kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Redirect all DNS requests to local hosted Pi-Hole

Wed Sep 14, 2022 7:01 pm

RB750Gr3
Home setup
Attached is my configuration as it is today.


1. My goal is to force, or "redirect", all DNS requests from my LAN and from my WireGuard clients to go to my Pi-Hole on 10.0.0.69
2. If it is possible I would like to create a rule that checks if the Pi-Hole is up and running every 30 to 60 seconds, and if it is not, change the DNS server to 8.8.8.8.
And if the Pi-Hole comes up again, set the DNS server back to 10.0.0.69

I have tried different things, but I now understand that I don’t have the required knowledge to create the correct firewall and/or NAT rules to achieve this.

Could someone with this knowledge please advise on the specific rules needed?
Best regards
A new user
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 12:14 am

Hi,

You need to set a srcnat rule and two dstnat rules (both port 53 for tcp and udp).
Plenty of topics on the same matter here.

As for the check rule, I created an entry in the Scheduler (10.0.0.69 is your Pi-hole IP):

interval: 00:00:30
# set variables
:local primaryDNS "10.0.0.69";
:local fallbackDNS "8.8.8.8";
:local currentDNS [/ip dns get servers];
#:log warning "What I got is: $currentDNS"
#:log warning "What I want to see is: $primaryDNS"
:do {
    # try to reach google through the primaryDNS; a failed lookup raises an error and jumps to on-error
    :resolve google.com server=$primaryDNS;
    # if it works and we are on a different DNS, set the DNS server to the primaryDNS
    # if it works and we are already on the primaryDNS, do nothing
    :if ($currentDNS != $primaryDNS) do={
        :log warning "DNS Failover: Switching to primaryDNS";
        /ip dns set servers=$primaryDNS;
    }
} on-error={
    :set currentDNS [/ip dns get servers];
    # if we can't reach google and we aren't already on our FallbackDNS, switch to fallback
    :if ($currentDNS != $fallbackDNS) do={
        :log error "DNS Failover: Switching to FallbackDNS";
        /ip dns set servers=$fallbackDNS;
    } else={
        # if we can't reach google through primaryDNS and we are on the fallback, log that primaryDNS is unavailable
        :log info "Using Failover DNS, Primary Unavailable";
    }
}

 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 1:59 pm

removed useless quote ... use Post Reply not Quote button
Hi broderick
Yes, I've seen many topics on the matter, but when asking in those threads, users respond with "don't hijack threads", so, therefore I'm trying to ask the question in this new thread.
And I don't have the necessary knowledge to sort this out by myself...

If you know how to formulate such rules, I would very much appreciate your help in the matter.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 2:17 pm

Know how to formulate such rules.
CLI
/ip firewall mangle
add action=mark-connection chain=prerouting comment="DNS-Mark" connection-state=new dst-port=53 new-connection-mark="via-dns" passthrough=yes protocol=tcp src-address="your-LAN"
add action=mark-connection chain=prerouting connection-state=new dst-port=53 new-connection-mark="via-dns" passthrough=yes protocol=udp src-address="your-LAN"
/ip firewall nat
add action=dst-nat chain=dstnat connection-mark="via-dns" src-address="your-LAN" to-addresses="pi-hole"
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 2:50 pm

removed useless quote ... use Post Reply not Quote button
Have you already tried these very Firewall rules on your Mk device?
Thanks
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 3:59 pm

removed useless quote ... use Post Reply not Quote button
I have very similar commands; the only difference is that I used src-address-list vs src-address.
2022-09-16_17-27-14.jpg
2022-09-16_17-27-22.jpg
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 4:41 pm


Have you already tried these very Firewall rules on your Mk device?
Thanks
I have very similar commands the only difference is I used src-address-list vs src-address.
2022-09-16_17-27-14.jpg
2022-09-16_17-27-22.jpg
As far as I know, DNS redirect also needs a src NAT for it to work properly, otherwise clients which make DNS queries would drop any responses sent by the pi-hole server if it is in the same LAN, since they wouldn't recognize the IPs they made the DNS queries to. Maybe it is the "MOD" rule I see in the second image you posted above. Is 192.168.1.2 your pihole IP?

Thanks
Last edited by broderick on Fri Sep 16, 2022 9:34 pm, edited 1 time in total.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 5:54 pm

removed useless quote ... use Post Reply not Quote button
Well, you are correct, and I have one: rule number=2 is my src-nat rule. However, the OP's config files and topic suggest the pi-hole runs on the same subnet as the LAN. There is a WG IP range that needs to be forwarded too, although the WG config was not clear to me so I did not include that.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 9:43 pm

removed useless quote ... use Post Reply not Quote button
Well, you are correct, and I have one: rule number=2 is my src-nat rule.
hmm, maybe you meant number 1 with the "MOD" text on it. The number 2 seems to be the WG subnet.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 9:44 pm

The DNS rules are also for forwarding to WG. :D
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 10:21 pm

Why do you quote the previous post? Use Post Reply instead of the Quote button.
I didn't understand what your Pihole IP is.
My dst Nat rule points to my Mk router which in turn points to my pihole server IP.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Redirect all DNS requests to local hosted Pi-Hole

Fri Sep 16, 2022 10:35 pm

I don't have any pi-hole at my home setup. I use an ad-guard container in my x86 ROS VDS, which provides VPNs like WG and IKEv2. There is a WG tunnel between my home router and this VDS. Most of my internet and any DNS queries are routed through this tunnel.
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 7:50 am

Thanks for all the replies!!!

My only home LAN is on 10.0.0.1/24
Pihole is on 10.0.0.69

Wg1 is on 10.0.10.1/24
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 9:20 am

:mrgreen: So this is what I've tested now;
/ip firewall nat
add action=dst-nat chain=dstnat comment="User added NAT" connection-mark=via-dns src-address=10.0.0.0/24 to-addresses=10.0.0.69

and
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS-Mark connection-state=new dst-port=53 new-connection-mark=via-dns passthrough=yes protocol=udp src-address=10.0.0.0/24
add action=mark-connection chain=prerouting comment=DNS-Mark connection-state=new dst-port=53 new-connection-mark=via-dns passthrough=yes protocol=tcp src-address=10.0.0.0/24

When the NAT was enabled my devices lost internet connectivity.
pihole nat enabled.png
mk-log-NAT-enabled-internet-broke.png
Any ideas on what went wrong here?
Thinking of a NAT rule that @broderick is talking about in answer #7
Regarding address lists; I am also a fan of using lists, so if there are any new lists that could help out, please don't hold out on me
:D
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 9:52 am

You have to exclude pihole from being redirected ... if not, pihole queries get redirected back to itself. You can make exception either in mangle rules or in NAT rule.
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Redirect all DNS requests to local hosted Pi-Hole  [SOLVED]

Sat Sep 17, 2022 10:13 am

So, it actually turns out that the following NAT rules, in my network setup, work for me;
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.69 protocol=udp src-address=!10.0.0.69 dst-address=!10.0.0.69 dst-port=53
add chain=dstnat action=dst-nat to-addresses=10.0.0.69 protocol=tcp src-address=!10.0.0.69 dst-address=!10.0.0.69 dst-port=53

add chain=srcnat action=masquerade protocol=udp src-address=10.0.0.0/24 dst-address=10.0.0.69 dst-port=53
add chain=srcnat action=masquerade protocol=tcp src-address=10.0.0.0/24 dst-address=10.0.0.69 dst-port=53
At this moment, I'm NOT using the mangle rules for pre-routing or "New connection mark".

It seems as if these NAT-rules also catch my wg1 interface, and forces DNS queries to local 10.0.0.69 (pi-hole), which is a good thing!
Or is it??
10.0.10.10 is a wg client outside my LAN.
wg1 or not.png
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 10:23 am

You have to exclude pihole from being redirected ... if not, pihole queries get redirected back to itself. You can make exception either in mangle rules or in NAT rule.
Hi
And THANK YOU for taking your time to reply to my thread.
The thing is that the answer you provided does not tell me HOW to do that.
And that is one of the reasons I'm asking for help.

This way of "answering" questions is fairly common in "Linux communities" and to be frank it's one of the biggest hurdles to overcome for a newbie who wants to learn stuff. It's just arrogant. It's telling new users "I know the answer, you don't, now you have to find it out also".
- The educational aim of an answer like that is to force the user asking the question to do the research and find the answer himself. Yes, I understand that. But in most cases, amateur users like me lack the background knowledge in the requested subject (as I have stated twice in this thread).
I have several small kids, a full time job, and this (networking, computers, pi-hole etc) is a hobby.

I most humbly ask of anyone who wants to help me out; please do so.
If you feel a need to tell me that you know the answer but don't want to help me with this thread/question, just don't reply.
It's that simple.

TLDR; new user asking other user to answer question and not tease.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 11:25 am

I'm sorry if my answer didn't help you to solve the problem.

As you're mentioning linux community and the way of answering questions: it is indeed common to "help learn how to catch fish" instead of "giving fish" and personally I'm a big fan of it. I feel that by mentioning the possible cause for malfunction instead of writing a recipe to fix the rules (which you might or might not understand) I helped you both understand the networking better and somehow helped you to find the recipe yourself (which again made you know ROS better). If neither of them is your objective, then perhaps (die hard) linux and ROS are not for you? Besides, most people helping around are hobbyists ... just like you or me.

TLDR; get direct help from one of these: https://mikrotik.com/consultants
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 12:11 pm

You have to exclude pihole from being redirected ... if not, pihole queries get redirected back to itself. You can make exception either in mangle rules or in NAT rule.
hmm, what you said seems to be right, but it is strange. I don't have such a rule and pihole works as expected nonetheless.

What would this rule look like?

Thanks
 
S8T8
Frequent Visitor
Posts: 81
Joined: Thu Sep 15, 2022 7:15 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 1:18 pm

maybe this as first rule
/ip firewall nat add chain=dstnat action=accept... pihole.ip
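An added example, not posted by anyone in this thread, of the complete rule set that the exclusion above is part of. It uses the addresses given on this page (LAN 10.0.0.0/24, wg1 10.0.10.0/24, Pi-hole 10.0.0.69); the address-list name "dns-clients" and the rule comments are this example's own choices.

```routeros
# Added example (not from any post in this thread).
# Assumed: LAN 10.0.0.0/24, WireGuard clients 10.0.10.0/24, Pi-hole 10.0.0.69,
# and an address list named "dns-clients" that groups the two client subnets.
/ip firewall address-list
add list=dns-clients address=10.0.0.0/24 comment="home LAN"
add list=dns-clients address=10.0.10.0/24 comment="wg1 clients"

/ip firewall nat
# Exclusion first: the Pi-hole's own upstream lookups must not be redirected
# back to itself, otherwise they loop and every LAN client loses resolution.
add chain=dstnat action=accept src-address=10.0.0.69 dst-port=53 protocol=udp \
    comment="Pi-hole upstream DNS, do not redirect"
add chain=dstnat action=accept src-address=10.0.0.69 dst-port=53 protocol=tcp \
    comment="Pi-hole upstream DNS, do not redirect"
# Redirect everyone else's port-53 traffic (UDP and TCP) to the Pi-hole.
add chain=dstnat action=dst-nat to-addresses=10.0.0.69 to-ports=53 \
    src-address-list=dns-clients dst-address=!10.0.0.69 dst-port=53 protocol=udp \
    comment="Pi-hole redirect"
add chain=dstnat action=dst-nat to-addresses=10.0.0.69 to-ports=53 \
    src-address-list=dns-clients dst-address=!10.0.0.69 dst-port=53 protocol=tcp \
    comment="Pi-hole redirect"
# Hairpin srcnat only for clients on the Pi-hole's own subnet: without it the
# Pi-hole answers the LAN client directly, the client sees a reply from
# 10.0.0.69 instead of the server it asked, and drops it. WG clients are on
# another subnet, so their replies already cross the router and connection
# tracking restores the original destination address.
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.69 \
    dst-port=53 protocol=udp comment="Pi-hole hairpin"
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.69 \
    dst-port=53 protocol=tcp comment="Pi-hole hairpin"

# Check: the redirect and hairpin counters should climb while a client does
# lookups; if only the accept rules count, the client is the Pi-hole itself.
/ip firewall nat print stats where comment~"Pi-hole"
```

Rule order matters in dstnat: the accept rules for 10.0.0.69 have to sit above the dst-nat rules, which is why the example adds them first.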
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 1:23 pm

I'm sorry if my answer didn't help you to solve the problem.
[...]
TLDR; get direct help from one of these: https://mikrotik.com/consultants
I simply asked for help in a beginners sub-forum. That's it.
No one forced you to "answer".
I read several of your other answers in the main forum and I have learned a lot from you and other seniors here. But come on m8...
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Redirect all DNS requests to local hosted Pi-Hole

Sat Sep 17, 2022 2:05 pm

You have to exclude pihole from being redirected ... if not, pihole queries get redirected back to itself. You can make exception either in mangle rules or in NAT rule.
My dstnat rule:
add action=dst-nat chain=dstnat comment="Pihole Ubuntu " dst-port=53 in-interface-list=LAN protocol=tcp to-addresses=192.168.3.1 to-ports=53
As you can see it redirects DNS queries from LAN to 192.168.3.1 (my mk router IP) which in turn has my pihole IP (192.168.3.12) set as DNS server.
That might be the reason why it has been working without any issue so far.
So, I don't know if I really need the rule to exclude pihole itself from being redirected as you said. Not sure though.
