The definitive version, in case anyone is searching for it. Note most scripts above lack a space or two, making them incorrect.
With the below, you will get the following:
- ALWAYS force dns requests to go either via your server (AdGuard Home or PiHole or Unbound etc) OR the public fallback DNS servers configured in your router (blocking Amazon devices, Google devices, smartTVs using their own dns server for tracking & ads).
HOW-TO:
- In IP > DHCP Server > Networks, set DNS to the same address as the router: 192.168.88.1
- In IP > DNS set your preferred fallback DNS servers, for example AdGuard DNS: 94.140.14.14 and 94.140.14.15.
- Now go to TERMINAL and type (without arrows) < /ip firewall nat >, hit ENTER, then enter the following 3 rules (no typos!) and hit ENTER after each one:
```text
add action=dst-nat chain=dstnat comment=force-own-DNS1 dst-address=!192.168.88.2 dst-port=53 in-interface=bridge protocol=udp src-address=!192.168.88.2 to-addresses=192.168.88.2 to-ports=53
add action=masquerade chain=srcnat comment=force-own-DNS2 dst-address=192.168.88.2 dst-port=53 protocol=udp src-address=192.168.88.0/24
add chain=dstnat action=dst-nat comment=force-router-DNS to-addresses=192.168.88.1 protocol=udp src-address=!192.168.88.1 dst-address=!192.168.88.1 in-interface=bridge dst-port=53
```
The first 2 NAT rules are required to force your server DNS; the 3rd NAT rule is required to force the DNS servers that are configured in IP > DNS.
Finally, in System > Scripts, create the following script with name: DNS-fallback:
```text
# Address of the local DNS server and a name to test it with
:local serverIP "192.168.88.2"
:local testDomain "www.google.com"
:do {
    # Succeeds only if the server answers; otherwise control jumps to on-error
    :resolve $testDomain server $serverIP
    # Server answered: send client DNS to it and disable the router fallback
    /ip firewall nat;
    enable [find comment="force-own-DNS1"];
    enable [find comment="force-own-DNS2"];
    disable [find comment="force-router-DNS"];
} on-error={
    # Server did not answer: fall back to the DNS servers configured in IP > DNS
    # (comments must match the rule comments exactly, including case)
    /ip firewall nat;
    enable [find comment="force-router-DNS"];
    disable [find comment="force-own-DNS1"];
    disable [find comment="force-own-DNS2"];
}
```
In System > Scheduler: add a new one, use the name of your script (DNS-fallback) and set interval to 10 seconds (to test).
Go to IP > Firewall > NAT, disable the 2 ‘force-own-DNS’ rules, enable the ‘force-router-DNS’ rule, wait max 10 seconds. If your server is up and running, the 2 rules should be enabled and the third rule disabled.
Go back to scheduler and change the interval to 1:00 (every minute, should be enough).
Remaining issue: since we need a masquerade rule, we cannot see clients in AdGuard Home or PiHole, which means you cannot disable blocking per client or set rules per client.
To solve this, I understand your server should be in a different subnet (IP > DHCP Server > Networks). I tried creating a separate subnet, changed the static lease of the server IP to reflect the change, refreshed my server network connection etc. But I didn’t have internet access, couldn’t access the router from the server. Or the clients couldn’t access anything on the server.
If anyone has NOOB instructions how to solve this, please share!
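As an added illustration (not part of the post above and not RouterOS code), the following Python model walks a DNS packet through the three NAT rules in both scheduler states, using the post's addresses. It shows why the masquerade rule makes the server log every client as 192.168.88.1, why the `src-address=!192.168.88.2` exemption is needed so the server's own upstream queries are not looped back to itself, and what the rules do not catch. The packet fields, the layer-2 shortcut for same-subnet traffic and the sample flows are simplifying assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Addresses taken from the post: router, AdGuard/Pi-hole server, LAN subnet.
ROUTER = "192.168.88.1"
SERVER = "192.168.88.2"
LAN = ip_network("192.168.88.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"
    in_iface: str = "bridge"


@dataclass
class Result:
    dst: str                                   # where the packet is finally delivered
    src_seen: str                              # source address the receiver sees
    rules: list = field(default_factory=list)  # NAT rules that matched, in order


def force_dns(pkt: Packet, server_up: bool) -> Result:
    """Apply the post's dstnat/srcnat rules to one packet (simplified model).

    server_up=True mirrors the state after a successful :resolve in the
    scheduler script (force-own-DNS1/2 enabled, force-router-DNS disabled);
    server_up=False mirrors the on-error branch (the reverse).
    """
    res = Result(dst=pkt.dst, src_seen=pkt.src)

    # Assumption: hosts on the same bridge reach each other at layer 2, so only
    # packets addressed outside the LAN (or to the router itself) are routed
    # and pass through the firewall NAT chains.
    if ip_address(pkt.dst) in LAN and pkt.dst != ROUTER:
        return res

    # All three rules match only UDP/53: DNS over TCP, DoT (853) and DoH (443)
    # are not redirected by them.
    if pkt.proto != "udp" or pkt.dport != 53:
        return res

    if server_up:
        # force-own-DNS1 (chain=dstnat): from the bridge, not from the server,
        # not already to the server -> rewrite the destination to the server.
        # The src-address=!SERVER exemption keeps the server's own upstream
        # queries from being redirected back to itself.
        if pkt.in_iface == "bridge" and pkt.src != SERVER and pkt.dst != SERVER:
            res.dst = SERVER
            res.rules.append("force-own-DNS1")
        # force-own-DNS2 (chain=srcnat, masquerade): LAN -> server DNS traffic
        # gets the router's address as source, so the server's reply returns
        # via the router, which reverses the dst-nat. Side effect: the server
        # sees every client as ROUTER.
        if res.dst == SERVER and ip_address(pkt.src) in LAN:
            res.src_seen = ROUTER
            res.rules.append("force-own-DNS2")
    else:
        # force-router-DNS (chain=dstnat): from the bridge, not from/to the
        # router -> rewrite the destination to the router's own resolver,
        # which uses the fallback servers configured in IP > DNS.
        if pkt.in_iface == "bridge" and pkt.src != ROUTER and pkt.dst != ROUTER:
            res.dst = ROUTER
            res.rules.append("force-router-DNS")
    return res


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    flows = {
        "smart TV to 8.8.8.8:53 (server up)": (Packet("192.168.88.50", "8.8.8.8", 53), True),
        "smart TV to 8.8.8.8:53 (fallback)": (Packet("192.168.88.50", "8.8.8.8", 53), False),
        "server upstream to 1.1.1.1:53": (Packet(SERVER, "1.1.1.1", 53), True),
        "DoT to 1.1.1.1:853 (not caught)": (Packet("192.168.88.50", "1.1.1.1", 853, "tcp"), True),
    }
    for name, (pkt, up) in flows.items():
        r = force_dns(pkt, up)
        print(f"{name:38} -> dst={r.dst} src_seen={r.src_seen} rules={r.rules}")
```

The model only reproduces the matching fields the post's rules use; it does not model the WAN masquerade or connection tracking. It does make the trade-off visible: with the server in the same subnet, the masquerade rule is what makes the hairpinned reply work, and it is also what hides the client addresses, which is the remaining issue the post describes.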