pi-hole as DNS server

Running into an issue where I can't force Pi-hole DNS.
I was using OpenDNS and it was working perfectly fine with the same NAT rules.


DST-NAT
add action=redirect chain=dstnat  dst-address-type=!local dst-port=53 protocol=tcp src-address=!pi-hole_ip-add \
    to-addresses=pi-hole_ip-add
add action=redirect chain=dstnat dst-address-type=!local dst-port=53 protocol=udp src-address=!pi-hole_ip-add to-addresses=pi-hole_ip-add

SRC-NAT
add action=masquerade chain=srcnat  dst-address=pi-hole_ip-add dst-port=53 protocol=udp to-addresses=pi-hole_ip-add
add action=masquerade chain=srcnat  dst-address=pi-hole_ip-add dst-port=53 protocol=tcp to-addresses=pi-hole_ip-add

action must be dst-nat
redirect is for using the router itself as dns server, not what you want

also you only need the dst-nat rules

this example is redirect, but even dst-nat doesn’t do the job

also why dst-address-type? if user specified the router as DNS server, it will be a local destination

all you need is port, protocol and action dst-nat. remove the other stuff.

dst-address-type was just for testing.


the topology is:

ISP—R1–vlan–R2(pi-hole)—vlan–(R3-lan)

can you post new and correct config?

This is all you need:

/ip firewall nat add action=dst-nat chain=dstnat comment="REDIRECT DNS" dst-port=53 in-interface-list=!WAN protocol=udp src-address=!pi-hole_ip-add to-addresses=pi-hole_ip-add to-ports=53
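To make the matcher semantics discussed in this thread concrete, here is an added Python model (not code from the thread or from MikroTik) of how a packet is evaluated against a dstnat rule: the `dst-nat` rule above, the original poster's `redirect` variant, and a `dst-nat` rule that still carries `dst-address-type=!local`. It assumes a router LAN address of 192.168.88.1 and that `ether1` is the only member of the WAN interface list (both constructed); the Pi-hole address 192.168.88.3 is the one posted later in the thread. `redirect` is modelled as always landing on the router, which is the point made above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses: the Pi-hole IP is the one posted later in this thread; the
# router address and the WAN interface-list membership are constructed.
PI_HOLE = "192.168.88.3"
ROUTER = "192.168.88.1"
WAN_LIST = {"ether1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class Rule:
    """One dstnat rule; None / False means that matcher is not set on the rule."""
    action: str                                   # "dst-nat" or "redirect"
    protocol: str
    dst_port: int
    src_address_not: Optional[str] = None         # src-address=!X
    in_interface: Optional[str] = None            # in-interface=X
    in_interface_list_not_wan: bool = False       # in-interface-list=!WAN
    dst_address_type_not_local: bool = False      # dst-address-type=!local
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.protocol or pkt.dport != self.dst_port:
            return False
        if self.src_address_not is not None and pkt.src == self.src_address_not:
            return False                          # the Pi-hole's own upstream queries stay untouched
        if self.in_interface is not None and pkt.in_iface != self.in_interface:
            return False
        if self.in_interface_list_not_wan and pkt.in_iface in WAN_LIST:
            return False                          # never rewrite DNS arriving from the WAN side
        if self.dst_address_type_not_local and pkt.dst == ROUTER:
            return False                          # a query aimed at the router is a "local" destination
        return True

    def translate(self, pkt: Packet) -> Tuple[str, int]:
        port = self.to_ports if self.to_ports is not None else pkt.dport
        if self.action == "redirect":
            return (ROUTER, port)                 # redirect always lands on the router itself
        return (self.to_addresses, port)


def dstnat(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule in the dstnat chain wins; otherwise the packet is untouched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.translate(pkt)
    return (pkt.dst, pkt.dport)


# The rule from the answer above (UDP only, exactly as posted).
DSTNAT_RULE = Rule("dst-nat", "udp", 53, src_address_not=PI_HOLE,
                   in_interface_list_not_wan=True, to_addresses=PI_HOLE, to_ports=53)
# The original poster's redirect variant with dst-address-type=!local.
REDIRECT_RULE = Rule("redirect", "udp", 53, src_address_not=PI_HOLE,
                     dst_address_type_not_local=True, to_addresses=PI_HOLE)
# dst-nat, but still carrying dst-address-type=!local.
DSTNAT_NOT_LOCAL_RULE = Rule("dst-nat", "udp", 53, src_address_not=PI_HOLE,
                             dst_address_type_not_local=True, to_addresses=PI_HOLE)

# Constructed sample traffic.
CLIENT_TO_PUBLIC = Packet("192.168.88.50", "8.8.8.8", "udp", 53, "bridge")
CLIENT_TO_ROUTER = Packet("192.168.88.50", ROUTER, "udp", 53, "bridge")
PIHOLE_UPSTREAM = Packet(PI_HOLE, "8.8.8.8", "udp", 53, "bridge")
FROM_WAN = Packet("203.0.113.9", ROUTER, "udp", 53, "ether1")
CLIENT_TCP = Packet("192.168.88.50", "8.8.8.8", "tcp", 53, "bridge")

if __name__ == "__main__":
    cases = [
        ("dst-nat, client -> 8.8.8.8", [DSTNAT_RULE], CLIENT_TO_PUBLIC),
        ("dst-nat, client -> router", [DSTNAT_RULE], CLIENT_TO_ROUTER),
        ("dst-nat, pi-hole upstream", [DSTNAT_RULE], PIHOLE_UPSTREAM),
        ("dst-nat, from WAN", [DSTNAT_RULE], FROM_WAN),
        ("dst-nat (udp rule), tcp query", [DSTNAT_RULE], CLIENT_TCP),
        ("redirect, client -> 8.8.8.8", [REDIRECT_RULE], CLIENT_TO_PUBLIC),
        ("dst-nat + !local, client -> router", [DSTNAT_NOT_LOCAL_RULE], CLIENT_TO_ROUTER),
    ]
    for label, rules, pkt in cases:
        print(f"{label:40s} -> {dstnat(rules, pkt)}")
```

Running it shows the three behaviours the replies describe: the `dst-nat` rule sends a client's query to the Pi-hole whether the client pointed at a public resolver or at the router, leaves the Pi-hole's own upstream queries and anything arriving on the WAN interface alone, and (being UDP only as posted) does not touch a TCP query; the `redirect` variant delivers the query to the router rather than the Pi-hole; and `dst-address-type=!local` exempts exactly the clients that have the router configured as their DNS server.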

on R1 yes, same thing.

@normis, I think you are asking for the NAT rules.

I'll play again today; if no luck I'll export here.

https://www.youtube.com/watch?v=EdzDCkFaskc
Mine doesn’t work if I do this

1 chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=tcp src-address=!192.168.88.3
in-interface=bridge dst-port=53 log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=udp src-address=!192.168.88.3
in-interface=bridge dst-port=53 log=no log-prefix=""

It works when I do this

1 chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=tcp src-address=!192.168.88.3
in-interface=ether1 dst-port=53 log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=udp src-address=!192.168.88.3
in-interface=ether1 dst-port=53 log=no log-prefix=""

Or maybe that isn’t correct either.


Either way it doesn't stop this:
(attachment: Screenshot 2023-09-27 132402 - Copy.png)

solved.

It can happen when many hands are involved in the config, hhh.

Thanks @normis @ivicask

@ToTheFull

Do you have it on the same LAN range?

Yes, but the device was set static from a previous install, so it may be something to do with that, not sure.
I.e. my DHCP server range is 192.168.88.100/253;
DNS 192.168.88.10 doesn't appear in the pool etc.