Currently I have a Pi-hole in my network with IP address 192.168.18.2. The router has an outgoing public DNS of 1.1.1.1 and 1.0.0.1. The DHCP server has DNS 192.168.18.1 (router gateway) for the clients.
I've added the following NAT rules to force all DNS through the Pi-hole:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.18.2 protocol=udp src-address=!192.168.18.2 dst-address=!192.168.18.2 dst-port=53 comment="piholeNAT1"
add chain=dstnat action=dst-nat to-addresses=192.168.18.2 protocol=tcp src-address=!192.168.18.2 dst-address=!192.168.18.2 dst-port=53 comment="piholeNAT2"
add chain=srcnat action=masquerade protocol=udp src-address=192.168.18.0/24 dst-address=192.168.18.2 dst-port=53 comment="piholeNAT3"
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.18.0/24 dst-address=192.168.18.2 dst-port=53 comment="piholeNAT4"
I've created the following script, scheduled at an interval of 30 seconds:
:local piholeDNS "192.168.18.2"
:local testDomain "www.google.com"
# NAT rules carry a "disabled" flag, so test for disabled=false rather than a non-existent "enabled" property
:if ([/ip firewall nat get [find comment="piholeNAT1"] disabled] = false) do={
    # Redirect is active: probe the Pi-hole and fall back to the router's upstream DNS if it does not answer
    :do {
        :resolve $testDomain server=$piholeDNS
    } on-error={
        /ip firewall nat disable [find comment="piholeNAT1"]
        /ip firewall nat disable [find comment="piholeNAT2"]
        /ip firewall nat disable [find comment="piholeNAT3"]
        /ip firewall nat disable [find comment="piholeNAT4"]
    }
} else={
    # Redirect is disabled: re-enable the rules as soon as the Pi-hole resolves again
    :do {
        :resolve $testDomain server=$piholeDNS
        /ip firewall nat enable [find comment="piholeNAT1"]
        /ip firewall nat enable [find comment="piholeNAT2"]
        /ip firewall nat enable [find comment="piholeNAT3"]
        /ip firewall nat enable [find comment="piholeNAT4"]
    } on-error={}
}
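To see what the four NAT rules above do to individual packets, here is an added model of them in Python (not RouterOS code, and not part of the original post). It assumes the packet is forwarded by the router and that masquerade rewrites the source to the router's LAN address 192.168.18.1; it walks a few constructed packets through dst-nat and then src-nat, in the order RouterOS applies the chains.

```python
from dataclasses import dataclass, replace

PIHOLE = "192.168.18.2"
ROUTER = "192.168.18.1"   # masquerade source, assumed to be the LAN-side address
LAN_PREFIX = "192.168.18."  # stands in for 192.168.18.0/24

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)

def dstnat(p: Packet) -> Packet:
    """piholeNAT1/2: redirect any port-53 UDP/TCP packet to the Pi-hole,
    unless it comes from or goes to the Pi-hole itself. Without the
    src-address exclusion the Pi-hole's own upstream queries would be
    redirected back to it and loop."""
    if (p.dport == 53 and p.proto in ("udp", "tcp")
            and p.src != PIHOLE and p.dst != PIHOLE):
        return replace(p, dst=PIHOLE)
    return p

def srcnat(p: Packet) -> Packet:
    """piholeNAT3/4: masquerade LAN->Pi-hole DNS. srcnat runs after dstnat,
    so it also matches redirected packets. The reply then returns via the
    router and is un-NATed; otherwise a client that asked 1.1.1.1 would
    get an answer from 192.168.18.2 and discard it. Side effect: the
    Pi-hole sees every client as 192.168.18.1."""
    if p.dport == 53 and in_lan(p.src) and p.dst == PIHOLE:
        return replace(p, src=ROUTER)
    return p

def nat(p: Packet) -> Packet:
    """Apply the chains in RouterOS order: dstnat, routing, then srcnat."""
    return srcnat(dstnat(p))

if __name__ == "__main__":
    # Constructed sample packets: a client query to a public resolver,
    # the Pi-hole's own upstream query, and non-DNS traffic.
    for pkt in (Packet("192.168.18.50", "1.1.1.1", "udp", 53),
                Packet(PIHOLE, "1.1.1.1", "udp", 53),
                Packet("192.168.18.50", "93.184.216.34", "tcp", 443)):
        print(pkt, "->", nat(pkt))
```

Packets that never cross the router (a client sending directly to the Pi-hole on the same segment) are untouched by these rules; that is why the DHCP server hands out the router's address as the DNS server.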