Environment
Devices
- 10.0.0.0/24 local network
- Router running OpenWRT as default gateway at 10.0.0.1
- Pi-hole at 10.0.0.2
Goals
- Advertise pi-hole as default DNS server on the LAN
- Catch any and all DNS requests on the LAN and force them to use the pi-hole
- Use router as upstream DNS, using DNSSEC, when pi-hole doesn’t block a request
Setup
On pi-hole
- Set the upstream DNS server to the router (10.0.0.1) and uncheck all other upstreams
On router
This will be done via the LuCI web interface. I eventually want to get used to the CLI, but I am currently not well-versed enough.
Basic settings
Network → Interfaces
- wan interface → advanced settings
- uncheck “Use DNS servers advertised by peer”
- Use custom DNS servers: 8.8.8.8 and 8.8.4.4
- wan6 interface → advanced settings
- uncheck “Use DNS servers advertised by peer”
- Use custom DNS servers: 2001:4860:4860::8888 and 2001:4860:4860::8844
- lan interface → DHCP server → Advanced settings
- DHCP-options: 6,10.0.0.2
- DHCP-options:
Redirect settings
Create a rule that redirects every DNS request arriving at the router to the pi-hole, EXCEPT requests coming from the pi-hole itself. (This catches clients on the LAN that ignore the pi-hole as the advertised DNS server; the exception keeps the pi-hole's own upstream queries from being looped back to it.) The redirect is paired with a masquerade (NAT) rule so that the reply appears to come from the DNS server the client originally asked.
I don’t take credit for this, I read it somewhere over a year ago before I was getting into the habit of documenting. Blog post or reddit.
Port Forward rule
Network → Firewall → Port Forwards → Add
General Settings
- Name: Redirect-DNS
- Protocol: TCP | UDP
- Source zone: lan
- External port: 53
- Destination zone: lan
- Internal IP address: 10.0.0.2
- Internal port: 53
Advanced Settings
- Source IP address: !10.0.0.2
- Source port: 53
NAT rule
Network → Firewall → NAT Rules → Add
General Settings
- Name: Masquerade-DNS
- Protocol: TCP | UDP
- Outbound zone: lan
- Source address: any
- Source port: any
- Destination address: 10.0.0.2
- Destination port: 53
- Action: MASQUERADE - Automatically
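The same settings written as /etc/config fragments, so the LuCI clicks above (WAN DNS, DHCP option 6, the Redirect-DNS port forward and the Masquerade-DNS NAT rule) map onto UCI sections. This is an added example, not part of the original notes; it assumes an OpenWRT release whose LuCI "NAT Rules" page corresponds to `config nat` sections (21.02 or later) and uses the addresses from the notes. Only the options relevant here are shown; the existing proto/device lines of the wan and wan6 interfaces stay as they are. It sets no source port on the redirect, so queries from any client port are matched (DNS clients send from ephemeral ports).

```uci
# /etc/config/network  (added example; uplink resolvers, ignore what the ISP advertises)
config interface 'wan'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

# /etc/config/dhcp  (advertise the pi-hole as DNS server: DHCP option 6)
config dhcp 'lan'
	list dhcp_option '6,10.0.0.2'

# /etc/config/firewall  (catch stray DNS queries on the LAN and send them to the pi-hole)
config redirect
	option name 'Redirect-DNS'
	option src 'lan'
	# '!' negates the match: the pi-hole itself is exempt, otherwise its own
	# upstream queries to the router would be looped back to 10.0.0.2
	option src_ip '!10.0.0.2'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '10.0.0.2'
	option dest_port '53'
	option target 'DNAT'
	list proto 'tcp'
	list proto 'udp'

# Rewrite the source of the redirected packets so the pi-hole's reply
# flows back through the router and the client sees an answer from the
# server it originally asked
config nat
	option name 'Masquerade-DNS'
	option src 'lan'
	option dest_ip '10.0.0.2'
	option dest_port '53'
	option target 'MASQUERADE'
	list proto 'tcp'
	list proto 'udp'
```

After editing the files, reload the services that read them (`/etc/init.d/network reload`, `/etc/init.d/dnsmasq restart`, `/etc/init.d/firewall restart`). To confirm the redirect, send a query from a LAN client explicitly to an outside resolver (for example `dig @8.8.8.8 pi.hole`): if the answer is 10.0.0.2, the pi-hole answered it, since a public resolver has no record for `pi.hole`. A query run on the pi-hole itself should still reach the router directly, which shows the exemption is working.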
Use DoT / DNSSEC (encrypted DNS)
Helpful links