Environment

Devices

  • 10.0.0.0/24 local network
  • Router running OpenWRT as default gateway at 10.0.0.1
  • Pi-hole at 10.0.0.2

Goals

  • Advertise pi-hole as default DNS server on the LAN
  • Catch any and all DNS requests on the LAN and force them to use the pi-hole
  • Use router as upstream DNS, using DNSSEC, when pi-hole doesn’t block a request

Setup

On pi-hole

  • set upstream server to router, uncheck all other upstreams

On router

This will be done via the LuCi web interface. I eventually want to get used to the CLI, but I am currently not well-versed enough.

Basic settings

Network Interfaces

  • wan interface advanced settings
    • uncheck “Use DNS servers advertised by peer”
    • Use custom DNS servers: 8.8.8.8 and 8.8.4.4
  • wan6 interface advanced settings
    • uncheck “Use DNS servers advertised by peer”
    • Use custom DNS servers: 2001:4860:4860::8888 and 2001:4860:4860::8844
  • lan interface DHCP server Advanced settings
    • DHCP-options: 6,10.0.0.2

Redirect settings

Create a rule to redirect any DNS request arriving at the router, EXCEPT from the pi-hole itself, to the pi-hole. (This accounts for clients on the LAN that ignore the pi-hole as the advertised DNS server.) It is paired with a masquerade rule, a NAT rule that makes the client think the DNS server it asked was the one that fulfilled its request.

I don’t take credit for this; I read it somewhere over a year ago, before I was in the habit of documenting. Blog post or reddit.

Port Forward rule

Network > Firewall > Port Forwards > Add

General Settings

  • Name: Redirect-DNS
  • Protocol: TCP | UDP
  • Source zone: lan
  • External port: 53
  • Destination zone: lan
  • Internal IP address: 10.0.0.2
  • Internal port: 53

Advanced Settings

  • Source IP address: !10.0.0.2
  • Source port: 53

NAT rule

Network > Firewall > NAT Rules > Add

General Settings

  • Name: Masquerade-DNS
  • Protocol: TCP | UDP
  • Outbound zone: lan
  • Source address: any
  • Source port: any
  • Destination address: 10.0.0.2
  • Destination port: 53
  • Action: MASQUERADE - Automatically
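The same two rules as they appear in OpenWRT's UCI firewall config, for anyone doing this from the CLI instead of LuCi. This is an added example, not from the original notes; it assumes the addresses above and the standard /etc/config/firewall file, and it leaves the source port unset so that client queries, which come from ephemeral ports, are matched on the destination port alone.

```uci
# /etc/config/firewall (appended sections; assumed file path)

# Redirect-DNS: DNAT every port-53 request entering the lan zone to the
# pi-hole, except requests that come from the pi-hole itself (its upstream
# lookups go to the router and must not be looped back to it).
config redirect
	option name 'Redirect-DNS'
	option target 'DNAT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'lan'
	option src_ip '!10.0.0.2'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '10.0.0.2'
	option dest_port '53'

# Masquerade-DNS: rewrite the source of the redirected packets to the
# router's lan address so the pi-hole replies via the router, which undoes
# the DNAT; the client then sees the answer arrive from the resolver it
# originally asked.
config nat
	option name 'Masquerade-DNS'
	option target 'MASQUERADE'
	option proto 'tcp udp'
	option src 'lan'
	option dest_ip '10.0.0.2'
	option dest_port '53'
```

Apply with `/etc/init.d/firewall reload` (or `uci show firewall` first to confirm both sections were parsed). To verify from a LAN client, query a resolver other than the pi-hole, e.g. `nslookup example.com 1.1.1.1`; the answer should come from the pi-hole's view of that name, and a blocked name should resolve the way the pi-hole blocks it.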

Use DoT / DNSSEC (encrypted DNS)

Helpful links
