Simba91
Joined: Fri Apr 15, 2022 5:48 pm

VLAN, Pi-Hole, DHCP and Local DNS.

Fri Apr 15, 2022 9:05 pm

I am trying to configure my router to direct DNS traffic to a local Pi-Hole instance, except for local hostnames stored on the Router.

For reference, I am using RouterOS 7.2, the router is 192.168.88.1, and the Pi-Hole is on 192.168.88.211. DHCP is set to offer both the router and the Pi-Hole as DNS servers (I provide 2 DNS addresses because some of my older Android devices don't work properly without them).

Local hostnames are available on the router's DNS through a script that keeps the DHCP leases in sync with the DNS records. I've configured conditional forwarding on the Pi-Hole. The local network is configured on the Pi-Hole as 192.168.0.0/16, with the domain name "lan".

I thought I could set up a basic layer7-protocol filter so that any queries for *.lan would go to the RouterOS resolver, and a firewall rule would redirect everything else to the Pi-Hole, but this (and various other tweaks on it) isn't working. I am now getting out of my depth here, and unsure what terms to search for to find more help. Can anyone offer advice on how to complete this setup?

Tips and pointers appreciated!
# I tried various combinations of regex here.
/ip firewall layer7-protocol add name=local-dns regexp=\.lan$
/ip firewall mangle add chain=prerouting dst-address=192.168.88.1 layer7-protocol=local-dns action=mark-connection new-connection-mark=local-dns-handle protocol=tcp dst-port=53
/ip firewall mangle add chain=prerouting dst-address=192.168.88.1 layer7-protocol=local-dns action=mark-connection new-connection-mark=local-dns-handle protocol=udp dst-port=53
/ip firewall nat add action=dst-nat chain=dstnat connection-mark=!local-dns-handle to-addresses=192.168.88.211
/ip firewall nat add action=masquerade chain=srcnat connection-mark=!local-dns-handle
With these settings on the firewall, the Pi-Hole gets flooded with a LOT of queries.
/ip firewall print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 
 1    chain=dstnat action=dst-nat to-addresses=192.168.88.211 protocol=udp src-address=!192.168.88.211 dst-address=!192.168.88.211 in-interface=bridge dst-port=53
 2    chain=dstnat action=dst-nat to-addresses=192.168.88.211 protocol=tcp src-address=!192.168.88.211 dst-address=!192.168.88.211 in-interface=bridge dst-port=53
 3    chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.211 dst-port=53 
 4    chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.211 dst-port=53 
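One reason a payload regexp like \.lan$ cannot match DNS traffic is that the dotted hostname is never sent on the wire: DNS encodes each label with a length prefix (nas.lan travels as \x03nas\x03lan\x00) and the name is followed by the QTYPE/QCLASS fields, so neither the literal dot nor the end-of-data anchor is ever satisfied. The following is an added example, not code from the original post or from MikroTik: it builds a constructed query for the hypothetical host nas.lan, shows what the bytes look like, and does the zone check by parsing the QNAME instead of regex-matching the raw packet.

```python
import re
import struct


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (constructed sample, not a capture).

    Labels are length-prefixed: "nas.lan" becomes b"\\x03nas\\x03lan\\x00".
    """
    # 12-byte header: id, flags (RD set), QDCOUNT=1, AN/NS/AR counts = 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")
    )
    # Root label terminator, then QTYPE and QCLASS (IN) follow the name
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Decode the QNAME of the first question back to dotted form."""
    labels, pos = [], 12  # question section starts right after the header
    while True:
        length = packet[pos]
        if length == 0:  # root label: end of name
            break
        if length & 0xC0:  # compression pointer is not expected in a query
            raise ValueError("compressed QNAME in question section")
        labels.append(packet[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def dotted_regex_matches(packet: bytes) -> bool:
    """Apply the post's idea (\\.lan$) to the raw payload: no dot, no end anchor."""
    return re.search(rb"\.lan$", packet) is not None


def in_lan_zone(packet: bytes) -> bool:
    """Zone check done on parsed labels: is the last label exactly 'lan'?"""
    return parse_qname(packet).split(".")[-1] == "lan"
```

Running dotted_regex_matches on the constructed nas.lan query returns False while in_lan_zone returns True, which is the gap between the regexp the rule expresses and the bytes the rule actually sees.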
