Block DNS Change

#1

I followed this topic.
My setup is as follows: Asus RT-AC68R (192.168.1.1)
Raspberry Pi 3 B+ (192.168.1.2) connected to the LAN
DNS-over-HTTPS is set up on Pi-hole via this guide.

pihole="192.168.1.2"

iptables -t nat -A PREROUTING -p tcp -i "br0" -m iprange ! --src-range "192.168.1.1"-"192.168.1.2" ! --dst-range "192.168.1.1"-"192.168.1.2" --dport 53 -j DNAT --to-destination "${pihole}"
iptables -t nat -A PREROUTING -p udp -i "br0" -m iprange ! --src-range "192.168.1.1"-"192.168.1.2" ! --dst-range "192.168.1.1"-"192.168.1.2" --dport 53 -j DNAT --to-destination "${pihole}"

iptables -t nat -A POSTROUTING -j MASQUERADE

Expected Behavior:

Clients can manually change DNS and not bypass Pi-hole; all DNS should be redirected to Pi-hole.

Actual Behavior:

Any client DNS change bypasses Pi-hole DNS completely.

Debug Token:

9hss4rjsnw


#2

I assume that it works when you test it.

Blocking the use of other DNS servers has become more difficult in the last few years because Google/Mozilla/Cloudflare/etc. are offering an alternative way to resolve domains.

You can block this by blocking the IP addresses of those DNS servers.

Then you also have IPv6, which is more difficult to block. I advocate not assigning public addresses to local devices unless needed.


#3

Make a firewall rule and force traffic to port 53 -> Pi-hole.


#4

On an ASUS router you should be able to do this via the DNS Filtering tab option. Enable this option and set Global Filter mode to “Router”.


#5

Thanks for the suggestions. I found the solution, for anyone who finds this:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br0 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT

I ran these commands directly on the Asus RT-AC68R router via SSH using PuTTY. This will force any client DNS change to use Pi-hole. It will take a few minutes for it to take effect. Also, credit for the commands goes to Lethal.


#6

If your Pi-hole does not resolve new domains, then switch lines two and three and the last two lines.

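The rule set from #5, with the ordering point from #6 built in, as an added example script (not the poster's commands and not Pi-hole's own code). It emits the rules in the order they must end up in the chain (the Pi-hole's own upstream queries ACCEPTed first, then the DNAT), adds a hairpin MASQUERADE so replies for redirected queries come back from the address the client asked, and optionally blocks DoT on 853 and a handful of well-known DoH resolver addresses as #2 suggests. The interface names br0/ppp0, the Pi-hole address 192.168.1.2 and the resolver list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the original poster's script): force every plain-DNS
# query leaving the LAN bridge to the Pi-hole, exempt the Pi-hole's own
# upstream queries, and optionally block DoT and a few DoH resolver IPs.
# Interface names, the Pi-hole address and the resolver list are assumptions
# for illustration; adjust them for your network.

PIHOLE="${PIHOLE:-192.168.1.2}"   # Pi-hole address (assumed; matches the thread)
LAN_IF="${LAN_IF:-br0}"           # LAN bridge on the router (assumed)
WAN_IF="${WAN_IF:-ppp0}"          # WAN interface used for MASQUERADE (assumed)

# Constructed starting list of public resolvers that also serve DoH on 443.
# Blocking by IP is a moving target; extend the list from your own logs.
DOH_RESOLVERS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9"

# Emit iptables rule specs (everything after the word "iptables"), one per
# line, in the order they must end up in the chain. All specs use -A and are
# written in final order, so applying them top to bottom gives the same
# result as the thread's -I commands run bottom to top.
build_dns_rules() {
    for proto in udp tcp; do
        # The Pi-hole's own upstream queries must not be looped back to it.
        echo "-t nat -A PREROUTING -i $LAN_IF -p $proto -s $PIHOLE --dport 53 -j ACCEPT"
    done
    for proto in udp tcp; do
        # Everything else on port 53 goes to the Pi-hole regardless of the
        # resolver the client configured.
        echo "-t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j DNAT --to-destination $PIHOLE:53"
    done
    for proto in udp tcp; do
        # Hairpin: client and Pi-hole sit on the same bridge, so without this
        # the Pi-hole answers the client directly from its own address and the
        # client drops a reply that did not come from the resolver it asked.
        # Masquerading the redirected packets routes the reply back through the
        # router, where conntrack rewrites the source to the original resolver.
        echo "-t nat -A POSTROUTING -o $LAN_IF -p $proto -d $PIHOLE --dport 53 -j MASQUERADE"
    done
    echo "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Block the encrypted transports that bypass port 53: DoT on 853/tcp and DoH
# to the listed resolvers on 443/tcp. These go into filter FORWARD with -I
# because the firmware's own ACCEPT rules sit earlier in that chain.
build_doh_block_rules() {
    echo "-t filter -I FORWARD -i $LAN_IF -p tcp --dport 853 -j REJECT --reject-with tcp-reset"
    for ip in $DOH_RESOLVERS; do
        echo "-t filter -I FORWARD -i $LAN_IF -p tcp -d $ip --dport 443 -j REJECT --reject-with tcp-reset"
    done
}

# Apply a list of specs idempotently: check with -C first, add only if missing,
# so the script can be re-run from a firewall/nat-start hook without stacking
# duplicate rules. Assumes an iptables that supports -C.
apply_specs() {
    while read -r spec; do
        check=$(printf '%s\n' "$spec" | sed 's/ -[AI] / -C /')
        # shellcheck disable=SC2086  # word-splitting the spec is intended
        if ! iptables $check 2>/dev/null; then
            iptables $spec
        fi
    done
}

case "${1:-}" in
    show)  build_dns_rules; build_doh_block_rules ;;
    apply) build_dns_rules | apply_specs
           build_doh_block_rules | apply_specs ;;
esac
```

Run it on the router as `sh dns-redirect.sh show` to review the rules and `sh dns-redirect.sh apply` to install them; on Asuswrt-Merlin the natural home is a `/jffs/scripts/nat-start` hook (assumed path, Merlin's convention) so the rules survive a reboot. To verify from a client, query a resolver that is not the Pi-hole, for example `dig @8.8.8.8 pi.hole +short`: Pi-hole answers `pi.hole` with its own address, while the real 8.8.8.8 would not. Two caveats: the hairpin MASQUERADE makes redirected queries appear in the Pi-hole query log as coming from the router rather than the client (clients that use the Pi-hole as handed out by DHCP still show their own address), and none of this touches IPv6, so if clients hold global v6 addresses you need the same rules in ip6tables or they will resolve over v6 unhindered, which is the point #2 makes.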

closed #7

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
