So I am thinking about running something like PiHole on my network or using OpenDNS. Ideally though, if I use PiHole I would like all of the DNS from the network to be directed through the PiHole, but if the PiHole is down, switch over to something like Google. Theoretically I can do this easily by dst-nat port 53 tcp/udp → PiHole and then masq all of that traffic and use netwatch to disable the rule if PiHole is down. The issue is that PiHole then only sees the IP address of the router, but if I don’t have the Masq rule then the clients complain because they requested DNS from some server and are getting a response from someone else…
a) Let clients use router as resolver and put PiHole’s address in /ip dns. If it goes down, replace it by something else.
b) If router and PiHole are in same subnet, set up VRRP and use virtual address as resolver.
c) Use some additional address (can be something completely different) as resolver. Normally PiHole will have it and you’ll route requests there. If it goes down (check by primary PiHole’s address), assign it to router instead.
Edit: Small mistake, of course option a) won’t allow PiHole to see individual client addresses.
If this is for customer networks use caution as PiHole has a tendency to disrupt streaming devices such as Roku etc.
You could run two separate PiHole servers, one primary and one secondary and then you should always have one working.
I personally would only offer it to the customer if they opted in as it can be really annoying if they have a habit of going to a news site and then finding it blocked because they are using an ad blocker.
You could also give the PiHole a public IP and get past this issue. Just filter it so that only your customer network can query it.
You can place a NAT accept rule for customer to PiHole before the masquerade to preserve the source address.
That’s an old post, but did you find anything about this?
Everyone is pointing to the Mikrotik server as DNS server. I’ve set up two rules (tcp and udp) to forward DNS requests to PiHole, and I have a script to ping that PiHole; if it’s down, it will disable the rules, so the Mikrotik will reply to DNS itself instead of forwarding the request to PiHole.
But the PiHole is logging the request as if it was the Mikrotik… I wish I could have the source IP, but I’m not sure what I should do!
I don’t see a reason why forwarding DNS queries to another server should also involve a src-nat (or masquerade) if the clients’ actual addresses are “visible” to the server and the server is not in the same LAN as the clients. If it is in the same LAN as the clients, the problem is that without the src-nat, the responses from the server would bypass Mikrotik’s L3 processing (or the whole Mikrotik if there is a switch between the client and the PiHole server) and thus would go to the clients with the server’s address as source, and so the clients would not accept those responses as they would come from an unexpected address.
So one thing you can do is to connect the machine running PiHole directly to one of Mikrotik’s Ethernet interfaces and create a separate IP subnet on that interface. That way, the responses will get to the Mikrotik even if the requests are not src-nated, and thus the PiHole will see the requests coming from the actual addresses of the clients, while the clients will see the responses coming from the address of the Mikrotik (un-dst-nated) to which they have previously sent the requests.
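Putting the pieces of this thread together (dedicated PiHole subnet, dst-nat of port 53, an accept rule ahead of masquerade, netwatch fallback), here is an added RouterOS configuration example; it is not any poster’s own config, and the addresses, interface names and interface lists in it are constructed assumptions.

```routeros
# Assumed (constructed) addressing, not from the thread:
#   LAN         192.168.88.0/24 on interface list "LAN", router at 192.168.88.1
#   PiHole link 10.53.0.0/30 on ether5, router 10.53.0.1, PiHole 10.53.0.2
#   WAN         interface list "WAN"
# PiHole sits on its own router-facing subnet, so DNS replies always come back
# through the router and no src-nat is needed to keep the clients happy.

/ip address
add address=10.53.0.1/30 interface=ether5 comment="link to PiHole"

# The router's own resolver is the fallback while PiHole is down.
# 8.8.8.8 (Google) matches the thread's fallback choice; use what you trust.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip firewall nat
# Redirect client DNS (UDP and TCP) to PiHole; traffic already addressed to
# PiHole is left alone so it is not rewritten a second time.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    dst-address=!10.53.0.2 action=dst-nat to-addresses=10.53.0.2 \
    comment="dns-to-pihole"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    dst-address=!10.53.0.2 action=dst-nat to-addresses=10.53.0.2 \
    comment="dns-to-pihole"
# Preserve client source addresses: accept DNS towards PiHole before the
# masquerade rule, and masquerade only what actually leaves on WAN.
add chain=srcnat dst-address=10.53.0.2 protocol=udp dst-port=53 action=accept
add chain=srcnat dst-address=10.53.0.2 protocol=tcp dst-port=53 action=accept
add chain=srcnat out-interface-list=WAN action=masquerade

# Health check: when PiHole stops answering pings, disable the redirect so
# clients fall through to the router's resolver; re-enable when it returns.
/tool netwatch
add host=10.53.0.2 interval=30s timeout=2s \
    down-script="/ip firewall nat disable [find comment=\"dns-to-pihole\"]" \
    up-script="/ip firewall nat enable [find comment=\"dns-to-pihole\"]"
```

The router's input chain must still accept UDP/TCP 53 from LAN for the fallback to answer, and a ping-based netwatch only detects a host that is unreachable, not a PiHole whose DNS service has stopped while the box stays up.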