mk13139
just joined
Topic Author
Posts: 10
Joined: Mon Dec 30, 2013 3:32 am

Pi-hole forced DNS redirection with failover script

Tue Dec 08, 2020 1:50 pm

I'm trying to create a Pi-hole DNS failover script, without luck so far.

Currently I have a Pi-hole in my network with IP address 192.168.18.2. The router has an outgoing public DNS of 1.1.1.1 and 1.0.0.1. The DHCP server has DNS 192.168.18.1 (router gateway) for the clients.
I've added the following NAT rules to force all DNS through the Pi-hole:
/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=192.168.18.2 protocol=udp src-address=!192.168.18.2 dst-address=!192.168.18.2 dst-port=53 comment="piholeNAT1"
add chain=dstnat action=dst-nat to-addresses=192.168.18.2 protocol=tcp src-address=!192.168.18.2 dst-address=!192.168.18.2 dst-port=53 comment="piholeNAT2"

add chain=srcnat action=masquerade protocol=udp src-address=192.168.18.0/24 dst-address=192.168.18.2 dst-port=53 comment="piholeNAT3"
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.18.0/24 dst-address=192.168.18.2 dst-port=53 comment="piholeNAT4"
What I would like to do in case of failure of the Pi-hole is disabling these NAT rules. When these NAT rules are disabled, the clients' DNS will go through the router gateway and public DNS 1.1.1.1/1.0.0.1 like normal until the Pi-hole is up again (NAT rules get enabled again and DNS redirect to Pi-hole).
I've created the following script, scheduled at an interval of 30 seconds:
:local piholeDNS "192.168.18.2"
:local testDomain "www.google.com"

:if ([/ip firewall nat [find comment="piholeNAT1"] enabled]) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip firewall nat disable [find comment="piholeNAT1"]
        /ip firewall nat disable [find comment="piholeNAT2"]
        /ip firewall nat disable [find comment="piholeNAT3"]
        /ip firewall nat disable [find comment="piholeNAT4"]
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS
        /ip firewall nat enable [find comment="piholeNAT1"]
        /ip firewall nat enable [find comment="piholeNAT2"]
        /ip firewall nat enable [find comment="piholeNAT3"]
        /ip firewall nat enable [find comment="piholeNAT4"]
    } on-error={}
}
When I disconnect the Pi-hole as a failure test, the NAT rules don't get disabled. So something is obviously wrong in the script. Can somebody help me out?
Last edited by mk13139 on Wed Dec 09, 2020 12:05 pm, edited 1 time in total.
 
mk13139
just joined
Topic Author
Posts: 10
Joined: Mon Dec 30, 2013 3:32 am

Re: Pi-hole DNS failover script [SOLVED]

Tue Dec 08, 2020 4:39 pm

Never mind! I looked again carefully and figured that the fault was in getting the state value of the NAT rule.
The working code for forced redirection through Pi-hole with DNS failover is as follows:
:local piholedown [/ip firewall nat get value-name=disabled [find comment="piholeNAT1"]]
:local piholeDNS "192.168.18.2"
:local testDomain "www.google.com"

:if ($piholedown = false) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip firewall nat;
            disable [find comment="piholeNAT1"];
            disable [find comment="piholeNAT2"];
            disable [find comment="piholeNAT3"];
            disable [find comment="piholeNAT4"];
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS;
        /ip firewall nat;
            enable [find comment="piholeNAT1"];
            enable [find comment="piholeNAT2"];
            enable [find comment="piholeNAT3"];
            enable [find comment="piholeNAT4"];
    } on-error={}
}
With the following NAT rules (*edit: added in-interface LAN bridge to dst-nat rules to prevent exposure of port 53 to outside world):
/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=192.168.18.2 in-interface=bridge protocol=udp src-address=!192.168.18.2 dst-address=!192.168.18.2 dst-port=53 comment="piholeNAT1"
add chain=dstnat action=dst-nat to-addresses=192.168.18.2 in-interface=bridge protocol=tcp src-address=!192.168.18.2 dst-address=!192.168.18.2 dst-port=53 comment="piholeNAT2"

add chain=srcnat action=masquerade protocol=udp src-address=192.168.18.0/24 dst-address=192.168.18.2 dst-port=53 comment="piholeNAT3"
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.18.0/24 dst-address=192.168.18.2 dst-port=53 comment="piholeNAT4"
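A hardened variant of the failover check, added here as an example and not code from the thread: it reads the rule state with the usual `get ... disabled` form, selects all four rules by a comment regex, only disables redirection after three consecutive failed checks so one dropped UDP lookup does not flap the rules, and logs every state change so the router log shows when clients were sent to the public resolvers. It assumes the same rule comments and scheduler interval as the posts above; the global counter name and the threshold are my own choices.

```routeros
# Added example (not from the original post). Scheduled every 30 s, like the thread's script.
:local piholeDNS "192.168.18.2"
:local testDomain "www.google.com"
# Consecutive failed checks required before redirection is dropped (assumed value)
:local maxFailures 3

# Global so the counter survives between scheduler runs (hypothetical name)
:global piholeFailCount
:if ([:typeof $piholeFailCount] = "nothing") do={ :set piholeFailCount 0 }

# Probe the Pi-hole directly; the router's own query is not affected by the dstnat rules
:local piholeOK true
:do {
    :resolve $testDomain server=$piholeDNS
} on-error={ :set piholeOK false }

# Read the real rule state instead of guessing it (this was the bug in the first script)
:local rulesDisabled [/ip firewall nat get [find comment="piholeNAT1"] disabled]

:if ($piholeOK) do={
    :set piholeFailCount 0
    :if ($rulesDisabled) do={
        # Pi-hole answers again: restore forced redirection for all four rules at once
        /ip firewall nat enable [find comment~"^piholeNAT"]
        :log info "Pi-hole reachable again, DNS redirection re-enabled"
    }
} else={
    :set piholeFailCount ($piholeFailCount + 1)
    :if (($piholeFailCount >= $maxFailures) && (!$rulesDisabled)) do={
        # Sustained outage: fall back to the router's upstream resolvers and record it
        /ip firewall nat disable [find comment~"^piholeNAT"]
        :log warning "Pi-hole failed $piholeFailCount checks, DNS redirection disabled"
    }
}
```

While redirection is disabled, clients reach 1.1.1.1/1.0.0.1 unfiltered, so the warning entry is the signal to watch for in the log.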
