I'm currently running Chateau - RouterBOARD v7.0. One of the router's interfaces is connected to the RPi, running Raspbian OS with Pihole and Unbound on board.
To dump all the DNS traffic I have added dst-nat rules and masquerade to receive answers back. This setup is doing its job, but there is a small issue. I would like to
see which host generates which queries. With masquerade rules it is not possible (the router IP is logically the only traffic generator); without dst-nat and masquerade,
devices would use their own DNS addresses, avoiding Pihole blocklists.
The question is whether it is possible to set up DNS routing through Pihole without "nat-ing" host addresses. If no masquerade rules are added, then the RPi will drop packets,
not knowing the destination host. Do I need to add static routes in Raspbian to the end nodes?
I will surely share infrastructure info, as well as applied RouterOS rules.
RPi-IP(Eth0) = 10.0.10.100/24
MikrotikRouterOS-IP(Eth2) = 10.0.10.1/24
For the other subnets, the network address plus the first host bit can be assumed to be the Mikrotik RouterOS IP address.
Code:
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix="" ipsec-policy=out,none
1 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=udp dst-address=!10.0.10.100 src-address-list=user-net-list
dst-port=53,5353 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=tcp dst-address=!10.0.10.100 src-address-list=user-net-list
dst-port=53,5353 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=udp dst-address=!10.0.10.100 src-address-list=guest-net-list
dst-port=53,5353 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=tcp dst-address=!10.0.10.100 src-address-list=guest-net-list
dst-port=53,5353 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=udp dst-address=!10.0.10.100 src-address-list=work-net-list
dst-port=53,5353 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=tcp dst-address=!10.0.10.100 src-address-list=work-net-list
dst-port=53,5353 log=no log-prefix=""
7 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=udp dst-address=!10.0.10.100 src-address-list=smart-net-list
dst-port=53,5353 log=no log-prefix=""
8 chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53
protocol=tcp dst-address=!10.0.10.100 src-address-list=smart-net-list
dst-port=53,5353 log=no log-prefix=""
11 chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100
src-address-list=user-net-list dst-port=53,5353 log=no log-prefix=""
12 chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100
src-address-list=user-net-list dst-port=53,5353 log=no log-prefix=""
13 chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100
src-address-list=work-net-list dst-port=53,5353 log=no log-prefix=""
14 chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100
src-address-list=work-net-list dst-port=53,5353 log=no log-prefix=""
15 chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100
src-address-list=smart-net-list dst-port=53,5353 log=no log-prefix=""
16 chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100
src-address-list=smart-net-list dst-port=53,5353 log=no log-prefix=""
17 chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100
src-address-list=guest-net-list dst-port=53,5353 log=no log-prefix=""
18 chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100
src-address-list=guest-net-list dst-port=53,5353 log=no log-prefix=""