Block DNS change on local PC to not bypass Pi-Hole server

My question is how can I force DNS to be resolved by PI-Hole.

Example: I can change my DNS to 8.8.8.8 on my local PC and bypass the Pi-hole DNS server?

Thanks

On your router or firewall, route all packets going to port 53 of some address to Pi-hole.

I am using Tomato by shibby.

Can you offer an example of using iptables or another command to capture port 53? If I enable the capture port 53 setting on the router, it will bypass the Pi-Hole server. That Tomato setting has to be unchecked.

Thanks

@WaLLy3K What iptables rules do you have set up for this situation?


These are the basic rules I use, which ensure that 10.0.0.1 to 10.0.0.4 (my router and SBCs) can query any upstream server, while everything else is forced to go to $pihole.

If you're using Tomato, please turn off the "Redirect Port 53" checkbox under Advanced DNS/DHCP settings.

When implementing this, make sure to test everything first! Change your primary computer's DNS to something that you don't use. If your Pi-hole upstream is Cloudflare, then set your primary computer's DNS to Google, or vice versa. Then, run a DNS leak test to confirm your computer is using Google. Apply the iptable rules, and then confirm you're using Cloudflare. You can then remove Google which you've added manually to your primary computer.

Finally, run an Open DNS resolver test to ensure that you've set -i "<lan network interface>" correctly. You could also do ! -i "<wan network interface>" such as ! -i "ppp0".

pihole="10.0.0.2"

# If DNS query outside source range is not sent to destination range, redirect it to the primary DNS server
iptables -t nat -A PREROUTING -p tcp -i "br0" -m iprange ! --src-range "10.0.0.1"-"10.0.0.4" ! --dst-range "10.0.0.1"-"10.0.0.4" --dport 53 -j DNAT --to-destination "${pihole}"
iptables -t nat -A PREROUTING -p udp -i "br0" -m iprange ! --src-range "10.0.0.1"-"10.0.0.4" ! --dst-range "10.0.0.1"-"10.0.0.4" --dport 53 -j DNAT --to-destination "${pihole}"

# Ensure transparent DNS interception: Pi-hole's replies must return through the router
# so the client sees them as coming from the server it originally asked
iptables -t nat -A POSTROUTING -j MASQUERADE

If you've got a router that has some kind of firewall-up script, put this in there and it'll be automatically applied when the router reboots.
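An added example (not from the thread or the Pi-hole project) that generalizes the rules above: it builds the port-53 DNAT rules from variables, narrows the MASQUERADE to the redirected DNS traffic only, adds a REJECT for port 853 (DNS over TLS, and DNS over QUIC on UDP) that a port-53 DNAT cannot catch, and includes a client-side check that asks a public resolver for the pi.hole name. The interface br0, the Pi-hole address and the exempt range are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build the port-53 redirect rules from
# variables, narrow the MASQUERADE to DNS traffic, and reject port 853, which
# a DNAT on port 53 does not cover. Values below are assumed placeholders.
LAN_IF="${LAN_IF:-br0}"                  # LAN bridge interface on the router
PIHOLE="${PIHOLE:-10.0.0.2}"             # Pi-hole address
EXEMPT="${EXEMPT:-10.0.0.1-10.0.0.4}"    # router + SBCs allowed to reach upstream

# Print the PREROUTING DNAT rule for one protocol (tcp or udp).
dns_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p %s -i %s -m iprange ! --src-range %s ! --dst-range %s --dport 53 -j DNAT --to-destination %s\n' \
        "$1" "$LAN_IF" "$EXEMPT" "$EXEMPT" "$PIHOLE"
}

# MASQUERADE only the redirected DNS traffic, not every forwarded packet, so
# Pi-hole's replies come back through the router instead of straight to the client.
dns_masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport 53 -j MASQUERADE\n' \
        "$LAN_IF" "$PIHOLE" "$1"
}

# Reject DNS over TLS (tcp/853) and DNS over QUIC (udp/853) from non-exempt hosts;
# DNS over HTTPS shares port 443 with ordinary web traffic and is not handled here.
dot_reject_rule() {
    printf 'iptables -A FORWARD -i %s -m iprange ! --src-range %s -p %s --dport 853 -j REJECT\n' \
        "$LAN_IF" "$EXEMPT" "$1"
}

# Emit the full rule set; review it, then run it as root from the firewall script.
all_rules() {
    for p in tcp udp; do
        dns_redirect_rule "$p"
        dns_masquerade_rule "$p"
        dot_reject_rule "$p"
    done
}

# Check from a LAN client: ask a public resolver for "pi.hole". Only Pi-hole
# answers that name with its own address, so a match proves the redirect works.
check_redirect() {
    answer="$(dig +short +time=3 @8.8.8.8 pi.hole 2>/dev/null)"
    [ "$answer" = "$PIHOLE" ]
}

if [ "${1:-}" = "print" ]; then
    all_rules
fi
```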

I believe I have resolved the issue based on your code. Keep in mind that I am new to Linux but I continue to learn from others.

This is what I did

In the router I changed IP range to 192.168.1.10 - 192.168.1.75
I wanted to have Pi-Hole use an IP not in this range. (192.168.1.9)

In the router Firewall I modified the code to the following

pihole="192.168.1.9"

iptables -t nat -A PREROUTING -p tcp -i "br0" -m iprange ! --src-range "192.168.1.1"-"192.168.1.9" ! --dst-range "192.168.1.1"-"192.168.1.9" --dport 53 -j DNAT --to-destination "${pihole}"
iptables -t nat -A PREROUTING -p udp -i "br0" -m iprange ! --src-range "192.168.1.1"-"192.168.1.9" ! --dst-range "192.168.1.1"-"192.168.1.9" --dport 53 -j DNAT --to-destination "${pihole}"

iptables -t nat -A POSTROUTING -j MASQUERADE

If I try to change the local PC's DNS IP address, it is caught in the firewall and forwarded to the PI-Hole.
If this setting looks OK, then I am good!

Thank You

