to re-post your configuration again to get a sanity check.

• WAN DNS settings
• LAN DHCP DNS settings
• DNS Filter settings
• dnsmasq.conf.add / dnsmasq.postconf
• firewall-start
• nat-start
• Pi-Hole conditional forwarding setup

Is this by design for DNAT'ed traffic for it to reappear as having come from the router (192.168.1.1) as a client on pihole as opposed to the offending device that is trying to reach outside to a hardcoded dns server?

Yes, the answer is to not redirect it at all to the Pi-Hole, but force them to the router (and dnsmasq) and let dnsmasq forward to Pi-Hole. This also technically reaches the Pi-Hole from the router IP, but those extra dnsmasq config options also pass the client IP and MAC address in the query, letting Pi-Hole use that info for client identification.

Just a thought, could you run DNSFilter set to custom and set a bogus local dns entry say (192.168.1.2) that is attached to no device to route the request no where and drop it?

Pointed DNSFilter to custom - set it to 192.168.2.2 (different subnet entirely) and seems to not be showing any redirections from router and I guess just sinks any request trying to go outside so far devices have been doing well.

That will eventually break something.

 

[josh3003]

• WAN DNS settings

• LAN DHCP DNS settings

• DNS Filter settings

• dnsmasq.conf.add

Could you let me know the commands for the other info? I'll get it to you.

 

[dave14305]

• WAN DNS settings

View attachment 35054

• LAN DHCP DNS settings

View attachment 35055

• DNS Filter settings

View attachment 35056

• dnsmasq.conf.add

View attachment 35057

Could you let me know the commands for the other info? I'll get it to you.

DNSFilter Custom 1 should be changed to 192.168.1.1 and WAN DNS 2 should be 192.168.1.20. At least for my suggested setup.

 

[josh3003]

DNSFilter Custom 1 should be changed to 192.168.1.1 and WAN DNS 2 should be 192.168.1.20. At least for my suggested setup.

Does the custom matter in DNSFilter? the 192.168.1.20 is a shared virtual IP so I can make the changes in WAN settings. I've made a load of changes over the past couple of days. Do you need the other info you asked for earlier??

 

[dave14305]

Does the custom matter in DNSFilter? the 192.168.1.20 is a shared virtual IP so I can make the changes in WAN settings. I've made a load of changes over the past couple of days. Do you need the other info you asked for earlier??

Yes it matters if you want to see the actual client IPs for intercepted DNS queries. But it does no good if you don’t change the WAN DNS 2 also, because we need dnsmasq to forward the request to Pi-Hole instead of an iptables rule doing it.

 

[josh3003]

Yes it matters if you want to see the actual client IPs for intercepted DNS queries. But it does no good if you don’t change the WAN DNS 2 also, because we need dnsmasq to forward the request to Pi-Hole instead of a iptables rule doing it.

I've made the changes. Never thought to set DNSFilter to custom so dnsmasq to forward it. Thank you I think this may do the trick!!

 

[josh3003]

Just a follow up. Want to thank you again for your help Dave looks like we have achieved the result we were looking for. One question I have is a few ptr records every hour popping up. Is there a file anywhere I can put the details so it stops querying every hour or is that just going to be how it is? No biggie I can deal with it if thats how it will be but very happy we resolved the issue at hand of redirected queries are now being as coming from themselves rather than all bundled as coming from the router itself.

198.1.168.192.in-addr.arpa
207.1.168.192.in-addr.arpa
177.1.168.192.in-addr.arpa

 

[dave14305]

One question I have is a few ptr records every hour popping up. Is there a file anywhere I can put the details so it stops querying every hour or is that just going to be how it is?

I think that's how pi-hole updates its client list.

 

[josh3003]

I think that's how pi-hole updates its client list.

Cool, and do you keep your edit your /etc/ hosts file on the pi or leave at default with conditional forwarding enabled?

 

[dave14305]

Cool, and do you keep your edit your /etc/ hosts file on the pi or leave at default with conditional forwarding enabled?

I would just use Conditional Forwarding.