Failover script for DNS is working but PiHole only shows Router IP in queries

RouterOS Beginner Basics
1

Router with default configuration + my custom WAN/LAN.

I have a configuration that forces all DNS resolutions to my PiHole server, with a script that failover in case the server goes down, using the public DNS.

The current configuration is:
WAN: whatever
LAN: 192.168.3.0/24
GW: 192.168.3.1
PIHole: 192.168.3.34

DNS:

/ip dns set allow-remote-requests=yes

DHCP-Server:

/ip dhcp-server add address -pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ip dhcp-server network add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1

Address list:

/ip firewall address-list
add address=192.168.3.0/24 list=LANs

NAT:

/ip firewall nat 
add action=masquerade chain =srcnat src-address=192.168.3.0/24
add  action=dst-nat chain=dstnat comment=Blocky dst-address-list=LANs dst-port=53 protocol=tcp src-address-list=LANs to-addresses=192.168.3.34
add action=dst-nat chain=dstnat comment=Blocky dst-address-list=LANs dst-port=53 protocol=udp src-address-list=LANs to-addresses=192.168.3.34
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"

Mangle:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="We mark connections for hairpin NAT - LAN IP" dst-address-list=LANs new-connection-mark="Hairpin NAT" passthrough=yes  src-address-list=LANs

Script:

# Specify search filters for NAT rules
:local tcpRuleId [/ip firewall nat find comment="Blocky" protocol="tcp"]
:local udpRuleId [/ip firewall nat find comment="Blocky" protocol="udp"]

# Find Blocky IP from NAT rule
:local toAddresses [/ip firewall nat get $tcpRuleId to-addresses]

# Specify query domain
:local queryDomain "www.google.com"

:if ([/ip firewall nat get $tcpRuleId disabled] = false) do={
    :do {
        :resolve $queryDomain server=$toAddresses
    } on-error={
        /ip firewall nat set $tcpRuleId disabled=yes
        /ip firewall nat set $udpRuleId disabled=yes
    }
} else={
    :do {
        :resolve $queryDomain server=$toAddresses
        /ip firewall nat set $tcpRuleId disabled=no
        /ip firewall nat set $udpRuleId disabled=no
    } on-error={}
}

Everything works correctly, but the thing is that in PiHole all DNS queries come from the router IP and not from the client computer.
What can I do to ensure that each query is identified by its real client IP?

2

I’m using VVRP for the failover. Installed keepalived on Pi, added floating IP between router and Pi and no problem with client ip in the logs.

3

Thanks for your contribution but I don't intend to change the configuration scheme.
I would simply like to know if there is any way to identify each IP on the PiHole server instead of having all queries appear with the IP of the router itself.
To find out if I have something wrong configured or if I can configure something else so that the queries appear to be made by the clients and not by the router.
Thanks.

4

IP-DHCP Server-Networks select the network and enter the PiHole IP (192.168.3.34) in the DNS field

5

If I do that my failover script is worthless, since all clients would point to the pihole server even if it was down.
Right now with my script I force all DNS queries to PiHole or public depending on whether the PiHole server is up or not. I don’t want to change that for security reasons.

6

Curently you’re running a thing called “hair-pin NAT” for PiHole DNS service (the src-nat/masquerade is essential part of it). As long as PiHole server is in the same IP subnet as clients, you can not get rid of src-nat/masquerade which obfuscates clien IPs. You could move PiHole to another IP subnet (preferrably not by overlaying your LAN L2 broadcast domain by another IP subnet but rather by using dedicated LAN broadcast fonain - there are many ways of doing it) … which would allow you to get rid of src-nat/masquerade towards PiHole, dst-nat would be enough.

7

Thank you very much for the information.
Do you think there is any way to improve the failover strategy to force all the clients on the network to use the DNS that I say, either the PiHole server when it is up or to use a public DNS when my server goes down?
If so, how would you do it?
I don’t know if I have the possibility of moving the server to a different physical port of the Mikrotik router and giving it another subnet. Would I change my way of doing it so that all the computers use the same subnet and at the same time change the DNS in case the PiHole server goes down?

8

The only strategy, which is fast enough, is to handle it using dst-nat … like you’re doing it now. Using external DNS servers is no different in this aspect. Doing it directly on main router cones with a benefit: you are not adding another point of failure (router is already there and for different reasons).

The issue about PiHole seeing router’s IP instead of clients’ addresses may only be cosmetic … unless you want PiHole to return different replies based on client’s address. But as explained, as long as you want the failover be done using dst-nat rules on router and you don’t want to move PiHole to different IP subnet, there’s nothing to be done. If the issue is a cosmetic one, then live with it. If the issue is a material one to you, then you’ll have to reconsider your LAN strategy and layout.

9

Perfect, thank you very much, I can close this consultation.