Configuring DNS Server - LAN or WAN Settings on ASUS Router?

Hello - I am fairly new to pi-hole and had a quick question.

I have an ASUS RT-AX86U router, and pi-hole (v5.2.4) running on R-Pi. I have everything set and it seems to be working well. So this question might be moot.

Current setup: I am using the router's DHCP settings and configured the DNS to the pi-hole's IP on the router, and it is working correctly, and blocking ads.

But I am confused as to whether I set up the DNS settings in my router correctly. As per this link from pi-hole documentation I should be changing settings under LAN configuration and not under WAN.

However as per the instructions to change my DNS settings on my router - I am supposed to change the WAN settings and not LAN, which is what I did.

So, question is - did I do it right or should I change the LAN DNS settings as well?

On my ASUS RT-N56U the setting is in LAN then DHCP Server under the DNS and WINS Server setting on that page. The page you show looks similar here on mine so I would think it should be there for you too in your firmware.

The only setting that needs changing is the LAN --> DHCP Server --> DNS Server setting(s).
But Asus routers are known to have a snag:

PS: The nmap command posted in the above link can be replaced by the one below, since a month or so ago:

pihole-FTL dhcp-discover

Thanks for the response guys.

So nmap and pihole-FTL both show only one DNS server and that is the router's address itself, not pi-hole (10.0.0.10). Output attached below.

pi@raspberrypi:~ $ sudo nmap -sU -p67 --script dhcp-discover 10.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-25 00:42 GMT
Nmap scan report for 10.0.0.1
Host is up (0.00059s latency).

PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 10.0.0.1
|   Subnet Mask: 255.255.255.0
|   Broadcast Address: 10.0.0.255
|   Domain Name Server: 10.0.0.1
|   NetBIOS Name Server: 10.0.0.1
|   Domain Name: mydomainname
|_  Router: 10.0.0.1

deHakkelaar - I read your response here. Few questions:

  1. Does this mean I have to flash custom firmware on my router to use pihole? Merlin doesn't have a stable version for RT-AX86U yet, only a beta version, so I will have to wait.
  2. Using pi-hole for DHCP - is that recommended?
  3. Where is pihole getting its current queries from?
  4. Should I just let it continue as is, since I don't seem to be seeing any ads on any clients while browsing?
  5. Would changing the DNS setting on the LAN page make any difference?
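The nmap and pihole-FTL output above shows what the router puts in the DHCP "Domain Name Server" option. The following is an added example (not code from the thread, Pi-hole or nmap) that parses that option field from a DHCP reply and flags any advertised DNS server other than the Pi-hole, which is exactly the bypass the Asus "snag" creates. The packet bytes are constructed for the example; the addresses 10.0.0.1 (router) and 10.0.0.10 (Pi-hole) are the ones from this thread.

```python
from __future__ import annotations

import ipaddress

# RFC 2132 option codes used here; 53 = DHCP message type, 54 = server identifier
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Parse the TLV option area of a DHCP reply (magic cookie, then code/length/value)."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    parsed: dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        parsed[code] = parsed.get(code, b"") + value  # RFC 3396: repeated codes concatenate
        i += 2 + length
    return parsed


def dns_servers(options: bytes) -> list[str]:
    """List the DNS servers (option 6) a DHCP reply tells the client to use, in order."""
    raw = parse_dhcp_options(options).get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("DNS server option is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


def bypass_servers(options: bytes, pihole: str) -> list[str]:
    """Advertised DNS servers other than the Pi-hole; a non-empty list means clients can bypass it."""
    return [s for s in dns_servers(options) if s != pihole]


def build_options(dns: list[str], server_id: str = "10.0.0.1") -> bytes:
    """Construct a minimal DHCPACK option area (sample data for this example, not a capture)."""
    def packed(addr: str) -> bytes:
        return ipaddress.IPv4Address(addr).packed

    dns_bytes = b"".join(packed(d) for d in dns)
    return (
        MAGIC_COOKIE
        + bytes([OPT_MSG_TYPE, 1, 5])                    # 5 = DHCPACK
        + bytes([OPT_SERVER_ID, 4]) + packed(server_id)
        + bytes([OPT_ROUTER, 4]) + packed(server_id)
        + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
        + bytes([OPT_END])
    )


# Constructed samples: the Asus behaviour from the thread (router lists itself) and the desired one.
ASUS_DEFAULT = build_options(["10.0.0.1", "10.0.0.10"])
PIHOLE_ONLY = build_options(["10.0.0.10"])

if __name__ == "__main__":
    for label, pkt in (("asus default", ASUS_DEFAULT), ("pi-hole only", PIHOLE_ONLY)):
        extra = bypass_servers(pkt, "10.0.0.10")
        print(f"{label}: advertised {dns_servers(pkt)}; bypass possible via {extra or 'nothing'}")
```

The check to run against a real reply is `bypass_servers(...)`: anything but an empty list means a client that picks the first or fastest server in the list can resolve around the filter, which is what the "Domain Name Server: 10.0.0.1" line above shows for this router.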

I would go for option 2 below.

Yes, as flashing could, if it goes wrong, brick your router.

Preferred is to have the clients query Pi-hole directly so you see individual stats for your clients on the web GUI.

If you configured your router WAN/Internet DNS setting to point to Pi-hole only, yes this works but you won't see the stats described above.
You would only see queries coming from the router.

This is preferred if it weren't for your Asus router advertising its own IP through DHCP alongside the IP you configured in that LAN --> DNS Server field.
The pihole-FTL dhcp-discover part that should only show the single Pi-hole IP for DNS:

Because of the "feature" Asus decided to code into their firmware the router may include itself as one of the DNS servers used by LAN clients. This of course leads to the possibility that LAN clients may potentially bypass the Pi-Hole when the Pi-Hole's IP address is input into the LAN DNS field(s).

Can one use the Pi-Hole IP address in the WAN DNS field(s)? Yes. Should one do so? That is up for debate. Some say yes, some say no. No idea what is the proper way with respect to the WAN DNS fields. One definitely inputs their Pi-Hole IP's into the LAN DNS fields though.

The Asus-Merlin firmware includes the ability to disable the router itself being used as a DNS entry. One would set the option; "Advertise router's IP in addition to user-specified DNS" to "No". Down side is not all Asus routers are supported by the Merlin firmware.

Personally (running the merlin firmware on a RT-AC68U) I have the LAN DNS field and WAN DNS fields both set to my Pi-Hole's IP addresses (I use two Pi-Holes). And it seems to work fine. I have Conditional Forwarding enabled in the Pi-Hole Settings pointing to the Asus router. My query logs show responses from all local network clients by their client names and not by IP address.

As always YMMV.

You potentially created a partial "DNS forwarding loop" if you enabled CF and have the Pi-hole IP configured in the router as the WAN DNS.
Some queries might get trapped bouncing between router and Pi-hole causing high number of queries, high load on router or Pi-hole and maybe even time-outs.
A trapped query looping looks like this:

Client --> router --> Pi-hole ---
             ^                   |
             |                   |
              --------[CF]-------

When you have Pi-hole configured in the WAN DNS settings of the router (which is doing DHCP), you don't need CF.
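The loop diagram above can be walked through hop by hop. This is an added model (not code from the thread or from Pi-hole) of the WAN-DNS path: the router answers names from its own lease table, forwards everything else to its WAN DNS, and Pi-hole with Conditional Forwarding sends local-domain and reverse names back to the router. The assumption that the router forwards unknown local names rather than answering NXDOMAIN, the lease table and the hop cap are all constructed; the local domain "mydomainname" is the one from the nmap output earlier in the thread.

```python
from __future__ import annotations

LOCAL_DOMAIN = "mydomainname"   # the domain the router advertised in the nmap output above
MAX_HOPS = 8                    # constructed cap; a real resolver would time out instead


def is_local_name(name: str) -> bool:
    """Names Conditional Forwarding sends to the router: the local domain and reverse lookups."""
    return name.endswith("." + LOCAL_DOMAIN) or name.endswith(".in-addr.arpa")


def next_hop(node: str, name: str, router_knows: set[str], wan_dns: str, cf: bool) -> str:
    """Where a node sends the query next. Assumes the router forwards names it cannot
    answer from its own lease table to its WAN/Internet DNS (an assumption of this model)."""
    if node == "router":
        return "answer" if name in router_knows else wan_dns
    if node == "pihole":
        return "router" if cf and is_local_name(name) else "upstream"
    raise ValueError(f"unknown node {node!r}")


def trace_query(name: str, router_knows: set[str], wan_dns: str, cf: bool) -> list[str]:
    """Follow a client query hop by hop; the last entry is 'answer', 'upstream' or 'LOOP'."""
    path = ["client", "router"]
    for _ in range(MAX_HOPS):
        hop = next_hop(path[-1], name, router_knows, wan_dns, cf)
        path.append(hop)
        if hop in ("answer", "upstream"):
            return path
    path.append("LOOP")          # bounced router <-> Pi-hole until the hop cap
    return path


# Constructed lease table: one host the router knows, one it does not (e.g. a static-IP device).
ROUTER_LEASES = {"nas.mydomainname", "20.0.0.10.in-addr.arpa"}

if __name__ == "__main__":
    for name in ("nas.mydomainname", "printer.mydomainname", "example.com"):
        for cf in (True, False):
            route = " -> ".join(trace_query(name, ROUTER_LEASES, "pihole", cf))
            print(f"CF={'on' if cf else 'off':3} {name}: {route}")
```

Only the middle case loops: a name in the local domain that the router cannot answer itself ("printer.mydomainname" here) bounces between router and Pi-hole while CF is on, which is why the loop is "partial". With CF off the same query leaves for upstream and terminates, and public names never touch the CF rule at all.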

Yes, I know full well the implications of a potential loop using Conditional Forwarding. Cannot remember exactly why I enabled Conditional Forwarding at the time, maybe due to some client IPs not being resolved to their names. If I remember right there was an issue using IoT devices on guest WiFi where I had to use the Asus-Merlin YazFi script to get guest WiFi to use Pi-Hole. Which introduced client name resolving issues which led to other changes. Think I enabled Conditional Forwarding somewhere along the way and just left it enabled. Shrugs.

Nowhere in the official guide is it mentioned to use the Pi-hole IP upstream in the WAN/Internet DNS settings of the router:

https://docs.pi-hole.net/main/post-install/

And guest networks are a bit tricky.

Of course, yet it's something some do (WAN DNS) with the Asus routers because the Asus firmware may potentially bypass the Pi-Hole(s) due to the reasons previously mentioned, or for other reasons if using the Merlin firmware. It's why some say it's OK and others do not.

Some other discussions on the use of both conditional forwarding and Pi-Hole in the WAN DNS:
https://www.snbforums.com/threads/asus-rt-ac68u-the-correct-way-to-configure-dns-for-pi-hole-standalone-device.65010/
https://www.reddit.com/r/pihole/comments/4canon/my_router_running_asuswrt_has_two_spots_for_dns/
https://carlosfelic.io/network/configuring-the-pi-hole-with-asus-routers-merlin-or-johns-fork/

Thank You both. Appreciate the education. Did not realize that ASUS routers also act as a DNS, was a little confused when I saw the router IP as the DNS IP on the nmap result above.

I do not mind the router IP showing as the only one in the query logs - of course client names/IPs would be nice to have but it doesn't matter to me that much. I however did try and edit the /etc/hosts file to add client IPs and names but that did not work - should it have?

What matters more to me is the fact that some of the IPs might get resolved through the router acting as DNS and hence ads won't be blocked. Haven't seen any ads pop up on any of the clients yet - so that is a good thing.

I am a little bit wary of switching the DHCP server from router to pi-hole. Is this a pretty straightforward task? I have a lot of clients connected (including a couple of servers and home automation stuff on wifi) obtaining leases from the router. Do I have to do anything specific on the client side to do this? If it is pretty complicated then I will wait for the non-beta version of Merlin for RT-AX86U to be released and will flash that.

One doesn't really need to use the Pi-Hole DHCP server in simple/basic setups. The router's DHCP server works in most simple/basic cases.

Generally, it's a simple process. Input the Pi Hole device IPs into the router's LAN DNS fields and then save the settings in the router.

On the client side one can either wait for the DHCP lease to expire and the client renews it when it will update with the new DNS server(s). Or just reboot the client devices so they obtain new DHCP leases and updated DNS servers. This assumes one has LAN client devices configured to obtain DHCP leases and not configured internally (on the client device) with their own static IP's/DNS servers.

That way the Asus router can cache DNS queries for all your clients without the DNS query leaving your fast LAN.
Pi-hole does same caching for your clients.

Other Pi-hole features like "Groups" won't work either if Pi-hole only sees the queries from the router.

No, won't work ... not as long as clients query the router first.
None of the client queries will get through to Pi-hole, only the router ones.

As long as you configured the Pi-hole address as the only DNS server in the WAN/Internet DNS fields!
If you configured a second IP like for example your ISP DNS servers, ad blocking might not work when the router decides to use your ISP DNS thus bypassing Pi-hole.

It's not that complicated:

Make sure to enable the Pi-hole DHCP service first before you disable the one on the Asus router.
Tail the logs for DHCP:

tail -F /var/log/pihole.log | grep dnsmasq-dhcp

Grab a test PC/device and disconnect and reconnect it from the network (or reboot it) to renew its DHCP lease while tailing the logs.
And test if the http://pi.hole site loads on that device.
If it doesn't work, just enable the DHCP service on the router again and disable the one on Pi-hole.

Don't forget to copy over DHCP reservations that you might have created on the Asus router!

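While tailing the log as described above, it helps to know what a good exchange looks like and to confirm the copied reservations were honoured. The following is an added example (not code from the thread or from Pi-hole) that reads dnsmasq-dhcp log lines, checks per client MAC that the full DISCOVER/OFFER/REQUEST/ACK handshake was logged, and compares the ACKed address with a reservation table. The log excerpt, MAC addresses, hostnames and reservations are constructed; the line layout follows dnsmasq's usual `TYPE(iface) [ip] mac [hostname]` form.

```python
from __future__ import annotations

import re

# Shape of dnsmasq's DHCP log lines as they appear in /var/log/pihole.log
LINE_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (?P<type>DHCP[A-Z]+)\((?P<iface>\w+)\)"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+(?P<host>\S+))?"
)

HANDSHAKE = ("DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK")


def parse_dhcp_log(lines) -> dict[str, dict]:
    """Collect, per client MAC, the message types seen and the last ACKed IP and hostname."""
    clients: dict[str, dict] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a DHCP line (e.g. a DNS query line)
        entry = clients.setdefault(m["mac"], {"seen": set(), "ip": None, "host": None})
        entry["seen"].add(m["type"])
        if m["type"] == "DHCPACK":
            entry["ip"] = m["ip"]
            entry["host"] = m["host"]
    return clients


def handshake_complete(clients: dict[str, dict], mac: str) -> bool:
    """True when the full DISCOVER/OFFER/REQUEST/ACK exchange was logged for this MAC."""
    seen = clients.get(mac, {}).get("seen", set())
    return all(t in seen for t in HANDSHAKE)


def reservation_mismatches(clients: dict[str, dict], reservations: dict[str, str]) -> dict[str, tuple]:
    """MACs whose ACKed address differs from the reservation copied over from the router."""
    bad = {}
    for mac, expected in reservations.items():
        got = clients.get(mac, {}).get("ip")
        if got != expected:
            bad[mac] = (expected, got)
    return bad


# Constructed log excerpt: a healthy client, one stuck at DISCOVER, one renewing into the wrong address.
SAMPLE_LOG = """\
Jan 25 00:42:01 dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) aa:bb:cc:dd:ee:01
Jan 25 00:42:01 dnsmasq-dhcp[1234]: DHCPOFFER(eth0) 10.0.0.42 aa:bb:cc:dd:ee:01
Jan 25 00:42:01 dnsmasq-dhcp[1234]: DHCPREQUEST(eth0) 10.0.0.42 aa:bb:cc:dd:ee:01
Jan 25 00:42:01 dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.0.42 aa:bb:cc:dd:ee:01 testpc
Jan 25 00:42:05 dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) aa:bb:cc:dd:ee:02
Jan 25 00:42:09 dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) aa:bb:cc:dd:ee:02
Jan 25 00:42:20 dnsmasq-dhcp[1234]: DHCPREQUEST(eth0) 10.0.0.77 aa:bb:cc:dd:ee:03
Jan 25 00:42:20 dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.0.77 aa:bb:cc:dd:ee:03 homeserver
""".splitlines()

# Reservations as they were on the router (constructed); homeserver should have received 10.0.0.50
RESERVATIONS = {"aa:bb:cc:dd:ee:01": "10.0.0.42", "aa:bb:cc:dd:ee:03": "10.0.0.50"}

if __name__ == "__main__":
    clients = parse_dhcp_log(SAMPLE_LOG)
    for mac, entry in clients.items():
        state = "complete" if handshake_complete(clients, mac) else "incomplete"
        print(f"{mac}: {state}, ip={entry['ip']}, host={entry['host']}")
    print("reservation mismatches:", reservation_mismatches(clients, RESERVATIONS))
```

A client that repeats DISCOVER without an OFFER (the second MAC) is the sign that the Pi-hole DHCP service is not reachable or not enabled yet, which is the case for falling back to the router as the post says; a mismatch in `reservation_mismatches` means a reservation was not copied before the switch.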
You potentially created a partial "DNS forwarding loop" if you enabled CF and have the Pi-hole IP configured in the router as the WAN DNS.
Some queries might get trapped bouncing between router and Pi-hole causing high number of queries, high load on router or Pi-hole and maybe even time-outs.
A trapped query looping looks like this:

Client --> router --> Pi-hole ---
             ^                   |
             |                   |
              --------[CF]-------

When you have Pi-hole configured in the WAN DNS settings of the router (which is doing DHCP), you don't need CF.

Finally an explanation for something I have experienced but didn't know why it happened!!

I decided to disable both CF and "Only forward FQDN" because something was weird but wasn't sure what it was.

I have also put the Pi-Hole IP address in the LAN and WAN fields on my Asus Router.

That's not recommended and will cause inconsistent replies.
One path via the WAN option will be:

Client --> router --> Pi-hole --> Upstream configured DNS servers

And the other via the LAN option will be:

Client --> Pi-hole --> Upstream configured DNS servers

That will mean that if DNS queries follow the second path, local hostnames stored on the router will not resolve.

EDIT: The only option to work properly without having to flash the Asus router is the DHCP switch option.
All others will miss out on features/individual stats or won't resolve proper names.

Yes, that's correct, I knew this would happen but I decided that I'd rather lose some accuracy in my stats in exchange for ~100% no ads. (Also I don't look at the stats very often.)

I know Merlin lets you turn off the ASUS broadcasting itself as a DNS but right now our router is too mission critical to experiment with a non-official firmware.

So lets recap some of the issues discussed as they are somewhat spread out in this thread. Trying to make this as non technical as possible to avoid getting non technical folks confused with technical jargon/terms. This isn't a complete list, just some of the basics of what has been already discussed.

  • Asus routers, using Asus firmware, will likely include the router's IP address as a LAN DNS address in addition to any manually input LAN DNS address a user may add. This means there is the potential LAN DNS requests could potentially bypass the Pi-Hole by going directly to the Asus router instead of the Pi-Hole.
  • If using the Asus router DHCP server, one enters the Pi-Hole IP address into the LAN DNS field (LAN > DHCP Server > DNS and WINS Server Setting > DNS Server 1, and the DNS Server 2 if needed).
  • If one flashes the Asus-Merlin firmware (https://www.asuswrt-merlin.net/) to their Asus router, one can disable the router's IP address from being included as a LAN DNS. In the Asus-Merlin configuration; LAN > DHCP set "Advertise router's IP in addition to user-specified DNS" to "No".
  • The Pi-Hole documentation (Post-Install - Pi-hole documentation) does not mention or suggest using the Pi-Hole(s) IP address in the router's WAN DNS fields.
  • Using Conditional Forwarding (on the Pi-Hole) may cause a loop which could potentially cause issues depending on how one configures their router (using Pi-Hole as router WAN DNS for example).
  • Several blog posts and other web pages that describe setting up Pi-Hole with Asus routers do make mention of using the Pi-Hole IP address for the router's WAN DNS. Doing so may present potential issues.
  • Several blog posts and other web pages that describe setting up Pi-Hole with Asus routers do make mention of enabling Conditional Forwarding. Doing so may present potential issues.
  • One can disable the router's DHCP server and enable the Pi-Hole embedded DHCP server if they so choose. One would have to manually re-create any static/reserved IP address mappings, that were present in the router, in the Pi-Hole DHCP server section/settings.
  • Depending on one's configuration (both Pi-Hole and Asus router) the LAN client names may not be properly resolved by the Pi-Hole. One method, if using the router's DHCP server, that may or may not be recommended by Pi-Hole, is to edit the "host" file on the Pi-Hole to manually add IP addresses and client names. Then restart the Pi-Hole DNS. If one goes this route, use DHCP server static/reserved IP addresses. There are a number of ways to do this modification of the Pi-Hole host file option. One example: Adding a static host record to PiHole – Zewwy's Info Tech Talks EDIT TO ADD: See the post by deHakkelaar following this post that updates this particular issue and has a better way to deal with unresolved client names.

Couple of additional comments not previously mentioned.

  • One issue some may run into when using Pi-Hole with an Asus router running stock Asus firmware or the Asus-Merlin firmware is that Guest Network WiFi device DNS requests may not be routed through the Pi-Hole and certain IoT device features may fail to work on the Guest Network, especially when Guest Access Intranet is disabled. This is due to the Asus guest network being blocked from accessing main LAN devices including the Pi-Hole. One workaround is to install the Asus Merlin firmware (https://www.asuswrt-merlin.net/), then install the YazFi script (https://github.com/jackyaz/YazFi). The YazFi script includes the ability to set guest WiFi network DNS servers. Make sure to read through the following thread on YazFi to understand its limitations and additional configuration options: https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-inc-ssid-vpn-client.45924/. EDIT TO ADD: See the post by deHakkelaar following this post that updates this particular issue and has an alternate way to deal with the Guest Network WiFi clients when using the YazFi script.
  • If using an Asus router one can power a Raspberry Pi Zero W (running Pi-Hole) off the router's USB 2.0 port. May not be recommended but is possible.
  • One can setup a Pi Zero (running Pi-Hole) and Asus router with "Ethernet Gadget" connection to facilitate the use of a single USB cable to both power the Pi and provide "Ethernet" connection between the router and the Pi. Older thread with general directions on how to do so with an Asus router and Pi Zero W here: https://discourse.pi-hole.net/t/pi-zero-w-usb-ethernet-gadget-with-asus-router-fix/19352. However, one should test this Ethernet Gadget option extensively before using on a mission critical Asus router. There may be issues with router rebooting or Pi Zero rebooting causing the Ethernet Gadget connection to go offline and not recover.

As always; any modifications to either the router or the Pi or Pi-Hole is at the user's own risk! To make any non recommended modifications like flashing firmware or editing router/Pi/Pi-Hole files will require some additional knowledge including how to use SSH and issue some general Linux commands.

Nice recap!

We have local DNS records now:

http://pi.hole/admin/dns_records.php

If you use YazFi, and have a Raspberry Pi with both ethernet and WiFi, you could connect ethernet to your LAN and the WiFi interface (with a different IP and subnet in the guest network) to the guest network.
Make sure Pi-hole is listening on all interfaces:

pi@ph5:~ $ pihole -a -i local
  [i] Listening on all interfaces, permitting origins from one hop away (LAN)
  [✓] Restarting DNS server

Set up a proper firewall and you're good to go :wink:

One other setting, when using the Asus-Merlin firmware + Pi-Hole, one should consider enabling is the DNS Filter option. This will supposedly force all LAN clients to go through the Pi-Hole. Go to LAN > DNSFilter, turn Enable DNS-based Filtering to On. Set Global Filter Mode to Router. Leave Custom (user-defined) DNS 1, 2, 3 fields blank. Input/select the Pi-Hole device's MAC address from the Client MAC address drop down box. Next set the Filtering Mode to No Filtering, then select the Add button. When finished hit the Apply button to save the settings.

More on this suggested Asus-Merlin DNSFilter setting change at the following posts/links.

One more possible suggestion when using Asus-Merlin with the YazFi script + Pi-Hole. Ran into issues with the Pi-Hole not resolving LAN client names (ARP records apparently), particularly when looking at the long term query data listings. This goes back, I think, to one reason why I may have initially enabled Conditional Forwarding in the Pi-Hole. Previously added the following (adjusted for my local network subnets and router IP address) to the /etc/dnsmasq.d/10-subnet-dns.conf file (and then rebooted the Pi).

server=/1.168.192.in-addr.arpa/192.168.1.1
server=/3.168.192.in-addr.arpa/192.168.1.1
server=/6.168.192.in-addr.arpa/192.168.1.1

Have three lines there, one for the main LAN and the other two for the guest YazFi WiFi client subnets which due to the YazFi script have separate IP subnet ranges. I do have all LAN clients set with static IP addresses (within the router, YazFi clients static IP set using scripting). Probably better ways to deal with name resolution but it worked for me to fix the name resolution issue I was having. YMMV

More explanation on this particular specific change re client name resolution (ARP records) due to using the YazFi script with Pi-Hole at the YazFi Github Wiki page: https://github.com/jackyaz/YazFi/wiki/Setting-up-YazFi-with-Pi-hole-and-ARP-records#subnet-name-resolutionarp-settings-for-lan-clients
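The three `server=` lines above each hand one /24 reverse zone to the router. The following is an added example (not code from the thread, YazFi or Pi-hole) that derives the dnsmasq `server=/zone/router` lines from subnet CIDRs, and it goes beyond the post by handling prefix lengths other than /24: reverse zones only exist on octet boundaries, so a /22 becomes four /24 zones and a /25 is covered by the enclosing /24 zone. The subnets and router address are the ones from the post; `POST_SUBNETS` and the function names are this example's own.

```python
from __future__ import annotations

import ipaddress


def reverse_zones(cidr: str) -> list[str]:
    """Smallest set of in-addr.arpa zones that covers an IPv4 network.

    Reverse zones cut on octet boundaries (/8, /16, /24): a /22 needs four /24 zones,
    and a /25 is served by the enclosing /24 zone (which forwards more than asked).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 24:
        nets = [net.supernet(new_prefix=24)]
    else:
        boundary = min(b for b in (8, 16, 24) if b >= net.prefixlen)
        nets = list(net.subnets(new_prefix=boundary))
    zones = []
    for n in nets:
        octets = str(n.network_address).split(".")[: n.prefixlen // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def dnsmasq_server_lines(cidrs: list[str], router_ip: str) -> list[str]:
    """server=/zone/router lines for dnsmasq, one per reverse zone, duplicates removed."""
    ipaddress.IPv4Address(router_ip)   # raises on a malformed forwarding target
    lines: list[str] = []
    for cidr in cidrs:
        for zone in reverse_zones(cidr):
            line = f"server=/{zone}/{router_ip}"
            if line not in lines:
                lines.append(line)
    return lines


# The three subnets from the post above (main LAN plus two YazFi guest subnets).
POST_SUBNETS = ["192.168.1.0/24", "192.168.3.0/24", "192.168.6.0/24"]

if __name__ == "__main__":
    print("\n".join(dnsmasq_server_lines(POST_SUBNETS, "192.168.1.1")))
```

Running it with `POST_SUBNETS` reproduces the three lines from the post; the generated lines go into a file under /etc/dnsmasq.d/ as in the post. Note that such `server=` rules send reverse lookups for those ranges to the router, which is the directed form of what Conditional Forwarding does for one subnet, so the loop caveat raised earlier in the thread applies in the same way if the router's WAN DNS points back at Pi-hole.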