Force All Traffic to DNS

Hello,
I used Tomato firmware before and it had a feature which forced all devices to use the Router's DNS server.
I believe the feature said... "Intercept DNS port 53" and it worked great. Prevented users from using their own DNS server.

How can I achieve the same in Pihole?
Is that a setting or is it via scripts?

You need a router which supports this feature. In the router you will configure a rule to intercept DNS traffic and redirect it to the Pi-hole's address. You also need to make sure that the Pi-hole's address itself is exempt from this rule so that the Pi-hole can query its upstream servers.

My router has this feature, but it only works when I am not using Pihole..

What I mean is, I have the router configured to route all traffic to Pihole and it's working great, no issues.
But, I noticed that I can bypass pihole by changing the DNS server on any of the devices, whereas if I set the router to use the router's DNS server options, then all devices are forced to use the router's DNS even if they change it on their devices.

My Asus Router has this option

That setting, when Global filter is set to Router, is supposed to force all devices to use whatever DNS the router has and it works great... But, this doesn't work when I set all devices to use Pihole by adding the pihole IP on the LAN DHCP of the router... if I do that, then all devices are routed to the Pihole and everything works great.. except, now any device can easily bypass the Pihole because the Router's rule doesn't apply anymore.

The best solution is, typically, to go into your router's firewall and rewrite all port 53 UDP access to your Pi-hole (the Pi-hole itself needs to be excluded from this rule). This will catch traffic that tries to bypass your Pi-hole and ensure it is processed by your Pi-hole, too.

If your router is not able to do this, an alternative is to block all port 53 UDP to the Internet for all devices (the Pi-hole itself needs to be excluded from this rule, too). This will not catch traffic that tries to bypass, but, at the very least, prevent this from working.
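
The two approaches above (redirect port 53 to the Pi-hole, or as a fallback block port 53 outright, exempting the Pi-hole in both cases) as an added shell example, not code from the thread or from the Pi-hole project. It assumes a hypothetical Pi-hole at 192.168.1.2 and a LAN bridge interface named br0; by default it only prints the iptables commands so you can review them, and executes them when run with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): build the router firewall rules that
# intercept all DNS traffic from the LAN and send it to the Pi-hole, with the
# Pi-hole itself exempt so its upstream queries are not looped back to it.
# Hypothetical values: PIHOLE_IP=192.168.1.2, LAN_IF=br0.

# Preferred: rewrite every port-53 packet from the LAN to the Pi-hole (UDP and TCP).
dns_redirect_rules() {
  pihole_ip="$1"
  lan_if="$2"
  for proto in udp tcp; do
    # Exempt the Pi-hole first; rule order matters, so RETURN precedes DNAT.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -s $pihole_ip -j RETURN"
    # Everything else on port 53 is redirected to the Pi-hole regardless of the
    # DNS server a device has configured for itself.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -j DNAT --to-destination ${pihole_ip}:53"
  done
}

# Fallback for routers without NAT redirection: drop forwarded port-53 traffic
# that does not come from the Pi-hole, so a hard-coded DNS server simply fails.
dns_block_rules() {
  pihole_ip="$1"
  lan_if="$2"
  for proto in udp tcp; do
    echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -s $pihole_ip -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
  done
}

# Print the rules (default) or apply them (APPLY=1). MODE=block selects the fallback.
run_rules() {
  if [ "${MODE:-redirect}" = "block" ]; then
    rules="$(dns_block_rules "$1" "$2")"
  else
    rules="$(dns_redirect_rules "$1" "$2")"
  fi
  if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$rules" | sh
  else
    printf '%s\n' "$rules"
  fi
}

run_rules "${PIHOLE_IP:-192.168.1.2}" "${LAN_IF:-br0}"
```

Neither rule set touches port 443, so a browser using DNS over HTTPS still bypasses the Pi-hole; that case is handled by blocking the DoH endpoints at the Pi-hole itself, as discussed later in the thread.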

I can use scripts on my router. Are there any scripts I can use to accomplish this?

What kind of scripts are supported by your router?

these..
iptables -A INPUT -p udp --dport 53 -j DROP

I got it resolved. The reason I was able to bypass Pihole is because I enabled DOH on the browser which bypasses the router's rules.

I got it resolved by adding this "no DoH bypass" list to the adlists:

https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt

Works great.. now devices are not able to use their own DNS even with doh enabled on their browsers.

Did you consider disabling DoH on the browser?

I was looking for a solution to prevent users from bypassing Pihole by enabling doh on the browser.
That list prevents that.
