How does LAN traffic get approximately routed to the Pi-hole?


I’m a bit of a noob on this Pi-hole business. After much fuss and head scratching I finally managed to get it working (v4.1.2 on an ODROID XU4 running Debian Stretch), and it turns out that I was massively overcomplicating things initially.

My router (TP-Link Archer C8 v1) has two areas for DNS. One within ‘Internet’ (which I guess is WAN) and one within DHCP (which I guess is LAN).

In my WAN DNS, I currently have Cloudflare set up (, Initially, I was trying to leave this blank, or enter my Pi-Hole local IP, or enter a range that was outside my subnet mask - all sorts. Nothing worked. Only leaving Cloudflare (or other valid DNS) in this area will work, otherwise my Internet breaks.

In my now working setup, I’ve left Cloudflare in WAN, and added my local Pi-Hole in LAN DNS.

So now I’m confused. It works flawlessly, and all my LAN traffic actually goes via the Pi-hole (to my surprise!).

How does the router know to serve LAN requests via Pi-hole rather than WAN requests via custom DNS?

Why aren’t all requests just going via the WAN DNS (Cloudflare) since this seems the default?

Does the router software prioritise LAN traffic (origin LAN) and therefore shunts DNS requests to my Pi-hole as configured in my router’s DHCP section?

I’m just really confused as to how this is working, even though it is working perfectly. I have even configured my /etc/hosts file to serve meaningful names, because I couldn’t get Conditional Forwarding to work for all connected devices (some had names whereas others had IPs) - now they all have names. It’s sweet!

So, if anyone can help me out and clear up my confusion as to how the traffic is routed and how my router knows to serve LAN originating DNS requests from my Pi-hole rather than those in the WAN DNS settings (,, then it would really help me to understand things better.

Next mission, OpenVPN server…more brain-melt ahead I think! :joy:

Thanks for an awesome tool.


The router uses the DNS server specified in the LAN settings for clients on the LAN-facing side of the router. It provides this DNS address along with the IP during the DHCP exchange process. When the client gets an IP from the router, they get the DNS address as well.

I suspect if you left this blank, the clients would get the WAN DNS address by default.
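The DHCP exchange described in the reply above, as an added example that is not part of the original thread: it builds a constructed DHCPACK and parses it the way a client would, showing that the resolver (option 6) and the default gateway (option 3) are separate fields. The addresses (router 192.168.0.1, Pi-hole 192.168.0.2) and the function names are assumptions made for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build_ack(client_ip, router_ip, dns_ips):
    """Build a constructed DHCPACK: 236-byte BOOTP header, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                         bytes(4), ip4(client_ip), ip4(router_ip), bytes(4),
                         bytes(16), bytes(64), bytes(128))
    options = bytes([OPT_MSG_TYPE, 1, 5])               # message type 5 = DHCPACK
    options += bytes([OPT_ROUTER, 4]) + ip4(router_ip)  # default gateway
    if dns_ips:                                         # the router's DHCP DNS field
        dns = b"".join(ip4(ip) for ip in dns_ips)
        options += bytes([OPT_DNS, len(dns)]) + dns
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet):
    """Return {option code: raw value}, rejecting truncated packets."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def lease_summary(packet):
    """Gateway and resolvers a client would configure from this lease."""
    opts = parse_options(packet)
    split = lambda raw: [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
    return {"gateway": split(opts.get(OPT_ROUTER, b"")), "dns": split(opts.get(OPT_DNS, b""))}


if __name__ == "__main__":
    # Constructed addresses: router 192.168.0.1, Pi-hole 192.168.0.2
    print(lease_summary(build_ack("192.168.0.50", "192.168.0.1", ["192.168.0.2"])))
```

Only DNS lookups go to the address in option 6; all other traffic still leaves through the gateway in option 3.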


You are definitely correct. Blank DHCP LAN DNS, and WAN DNS takes precedence. So, it seems the router software gives priority to LAN requests if there is an entry in the DHCP LAN DNS option.

This is good to know, but it’s been a mystery to me, and it’s almost too easy to configure. I went the hard way, and wrongly assumed that WAN DNS needed to be empty, and therefore opened up a world of pain (and learning!). This really threw me for ages.

Perhaps it would be worth adding to the documentation that WAN DNS can be left alone. I’m sure others have and will fall into the same trap as me.

Thanks for the insightful reply.

All the best.


This is not the case for all routers. Example - Apple routers don’t have this configuration option.

Since Pi-Hole is run with pretty much every router on the market, it is difficult to give instructions that may not apply to all configurations. In addition to different routers, models and software versions on the routers, each network is configured differently as well.


Yes, of course. Anyway, I hope some other soul finds this post useful.

Thanks for taking the time to discuss.